
"Quality Matters in your Business"

Thursday, 22 December 2016

Merry Christmas and a Happy New Year

This has been a very busy year for us, with many clients transitioning to the revised Standards ISO 9001:2015 and ISO 14001:2015. The transition work has meant that a rethink was required for both Standards. These are now risk based, and new documented information (previously the quality and environmental manuals) was needed to make the transition easy for clients.

Clients not yet transitioned must do so before September 2018 or they will automatically be deregistered. UKAS have stated that there will be no exemptions to this rule and no extensions will be granted. The transition by your Certification Body must have been completed by the drop-dead date and, of course, any non-conformities must be cleared and accepted by the CB. The Certification Body will expect to see that the revised Standard(s) have been in use for some time before transition, since clearly they can only assess what you have been doing and not what you intend to do.

In addition, the revised Aerospace, Space and Defence Standards AS9100, AS9110 and AS9120 have been published recently with a transition period expiring on 14 September 2018; this is a tight timescale and we will work with our clients to ensure a timely transition is made.

This will be our final blog for 2016. Our offices will be closed from midday on Tuesday 22 December and will reopen on 3rd January 2017. Our email will be monitored, but it may take us longer to respond during this period.

We wish our Clients and readers of our blog a very Merry Christmas and a Happy and prosperous New Year.

2016 year end and onwards to 2017

Monday, 12 December 2016

A Detailed Look at ISO 14001:2015 Part 4: Support & Operation

SUPPORT

7.1 Resources

Details the requirement for the organisation to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the environmental management system.

7.2 Competence

Details the requirement that the organisation must:

  • Determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations;
  • Ensure that these persons are competent on the basis of appropriate education, training or experience;
  • Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken.

7.3 Awareness

Details the requirement that the organisation must ensure that persons doing work under the organisation’s control are aware of:

  • The environmental policy;
  • The significant aspects and related actual or potential environmental impacts associated with their work;
  • Their contribution to the effectiveness of the environmental management system, including the benefits of enhanced environmental performance;
  • The implications of not conforming with the environmental management system requirements, including not fulfilling the organisation’s compliance obligations.

7.4 Communication

7.4.1 General

Details the requirement that the organisation must establish, implement and maintain the processes needed for internal and external communications relevant to the environmental management system, including:

  • On what to communicate;
  • With whom to communicate;
  • How to communicate.

When establishing its communication process(es) the organisation must:

  • Take into account its compliance obligations;
  • Ensure that the environmental information communicated is consistent with information generated within the environmental management system, and is reliable.

The organisation must respond to relevant communications on its environmental management system.

The organisation must retain documented information as evidence of its communications, as appropriate.

7.4.2 Internal communication

Details the requirement that the organisation must:

  • Communicate internally on information relevant to the environmental management system among the various levels and functions of the organisation, including changes to the environmental management system, as appropriate;
  • Ensure its communication process(es) enable(s) persons doing work under the organisation’s control to contribute to continual improvement.

7.4.3 External communication

Details the requirement that the organisation must:

  • Communicate externally on information relevant to the environmental management system, as established by the organisation’s communication process(es) and as required by its compliance obligations.

7.5 Documented information

7.5.1 General

Details the requirement that the organisation’s environmental management system must include:

  • Documented information required by ISO 14001:2015;
  • Documented information determined by the organisation as being necessary for the effectiveness of the environmental management system.

7.5.2 Creating and updating

Details the requirement that, when creating and updating documented information, the organisation must ensure appropriate:

  • Identification and description (e.g. title, date, author or reference number);
  • Format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
  • Review and approval for suitability and adequacy.

7.5.3 Control of documented information

Details the requirement that documented information required by the environmental management system and by ISO 14001:2015 must be controlled to ensure:

  • It is available and suitable for use, where and when it is needed;
  • It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity);
  • Computer back-up and protection of back-up copies are in place.

The organisation must address the following activities, as applicable:

  • Distribution, access, retrieval and use;
  • Storage and preservation, including preservation of legibility;
  • Retention and disposal.

Documented information of external origin determined by the organisation to be necessary for the planning and operation of the environmental management system must be identified, as appropriate, and controlled.

8. OPERATION

8.1 Operational planning and control

Details the requirement that the organisation must establish, implement, control and maintain the processes needed to meet environmental management system requirements, and to implement the actions identified in 6.1 and 6.3, by:

  • Establishing operating criteria for the processes;
  • Implementing control of the process(es).

The organisation must control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organisation must ensure that outsourced process(es) are controlled or influenced. The type of control or influence to be applied to the process(es) must be defined within the environmental management system.

Consistent with a lifecycle perspective, the organisation must:

  • Establish controls, as appropriate, to ensure that its environmental requirement(s) is (are) addressed in the design and development process for the product or service, considering EACH STAGE OF ITS LIFECYCLE;
  • Determine its environmental requirement(s) for the procurement of products and services, as appropriate;
  • Communicate its relevant environmental requirement(s) to external providers, including contractors;
  • Consider the need to provide information about potential significant environmental impacts associated with the TRANSPORTATION OR DELIVERY, USE, END-OF-LIFE TREATMENT AND FINAL DISPOSAL OF PRODUCTS AND SERVICES.

The organisation must retain documented information to the extent necessary to have confidence that the process(es) has(have) been carried out as planned.

8.2  Emergency preparedness and response

Details the requirement that the organisation must establish, implement and maintain the processes needed to prepare for and respond to potential emergency situations identified in 6.1.1.

The organisation must:

  • Prepare to respond by planning actions to prevent or mitigate adverse environmental impacts from emergency situations;
  • Respond to actual emergency situations;
  • Take actions to prevent or mitigate the consequences of emergency situations, appropriate to the magnitude of the emergency and its potential environmental impact;
  • Periodically test the planned response actions, where practicable;
  • Periodically review and revise the process(es) and planned response actions, in particular after the occurrence of emergency situations or test(s);
  • Provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control.

The organisation must maintain documented information to the extent necessary to have confidence that the process(es) is (are) carried out as planned.

Monday, 14 November 2016

A Detailed Look at ISO 14001:2015 Part 3: Planning

PLANNING

6.1 Actions to address risks and opportunities

1. General

Details the requirements to establish, implement and maintain the processes needed to:

  • Understand the organisation and its context;
  • Understand the needs and expectations of interested parties;
  • Set the scope of its environmental management system and determine the risks and opportunities, related to its: 

    • Environmental aspects
    • Compliance obligations
    • Other issues and requirements identified by the organisation that need to be addressed to:

      • Give assurance that the environmental management system can achieve its intended outcomes
      • Prevent, or reduce, undesired effects, including the potential for external environmental conditions to affect the organisation;
      • Achieve continual improvement. 

The organisation must maintain documented information of its:

  • Risks and opportunities that need to be addressed;
  • Processes needed to the extent necessary to have confidence they are carried out as planned.

 

2. Environmental aspects

Details the requirements, within the scope of the environmental management system, to determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective.

When determining environmental aspects, the organisation must take into account:

  • Change, including planned or new developments, and new or modified activities, products and services;
  • Abnormal conditions and reasonably foreseeable emergency situations; 

The organisation must determine those aspects that have or can have a significant environmental impact (its significant environmental aspects).

The organisation must communicate on its significant environmental aspects among the various levels and functions of the organisation, as appropriate.

The organisation must maintain documented information of its:

  • Environmental aspects and associated environmental impacts;
  • Criteria used to determine its significant environmental aspects;
  • Significant environmental aspects.

 

3. Compliance obligations

Details the requirement for the organisation to:

  • Determine and have access to the compliance obligations related to its environmental aspects;
  • Determine how these compliance obligations apply to the organisation;
  • Take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system.

 

4. Planning action

Details the requirement to plan:

  • To take actions to address its:
    • Significant environmental aspects;
    • Compliance obligations;
    • Risks and opportunities.
  • How to:
    • Integrate and implement the actions into its environmental management system processes;
    • Evaluate the effectiveness of these actions.


6.2 Environmental objectives and planning to achieve them

1. Environmental objectives

Details the requirements for the organisation to establish environmental objectives at relevant functions and levels, taking into account the organisation’s significant environmental aspects and associated compliance obligations, and considering its risks and opportunities.

The environmental objectives must be:

  • Consistent with the environmental policy;
  • Measurable (if practicable);
  • Monitored;
  • Communicated;
  • Updated as appropriate.

The organisation must maintain documented information on environmental objectives.

 

2. Planning actions to achieve environmental objectives

Details the requirement for the organisation to determine:

  • What will be done;
  • What resources will be required;
  • Who will be responsible;
  • When it will be completed;
  • How the results will be evaluated, including indicators for monitoring progress towards achievement of its measurable environmental objectives.

The organisation must consider how actions to achieve its environmental objectives can be integrated into the organisation’s business processes.

Tuesday, 25 October 2016

A Detailed Look at ISO 14001:2015 Part 2: Context & Leadership

4. CONTEXT OF THE ORGANISATION

4.1 Understanding the organisation and its context

Details the requirement that the organisation must determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental management system. Such issues include environmental conditions being affected by, or capable of affecting, the organisation.

Organisations are expected to measure results against the organisation’s environmental policy, environmental objectives or other criteria using indicators.

As in most management systems, ISO 14001 provides a structured process for the achievement of continual improvement. The rate and extent of this continual improvement is determined by the organisation, taking economic and other circumstances into consideration.

This environmental standard can be implemented in the entire organisation, or to specific operating units or activities of the organisation.

Integration of environmental matters with the overall management system can contribute to the effective implementation of the environmental management system, as well as to the efficiency and to clarity of roles.


4.2 Understanding the needs and expectations of interested parties

Details the requirement that the organisation must determine:

  • The interested parties that are relevant to the environmental management system;
  • The relevant needs and expectations of these interested parties;
  • Which of these needs and expectations become its compliance obligations.

4.3 Determining the scope of the environmental management system

Details the requirement to determine the boundaries and applicability of the environmental management system in order to establish its scope.

When determining this scope, the organisation must consider:

  • External and internal issues referenced in 4.1;
  • Compliance issues referenced in 4.2;
  • Its organisational unit(s) function(s) and physical boundaries;
  • Its activities, products and services;
  • Its authority and ability to exercise control and influence.

Once produced as documented information, the scope must be available to interested parties.

4.4 Environmental management system

Details the requirement to establish, implement, maintain and continually improve an environmental management system, including the processes needed and their interactions, in accordance with ISO 14001:2015.

5. LEADERSHIP

5.1 Leadership and commitment

Details the requirement that top management must demonstrate leadership and commitment with respect to the environmental management system by:

  • Taking accountability for the effectiveness of the environmental management system;
  • Ensuring that the environmental policy and environmental objectives are established and are compatible with the strategic direction and context of the organisation;
  • Ensuring the integration of the environmental management system requirements into the organisation’s business processes;
  • Ensuring that the resources needed for the environmental management system are available;
  • Communicating the importance of effective environmental management and of conforming to the environmental management system requirements;
  • Ensuring that the environmental management system achieves its intended outcomes;
  • Directing and supporting persons to contribute to the effectiveness of the environmental management system;
  • Promoting continual improvement;
  • Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Environmental Policy

Details the requirement to establish, implement and maintain an environmental policy that, within the defined scope of its environmental management system:

  • Is appropriate to the purpose and context of the organisation, including the nature, scale and environmental impacts of its activities, products and services;
  • Provides a framework for setting environmental objectives;
  • Includes a commitment for the protection of the environment, including the prevention of pollution and other specific commitments relevant to the context of the organisation;
  • Includes a commitment to fulfil its compliance obligations;
  • Includes a commitment to continual improvement of the environmental management system to enhance environmental performance.

The environmental policy must:

  • Be maintained as documented information;
  • Be communicated within the organisation;
  • Be available to interested parties.

Monday, 10 October 2016

A Detailed Look at ISO 14001:2015 Part 1

Continuing our coverage of the new Standards here is some information about ISO 14001:2015

ISO 14001 is a model for environmental management systems. It specifies the requirements for an environmental management system that an organisation can use to enhance its environmental performance.

The standard, issued in 1996, was revised and updated in 2004 and again in 2015 to complement ISO 9001:2015. It follows the High Level Structure (Annex SL) format.

Formal assessment of an organisation’s environmental management system is carried out by an independent and accredited third party certification body.  If all the requirements are met, a certificate of conformity is issued.  Regular surveillance visits are carried out, subsequently, to ensure that the standard is being maintained.

Accreditation of the Certification Bodies (CBs) in the UK is carried out by UKAS (United Kingdom Accreditation Service). UKAS is the sole accreditor in the UK.

A register of environmentally competent firms is maintained by the Stationery Office (TSO) under subscription and is used as a reference for purchasing authorities.

The 2015 Standard allows for other means of showing conformance to ISO 14001:2015:
  • Making a self-determination and self-declaration, or
  • Seeking confirmation of its conformance by parties having an interest in the organisation, such as customers/clients, or
  • Seeking confirmation of its self-declaration by a party external to the organisation.

The market-place is becoming ever more competitive. It is clear that only the companies providing quality goods or services and protecting the environment are going to be able to compete.

The threat of global warming and its influence on the planet is easy to see with the change in climate year on year having marked effects.

Put very simply, ISO 14001 is a declaration of an organisation’s ability to implement, maintain and improve an environmental management system. The organisation has a duty to minimise the impact of its processes on the environment, fulfil compliance obligations and achieve environmental objectives.

Today’s Global Market means that companies throughout the world are able to offer their goods and services on equal terms. The increasing use of the internet and e-commerce for business makes it vital that we are able to compete.

ISO 14001 makes it easier to compete in that marketplace.

Legislation and Regulation require a company to prove that it has taken all necessary and reasonable steps to produce safe products that minimise the risk to people and the environment.

  • ISO 14001 helps provide such assurance.

ISO 14001 requires 7-10 main sections to be addressed before certification can take place.

The 2015 standard does not allow any clauses to be excluded.

ISO 14001 BY SECTION

  1. Scope
  2. Normative references (there are none)
  3. Terms and definitions
  4. Context of the organisation
    1. Understanding the organisation and its context
    2. Understanding the needs and expectations of interested parties
    3. Determining the scope of the environmental management system
    4. Environmental Management system
  5. Leadership
    1. Leadership and commitment
    2. Environmental Policy
    3. Organisational roles, responsibilities and authorities
  6. Planning
    1. Actions to address risks and opportunities
      1. General
      2. Environmental aspects
      3. Compliance obligations
      4. Planning action
    2. Environmental objectives and planning to achieve them
      1. Environmental objectives
      2. Planning actions to achieve environmental objectives
    3. Planning of changes
  7. Support
    1. Resources
    2. Competence
    3. Awareness
    4. Communication
      1. General
      2. Internal communication
      3. External communication
    5. Documented information 
      1. General
      2. Creating and updating
      3. Control of documented information
  8. Operation
    1. Operational planning and control
    2. Emergency preparedness and response
  9. Performance evaluation
    1. Monitoring, measurement, analysis and evaluation
      1. General
      2. Evaluation of compliance
    2. Internal audit
      1. General
      2. Internal audit programme
    3. Management review
  10. Improvement
    1. General
    2. Nonconformity and corrective action
    3. Continual improvement

Monday, 26 September 2016

Aerospace and Defence Standards update

IAQG have finally announced the timetable for release and transition of the AS 91xx:2016 Standards.

AS9100:2016 Aerospace and Defence Standard released for publication in all sectors on 23 September 2016.

AS9101:2016 QMS audit Standard, AS9110:2016 Maintenance QMS and AS9120:2016 Distributor QMS to be released for publication in all sectors in October 2016.

It is important to note that any audit carried out from June 2017 must be to the 9100:2016, 9110:2016 or 9120:2016 standards. That does make the timescale rather short.

Any organisation not transitioning to the 2016 standards by 15 September 2018 will no longer hold a valid certificate.

The revised Standards are based on the updated ISO 9001:2015 Standard and Annex SL (10 Section format) but with additional requirements.

Monday, 12 September 2016

A detailed look at the ISO 9001:2015 Quality Management Standard: Part 5

9. PERFORMANCE EVALUATION

MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION

Details the requirement for the organisation to determine:

  • What needs to be monitored and measured;
  • The methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;
  • When monitoring and measuring is performed;
  • When the results from monitoring and measurement are analysed and evaluated.

The organisation must evaluate the performance of the quality management system.

The organisation must retain documented information as evidence of the results.

CUSTOMER SATISFACTION


Details the requirement to monitor customers’ perception of the degree to which their needs and expectations have been fulfilled.  The organisation must determine the methods for obtaining, monitoring and reviewing this information.

The methods may include customer surveys, customer feedback on delivered products and services, meeting with customers, market share analysis, compliments, warranty claims and dealer reports.

ANALYSIS AND EVALUATION


Details the requirement for the organisation to analyse and evaluate appropriate data and information arising from monitoring and measurement. 

The results of analysis must be used to evaluate:

  • Conformity of products and services;
  • The degree of customer satisfaction;
  • The performance and effectiveness of the quality management system;
  • If planning has been implemented effectively;
  • The effectiveness of actions taken to address risks and opportunities;
  • The performance of external providers;
  • The need for improvements to the quality management system.

Methods to analyse data can include statistical techniques.

INTERNAL AUDIT


Details the requirements to conduct internal audits at planned intervals to provide information on whether the quality management system:

  • Conforms to:
    • The organisation’s own requirements for its quality management system;
    • The requirements of ISO 9001:2015;
  • Is effectively implemented and maintained.

The organisation must:

  • Plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which must take into consideration the importance of the processes concerned, changes affecting the organisation, and the results of previous audits;
  • Define the audit criteria and scope for each audit;
  • Select properly qualified auditors and conduct audits to ensure objectivity and impartiality of the audit process;
  • Ensure that the results of audits are reported to relevant management;
  • Take appropriate corrective actions without undue delay;
  • Retain documented information as evidence of the implementation of the audit programme and the audit results.

 

MANAGEMENT REVIEW

Details the requirement for the organisation to review the quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organisation.

MANAGEMENT REVIEW INPUTS

The management review must be planned and carried out taking into consideration:

  • The status of actions from previous management reviews;
  • Changes in external and internal issues that are relevant to the quality management system;
  • Information on the performance and effectiveness of the quality management system, including trends in:
    • Customer satisfaction and feedback from relevant interested parties;
    • The extent to which quality objectives have been met;
    • Process performance and conformity of products and services;
    • Nonconformities and corrective actions;
    • Monitoring and measurement results;
    • Audit results;
    • The performance of external providers;
  • The adequacy of resources;
  • The effectiveness of actions taken to address risks and opportunities;
  • Opportunities for improvement.

MANAGEMENT REVIEW OUTPUTS


The outputs of the management review must include decisions and actions related to:

  • Opportunities for improvement;
  • Any need for changes to the quality management system;
  • Resource needs.

The organisation must retain documented information as evidence of the results of management reviews.

10. IMPROVEMENT


GENERAL


Details of the requirements for the organisation to determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.  These must include:

  • Improving products and services to meet requirements as well as to address future needs and expectations;
  • Correcting, preventing or reducing undesired effects;
  • Improving the performance and effectiveness of the quality management system.

NONCONFORMITY AND CORRECTIVE ACTION


Details the requirement that, when a nonconformity occurs, including any arising from complaints, the organisation must:

  • React to the nonconformity, and as applicable:
    • Take action to control and correct it;
    • Deal with the consequences;
  • Evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere by:
    • Reviewing and analysing the nonconformity;
    • Determining the cause of nonconformity;
    • Determining if similar nonconformities exist, or could possibly occur;
  • Implement any action needed;
  • Review the effectiveness of any corrective action taken;
  • Update risks and opportunities, determined during planning, if necessary.

Corrective actions must be appropriate to the effects of the nonconformities encountered.

The organisation must retain documented information as evidence of:

  • The nature of the nonconformities and any subsequent actions taken;
  • The results of corrective action.

CONTINUAL IMPROVEMENT


Details the requirement for the organisation to continually improve the suitability, adequacy and effectiveness of the quality management system.

The organisation must consider the results of analysis and evaluation, and the outputs from management reviews, to determine if there are needs or opportunities that must be addressed as part of continual improvement.


Once all this is put into place a formal assessment can take place.  Of course continued compliance is a must and will be checked by the Certification Body.

Tuesday, 30 August 2016

A detailed look at the ISO 9001:2015 Quality Management Standard: Part 4

 

8. OPERATION

Details the requirement for the planning, implementation and control of the processes needed to meet the requirements for the provision of products and services, and to implement the actions determined in Section 6 (Planning), by:

  • Determining the requirements for the products and services;
  • Establishing the criteria for:
    • The processes;
    • The acceptance of products and services;
  • Determining the resources needed to achieve conformity to the product and service requirements;
  • Implementing control of the processes in accordance with the criteria;
  • Determining and keeping documented information to the extent necessary:
    • To have confidence that the processes have been carried out as planned;
    • To demonstrate the conformity of products and services to their requirements.

The output of this planning must be suitable for the organisation’s operations.

The organisation must control planned changes and review the consequences of unintended changes, taking actions to mitigate any adverse effects, as necessary.

The organisation must ensure that any outsourced processes are controlled.

REQUIREMENTS FOR PRODUCTS AND SERVICES

CUSTOMER COMMUNICATION

This includes:

  • Providing information relating to products and services;
  • Handling enquiries, contracts or orders, including changes;
  • Obtaining customer feedback relating to products and services, including customer complaints;
  • Handling or controlling customer property;
  • Establishing specific requirements for contingency actions, where relevant.


DETERMINING THE REQUIREMENTS RELATED TO PRODUCTS AND SERVICES

When determining the requirements for products and services to be offered to customers, the organisation must ensure that:

  • The requirements for the products and services are defined, including:
    • Any applicable statutory and regulatory requirements;
    • Those considered necessary by the organisation;
  • It can meet the claims for the products and services it offers.


REVIEW OF REQUIREMENTS RELATED TO PRODUCTS AND SERVICES


The organisation must ensure that it has the ability to meet the requirements for products and services being offered to customers. The organisation must conduct a review before committing to supply products and services to a customer to include:


  • Requirements specified by the customer, including the requirements for delivery and post-delivery activities;
  • Requirements not stated by the customer, but necessary for the specified or intended use, where known;
  • Requirements specified by the organisation;
  • Statutory and regulatory requirements applicable to the products and services;
  • Ensuring that contract or order requirements differing from those previously expressed are resolved.
  • The customer’s requirements must be confirmed by the organisation before acceptance, when the customer does not provide a documented statement of their requirements.
  • Where internet sales are involved, a formal review is impractical for each order. Instead the review can cover relevant product information, such as catalogue or advertising material.
  • The organisation must retain documented information, as applicable:
    • On the results of the review;
    • On any new requirements for the products and services.


CHANGES TO REQUIREMENTS FOR PRODUCTS AND SERVICES



The organisation must ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.
 


DESIGN AND DEVELOPMENT OF PRODUCTS AND SERVICES



Details the requirement for the organisation to establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.



DESIGN AND DEVELOPMENT PLANNING



The stages and controls for design and development including:


  • The nature, duration and complexity of the design and development activities;
  • The required process stages, including applicable design and development reviews;
  • The required design and development verification and validation activities;
  • The responsibilities and authorities involved in the design and development process;
  • The internal and external resource needs for the design and development of products and services;
  • The need to control interfaces between persons involved in the design and development process;
  • The need for involvement of customers and users in the design and development process;
  • The requirements for subsequent provision of products and services;
  • The level of control expected for the design and development process by customers and other relevant interested parties;
  • The documented information needed to demonstrate that design and development requirements have been met.



DESIGN AND DEVELOPMENT INPUTS



The organisation must determine the requirements essential for the specific types of products and services to be designed and developed, considering:


  • Functional and performance requirements;
  • Information derived from previous similar design and development activities;
  • Statutory and regulatory requirements;
  • Standards or codes of practice that the organisation has committed to implement;
  • Potential consequences of failure due to the nature of the products and services.


Inputs must be adequate for design and development purposes, complete and unambiguous.


Conflicting design and development inputs must be resolved.


Documented information on design and development inputs must be kept.



DESIGN AND DEVELOPMENT OUTPUTS   



  • Must meet input requirements;
  • Are adequate for the subsequent processes for the provision of products and services;
  • Include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria;
  • Specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision;


Documented information on design and development outputs must be kept.



CONTROL OF DESIGN AND DEVELOPMENT CHANGES



The organisation must identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements.


Change documented information must include, as appropriate:


  • Design and development changes;
  • The results of reviews;
  • The authorisation of the changes;
  • The actions taken to prevent adverse impacts.


CONTROL OF EXTERNALLY PROVIDED PRODUCTS AND SERVICES



Details the requirement for the organisation to ensure that externally provided processes, products and services conform to requirements.  The organisation must determine the controls to be applied to externally provided processes, products and services, when:


  • Products and services from external providers are intended for incorporation into the organisation’s own products and services;
  • Products and services are provided directly to the customer(s) by external providers on behalf of the organisation;
  • A process, or part of a process, is provided by an external provider as a result of a decision by the organisation.


The organisation must determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or product and services in accordance with requirements.


The organisation must retain documented information of these activities and any necessary actions arising from the evaluations.



TYPE AND EXTENT OF CONTROL



The organisation must ensure that externally provided processes, products and services do not adversely affect the organisation's ability to consistently deliver conforming products and services to its customers.



INFORMATION FOR EXTERNAL PROVIDERS


Details the requirement for the organisation to ensure the adequacy of requirements prior to their communication to the external provider.  The organisation must communicate to external providers its requirements for:

  • The processes, products or services to be provided;
  • The approval of:
    • Products and services;
    • Methods, processes and equipment;
    • The release of products and services;
  • Competence, including any required qualification of persons;
  • The external providers' interactions with the organisation;
  • Control and monitoring of the external providers' performance to be applied by the organisation;
  • Verification or validation activities that the organisation, or its customer, intends to perform at the external providers' premises.
  
 

PRODUCTION AND SERVICE PROVISION



CONTROL OF PRODUCTION AND SERVICE PROVISION



Details the controlled conditions that must be in place for actual product manufacture or service delivery.   Controls must be sufficient to ensure consistent conformance to the specification. These may include, as applicable:

  • The availability of documented information that defines:
    • The characteristics of the products to be produced, the services to be provided, or the activities to be performed;
    • The results to be achieved;
  • The availability and use of suitable monitoring and measuring resources;
  • The implementation of monitoring and measuring activities at appropriate stages to verify that criteria for control processes or outputs, and acceptance criteria for products and services, have been met;
  • The use of suitable infrastructure and environment for the operation of processes;
  • The appointment of competent persons, including any required qualification;
  • The validation, and periodic re-validation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;
  • The implementation of actions to prevent human error;
  • The implementation of release, delivery and post-delivery activities.



IDENTIFICATION AND TRACEABILITY



Details the requirements that the organisation must use suitable means to identify outputs when it is necessary to ensure the conformity of products and services.


The organisation must identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.


The organisation must control the unique identification of the outputs when traceability is a requirement, and must retain documented information necessary to enable traceability.



PROPERTY BELONGING TO CUSTOMERS OR EXTERNAL PROVIDERS



The organisation must exercise care with property belonging to customers or external providers while under the organisation’s control or being used by the organisation.


The organisation must identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products or services.


When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organisation must report this to the customer or external provider and retain documented information on what has occurred.


This property can include material, components, tools and equipment, premises, intellectual property and personal data.



PRESERVATION



Details the requirement for the organisation to preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.


Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.


POST DELIVERY ACTIVITIES



Details the requirements for post-delivery activities associated with products and services.  The following must be considered:

  • Statutory and regulatory requirements;
  • The potential undesired consequences associated with its products and services;
  • The nature, use and intended lifetime of its products and services;
  • Customer requirements;
  • Customer feedback;
  • Warranty and servicing, where appropriate, and recycling or final disposal.


CONTROL OF CHANGES



Details the requirement to review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.


The organisation must retain documented information describing the results of the review of changes, the person(s) authorising the change, and any necessary actions arising from the review.



RELEASE OF PRODUCTS AND SERVICES



Details the planned arrangements, at appropriate stages, to verify that the product or service requirements have been met.


The release of products and services to the customer must not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.


The organisation must retain documented information on the release of products and services.  The documented information must include:


  • Evidence of conformity with acceptance criteria;
  • Traceability to the person(s) authorising the release.


CONTROL OF NONCONFORMING PROCESS OUTPUTS



Details the requirements to ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.


The organisation must take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services.  This also applies to nonconforming products and services detected after delivery of products, or during or after the provision of services.


The organisation must deal with nonconforming products and services in one or more of the following ways:


  • Correction;
  • Segregation, containment, return or suspension of  provision of products and services;
  • Informing the customer;
  • Obtaining authorisation for acceptance under concession.

Conformity to the requirements must be verified when nonconforming outputs are corrected.


The organisation must retain documented information that:


  • Describes the nonconformity;
  • Describes the actions taken;
  • Describes any concessions obtained;
  • Identifies the authority deciding the action taken in respect to the nonconformity.

Friday, 12 August 2016

A detailed look at the ISO 9001:2015 Quality Management Standard: Part 3

6. PLANNING FOR THE QUALITY MANAGEMENT SYSTEM

Details the requirements for concepts of risk (and opportunity).

  • ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES - The requirement to understand the risks and opportunities relevant to the scope of the organisation and determine actions, objectives and plans to address them.

  • The risks and opportunities use the inputs that the organisation has identified in understanding its context and the views from interested parties.

  • Options to address risks and opportunities can include:

    • Avoiding risk;
    • Taking risk in order to pursue an opportunity;
    • Eliminating the risk source;
    • Changing the likelihood or consequences;
    • Sharing the risk; or
    • Retaining risk by informed decision.
  • Opportunities:

    • Can lead to the adoption of new practices:
    • Launching new products;
    • Opening new markets;
    • Addressing new clients;
    • Building partnerships;
    • Using new technology and other desirable and viable possibilities to address the organisation’s or its customers’ needs.
  • QUALITY OBJECTIVES AND PLANNING TO ACHIEVE THEM - The requirement for the organisation to set quality objectives at relevant functions, levels and processes needed for the quality management system.  These objectives must be SMART (Specific, Measurable, Achievable, Realistic and Timely) and can include:

    • Market position/growth;
    • Process effectiveness/efficiency;
    • Maintenance of present position;
    • Reduction in costs of quality;
    • Improvements in product conformity;
    • Reduction in defects/poor service;
    • Improved customer/client satisfaction.


    Objectives can be part of staff development/appraisals and records need to be kept on levels of achievement.

    When planning how to achieve its quality objectives, the organisation must determine:

    • What will be done;
    • What resources will be required;
    • Who will be responsible;
    • When it will be completed;
    • How the results will be evaluated.

  • PLANNING OF CHANGES- The requirement is to ensure changes and the impact of changes are considered in terms of risk and are effectively planned, controlled and managed.

7. SUPPORT

Details the requirements for resources (people, infrastructure, environment for the operation of processes, monitoring and measuring resources, measurement traceability and organisational knowledge), together with the competence, awareness, communication and documented information requirements of the quality management system.

  • RESOURCES -   The requirement to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system, including consideration of what needs to be obtained from external providers.

  • PEOPLE – Determine and provide the persons necessary for effective implementation of the quality management system and for the operation and control of its processes.

  • INFRASTRUCTURE – Determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.

  • ENVIRONMENT FOR THE OPERATION OF ITS PROCESSES – Determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.

  • These can be a combination of social, psychological and physical.

  • MONITORING AND MEASURING RESOURCES – The requirement to determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements.  Documented information as evidence of fitness for purpose of the monitoring and measurement resources are kept.

  • MEASUREMENT TRACEABILITY – When measurement traceability is a requirement, or is considered to be an essential part of providing confidence in the validity of measuring results, measuring equipment must be:

    • Calibrated, or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards.  Where no standard exists the basis for calibration or verification must be documented.
    • Identified in order to determine their status.
    • Safeguarded from adjustments that would invalidate the calibration status.
    • Where equipment is found to be unfit for its intended purpose then the validity of previous measurements must be reviewed.

  • ORGANISATIONAL KNOWLEDGE – Determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.   This knowledge must be maintained and be made available to the extent necessary.  

  • This knowledge can be from internal resources (e.g. intellectual property, knowledge specific to the organisation, gained from experience, lessons learned from failures and successful projects, capturing and sharing undocumented knowledge and experience, the results of improvements in processes, products and services).

  • External sources (e.g. standards, academia, conferences, gathering knowledge from customers or external providers).

  • COMPETENCE -  The requirement to determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the quality management system and, where competence criteria are not met, to provide the training required to acquire such competence.   There is a requirement to manage recruitment, induction and ongoing training and to retain documented information as evidence of competence.

  • AWARENESS – The requirement to ensure that staff are made aware of the quality policy, the relevant quality objectives, their contribution to the effectiveness of the quality management system and the benefits of improved performance, and conversely the implications of not conforming with the quality management system requirements.

  • COMMUNICATION – The requirement for the organisation to determine the internal and external communications relevant to the quality management system including:

    • What it will communicate;
    • When to communicate;
    • With whom to communicate;
    • How to communicate;
    • Who communicates.
  • DOCUMENTED INFORMATION – the requirement for documented information required by ISO 9001:2015 and documented information determined by the organisation as being necessary for the effectiveness of the quality management system.
There is no longer a requirement for mandatory documented procedures or manuals, but there is a requirement to maintain documented evidence of the system being operated.

In practice many organisations will maintain manuals and procedures to act as a guide and ensure operations are carried out effectively and efficiently.     
    
Documented information can be in any format and on any medium.

  • CREATING AND UPDATING – When creating and updating documented information the following must be observed:

    • Identification and description (e.g. Title, date, version, author, or reference number).
    • Format (e.g. language, software version, graphics) and media (e.g. Paper or electronic).
    • Review and approval for suitability and adequacy.
  • CONTROL OF DOCUMENTED INFORMATION -  Documented information required by the quality management system and by ISO 9001:2015 must be controlled to ensure:

    • It is available and suitable for use, where and when it is needed;
    • It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).


  • The following activities must be addressed, as appropriate:

    • Distribution, access, retrieval and use;
    • Storage, preservation, including preservation of legibility;
    • Control of changes (e.g. version control);
    • Retention and disposition.
Documented information of external origin determined by the organisation to be necessary for the planning and operation of the quality management system must be identified, as appropriate, and controlled.

Documented information retained as evidence of conformity is protected from unintended alterations.

Monday, 1 August 2016

A detailed look at the ISO 9001:2015 Quality Management Standard: Part 2

ISO 9001 BY SECTION


4. CONTEXT OF THE ORGANISATION

 

Details the requirements for:

  • UNDERSTANDING THE ORGANISATION AND ITS CONTEXT- the requirement for the organisation to consider a wide range of potential factors, both external and internal, that can impact on the management system, in terms of its structure, scope, implementation and operation, including:

    • Social;
    • Economic;
    • National;
    • Governance;
    • Technological;
    • Political;
    • Products and services


  • UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES – The requirement to consider the needs of interested parties both internal and external, including, as appropriate:

    • Directors;
    • Employees;
    • Contractors;
    • Clients/Customers;
    • Suppliers;
    • Regulators;
    • Legislation;
    • Shareholders;
    • Neighbours;
    • Non-Governmental Organisations (NGOs);
    • Parent Organisations.

The best way to demonstrate this is to have both the context and interested parties logged in a database, register or similar. This should include details of the legislation or regulation with which the organisation must comply.

  • DETERMINING THE SCOPE OF THE QUALITY MANAGEMENT SYSTEM – Now includes a requirement to consider both the context and interested parties along with the products or services being delivered.

    Naturally the scope must include a requirement to comply with the Quality Management Standard ISO 9001:2015.

  • QUALITY MANAGEMENT SYSTEM AND ITS PROCESSES – The requirement to establish, implement, maintain and continually improve the management system, including the processes needed and their interactions in order to deliver the required products, services and performance required under the scope.

    A process is a set of interrelated activities which transforms inputs into outputs.

    Organisations need to address risks and opportunities (Section 6)

    Organisations will also need to demonstrate the resources needed, ensuring their availability.

5. LEADERSHIP

This clause used to be “management commitment” but now requires that top management engage more fully with the critical aspects of the quality management system.

  • LEADERSHIP AND COMMITMENT – The requirement that top management must demonstrate leadership and commitment with respect to the quality management system. Top-level oversight of the quality management system is now a key component of the organisation and its core business processes and activities.

    The quality management system must be integrated into the organisation’s business processes.

  • CUSTOMER FOCUS - A requirement to demonstrate leadership and commitment with respect to customer focus:

    • Fully determine market/customer needs and expectations.  This information then acts as an input to determining strategy and direction, and facilitates development of a management system capable of satisfying the targeted market or customer.

      An example could be:

    • Market surveys;
    • Customer/client meeting minutes;
    • Questionnaires;
    • Other areas of research.

    Customer/Client focus has been extended to include determination of risks and opportunities that affect conformity of products and services.

    This could be a S.W.O.T analysis (strengths, weaknesses opportunities and threats) or PESTLE (Political, Economic, Social, Technological, Legal and Environmental) or similar.

  • QUALITY POLICY – The requirement for a quality policy establishing goals and commitments appropriate to the organisation, not simply a bland statement that could apply to any business.  The policy must be communicated to all employees and they need to understand the part that they have to play in its deployment.  Additionally, the policy must be available to interested parties.  The policy is authorised by the most senior person in the organisation: CEO, MD, Senior Partner, etc.

  • ORGANISATIONAL ROLES, RESPONSIBILITIES and AUTHORITIES – The requirement to ensure those involved are fully aware of their role. Top management must be identified as being responsible for ensuring that aspects of the system are properly assigned, communicated and understood.

  • Top management must ensure that key responsibilities are defined. An organisation chart and job descriptions or procedures can be used to identify responsibilities and authorities.

    Unlike previous versions of this standard the specific role of Management Representative is not used.  The activities of the role however, are now referenced within the core structure of the organisation, including top management.

Monday, 18 July 2016

A detailed look at the ISO 9001:2015 Quality Management Standard - Part 1

All management system standards issued since 2012 follow the High Level Structure (HLS) set out in Annex SL of the ISO/IEC Directives, and each has the same ten clauses.  This will make it easier to integrate standards and will simplify documentation. 

The ten clauses are:
 
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

ISO 9001 is a model for quality management systems. It is a quality system certification scheme in which a company's processes are assessed against the standard.  The standard is agreed nationally, across the European Union and internationally.

The Standard, which is now on its sixth generation, was first known as BS 5750.

Formal assessment of an organisation’s quality management system is carried out by an independent and accredited third party certification body.  If all the requirements are met, a certificate of conformity is issued.  Regular surveillance visits are carried out, subsequently, to ensure that the standard is being maintained.

Accreditation of the Certification Bodies (CBs) in the UK is carried out by UKAS (United Kingdom Accreditation Service).  UKAS is the sole national accreditation body in the UK.

A register of quality competent firms is maintained by the Stationery Office (TSO) under subscription and is used as a reference for purchasing authorities.

The market-place is becoming ever more competitive. It is clear that only the companies providing goods or services of the required quality are going to be able to compete.

Put very simply BS EN ISO 9001 sets out the requirements of a quality management system which supports the delivery of a product or service, through the application of effective and continually improving systems, assuring conformity to customer and applicable legal requirements, whilst enhancing customer satisfaction.

Today’s Global Market means that companies throughout the world are able to offer their goods and services on equal terms.   The use of the internet and E-commerce for business makes it vital that we are able to compete.

        ISO 9001 makes it easier to compete in that market-place.

Product liability laws require a company to prove that it has taken all necessary and reasonable steps to produce safe products that minimise the risk to users.

  • ISO 9001 helps provide such assurance.
  • ISO 9001 requires 7 main sections (4-10) to be addressed before certification can take place.  

The 2015 standard does not allow any clauses to be excluded, unlike previous versions.

Monday, 4 July 2016

EU Referendum

The seemingly endless conversation about the UK's place in the European Union was put to the people of the United Kingdom.

Britain voted to leave the EU; the ground didn’t open up and swallow us nor did the four horsemen of the apocalypse arrive as predicted by the many doom mongers.

Clearly there is much negotiation to take place and a significant review of the EU directives that have been transposed into UK statute. The EU has produced hundreds of Directives over the years; some we can keep and others we can discard.

The main areas which will need serious consideration are the Environmental Laws which have placed a heavy burden on British businesses, particularly in climate levies and VAT on energy.

The other area which will need fairly urgent consideration is the revision of data protection law, which is in its final stages at EU level as the General Data Protection Regulation.

Notwithstanding these issues there will be a transition period before any major changes.  It is important to note that until negotiations are complete and actual BREXIT takes place we are still in the EU with all its advantages and disadvantages.  It is possible that the divorce could take up to two years to effect.

We at Quality Matters are confident that we can continue to serve our Clients and provide help with all the major management standards.

Where next after the EU vote?

Monday, 20 June 2016

Ransomware


Ransomware is malware that installs itself on your computer, searches out documents, spreadsheets and databases and encrypts them with a key that only the perpetrator holds.  The perpetrator then sends a demand for payment, usually in Bitcoin, to release the files.  Once payment has been made the key is supplied which will unlock the files.

Sadly a number of victims have paid the ransom only to find that the password is not supplied or a further demand for payment is made.

The alternative to paying the ransom is to clear all infected files and restore from a good backup.

I received such an email which purported to be an invoice with a zip attachment.  It arrived on a Sunday so I was sure it wasn’t genuine.  I downloaded it to a totally isolated machine so as not to infect our platform.  The attachment contained an exe file which installed CryptXXX on the computer and searched for files to encrypt.

There were only a handful of test files which were encrypted.  The ransom email requested 50 bitcoins to release the password. At its current value this is about £1500.

Needless to say we wouldn’t pay.

Apparently the UK is a prime hunting ground for these crooks, as curiosity results in people opening these attachments just to see what they are.  The results can be devastating, particularly if good backups are not available.

If you are a victim of one of these scams then report it to www.actionfraud.police.uk/report_fraud
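A check of the kind the post describes, as an added example that is not from the original post: it unpacks a ZIP attachment in memory and flags entries that are Windows executables by content (the MZ header at the start of every PE file) rather than trusting the file name, catches the "invoice.pdf.exe" double-extension trick, recurses into nested archives so a zip-inside-a-zip cannot hide the payload, and refuses to inflate oversized entries. The sample attachment it builds is constructed for the example (the payload is a fake header, not a real program), and the executable-extension list is an illustrative, non-exhaustive assumption.

```python
import io
import zipfile

# File extensions Windows will run directly from Explorer. Constructed,
# non-exhaustive list for this example; extend it for your own environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".jar",
}
PE_MAGIC = b"MZ"            # DOS header every Windows PE executable starts with
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP archive
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def scan_zip_attachment(data: bytes, max_depth: int = 3) -> list:
    """Inspect a ZIP attachment (as bytes) and return one finding per suspicious entry.

    A finding is a dict: {"entry": path, "depth": nesting level, "reasons": [...]}.
    Nested archives are unpacked in memory up to max_depth so that a zip-in-zip
    cannot hide the payload from the check.
    """
    findings = []
    _scan(data, "", 0, max_depth, findings)
    return findings


def _scan(data, prefix, depth, max_depth, findings):
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append({"entry": prefix or "<attachment>", "depth": depth,
                         "reasons": ["not a valid zip archive"]})
        return
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            entry = prefix + info.filename
            reasons = []
            # Declared sizes come from the central directory; cap before inflating.
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append({"entry": entry, "depth": depth,
                                 "reasons": ["oversized entry (possible zip bomb)"]})
                continue
            with archive.open(info) as fh:
                head = fh.read(4)  # enough for both magic checks
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            # Check content first: renaming evil.exe to invoice.pdf does not change the MZ header.
            if head.startswith(PE_MAGIC):
                reasons.append("PE executable content (MZ header)")
            elif ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension disguises the real type")
            if ext == ".zip" or head.startswith(ZIP_MAGIC):
                if depth + 1 > max_depth:
                    reasons.append("nested archive deeper than max_depth; not inspected")
                else:
                    _scan(archive.read(info), entry + "!", depth + 1, max_depth, findings)
            if reasons:
                findings.append({"entry": entry, "depth": depth, "reasons": reasons})


def build_sample_attachment() -> bytes:
    """Constructed sample for the example: an 'invoice' zip like the one in the post.

    The inner payload carries only a fake PE header (it is not a runnable program),
    is named with a double extension and is nested one level deep.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2016.pdf.exe",
                   PE_MAGIC + b"\x90" * 60 + b"fake payload, not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Read me.txt", b"Please find your invoice attached.")
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_attachment()):
        print(finding["depth"], finding["entry"], "; ".join(finding["reasons"]))
```

On the constructed sample the harmless text file produces nothing, while the nested "Invoice_2016.pdf.exe" is reported once with both the MZ-content and double-extension reasons. The same function can be run on an attachment saved from a mail gateway before anyone on a desktop opens it; a finding is a reason to quarantine the message, not to double-click and see.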




Monday, 6 June 2016

ISO 45001 – replacement for OHSAS 18001

It seems that there is a certain amount of dissent for the latest draft of ISO 45001 which was due to be published later this year in October.

Part of the approval process relies on a positive vote from the 60 or so National Standards Bodies.  Voting took place between February and May of this year; there was a majority in favour of approval (71%) but 28% voted against.  Astonishingly, one country abstained.

This will mean that it is back to the drawing board.  It was always ambitious to expect 60 countries to agree an Occupational Health & Safety Standard and this emphasises the different approach to H & S  in each country.

Consequently, there will have to be a major re-think and redraft based on the responses from the Country Bodies.  There is even some talk that the Standard may be abandoned if sufficient support cannot be generated.

Watch this space.

Monday, 23 May 2016

AS 9100 series of Standards

The aerospace and defence standards AS9100, AS 9110 and AS 9120 which were due to be published in April of 2016 have been delayed.

The latest information from the International Aerospace Quality Group (IAQG) indicates that the Standards will be published concurrently across the Americas, Asia-Pacific and Europe towards the end of this year.

  • AS9100: 2016 is planned for October 2016
  • AS9110: 2016 is planned for November 2016
  • AS9120: 2016 is planned for December 2016

It is hoped that these timelines may be shortened but it must be remembered that the transition deadline remains the same – 15 September 2018, to align with ISO 9001:2015.

The shortened timeline may cause problems, particularly with the current shortage of auditors.

Organisations leaving the transition to the last minute may find that they miss the deadline because they cannot arrange a transition visit and clear any non-conformities.  Any organisation missing the deadline will be left without certification.  There can be no exceptions and the deadline will not be extended.

Although the format (which will follow the ISO Annex SL) is known, the actual content is subject to change.  This is evident as the April proposed publication date was missed.   We recommend that outline transition effort can be made but detailed transition effort should wait until formal publication dates.

Monday, 9 May 2016

Windows

Readers of this blog will know that I comment on windows on occasion, and this invariably means Microsoft Windows. There have been a number of issues surrounding Windows 8 and subsequently Windows 10. There was no Windows 9.

This blog has nothing to do with Microsoft; our landlord has decided to replace all the windows in our building with energy efficient double glazed units.

While we welcome the end result, the process of removing the old windows has been less than conducive to work. Loud banging, drilling and filing have made working in the office pretty difficult.

I have been fortunate in that the week of the building work coincided with a week away from the office auditing. I only had to put up with this for half a day before leaving for my Client.

I am sure that I will appreciate the benefits of double glazing, both in the winter when they should insulate the office from the cold and also in the summer when the energy coating should reduce the sun glare.

It remains to be seen if my optimism is justified.

Watch this space…

Monday, 25 April 2016

Microsoft and data gathering

Some time ago we advised our readers that the Microsoft diagnostic tracking element was running and how you could disable it. Microsoft's own statement of what it collects said:

"Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

Quite a lot of users concerned about privacy disabled this element in the registry. We all thought it had disappeared in recent Windows 10 builds, but it hadn't. Microsoft had simply renamed it and turned it on by default. Now it is called "Connected User Experiences and Telemetry Service".

Once again, it needs to be disabled manually.

  1. Right-click the Windows Start button and open Run
  2. Type services.msc and press Enter
  3. Scroll down to Connected User Experiences and Telemetry Service
  4. Right-click it and select Properties
  5. Set the Startup type to Disabled and, if the service is still running, click Stop

If each Microsoft update is going to re-enable this data-slurping service, we all need to be vigilant.

Monday, 11 April 2016

Bank Holiday Monday

This year I had arranged a Client visit some hundred miles distant on the Tuesday after Easter and to make sure I was able to get there on time I stayed overnight at a local hotel nearby.

The following morning, I arrived at the appointed time at my Client and was met by one of the managers, who told me that she was not sure if the Quality Manager was going to attend. Although this is a rare occurrence, it is nevertheless irritating. She telephoned the QM, who said that he had just returned from holiday, was busy looking at his emails from home and thought our meeting had been cancelled, but he may have forgotten to tell me.

The visit was in preparation for both an internal and an external audit, so it was pretty important. The Manager and I were embarrassed that both she and I had been let down and that this opportunity to be fully prepared for the two audits had been wasted.

Naturally the Client would be billed for the abortive day; the Manager was in full agreement and full of apologies. I did say that it was not her fault that this had happened.

I received an email from the Quality Manager saying that he thought the meeting was unnecessary and that he could cover the topics by telephone. Unfortunately, I would not be available to discuss all the relevant matters on the telephone before the April audit as I was fully booked; he would have to accept that there may be non-conformities declared at the audit which may be difficult to correct before the external audit a few weeks later, and this may have an adverse impact on the Company's certifications.

Inevitably there are occasions where a meeting has to be cancelled or postponed; this is usually some form of emergency, and in those circumstances it is unavoidable, but not in this instance.

I understand that the matter has been escalated within the Company and I will wait for an outcome.

Tuesday, 29 March 2016

ISO 13485:2016 Quality Management for Medical Devices

Standards last year and this year seem to be like buses: nothing for ages, then they all come at once. There has been a rush of revisions to various Standards, and most have adopted the new ISO Annex SL format, in which all the Standards have ten clauses to allow easier integration.

The long-awaited ISO 13485:2016 has just been published; sadly it does not follow the Annex SL format, but it does address risk and opportunity as part of the requirements.

The revised Standard is applicable to a wide range of medical products, from bandages to remote robotic surgical systems and everything in between. Like all the revised standards, there is more emphasis on suppliers and the roles they play in products and services, looking at the entire life-cycle of products.

There are a number of new elements that have been introduced:

  • Work environment now includes contamination control;
  • Particular requirements for validation of processes for sterilisation and sterile barrier systems;
  • Reporting to regulatory authorities;
  • Actions in response to nonconforming product detected after delivery;
  • Rework;
  • Rules for medical software as a product.

There will be a transition period of three years to allow organisations to take the revised Standard on board.

Organisations that have a combined ISO 9001 and ISO 13485 system will have to consider whether these Standards will now have to be audited separately, as they have somewhat diverged. This will, of course, have a cost implication.

Monday, 14 March 2016

Smart Phones and Loss of Data

I was with a client this week in London and, while going through the requirements for transition to ISO 9001:2015, the revised quality management Standard, we were visited by the Police.

No, they weren't coming to get me (or the Client); they were advising local businesses that there had been a number of instances where phones had been snatched from people in the street. Apparently this has reached almost 100 cases this year alone. The thief, riding a scooter or small motorbike, rides up behind the person, snatches the phone from the user's ear and then rides away.

Most phones are protected by a PIN, but the savvy thief can get round this. A better method is some form of fingerprint or face recognition authentication, or better still two-factor authentication, where the user enters a password and then must enter a unique one-time code before the phone is usable.
Many companies now allow email and server access through smartphones, so the loss of one of these is not only inconvenient but could allow unauthorised access to company systems.

Of course the best way is not to use a phone in the street, or to look around to see if you are alone before using it, but as we all know the number of people with phones held up to their ears is enormous.

Our own phones are equipped with software that allows us to remotely wipe them; this protects the company computer network but does little for the budget when new phones have to be purchased.

Monday, 29 February 2016

AS9100, AS9110 & AS9120 Aerospace and Defence Standards 2016

The IAQG have advised that the revised standards are due for publication in April 2016 and that the deadline for transition has been aligned with the revised ISO 9001:2015. This means that there will not be a three-year transition period but rather two years and five months. Any organisation not transitioning successfully before the deadline will be de-registered automatically.

All certificate holders are advised to plan for the new standards and ensure that they are aware of the changes and timescales.

We will plan the transition with our Clients as soon as the publication has been made.

Just to remind readers:

The revised standards use the High Level Structure (Annex SL) format produced for all new ISO standards and comprise ten clauses.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

A number of the requirements deemed unnecessary in ISO 9001:2015 have been reinstated in AS 9100.

These additional requirements are necessary for the control and traceability required in the aerospace industry, which would not be met by the basic ISO 9001 standard.

These include:

  • A management representative is required
  • Documented information with items to be identified (Quality Manual)

In addition, a number of requirements have been added:

  • Protection from counterfeit products
  • Product safety (awareness and compliance)
  • Computer back-up secured
  • Project management
  • Measures of on-quality and on-time delivery
  • Stakeholders
  • Transfer of work
  • Reviews of requirements related to products and services coordinated with applicable functions
  • Actions to be taken when not meeting customer requirements
  • Handling obsolescence
  • Changes
  • Controls of external providers and sub-tier providers
  • Additional evaluation of data and test reports
  • Controls of production equipment
  • Tools and software programmes
  • Validation of special processes
  • Production process variations
  • Problems detected after delivery
  • Procedure to define the NC process and responsibilities
  • Review of on-time delivery performance
  • Actions based on risk assessments, and human factors.

Monday, 15 February 2016

Data Encryption

What is Encryption?


Encryption is a method of scrambling a message or other data so that it cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes; encryption protects that data. It is important that an email with a sensitive attachment is encrypted to avoid the information being read by unauthorised persons.

A very simple encryption might be to use the alphabet in reverse:

A    B    C    D    E    F    G    H    I    J    K    L    M    N    O    P    Q    R    S    T    U    V    W    X    Y    Z

Z    Y    X    W    V    U    T    S    R    Q    P    O    N    M    L    K    J    I    H    G    F    E    D    C    B    A

'Please reply to this message' becomes KOVZHV IVKOB GL GSRH NVHHZTV

Unfortunately this code would be broken very easily. A more secure system would use the shift method, where the same table is used but each letter is shifted three places to the right.

'Please reply to this message' now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better, but it relies on the person receiving the message knowing the key (what method was used), and this type of encryption would still be broken in seconds by an experienced cracker.
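To make the two toy ciphers concrete, here is an added Python example (my own code, not from the original post) that builds the reversed-alphabet table above, applies the three-place shift, and then recovers the shift key by trying all 25 possibilities and ranking the results by English letter frequency, which is exactly why a shift cipher falls in seconds. The sample sentence is the post's; the letter-frequency table and the function names are my own and are constructed for the example.

```python
"""Toy substitution ciphers: the reversed alphabet (Atbash) and the
shift-by-3 (Caesar) cipher, plus the exhaustive key trial that shows
why a shift cipher offers no real protection.
"""
import string

ALPHABET = string.ascii_uppercase   # A..Z, the top row of the table
REVERSED = ALPHABET[::-1]           # Z..A, the bottom row of the table

# Approximate relative frequency (%) of each letter in English text.
# Constructed for the example; it only ranks candidates, so the exact
# values are not critical.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.1, "Z": 0.07,
}


def atbash(text: str) -> str:
    """Reversed-alphabet substitution: A<->Z, B<->Y, ... (its own inverse)."""
    return text.upper().translate(str.maketrans(ALPHABET, REVERSED))


def shift(text: str, key: int) -> str:
    """Shift every letter `key` places to the right; key=3 is the post's example."""
    key %= 26
    rotated = ALPHABET[key:] + ALPHABET[:key]
    return text.upper().translate(str.maketrans(ALPHABET, rotated))


def unshift(text: str, key: int) -> str:
    """Undo shift(): a left shift by key is a right shift by 26 - key."""
    return shift(text, -key)


def english_score(text: str) -> float:
    """Higher when the letters look like English; non-letters score zero."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def break_shift(ciphertext: str):
    """Try all 25 keys and return (key, plaintext) for the best-scoring one.

    There is no secret beyond a number between 1 and 25, so trying every
    key and keeping the most English-looking result is the whole job.
    """
    candidates = ((k, unshift(ciphertext, k)) for k in range(1, 26))
    return max(candidates, key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    msg = "Please reply to this message"
    print("Atbash :", atbash(msg))
    ct = shift(msg, 3)
    print("Shift 3:", ct)
    key, pt = break_shift(ct)
    print(f"Recovered key {key}: {pt}")
```

The reversed alphabet has a key space of one and the shift cipher a key space of 25, so both fall to a loop that a computer finishes instantly; that gap between a puzzle and a cipher is why the symmetric and public-key systems described below use keys of many hundreds of bits rather than a number you could try by hand.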

Encryption used by spies during the Cold War depended on a code based on a book, with the page number, line and word in the line used to decrypt the message. Both the sender and receiver must have a copy of the same book. This method is far more difficult to crack.

Modern computers rely on even more secure methods:

The first of these is the SYMMETRIC KEY, where the sender and the receiver both know the same key, which is used to encrypt and to decrypt the message. Anyone else will see a jumble of letters.

The second method is known as PUBLIC KEY; a typical system is PGP (Pretty Good Privacy), which relies on a public key, which is available with the message, and a private key, which is known only to the sender and the receiver. Again anyone else will see gibberish.

The third method is known as a DIGITAL CERTIFICATE, where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine, the certificate allows the message to be decrypted.

Additionally, financial transactions use a secure system known as SSL (Secure Sockets Layer); the user will notice that the usual http:// is replaced by https://, and a small padlock is normally shown by the browser to indicate that SSL is in use. Credit card transactions use this very secure method of encryption.

Monday, 1 February 2016

Data Hijacking

Recently a type of attack called ransomware has come to light; this relies on a Trojan which encrypts the victim's data with a very complicated password, typically 40+ characters long. The criminal offers to sell the password to the victim for a relatively small sum, usually $100 or so, but this must be paid in bitcoins. Once the sum has been paid, the password is sent to the victim to decrypt the data. Sadly some of the criminals do not send the password but instead ask for a bigger sum of money.

I cannot stress enough the importance of keeping good back-ups, which enable a user to revert to a previous backup set that is not encrypted. Many companies are targeted by these ransomware threats and it has become apparent that many have simply paid up.
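As an added illustration of what "a backup set that is not encrypted" needs in practice (my own example, not Quality Matters' software or procedure), the Python below records a SHA-256 manifest of a backup set when it is taken and checks the set against that manifest before it is trusted for a restore, so files that have been overwritten, renamed or added since the backup was made are reported rather than silently restored. The directory layout, file contents and the manifest file name MANIFEST.sha256.json are constructed for the example.

```python
"""Integrity manifest for a backup set: hash every file when the backup
is taken, then verify the set against that record before restoring.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed name for the example; any fixed name the restore job knows will do.
MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's relative path (POSIX form) to its SHA-256 digest."""
    backup_dir = Path(backup_dir)
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(backup_dir).as_posix()] = sha256_of(p)
    return manifest


def write_manifest(backup_dir: Path) -> Path:
    """Record the manifest at backup time (keep a copy somewhere read-only too)."""
    out = Path(backup_dir) / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(backup_dir), indent=2, sort_keys=True))
    return out


def verify_backup(backup_dir: Path) -> dict:
    """Compare the files present now with the recorded manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}; the
    set is only safe to restore from when all three lists are empty.
    """
    backup_dir = Path(backup_dir)
    recorded = json.loads((backup_dir / MANIFEST_NAME).read_text())
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(f for f in recorded if f in current and current[f] != recorded[f]),
        "missing": sorted(f for f in recorded if f not in current),
        "unexpected": sorted(f for f in current if f not in recorded),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then damage the set and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "accounts").mkdir()
        (backup / "accounts" / "ledger.csv").write_text("date,amount\n2016-01-01,100\n")
        (backup / "notes.txt").write_text("quality manual draft\n")
        write_manifest(backup)
        clean = verify_backup(backup)

        # Simulate what an infection leaves behind in a backup that was
        # still attached: one file overwritten in place, another replaced
        # by a renamed copy with unreadable contents.
        (backup / "notes.txt").write_bytes(os.urandom(64))
        victim = backup / "accounts" / "ledger.csv"
        victim.write_bytes(os.urandom(64))
        victim.rename(victim.with_name(victim.name + ".locked"))
        dirty = verify_backup(backup)
        return {"clean": clean, "dirty": dirty}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest, or at least its own hash, somewhere the backup host cannot write to (a printout, a separate offline copy); a manifest sitting next to the files it describes can be rewritten by the same process that encrypted them. Run the check on the backup copy, not the live data, and treat any non-empty list as the signal to fall back to an older set.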

The criminals are getting bolder by the day and the latest notification was from Lincolnshire County Council who received a ransom demand for a million pounds. The Council are working with a security company to clear the infection from their systems and revert to a clean backup.  The police are trying to identify the source of the ransom. The criminals are clever enough to cover their tracks under layers of security but we can hope that they slip up and are brought to justice.

At Quality Matters we have more than one backup of our data and up-to-date antivirus and anti-malware systems in use, but we are not complacent. Vigilance is our byword. Security is a moving target and must be reviewed regularly.

Monday, 18 January 2016

Transition for 9001/14001 auditors

All auditors must re-qualify to be able to audit to the 2015 versions of ISO 9001 and ISO 14001.  This requirement is necessary because these revised standards have been radically changed and now use Annex SL as the basis of the standards.  In addition, there is the change of emphasis to “risk based thinking”.

Last December I also had to attend a transition course to keep my own IRCA qualification up to date.

Over the years we have trained a good number of internal auditors and it is important that they transition to the new standards to enable them to carry out audits in the future.

We are taking bookings for our next internal auditing course to be held in Colchester, Essex on

23 June 2016 - 24 June 2016
Cost: £375.00 + VAT per delegate

This cost-effective two-day course will provide you with the necessary training to carry out internal audits in your workplace to ISO 9001:2015, ISO 14001:2015 or OHSAS 18001 (which will be updated to ISO 45001 this year).

Remember, if your company systems transition to the new (2015) standards you will not be able to carry out internal audits unless you attend a course to update your knowledge. Most Certification Bodies will expect to see evidence, in the form of a certificate, that the auditor has transitioned.

Don't let your internal auditor qualification lapse.

Monday, 4 January 2016

Happy New Year 2016

We wish our Clients and readers of this blog a very happy and prosperous New Year. 2016 is a leap year and extends February to 29 days. One of my colleagues has his birthday on 29 February and rejoices in the fact that he ages one year every leap year!!

This year will also be a year of transitions for management systems:

ISO 27001 reached its transition deadline in September 2015, and consequently any company not transitioning to the 2013 version will have been automatically de-registered.

ISO 9001:2015 Quality Management System does have a transition deadline of September 2018, but most holders of 9001 will transition this year or, at the latest, in 2017. Our clients will transition on a timescale best suited to them and with our help.

ISO 14001:2015 Environmental Management System also has a transition deadline of September 2018, but most holders of 14001 will transition this year or, at the latest, in 2017. Our clients will transition on a timescale best suited to them and with our help.

OHSAS 18001 Occupational Health and Safety System is planned to be replaced by ISO 45001:2016 this year and, as with the other new standards, will probably have a three-year transition period.

There are a number of Standards which have ISO 9001 as core requirements and these are planned to be released this year. The ones which are relevant to Quality Matters are:

  • AS 9100, AS 9110 & AS 9120 Aerospace and Defence Standards
  • TS 16949 Automotive Standard 
  • ISO 13485 Medical Devices Standard 
  • ATEX Explosive Atmospheres Standard 

Readers of our blog will know that all new standards will follow the Annex SL format, with 10 identical clauses to allow easy integration.

Quality Matters

P.O.Box 5479
Maldon
Essex
CM9 8GG
England

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved.