ISO 9001:2008 Purchasing Requirements

[WannaDoQA]

Hello all. I'm relatively new to the forum but have been reading for a while. I can't find help anywhere else as I'm also relatively new to the field of quality management and ISO but am on my own to try to get some of these things figured out, so please bear with me.

We are a small wire harness manufacturing company, just to give some background. We buy connectors, terminals, and wire/cable and put it all together according to customer specifications. We maintain product traceability through internal Lot numbers.

We were recently audited by one of our customers and they had many findings resulting in issuing many Supplier Corrective Actions. We are not ISO certified but we are still trying to comply with ISO (and we said as such), thus we were audited to ISO 9001:2008. We had many ISO procedures in place from 1994 but were struggling trying to get up to speed with 2008. So, ultimately, it turned out not so good for us.

One of the findings was related to our Purchasing procedure, that parts are not being inspected but are certified on the C of C for products they buy from us, and that there is no evidence the parts can be traceable to the original manufacturer and material specification.

For example, for product 12345, we may have a customer requested C of C that states the certification of specific attributes of a specific component, such as, "Component Part# ABC, manufacturer Schurter, rated 250V, 10Amp, UL and/or CSA marked."

We will send that C of C with the completed product. The short of it is that we are stating those things on our C of C but we are not actually inspecting the part to see if it meets those criteria - I can fix that and I think I did. However, we are not able to trace that part back to its original manufacturer/material spec, and that's what I need help with.

Here is what I've done so far:

1: Created Incoming Inspection procedure that doubles as a record for each component that requires certification. It lists the attributes/criteria that we certify on the C of C. We check off that we verified those attributes, enter data specific to the delivery (date, supplier, lot or PO#, quantity inspected) on the document itself, print out the paper and sign/date it. This document is then filed. We do this for every part that requires certification.

2: Added each part that requires certification to our Incoming Inspection List, which does not allow parts to be received until they have been inspected.


What I need to do:

-Come up with a way to trace certified components throughout production. Right now, even if I have the record of the part's certification, I cannot trace it to a specific Lot that we build. When we release an internal Lot to begin production and start pulling parts, we do not record any information related to the component anywhere - we simply use FIFO. If our customer calls me and asks me:

"Hi WannaDoQA, I have product 12345 that you built, Lot# XYZ, which uses a certified component Part# ABC. Can you provide objective evidence that component ABC was certified and used in product 12345 for Lot# XYZ?"

My answer to this is: No.

I can show them the record of certification for the component, but I cannot say whether it was used in Lot XYZ.

It seems like a super long post for such a short question but does anyone anywhere know how I can do this easily, for really cheap, and really really fast? I'm ready to answer any questions because I know it all seems so convoluted.

How do other companies do this? I'm assuming it's a really easy fix, and believe me, I have my palm ready to hit my forehead but.........

Help!

 

[Jim Wynne]

Re: ISO 9001:2008 Purchasing

Hello all. I'm relatively new to the forum but have been reading for a while. I can't find help anywhere else as I'm also relatively new to the field of quality management and ISO but am on my own to try to get some of these things figured out, so please bear with me.

We are a small wire harness manufacturing company, just to give some background. We buy connectors, terminals, and wire/cable and put it all together according to customer specifications. We maintain product traceability through internal Lot numbers.

We were recently audited by one of our customers and they had many findings resulting in issuing many Supplier Corrective Actions. We are not ISO certified but we are still trying to comply with ISO (and we said as such), thus we were audited to ISO 9001:2008. We had many ISO procedures in place from 1994 but were struggling trying to get up to speed with 2008. So, ultimately, it turned out not so good for us.

One of the findings was related to our Purchasing procedure, that parts are not being inspected but are certified on the C of C for products they buy from us, and that there is no evidence the parts can be traceable to the original manufacturer and material specification.

For example, for product 12345, we may have a customer requested C of C that states the certification of specific attributes of a specific component, such as, "Component Part# ABC, manufacturer Schurter, rated 250V, 10Amp, UL and/or CSA marked."

We will send that C of C with the completed product. The short of it is that we are stating those things on our C of C but we are not actually inspecting the part to see if it meets those criteria - I can fix that and I think I did. However, we are not able to trace that part back to its original manufacturer/material spec, and that's what I need help with.

The first thing you need to do is find out where this traceability requirement came from, because it didn't come from ISO 9001:2008. Did the auditor's nonconformity statement include the standard or requirement that was allegedly violated? If so, it would be good if you could share it with us, verbatim.

In general, if your customer gives you a material specification, you're beholden to verify that the specification has been satisfied. The form that verification takes is another matter, however. If the customer is looking for something your company hasn't agreed to, the "requirement" should be questioned and your company should be working with the customer to determine a method that will make everyone happy.

 

[WannaDoQA]

Re: ISO 9001:2008 Purchasing

The first thing you need to do is find out where this traceability requirement came from, because it didn't come from ISO 9001:2008. Did the auditor's nonconformity statement include the standard or requirement that was allegedly violated? If so, it would be good if you could share it with us, verbatim.

In general, if your customer gives you a material specification, you're beholden to verify that the specification has been satisfied. The form that verification takes is another matter, however. If the customer is looking for something your company hasn't agreed to, the "requirement" should be questioned and your company should be working with the customer to determine a method that will make everyone happy.

Thank you for your reply. They cited the following areas: Section 7.1, 7.4.3, 7.5.3, 8.1, and 8.2.6. Their total finding was, "Parts are not being inspected but certified on the C of C. There is no clearly defined process or procedure to control the Certificates of Compliance. There is no evidence that the parts can be traceable to the manufacturer and material specification."

 

[Jim Wynne]

Re: ISO 9001:2008 Purchasing

Thank you for your reply. They cited the following areas: Section 7.1, 7.4.3, 7.5.3, 8.1, and 8.2.6. Their total finding was, "Parts are not being inspected but certified on the C of C. There is no clearly defined process or procedure to control the Certificates of Compliance. There is no evidence that the parts can be traceable to the manufacturer and material specification."

Thanks for the clarification. Again, there is no requirement in ISO 9001:2008 for certificates of conformance, or a procedure to "control" (whatever that might mean) them, and no requirement for the kind of traceability they're referring to.

A certificate of conformance is a mostly useless document. Nonetheless, if you're giving them something that says that the product supplied meets (for example) purchase order or drawing requirements, but you can't substantiate that assertion, I think it's reasonable on the part of the customer to be concerned. That concern should not be expressed in terms of requirements that don't actually exist, but it still sounds like a legitimate concern.

The best thing to do right now is find out from the customer exactly what it is that they expect to see, and where that requirement is specifically defined.

 

[AndyN]

Re: ISO 9001:2008 Purchasing

Jim has given an excellent reply. I'd add that the fact the auditor cited a number of requirements means they aren't sure so gave a number of requirements where the nc might 'stick'.

If you haven't entered into a contractual arrangement to give traceability, the auditor is grasping at straws. In many cases, you're not adding value by inspection, anyways. This is one of the reasons for a C of C. You might do some form of verification, but since the needs for QC is often based on past performance, unless these suppliers to you have screwed up, you might just as well drop the stuff directly to stores, for what it's worth.

I guess you could make a case for including C of Cs in your document/records control procedure, but did they actually review that? Because that's a different ball of wax to what they're citing in ISO 9001! Another case of grasping at straws?

 

[dkusleika]

Re: ISO 9001:2008 Purchasing

They are definitely talking about two completely separate issues, in my opinion. Verification of purchased product: You are verifying purchased product by getting a CoC. If they think that's inadequate, they should say so and you can negotiate what is adequate verification. If I'm buying wire and connectors from the manufacturer or an authorized distributor and getting a CoC, I would push back pretty hard that no further verification is necessary. But you have to look at the situation too. If it was my only customer, I might not push back quite so hard.

The second issue of traceability is different. Traceability is great, but it is not quick, easy, or cheap and I would never implement full component traceability without doing a cost/benefit, risk/reward analysis. If I determined that the benefits outweigh the costs or that the risk of not doing it was too high, here's how I would do it:

Assign a lot number to each shipment of raw materials that you get. A purchase order number may work for that or a variant of a PO number if you typically get more than one shipment per PO. You have to then identify the raw materials with that lot number - you can't throw a bunch of connectors in a bin, you have to keep the lots separate and identifiable. Then keep a spreadsheet that links the raw material lots with the production lots. Assume you have two raw materials, wire and connectors, for a production lot. The spreadsheet might look like this:

Production Lot   RM Lot RM
XYZ                 123     20g Wire
XYZ                 137     20g Wire
XYz                 245     1" connector

In this super simple example, there wasn't enough wire in 123 to complete XYZ, so 123 was exhausted and some wire from 137 was used. There were enough connectors in one lot to complete the whole production run, so only one lot of those are listed.

You'll never get a clean one-to-one relationship between production and materials unless your product happens to allow it. So you can't say that all the wire from 123 was used in XYZ. But if you find out that the wire from 123 is bad and causing problems, you can filter your spreadsheet and see all the production runs that used wire from 123.

That was a simple example of a product with only two components. It becomes a lot of administrative work to keep track of all of this. You also might have to change your storeroom layout to keep RM lots separate and identifiable. And the production people will have to record which lots they use for each run. That's why I said it's not easy or cheap and a cost/benefit is needed.

If you're reading this and thinking you'd rather find a different job than do all this work, then do the cost/benefit and make the case to your customer that the cost of traceability, like what they want, is too high. Back it up with some real cost estimates and a projected price increase - that will get their attention.

Also give them some risk mitigation for why full traceability might be unnecessary. Maybe you only get 12 shipments of 20 gauge wire per year (one per month) and that if they had a problem with XYZ, you could reasonably narrow the wire used to two of those shipments. From that, you might be able to identify a number of production runs that reasonably could have used the wire from those two shipments. What you're left with is a number of cable harnesses that may have that wire - a greater number than the actual cable harnesses that use that wire but a smaller number than every cable harness you've ever created.

Now they're going to want to test all those cable harnesses to see if they exhibit the same problem that made them ask the question in the first place. They have to test more harnesses than they would if you used strict component traceability, but less than 100% of the harnesses. If the cost of the addition testing is $1k and the cost of implementing traceability is $10k, then you can make the case that traceability doesn't make sense.

Good luck.

 

[WannaDoQA]

All of your replies have been very helpful - thank you.

Jim Wynne & AndyN: I was also unsure how they lumped the C of C into the verification of purchased product, but it does seem like it falls into Doc Control. As far as I know, we have not entered into any contractual agreement regarding traceability. I also think they are grasping at straws, but they are also one of our bigger customers, so we are pandering. I tried gently suggesting we ask the customer (since they are expecting some objective evidence soon), but my boss didn't really seem too keen on that idea.


dkusleika - Thanks for your reply, I would really love to look at the cost/benefit, but I think my bosses really just want to make the customer happy and do whatever they want, no questions asked. Ultimately we came up with a different idea, though. As I said in my first post, if a component is certified on our C of C to our customer, we have an Incoming Inspection procedure that doubles as a record for certifying the component when it comes in. To achieve traceability to that inspection record, we are going to identify that component as a "certified component" with a yellow sticker on its identification label in the stocking area. Our parts picker will then know that when they pull the part, they need to write the Lot/PO# of that part (that has already been inspected/certified w/a record to prove it) on the Pick List of the internal Lot they are picking parts for. The Pick List will then get filed with all of our other documentation for that internal Lot. Traceability achieved!

 

[AndyN]

This one of the reasons for having an accredited certification. Since customers' auditors aren't necessarily competent and a CB is required to have competent auditors. It's supposed to work that by having a certified QMS, these types of situations might be avoided. Do you know if they would have audited you, if you'd been ISO 9001 Certified by a CB?

 

[WannaDoQA]

I don't know if they would have audited us if we'd have been certified by a CB. Regardless, it had been ~10 years since they last audited us and that's why they came (as far as I'm aware), so I'm not sure if it would have totally negated the audit if we'd have been certified by a CB.

 

[AndyN]

I don't know if they would have audited us if we'd have been certified by a CB. Regardless, it had been ~10 years since they last audited us and that's why they came (as far as I'm aware), so I'm not sure if it would have totally negated the audit if we'd have been certified by a CB.

You might have been able to pull the 'Well, it's never been a problem for the CB..." stunt!:mg: