ISO9001 Clause 7.4.3 - Verification of Purchased Product - Software

W

wslabey

How do you interpret 7.4.3 Verification of Purchased Product for software product purchases? Do you require software suppliers to provide certification? Ignore the clause for software? Specify fitness for use and merchantaiblity in your standard purchasing terms and conditions? What do you do with software purchases to verify?

In our company we buy all kinds of software from Microsoft office products, CAD software, Finite Element Analysis, to customer modules of MRP software. Your thoughts please?

I am finding that software suppliers want to provide nothing in terms of quality assurance pledges or certificates of conformity.

Bill
 

Jim Wynne

Leader
Admin
How do you interpret 7.4.3 Verification of Purchased Product for software product purchases? Do you require software suppliers to provide certification? Ignore the clause for software? Specify fitness for use and merchantaiblity in your standard purchasing terms and conditions? What do you do with software purchases to verify?

In our company we buy all kinds of software from Microsoft office products, CAD software, Finite Element Analysis, to customer modules of MRP software. Your thoughts please?

I am finding that software suppliers want to provide nothing in terms of quality assurance pledges or certificates of conformity.

Bill

You're dealing with off-the-shelf products, so your receiving verification should be dealing with them the same way you deal with other OTS things. In general, certificates of conformance are worthless. As far as verifying that the software is appropriate to the application and performs as expected is a different issue.
 
W

wslabey

Thanks for the reply. So, do you verify OTS software or not? We do use C of C for special processes and require suppliers to provide evidence that substantiate the C of C. The C of C must be signed by the Quality responsible manager.
 

v9991

Trusted Information Resource
I guess, the requirement for validation would be same as that followed in other regulated industries; (only it might be little linieant in terms of documentation) Based on above assumption, i am providing following thoughts...

Risk based approach is the answer; (GAMP model)
First categorize the applications wrt relevance&dependancy of Quality&Manufacturing processes.
Also consider the product nature, Off the shelf vs customized vs bespoke etc.,

Further at next level, it will also involve your reliance on the software for taking GxP(QMS) relevant activities/decisions.

viz., if MRP includes production planning & scheduling whichinvolves typical GxP activities of selecting approved materials; or FIFO then it becomes part of qualification/validation; otherwise if its restricted to replenishments; then it may not require; just verification is adequate (supplier certifications).

Above categorization shall determine extent of verification-qualification-validation required before putting them to use;

Have a look at other posts/links on GAMP, computer system validation at the end of post.

hope that helps.
 

sagai

Quite Involved in Discussions
Hi,
in a ISO9001 only world I would not go that far.
The requirements for the purchased sw, you do anyway, it is a company interest to have the most suitable (incl. feature and money too) software.
I would suggest to have an objective evidence in a retrievable format (paper, electronic doc, email, etc.) that you had requirements (could be a very high level ones only), you have evaluated the potential solution and there should be also objective evidence, that you received, what you wanted to purchase.
I think you would do it anyway.

Regards
Szabolcs
 

Jim Wynne

Leader
Admin
Thanks for the reply. So, do you verify OTS software or not? We do use C of C for special processes and require suppliers to provide evidence that substantiate the C of C. The C of C must be signed by the Quality responsible manager.
I don't know what you mean by "verify." There is a process of software validation that provides evidence for or against the proposition that the software is suitable for the intended use, but I don't see it applying except in specialized instances. I don't see much need for validating MS Office applications or calibration software (essentially database applications).

As far as the general question of certificates of conformance is concerned, if your suppliers are giving you some form of actual evidence of conformance, why do you need a C of C? Unless there's some kind of extrinsic requirement for it, it serves no useful purpose. By accepting the terms of a purchase order and shipping goods against it, suppliers are already providing a tacit C of C. That is to say, they are tacitly warranting that the goods meet the requirements of the purchase order.
 
R

Ralph Long

I have not been exposed to any requirements for CofC for purchased "off the shelf" software. If you had a need and made a purchase, put it into use successfully then that should be self evident...unless it did not work as needed.

Our company is in the process of upgrading our MRP software. It's custom made. Verification will be demonstrated through notes on reviews at each step (predetermined) of implementation. We have a timeline and there will be action items if things do not go correctly. There is a list of expectations - verification will be when everything performs to that list and final payment is made.
 
W

wslabey

I don't know what you mean by "verify." There is a process of software validation that provides evidence for or against the proposition that the software is suitable for the intended use, but I don't see it applying except in specialized instances. I don't see much need for validating MS Office applications or calibration software (essentially database applications).

As far as the general question of certificates of conformance is concerned, if your suppliers are giving you some form of actual evidence of conformance, why do you need a C of C? Unless there's some kind of extrinsic requirement for it, it serves no useful purpose. By accepting the terms of a purchase order and shipping goods against it, suppliers are already providing a tacit C of C. That is to say, they are tacitly warranting that the goods meet the requirements of the purchase order.

Jim,

Thanks for your response. I take it as a no for making arrangements for verification of purchased software. Below is the actual standard for reference:

ISO 9001:2008, Quality management systems — Requirements

7.4.3 Verification of purchased product
The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.

Where the organization or its customer intends to perform verification at the supplier's premises, the organization shall state the intended verification arrangements and method of product release in the purchasing information.


I don't see any exclusions for purchased software.

Regarding a C of C, it is routine in aerospace, some military and amusement park rides. The signed C of C by the quality rep is similar to a signed PSW by the quality responsible rep in the company.

A company's standard or specific purchasing T & C's have to have specific language requiring suppliers to be responsible for product verification to an agreed to plan.

Bill
 
W

wslabey

I have not been exposed to any requirements for CofC for purchased "off the shelf" software. If you had a need and made a purchase, put it into use successfully then that should be self evident...unless it did not work as needed.

Our company is in the process of upgrading our MRP software. It's custom made. Verification will be demonstrated through notes on reviews at each step (predetermined) of implementation. We have a timeline and there will be action items if things do not go correctly. There is a list of expectations - verification will be when everything performs to that list and final payment is made.

Hi Ralph,

I get it on custom software development. You need to agree to Statement of expectation of statement of work that calls out acceptance critiria and verification to same. Coincidently, we are going through nailing down an agreement with a supplier who has signed up for custom software development for hardware they produce. The supplier doesn't want to sign up for returning the hardware if their software doesn't do the job it was intended.


Bill
 

Jim Wynne

Leader
Admin
Jim,

Thanks for your response. I take it as a no for making arrangements for verification of purchased software. Below is the actual standard for reference:

ISO 9001:2008, Quality management systems — Requirements

7.4.3 Verification of purchased product
The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.

Where the organization or its customer intends to perform verification at the supplier's premises, the organization shall state the intended verification arrangements and method of product release in the purchasing information.

I don't see any exclusions for purchased software.

Regarding a C of C, it is routine in aerospace, some military and amusement park rides. The signed C of C by the quality rep is similar to a signed PSW by the quality responsible rep in the company.

A company's standard or specific purchasing T & C's have to have specific language requiring suppliers to be responsible for product verification to an agreed to plan.

Bill

You had made no mention of aerospace requirements, and referred only to ISO 9001. Nonetheless, I did say "Unless there's some kind of extrinsic requirement for it, it serves no useful purpose." There is, in your case apparently, an extrinsic requirement.

As far as verification of purchased product is concerned, and again in lieu of extrinsic requirements to the contrary, you are verifying that a catalog item is what was ordered. Anything outside of that (validation, e.g.) is beyond the scope of 7.4.3.
 
Top Bottom