ISO 9001: 2015 Clause 8.4.3

Mr. Pareto Head and Supply Chain comic strip

Question

It’s not clear to me who an external provider may be. Could it be an electrical contractor, a lunch truck, a caterer, or other similar? That thinking is tremendously different than just the traditional “supplier” which is what this company has using been for many years. So there’s that concern. Also, advising our external providers what equipment to use, how to use it and how to train their people? Is that really what’s said here? That would require tremendous knowledge in our organization that most likely is not here. What exactly is being said here? I’m a little confused how to address this requirement. Finally, section (e): we must communicate to the external provider how we are going to measure them? Can it be done through email, or phone, or what is a common method for meeting the requirement? Thanks much.

Answer

Who is an external provider?

ISO 9001:2015, 8.4.1 states, the organization shall determine the controls to be applied to externally provided processes, products and services when:

  1. products and services from external providers are intended for incorporation into the organization’s own products and services;
  2. products and services are provided directly to the customer(s) by external providers on behalf of the organization;
  3. a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
    1. Refers to a product that becomes part of your product; for example, a bolt incorporated into a seat assembly. You purchase these.
    2. Refers to a product that is “dropped shipped” to a customer. Think of an Amazon purchase where the product comes from a second party under the Amazon logo.
    3. Refers to a process that is outsourced as a result of the organization’s decision to have the process managed externally. For example, the heat treating of a part where the part needs to be heat treated but the organization does not have that process internally.

Therefore, an electrical contractor, a lunch truck, etc. are not included since they are outside the scope of the QMS.

Secondly, “advising our external providers,” refers to the type and extent of control.  Will you perform 100% incoming verification, or require material certifications, or require certification to a quality management standard? In certain instances, you may want to specify the equipment or training an external provider must implement.  For example, for outsourced welding, your requirement might be that welders are certified by the American Welding Society or your calibration company be accredited to ISO 17025.

How will you measure an external provider?  It can be on-time delivery, responsiveness to requests, PPM targets.  Communicating the measurement (8.4.3 e) is related to 8.4.1, “retain documented information of these activities and any necessary actions arising from the evaluations”.  Therefore, a record must be retained.

George Hummel

ISO 9001: 2015 Clauses 4.1 and 4.2

Question

Let’s start with clause 4.2. What level of detail is required here? Is “supplier” or “customer” sufficient, or is it required to drill down from there to specific suppliers or customers? We have hundreds of suppliers and many more customers. Regarding 4.1, thinking about working this from the bottom up. Each Leader (supervisor, manager, director) will review processes under their control and identify issues related to those processes. Those processes can have internal and externally related issues. It’s the hope (plan) that this approach will cover all relevant issues (internal & external) that would impact our ability to meet the needs of the QMS -and- meet the needs of the interested parties (we are adding a column that identifies which interested party would be affected by the issue). As a side note, we’ll also do our risk analysis on all of the noted issues and roll the top items into the CAR/CI process. I feel I may be missing something with this approach, but it seems to mostly meet the requirements of 4.1 and 4.2.

Answer

4.2:  What level of detail?  The standard states, “the organization shall determine:

  1. the interested parties that are relevant to the quality management system;
  2. the requirements of these interested parties that are relevant to the quality management system. The organization shall monitor and review information about these interested parties and their relevant requirements.  [emphasis added]

Is “supplier” or “customer” sufficient?  It would be if all had the same requirements.  Assuming that they do not, you are required to “drill down.”  Customer satisfaction cannot be achieved unless you understand the individual requirements and monitor and review those requirements (which are an input to Management Review).

Furthermore, the list of interested parties goes beyond “customers & suppliers.”  Owners, employees, regulatory agencies, financial institutions, etc. to name a few have requirements as interested parties. These need to be addressed, as well.

“We are adding a column that identifies which interested party would be affected by the issue.” This is a good approach if the requirement is also addressed and you go beyond customer and supplier.

“Regarding 4.1, thinking about working this from the bottom up.” Once again, the standard states, “The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction…”

The key in this requirement is “strategic direction.”  If from working from the bottom up, you ultimately tie these external and internal issues to the organization’s strategic direction, there should not be a problem.

Be aware that your approach will not be familiar to your auditor.  In that case, you will need to fully explain your approach.

George Hummel

DPMO

Question

My question concerns the process performance metric DPMO (defects per million opportunities). I want to use this to quantify a particular supplier’s performance. My question is, is the number of defects referred to in the calculation the number of defects produced by the supplier (in which case it would involve data I don’t have access to), or is it the number of defects experienced by the customer (which is us)? I of course can count the number of defects we receive from the supplier, but if this metric is supposed to be based on the number of defects produced by an organization, I would have no way of knowing how many defects are produced by the supplier’s process, but contained within the supplier’s facility. My hope is to be able to characterize the supplier’s process performance in terms of sigma level.
Answer

The DPMO metric is not usually considered a point estimate of the true percent defective in the lot (either at the supplier or customer site).  It is a relative performance metric used to equate the observed percent defective from a sample to defective units per million opportunities.  If a supplier culls out all the defective units before shipping to you (i.e. perfect inspection system), your internal DPMO would be 0, even if the supplier DPMO is high. If your goal is to characterize the supplier’s process performance in terms of sigma level, you would need their data, as the data you collect internally is just an estimate for the average outgoing quality from the supplier and not their process performance.

Steven Walfish

ISO Certification and Suppliers

Mr. Pareto Head and Supply Chain comic strip

Question

I work for a small family company that purchases items and potentially processes or packages them into heat protection materials. One of my existing customers is asking for ISO certification for some materials that I will sell to them. The material I’m trying to sell him comes from my supplier who is ISO 9001 certified, but my company is not. How can I show my customer that my supplier is ISO certified without the customer knowing who my supplier is?

Answers

The company is doing a value added process, and not a distributor.  As a result, if the customer is demanding ISO 9001 certification from the company, they need to make the decision, do they want to do business with the company? If so they need to pursue certification. If they do not want to pursue certification, they should tell the customer they do not want to pursue certification.  The customer can make the decision whether they will purchase product from the company.  I have had an experience where I did not want to do an audit with a company.  We told the customer, we will not do it.  The customer responded and came back with a reasonable proposal.  They wanted the business.

John G. Surak, PhD
Surak and Associates
Clemson, SC
A member of Stratecon International Consultants
www.stratecon-intl.com/jsurak.html

First, ISO certification is for a company’s quality management system, not for particular materials.  I would let the customer know, on company letter head, that:  “We certify that the materials we purchased are from ISO 9001 certified suppliers only.  The name of these suppliers is company confidential.”

James D. Werner
Principal Consultant
MDQC
Medical Device Quality Compliance, LLC

ISO 9001: Product Development and Customer Satisfaction

Manufacturing, inspection, exclusions

Q: Does a company certified to ANSI/ISO/ASQ Q9001-2008 Quality management systems — Requirements that produces raw materials for a customer according to their written specification also, as a raw material supplier, have a responsibility under ISO 9001 to meet the customer’s needs for their design intent and intended and known use?

In simple language, I sell a raw material to a customer who takes my raw material and then designs a product and sells it to a customer who uses it in the field. I wonder where does the ISO standard application stop for the raw material supplier?  How can a raw material supplier under ISO 9001 meet the needs of a customer’s trade secret designs, or further down the intended use of the product where the raw material supplier has no control over how it will be used or maintained?

A: Your question is more a legal one than a quality one. You are offering a product to a customer. This is your finished product and their raw material. When both parties agree to the terms and conditions (payment, form, fit, function, shipping, etc.) a contract exists. We call this a purchase order (PO) and part of that PO is the specification for your product. If they place an order to your spec, you have done the design work under ISO 9001 and they are accepting your design. END OF YOUR RESPONSIBILITY for future application and use. If you accept an order to their spec, they have done the design work and you are obligated to make sure your product meets the stated (and often implied) form/fit/function requirements. We call this quality control and you do this by testing in the lab prior to shipment.

Most firms address the issue of application by stating quite clearly in the contract terms that you are selling your product as-is and you do not warrant the product as fit for ultimate use. This is the kind of thing the lawyers require.

Having said all this, there is a requirement in ISO 9001 for you to measure customer satisfaction. You must state in your manual the concept (strategies) for doing this and have some defined processes – usually called procedures – to carry it out. Of course, part of this is the regular management review. Quality, marketing, and sales all provide input on how well the customer needs are being met. Your registrar should be examining how you do this.

If there is a trend showing that customers are unhappy with how the stuff performs under end-use conditions, ISO says you should address those issues. (Ignoring them is an option, if it is deliberate). Mature firms will work on building customer-supplier partnerships, getting their engineers to talk to your engineers. Although this is technically outside of the quality function, it is still part of your overall quality management system.

Charlie Cianfrani
Consulting Engineer
Green Lane Quality Management Services
Green Lane, PA
ASQ Fellow; ASQ CQE, CRE, CQA, RABQSA Certified QMS-Auditor (Q3558)
ASQ Quality Press Author
Related Content:

Open access resources about supplier quality and product development:

Two Sides of the Same Coin: Using Teams in Customer-Supplier Relationships, Journal for Quality and Participation

In the Know: A BoK dedicated to quality in outsourcing is essential in today’s global marketplace, Quality Progress

The Role of Quality Management Practice in the Performance of Integrated Supply Chains, Quality Management Journal

Has Information About Quality Become a Liability? Quality Progress

Product Liability: Beyond Loss Control — An Argument for Quality Assurance, Quality Management Journal

ISO 9001 Clause 7.4.1, Supplier Control

Mr. Pareto Head and Supply Chain comic strip

Q: My interpretation of  ISO 9001:2008 Quality management systems–Requirements regarding supplier control as addressed in clause 7.4.1 Purchasing process is that suppliers who would require evaluation, selection and registry, would be those who supply products (or services) which affect subsequent product realization, or the final product.

Excellent examples for our organization would be vendors providing raw material, tool/dies, surface preparation or calibration services.

I also believe that the “extent of control” exercised by the organization, could, in fact, mean that certain suppliers are not controlled (evaluated, selected and registered), due to their lack of impact on product realization.

Good examples here would be stationery or sanitation supplies.

After conferring with several colleagues, we are all puzzled to see freight companies (UPS, FedEx) included as controlled suppliers and nonconformance reports written for failure to comply with the standard if they are not included on our approved suppliers list.

I understand the standard is written to provide a framework, and not examples, however I find this interpretation to be too broad for the intended purpose.

A: Thank you for contacting ASQ’s Ask the Experts program.  The intent of ISO 9001:2008, clause 7.4.1 is to ensure suppliers are selected based upon their ability to meet the organization’s requirements, which generally include quality and delivery of product or service intended for the customer.

As you mentioned, suppliers of office supplies such as paper, printer toner and etc. are not usually included on an approved suppliers list since they have zero impact on the organization’s ability to meet customer requirements.

However, some registrars may consider trucking firms or delivery services such as UPS and FedEx as suppliers of services that could impact an organization’s  ability to meet requirements, such as on time delivery and the delivery of product in an acceptable condition to the customer.

Most registrars welcome rebuttals from their clients regarding audit findings.  This could be an excellent opportunity for your company state its position to the registrar and to understand their rationale as to why they believe UPS and FedEx must be on the approved suppliers list.

The bottom line is that your registrar determines how its auditors interpret audit criteria such as clause 7.4.1.

If it is decided to add these companies to the approved supplier list, it should be a painless process since your company probably already has an established performance history for them.

I hope this helps!

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

ANSI/ASQC C1-1996 Supplier Testing

Schedule, calendar, timeline

Q: I need clarification on the following, please:

ANSI/ASQC C1-1996 — Specification of General Requirements for a Quality Program — has been included in the required specifications from a prospective customer. Section 3.3.4 states (in the last sentence) “Furthermore, the validity of certifications shall be periodically verified by the buyer through independent testing.”

What criteria (time-frame, suppliers, mills, etc.) should be used to comply with “periodically?”

What testing is to be performed for the required independent testing? Is it to be only a chemical analysis, or are mechanical tests to be performed as well?

Does this standard require independent testing of materials in purchased components such as gaskets, glass, bolts and fittings, or is “raw materials” only meant to be the base materials such as plate and sheet steel that we purchase?

A: To begin with, most establishments, including your customer, already know that materials most often come with material test certificates.  For example, when you order a sheet of steel from EMJ Metals or another supplier, they will supply a test certificate along with it.

The certificates include that data which would be most important to your customer such as chemical analysis, mechanical properties, ASTM specifications, etc. You are probably already aware of all this.

As for “periodic” and “independent” testing, here is my opinion:

If you have, in writing, a document stating that all purchased materials will be subject to receiving inspection and such inspections will verify that customer requirements have been met, that will be step 1.

For step 2, if you go to the web site of almost any materials supplier, they will have documentation (quality manual, ISO certification, etc.) which you can use as evidence they are a qualified supplier.

You can then contact that supplier and ask if they will verify, in writing, that they also test the material they are sending.  Steel suppliers, like most material suppliers, sell what they receive from the original mills.  The material certs they provide to you are made of tests the mills run.  A company such as EMJ, which I mentioned earlier, uses what is called a Niton tester to verify chemical make up of the product which they buy and in turn sell to their customers.

Finally, step 3: as with any quality management system, you must “do what you say you do.”  So, if you say that part of your receiving inspection includes hardness testing, be ready to provide evidence of that (incoming inspection reports).

In closing, I feel confident that if you prepare the steps noted above, or something similar and communicate this to your potential customer, they will be doubly satisfied with your company. Doubly because all of this would display evidence of an organization with a mature QMS.

Bud Salsbury,
ASQ Senior Member, CQT,CQI