Customer, Statutory and Regulatory Requirements - Intent of Clause 4.1, Note 3

[RRder]

I'm having a problem interpreting the intent of this note 3 taken from clause 4.1 of the ISO 9001:2008 standard. "Ensuring control over outsource processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements."

The comma after customer is what is questioned. If the comma is defining a list, the sentence reads " ... all customer, all statutory, all regulatory requirements". If the comma is defining a phrase that is used as an adjective then the meaning becomes the customer's statutory and regulatory requirements. In other words, our organization would be responsible to ensure the outsourced process meets the customers requirements that are statutory and regulatory.

The ISO auditor interprets the comma as a list and has issued an OFI for our fire extinguishers and overhead cranes (statutory and regulatory) that are not controlled in our QMS system. We control these items in our Safety and Environmental system (OSHA, KDHE, etc.) outside our QMS. As for the QMS, we are not certified to any ISO standard other than ISO 9001:2000 and seeking 2008.

Six of our employees were asked how they interpret the comma in this sentence and five say it is an adjective phase one says it is a list. Our interpretation of this one comma makes a large difference in how we respond to the corrective actions to the 3rd party ISO auditor's OFI.

My thought is the ISO 9001:2008 guidance document, 630R3 "ISO 9000 Introduction & Support Package: Guidance on 'Outsourced Processes', is to help us with our outsourced processes, and not a way to put controls on us that are clearly outside the QMS system.

Possibly the sentence should have been structured differently for the intent. I'm no English composition major as you can tell, but I and my fellows need help, so let me hear your interpretations with our thanks in advance.

 

[ChrissieO]

Re: Intent of Clause 4.1, Note 3 - ?????

I'm having a problem interpreting the intent of this note 3 taken from clause 4.1 of the ISO 9001:2008 standard. "Ensuring control over outsource processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements."

The comma after customer is what is questioned. If the comma is defining a list, the sentence reads " ... all customer, all statutory, all regulatory requirements". If the comma is defining a phrase that is used as an adjective then the meaning becomes the customer's statutory and regulatory requirements. In other words, our organization would be responsible to ensure the outsourced process meets the customers requirements that are statutory and regulatory.

The ISO auditor interprets the comma as a list and has issued an OFI for our fire extinguishers and overhead cranes (statutory and regulatory) that are not controlled in our QMS system. We control these items in our Safety and Environmental system (OSHA, KDHE, etc.) outside our QMS. As for the QMS, we are not certified to any ISO standard other than ISO 9001:2000 and seeking 2008.

Six of our employees were asked how they interpret the comma in this sentence and five say it is an adjective phase one says it is a list. Our interpretation of this one comma makes a large difference in how we respond to the corrective actions to the 3rd party ISO auditor's OFI.

My thought is the ISO 9001:2008 guidance document, 630R3 "ISO 9000 Introduction & Support Package: Guidance on 'Outsourced Processes', is to help us with our outsourced processes, and not a way to put controls on us that are clearly outside the QMS system.

Possibly the sentence should have been structured differently for the intent. I'm no English composition major as you can tell, but I and my fellows need help, so let me hear your interpretations with our thanks in advance.

I interpretate this as a list. You need to meet the requirements of - the customer and any relevant statutory or regulatory body.

I am struggling to where the auditor is coming from regarding your OFI. If these contractors (fire extinguisher and overhead cranes) are clearly controlled with in the EHS system, this should suffice. We have never had any problems with this. It may be an idea just to put a reference within your QMS that these contracts are managed within your EHS.

Chrissie

 

[scoraccio]

I'm having a problem interpreting the intent of this note 3 taken from clause 4.1 of the ISO 9001:2008 standard. "Ensuring control over outsource processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements."
...

Greets, I can give you an interpretation based on my current experience as an ISO 9001 auditor - I work for a Registrar (two, actually).

The general interpretation of this is that yes; OSHA, among other state and federal regulations are "fair game".

While we do not perform an OSHA audit per se, we do audit around how those requirements are executed within the company. And, as we've been in a few hundred other companies that have OSHA compliant programs, an auditor begins to glean what those requirements are - so that they can ask some informed questions, such as about daily forklift (powered industrial truck) checks.

Another common issue are these new state personal information security laws, such as Massachusetts's 201 CMR 17 - we would ask how the company has complied with this new requirement; looking for either a program, or a plan as a starting point.

As an aside - nonconformances to this, when not made as an observation, are typically against 5.1 a)

Lastly, as far as documenting these programs, there is often an existing safety program (as you've indicated here) BUT if these things are necessary to ensure the effective control of the program, then these documents need to be controlled (see 4.2.1 d) and 4.2.3 respectively.

It's a good topic, to be sure, and I often have to spend some time explaining it, to the limit of my ability (as in - I can't consult on how to fix it...).

 

[somashekar]

"Ensuring control over outsource processes does not absolve the organization of the responsibility of conformity to:
1. all customer requirements.
2. statutory requirements.
3. regulatory requirements.

Read as above. And lets not do a research on english ...

 

[ChrissieO]

"Ensuring control over outsource processes does not absolve the organization of the responsibility of conformity to:
1. all customer requirements.
2. statutory requirements.
3. regulatory requirements.

Read as above. And lets not do a research on english ...

Chrissie

 

[JaneB]

It's definitely a list, and no, it's definitely not restricted to just the customer's stat/reg requirements. Uh uh.

"Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to:
1. all customer requirements.
2. statutory requirements.
3. regulatory requirements.

I hate to be picky, really I do, but I'd move the position of all to make it relate to ALL the list, not just point 1, thus:

"Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all:
1. customer requirements
2. statutory requirements
3. regulatory requirements
plus of course the all-important:"... relevant/affecting the quality of service and/or product"

As to practical solution: If it's well controlled within the OSHA system, surely just have a reference to that from your QMS?