Whittington & Associates Newsletter

Newsletter sign-up

Sign up for our monthly email newsletter to get the latest guidance on ISO 9001, AS9100, AS9110, AS9120, ISO 13485, IATF 16949, ISO 14001, ISO 27001, ISO 45001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

Quality Plan Guidance

Aug 1, 2018

The third edition of ISO 10005, Quality management – Guidelines for quality plans, has been published.

This document gives guidelines for establishing, reviewing, accepting, applying, and revising quality plans. It is applicable to quality plans for any intended output, whether a process, product, service, project, or contract, and any type or size of organization.

ISO 10005:2018 is applicable whether the organization has a management system in conformity with ISO 9001:2015 or not. It provides guidance and does not specify requirements.

It is focused primarily on the provision of outputs and is not a guide to the planning of quality management system development. The prior edition, ISO 10005:2005, has been withdrawn.

ISO 10005:2018 is 27 pages and can be ordered at this ANSI web page for $162 (member price $129.60). Or, it can be ordered at this ISO web page for about $138.

Key Changes

The main changes in ISO 10005:2018 compared to ISO 10005:2005 are:

1. It applies terminology from ISO 9000:2015, which includes changes to definitions, such as:

  • Definition of “quality plan”, which has been modified to replace the phrase “procedures and associated resources to be applied when and by whom” by “actions, responsibilities and associated resources”;
  • Definition of “specific case”, which has been modified to refer to “service”, as ISO 9001:2015 now refers to “products and services” and no longer just to “products”;
  • Replacement of the terms “documentation” and “record” by the term “documented information”, which is generally used in ISO management system standards to include both “procedures” and “records” which are not necessarily distinct from each other in a digital environment.

Documented information to support process operation is “maintained”, which means that it is established and updated as required. Documented information that provides evidence of conformity with requirements is “retained”, which means that it is protected from unintended alterations.

2. It is aligned to ISO 9001:2015, leading to:

  • a significant revision in the clause and sub-clause sequence, titles, and the addition of new material, e.g., the inclusion of “5.2 Context of a quality plan”, and the extension of 7.2 to also reference the monitoring of a quality plan;
  • the incorporation of “risk-based thinking”.

3. A new clause 4 has been added on using a quality plan, including guidance on requesting and managing external provider quality plans.

Table of Contents

Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions

4. Using a quality plan
4.1 Introduction
4.2 Requesting external provider quality plans
4.3 Managing external provider quality plans

5. Development of a quality plan
5.1 Context of the quality plan
5.2 Inputs to the quality plan
5.3 Defining the scope of the quality plan
5.4 Preparation of the quality plan
5.4.1 Initiation
5.4.2 Defining the quality plan
5.4.3 Consistency and compatibility
5.4.4 Presentation and structure

6. Content of the quality plan
6.1 General
6.2 Scope of the quality plan
6.3 Quality plan inputs
6.4 Quality objectives
6.5 Quality plan responsibilities
6.6 Control of documented information
6.7 Resources
6.7.1 Provision of resources
6.7.2 Materials, products, and services
6.7.3 People
6.7.4 Infrastructure and environment for the operation of processes
6.7.5 Monitoring and measuring resources
6.8 Customers and other interested parties communication
6.9 Design and development
6.9.1 Design and development process
6.9.2 Control of design and development changes
6.10 Externally provided processes, products, and services
6.11 Production and service provision
6.12 Identification and traceability
6.13 Property belonging to customers or external providers
6.14 Preservation of outputs
6.15 Control of nonconforming outputs
6.16 Monitoring and measurement
6.17 Audits

7. Operation and control of the quality plan
7.1 Review and acceptance of the quality plan
7.2 Implementation and monitoring of the quality plan
7.3 Revision of the quality plan
7.4 Feedback and improvement

Annex A: Examples of formats for quality plans
Annex B: Schematic representation of a process approach applied to quality plans
Annex C: Correlation matrix between the clauses in this document and those in ISO 9001:2015
Annex D: Correlation matrix between the clauses of this document and the quality management principles from ISO 9000:2015

Bibliography

IATF 16949 SIs and FAQs

Aug 1, 2018

The International Automotive Task Force (IATF) has approved the release of updated IATF 16949:2016 Sanctioned Interpretations (SIs) and Frequently Asked Questions (FAQs).

Sanctioned Interpretations alter the existing published requirements of the IATF 16949:2016 standard.  Frequently Asked Questions clarify an existing requirement.

Sanctioned Interpretations

The approved Sanctioned Interpretations include “revised” SI 8, clause 8.4.2.3, Supplier quality management system development and SI 10, clause 7.1.5.3.2, External laboratory.

The “new” Sanctioned Interpretations are shown below. The replaced text has strike-throughs and the new text is in bold.

SI 12 –  Clause 5.1.1.2, Process effectiveness and efficiency

Top management shall review the ~~product realization processes~~ **effectiveness and efficiency of the quality management system** ~~and support processes~~ to evaluate and improve ~~their effectiveness and efficiency~~ **the organization’s quality management system**. The results of the process review activities shall be included as input to the management review (see Section 9.3.2.1.).

Rationale for change: Clarified that not every process requires an efficiency measure.  The organization needs to determine which processes require efficiency measures within their quality management system.  Additionally, the organization’s problem-solving processes need to have an effectiveness review conducted by the organization’s management.

SI 13 – Clause 9.3.2.1, Management review inputs – supplemental

Input to management review shall include:

a) cost of poor quality (cost of internal and external nonconformance);
b) measures of process effectiveness;
c) measures of process efficiency **for product realization processes, as applicable**;
d) product conformance;
e) assessments of manufacturing feasibility made for changes to existing operations and for new facilities or new product (see 7.1.3.1);
f) customer satisfaction (see ISO 9001, Section 9.1.2);
g) review of performance against maintenance objectives;
h) warranty performance (where applicable);
i) review of customer scorecards (where applicable);
j) identification of potential field failures identified through risk analysis (such as FMEA);
k) actual field failures and their impact on safety or the environment.

Rationale for change: Clarified that not every process requires an efficiency measure.  The organization needs to determine which processes require efficiency measures within their quality management system.

Frequently Asked Questions

The approved Frequently Asked Questions include these two new entries:

FAQ 21 – clause 8.6.2, Layout inspection and functional testing

QUESTION:  Is a layout inspection different from a product requalification or functional testing?

ANSWER:  Yes, as stated in Note 1 of 8.6.2 of IATF 16949, [Layout inspection is the complete measurement of all product dimensions shown on the design record(s)]; layout inspection is limited to dimensional measurement and requirements. Performance or materials measurements are not included in a layout inspection.

Product requalification would normally imply full validation to all product approval requirements (e.g., PPAP or PPA) and therefore exceeds the scope of a layout inspection.

Functional testing/verification would normally be limited to performance and material measurements such as durability or tensile strength and would not include dimensional measurements.

Where frequency is not defined by the customer, the organization is responsible to define the frequency of layout inspection.

Layout inspection is a part of product requalification, if product requalification is required by the customer. On-going layout inspection and functional testing requirements are defined in the control plan.  If customer-specific requirements exist, then those requirements (including layout inspection and functional testing requirements) are also included in the control plan.

FAQ 22 – clause 9.2.2.4, Product audit 

QUESTION:  How does a product audit differ from a layout inspection?

ANSWER:  As defined in section 3 of IATF 16949, the term product is used to represent “…any intended output…” of the manufacturing process.

Products typically have dimensional, performance (functional) and material requirements, therefore, product audits may contain verification of dimensional, performance (functional), or material requirements. As stated in the FAQ 21 above, a layout inspection is limited to dimensional requirements.

Product audits can be carried out on finished or partially finished product, following customer specified approaches (e.g., VDA 6.5 Product Audit), if applicable.  Product audits may include packaging and labeling requirements.

A product audit, like other audit types, is an independent verification of compliance to requirements. As such, the product audit has a defined frequency and scope specified within the audit program and is based on risk.

SI and FAQ Downloads

The IATF 16949:2016 SIs and FAQs are located on the IATF Global Oversight website: http://www.iatfglobaloversight.org.

ISO 22000:2018

Aug 1, 2018

ISO 22000:2018, “Food safety management systems — Requirements for any organization in the food chain”, has been published to replace ISO 22000:2005.

ISO 22000 specifies requirements for a food safety management system (FSMS) to enable an organization that is directly or indirectly involved in the food chain to:

a) plan, implement, operate, maintain, and update a FSMS providing products and services that are safe, in accordance with their intended use;

b) demonstrate compliance with applicable statutory and regulatory food safety requirements;

c) evaluate and assess mutually agreed customer food safety requirements and to demonstrate conformity with them;

d) effectively communicate food safety issues to interested parties within the food chain;

e) ensure that the organization conforms to its stated food safety policy;

f) demonstrate conformity to relevant interested parties;

g) seek certification or registration of its FSMS by an external organization, or make a self-assessment or self-declaration of conformity to this document.

All ISO 22000 requirements are generic and are intended to be applicable to all organizations in the food chain, regardless of size and complexity. Organizations that are directly or indirectly involved include, but are not limited to,

  • feed producers,
  • animal food producers,
  • harvesters of wild plants and animals,
  • farmers,
  • producers of ingredients,
  • food manufacturers,
  • retailers,

and organizations providing:

  • food services,
  • catering services,
  • cleaning and sanitation services,
  • transportation,
  • storage and distribution services,
  • and suppliers of equipment, cleaning and disinfectants, packaging materials and other food contact materials.

ISO 22000 allows any organization, including small and/or less developed organizations (e.g., a small farm, a small packer-distributor, or a small retail or food service outlet) to implement externally-developed elements in their FSMS.

Internal and/or external resources can be used to meet the requirements of this document. The 37-page ISO 22000:2018 standard can be ordered at this ISO web page for about $158.

ISO 27005:2018

Aug 1, 2018

ISO 27005:2018, Information technology – Security techniques – Information security risk management, is available with guidelines for information security risk management.

ISO 27005 supports the general concepts specified in ISO 27001 and is designed to assist the implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes, and terminologies described in ISO 27001 and ISO 27002 is important for a complete understanding of ISO 27005.

ISO 27005 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, and non-profit organizations) which intend to manage risks that can compromise the organization’s information security.

The 56-page standard can be ordered from ANSI.org for $167.20 for members ($209 for non-members) or at ISO.org for about $178.

To request our 1.5-day “ISO 27001:2013 Requirements” course be taught onsite at your location, please go to this web page.

ISO 19011:2018

Aug 1, 2018

ISO 19011:2018, the third edition of the “Guidelines for Auditing Management Systems” standard, has been released and replaces the second edition (ISO 19011:2011).

According to the standard itself, the main differences compared to the second edition are:

1. addition of the risk-based approach to the principles of auditing;
2. expansion of guidance on managing an audit program, including audit program risk;
3. expansion of guidance on conducting an audit, particularly the section on audit planning;
4. expansion of the generic competence requirements for auditors;
5. adjustment of terminology to reflect the process and not the object (“thing”);
6. removal of the annex containing competence requirements for auditing specific management system disciplines (due to the large number of individual management system standards, it would not be practical to include competence requirements for all disciplines);
7. expansion of Annex A to provide guidance on auditing (new) concepts such as organization context, leadership and commitment, virtual audits, compliance, and supply chain.

This standard provides guidance on auditing management systems, including the principles of auditing, managing an audit program, and conducting management system audits. It also provides guidance on the evaluation of competence of individuals involved in the audit process.

These activities include the persons managing the audit program, auditors, and audit teams. ISO 19011:2018 is applicable to all organizations that need to plan and conduct internal or external audits of management systems or manage an audit program.

Order ISO 19011:2018

The 46-page standard can be ordered from ISO or ANSI:

ISO.org
PDF + ePub (for tablets and phones) = about $158
PDF + Redline (changes) = about $190
Paper = about $158

ANSI.org
PDF = $185 (member $148)

Internal Auditor Courses

Training providers base their internal auditor courses on ISO 19011. Their courses will need to be updated to reflect the revised ISO 19011:2018 auditing guidance.

Our onsite W&A internal auditor courses based on ISO 19011:2018 are ready now. You can click on a course title below to view its description and contact us to arrange an onsite class:

ISO 9001:2015 Internal Auditor (2.5 days)

ISO 14001:2015 Internal Auditor (2.0 days)

AS9100D:2016 Internal Auditor (3.5 days)

AS9110C:2016 Internal Auditor (3.5 days)

AS9120B:2016 Internal Auditor (3.5 days)

IATF 16949:2016 Internal Auditor (3.5 days)

ISO 27001:2013 Internal Auditor (2.5 days)

ISO 13485:2016 Internal Auditor (2.5 days)

ISO 45001:2018 Internal Auditor (3.0 days) with guidance on transitioning from OHSAS 18001