Incorporating Non-ISO 9001 programs into the QMS (Quality Management System)

RosieA

My company is working on the Customs-Trade Partnership Against Terrorism (C-TPAT) initiative and there is a debate going on at the corporate level about whether to roll this program into our ISO 9001 processes or handle it outside ISO. C-TPAT is an initiative for any industry working with imports and exports to ensure the secure transportation of goods across borders. For more detail see: Customs-Trade Partnership Against Terrorism (C-TPAT)

There will be a corporate Security Manual and local level procedures, mostly around existing pieces of the QMS, like shipping and receiving and internal auditing. So from my perspective, putting it in the existing ISO QMS makes perfect sense. I see no point in having two document control systems.

Two questions for Covers:
1. I think the best way to handle the corporate C-TPAT manual is to consider it a document of external origin, the same way I would an industry standard or customer specific documents. I don't control it, it just guides my actions and requires me to accommodate it in my QMS. Any other thoughts as to an approach?

2. Does this invite my Registrar to audit things that do not relate to the quality of the product produced, such as plant security operations? This is really what most concerns top management...their thinking: we have to pass a government audit on this program, so why invite ISO in also?

Opinions?
Thanks,
Rosie
 

Sidney Vianna

Post Responsibly
Leader
Admin
My position in the subject is the same as the discussion about Safety and ISO 9001, discussed in this thread: Health & Safety in ISO 9001:2000 Audits - OH&S Regulations.

The last post I had on that topic is copied below. I still believe that it applies.

"...If a Registrar, contracted for performing an assessment against ISO 9001, denies certification to an organization, due to a safety, environmental or non-quality related non-conformity, the registrar would be violating the requirements of ISO Guide 62, paragraph 2.1.1.4, which states:
"...The certification/registration body shall confine its requirements, assessments and decision on certification/registration to those matters specifically related to the scope of the certification/registration being considered. ..."
In my opinion, this would be an easy appeal for the registrant. ..."

So, my suggestion is for you to find ways to comply with the Security requirements, as part of your business operating system and not be concerned with an external audit. If you find an external auditor delving in issues outside of the management system s/he is supposed to be assessing, remind them of the system boundaries.
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
Hey, Rosie-girl! We'll be incorporating the Sarbanes-Oxley requirements into our Business Management System shortly and have pretty much included every other non-ISO 9000 requirement into our BMS (e.g., H&S, 14001, my favourite work instruction on using the company credit card [I'm not kidding...we really have that documented!]).

RosieA said:
1. I think the best way to handle the corporate C-TPAT manual is to consider it a document of external origin, the same way I would an industry standard or customer specific documents. I don't control it, it just guides my actions and requires me to accommodate it in my QMS. Any other thoughts as to an approach?

That's what we do. :agree1:

RosieA said:
2. Does this invite my Registrar to audit things that do not relate to the quality of the product produced, such as plant security operations? This is really what most concerns top management...their thinking: we have to pass a government audit on this program, so why invite ISO in also?

We just remind external auditors of their scope and they're pretty good at sticking to it. And when it comes to confidential information, they're pretty good about respecting our privacy, as well. ISO audits ISO stuff. Gvmt. audits Gvmt. stuff.

The true benefit comes on your Internal Audits when you can audit the SYSTEM and ensure that all of your processes line up properly and are using the same tools in the same manner. :)
 
RosieA

Thanks for the links, Sidney.

Picking up an environmental or safety issue in an ISO 9001 audit would be easy to do because of the 6.3 and 6.4 clauses in 9001 that tie to that topic. But C-TPAT is a different animal...not regulatory or statutory, but voluntary. So, I appreciate the clear reference to Guide 62.

Roxane, I quite agree on the need to document and audit the WHOLE system. It's a goal of mine to get us there. I've been here three months and just discovered that there are many procedures not covered in the document control system because of the fear that they'd be audited if they were. It makes no sense. How am I, as a manager, supposed to follow procedures that I don't know exist? But, hey, what fun would it be to walk into a perfect quality system? :biglaugh:
 
RCBeyette said:
Hey, Rosie-girl! We'll be incorporating the Sarbanes-Oxley requirements into our Business Management System shortly and have pretty much included every other non-ISO 9000 requirement into our BMS.
Exactly... I agree with what has been said here already. I would just like to add that the mere fact that we talk about a BMS today, rather than separate systems, should be enough to answer the question.

/Claes
 

Paul Simpson

Trusted Information Resource
Claes Gefvenberg said:
Exactly... I agree with what has been said here already. I would just like to add that the mere fact that we talk about a BMS today, rather than separate systems, should be enough to answer the question.

/Claes
I agree with Claes.
  • If you want to have a requirement managed you put it in your BMS.
  • If you want to check your people are following it your internal audit programme covers it
  • If you want an independent viewpoint you ask someone to come in and audit (may or may not be your registrar)

Just another question. If you advertise the fact that you are complying with a particular requirement does it then become part of your customer communication (Clause 7.2.3) and then subject to audit?
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
Paul Simpson said:
Just another question. If you advertise the fact that you are complying with a particular requirement does it then become part of your customer communication (Clause 7.2.3) and then subject to audit?

Where is it written in ISO 9001 what specific details need to be communicated? General concepts such as product information, etc. are listed, but the details of the communication are left up to the organization.

Now, as more standards/guidelines/requirements are brought into an organization's Business Management System, there may be a specific requirement on detailed information to be communicated to interested external parties and that will need to be acted upon by the organization in an appropriate manner.

That being said, if the scope of an external audit is ISO 9001 or "Bob's Generic Standard" then the parameters of the audit are set. The difficulty arises in how aspects of the Business Management System are worded. If a company states "We also tell our Customers xxx.", then yes, under 7.2.3 I would audit them. If they said something to the effect of "As per YYY, Customers are notified of xxx where appropriate.", then I wouldn't audit under ISO 9001 due to the direct reference to YYY.
 

Paul Simpson

Trusted Information Resource
Roxane. The question was just that.

As an example. If as a company I advertise the fact that I comply with Sarbanes-Oxley, Fair trade or any other requirement there may be companies out there who come to me as a potential supplier for those reasons. That might come under the "customer communications" element of ISO 9001 and make compliance with the rules subject to audit.
 
RosieA

Except that Sarbanes Oxley isn't a value added program, it's a government mandate. We all have to deal with OSHA requirements too, but not all companies audit OSHA in the Internal Audit system.
 

Paul Simpson

Trusted Information Resource
A little knowledge ....

RosieA said:
Except that Sarbanes Oxley isn't a value added program, it's a government mandate. We all have to deal with OSHA requirements too, but not all companies audit OSHA in the Internal Audit system.

My apologies. I am just showing my ignorance of US programs. I don't have any knowledge of the content of Sarbanes Oxley.

The principle is still the same. Taking your other example. As has been mentioned in other threads OSHA is not subject to audit (but might be included in an internal audit programme). However if the company makes a claim in marketing material to be complying with OHSAS 18001 (for example) then a third party certification body might be entitled to assess whether this is true. Otherwise they may be misleading customers.
 