I only realized recently that I had published a few articles on the controversy surrounding my Request for Interpretation (RFI) sent to TC 176 about ISO 9001 clause 8.4.3, but hadn’t published the background article about my reasons. This article was written, but stuck in a “draft” folder and not published. Yes, I’m a professional. Sigh.

So here it is.

Clause 8.4.3 of ISO 9001:2015 was released with a minor error that has gone on to cause an avalanche of problems for users of both ISO 9001 and AS9100, largely because of incompetent auditors and CB managers who refuse to stand up to them.

The clause is called “purchasing information” and requires the user organization to clearly “communicate” what it is buying to the supplier in question. This is commonly done on a purchase order (PO) or contract; a company sends a PO to its supplier describing what it wants, which ensures the supplier can provide it.

The ISO 9001:2015 version then goes on to say, “The organization shall communicate to external providers its requirements for…” and then gives a list of items to consider putting on a PO or contract to a supplier. In ISO 9001:2015, that list includes nine bullet items, while in AS9100 Rev. D it was expanded to 27.

To see the problem, we need to look at prior versions of ISO 9001.

Where Applicable

Now we go back to the earliest version of ISO 9001, from 1987. We see the same requirement, here called “Purchasing Data,” but prefaced with the term “where applicable“:

Purchasing clause from ISO 9001:1987

That carried through the 1994, 2000, and 2008 versions, where the term “where appropriate” was used:

Purchasing clause from ISO 9001:2008

Obviously, this language then followed over to each corresponding edition of AS9100, too.

In ISO 9001:2015, however, the term “where appropriate” was accidentally left out, and because there were no editors used when developing that version, this mistake was published.

I raised the issue at the time, but TC 176 authors were — as usual — smug. One claimed that “it is obvious” what the intent of that clause is, and that adding the words would have no effect. They were, as always, wrong.

Now, an accurate reading still shows the bullet list items are optional, but you have to squint.  The literal wording under ISO 9001:2015 says the organization will communicate “its” requirements. So if a requirement is not applicable, it would not be one of “its” requirements, and wouldn’t need to be communicated.

Simple, right?

The Inevitable Fallout

No. This is all too difficult for today’s crop of ISO 9001 and AS9100 auditors to understand. Ignorant people will often quote a thing verbatim because they lack the intellectual capacity to interpret a thing using common sense. That’s what we see here.

To date, I have had roughly 20 (or more) clients receive ISO or AS nonconformities on this clause because they did not “flow down” all of the bullet list requirements on every purchase order, to every supplier.

Here’s one such finding from an auditor with SAI Global:

And another from an auditor with TUV Rheinland:

To date, we have seen this same finding raised by auditors from BSI, TUV USA, DEKRA, Perry Johnson Registrars, Intertek, NQA, NSF, and more.

In each case, the auditor demanded that every single bullet point from 8.4.3 be included on every single PO sent to every single supplier. They just want to see the clause copied-and-pasted onto POs, because they think that is how quality management works.

To get there, auditors have to ignore the following:

  1. … that every single edition of ISO 9001 had previously stated “as appropriate” and nothing in the new version changed to suddenly make all of these bullet points mandatory.
  2. … the word “its.
  3. … all common sense.

So, to the TC 176 guy who told me “it is obvious,” please go eat a shoe.

The Real World

In reality, companies use all sorts of suppliers for an endless variety of raw materials and critical items. These include suppliers like Amazon or eBay, or giant distributors like McMaster, Grainger, or Digi-Key. There is no way to flow down nearly thirty requirements to such suppliers, as they will either ignore them entirely, or refuse to process the order.

Think about it. One of the AS9100 bullet points is to flow down requirements for the “use of statistical techniques.” Ignorant auditors would have you believe that you must flow this down to Amazon or McMaster. How, exactly, would that apply to such companies? Auditors never think that far ahead.

Another bullet point suggests flowing down requirements related to “competence, including any required qualification of persons.” Do you really think that the box packer at Grainger needs some special “qualification“? What would that be? Are you going to flow down training requirements for things you buy from eBay?

Some of the requirements would be self-harming. For example, AS9100 includes a bullet point to “implement a quality management system.” Let’s say you flow that down, and the vendor decides to implement ISO 9001 or AS9100 as a result. Now that company has to comply with clause 8.2 on contract review:

If upon review the organization determines that some customer requirements cannot be met or can only partially be met, the organization shall negotiate a mutually acceptable requirement with the customer.

So by flowing down one requirement you are forcing your vendor to invoke another, and reject your own future orders.  Again, the auditors don’t think that far ahead, because they’re morons.

Increasingly, companies are buying more supplies and components from, of all places, Wal-Mart. This is especially common in companies who use “commercial off the shelf” (COTS) items in their products. Recently, it was discovered that Wal-Mart was reselling counterfeit electronics. So, an auditor would say, you can solve all of Wal-Mart’s problems simply by flowing down the AS9100 bullet point suggesting they implement controls for counterfeit products. Oh, yes, I’m sure Wal-Mart will change its entire global business strategy because of the fine print on your $15 purchase order. [/sarcasm]

Official Rulings on the Issue

Meanwhile the ISO and IAQG officials have already ruled on this, sort of.

For AS9100, back in 2017 I sent an official request for interpretation through the IAQG OASIS ticket system. The issue was answered by Alan Daniels, who is not only the lead AS9100 developer, but also the Chair of the US TAG to TC 176…meaning I was getting the view for both AS9100 and ISO 9001. Look what Daniels wrote back, in the official OASIS response:

The ISO text incorporated as the baseline of 9100:2016 starts out by saying “the organization shall communicate its requirements for”, so if the organization doesn’t have any requirements for items on the list then quite simply they don’t provide those to the external provider. Either they exist or they don’t. The intent isn’t to make up requirements that aren’t necessary, but to ensure to include all of those that are.

Here’s the full ticket:

You can see, then, that Daniels suggests the matter go up for official “clarification.” And it did.

But here is where the IAQG screwed things up. In the final clarification, the issue was handed off to someone else, not Daniels. (It looks like this was Buddy Cressionnie, but I can’t be sure. It certainly smacks of his ability to screw things up.) The final ruling bungled the matter, and suggested companies can exclude the individual 8.4.3 bullet point from the scope of their entire QMS.

Here’s the IAQG clarification as it’s published now:

Again, this shows just how ignorant the so-called experts are. It is not a matter of excluding a given bullet point entirely from the QMS, it was always intended that you would exclude them from individual POs. Or, more accurately, you’d only include the applicable bullets on a given PO.

So IAQG admits the bullets are optional, but now we need to get them to fix their clarification. Daniels insisted to me a few weeks ago that, yes, he’s working on a revision.

Meanwhile, multiple folks at TC 176 also agreed that the intent was never to require all the bullets on every outgoing PO. This was confirmed with representatives from the US TAG to TC 176, the ISO 9001 Auditing PRactices Group, and reps from other TC 176 member countries. No one said the bullets were mandatory.

But everyone said an official RFI is required to get the matter settled.

Thus I submitted the RFI to the US TAG, who promptly sent it over to ASQ. It was then handled by an ASQ staffer who has a personal axe to grind against me, and rejected. That was last week’s scandal.

Now the matter is being re-submitted by other countries, so we can bypass the US entirely since the US TAG is entirely dysfunctional.

CBs Dig In

It may not matter, though. The CBs ultimately run the scheme, since no one will stand up to them. When it comes to CB incompetence, the Accreditation Bodies like ANAB and UKAS are terrified to do their job and enforce accreditation rules. The ISO Auditing Practices Group publications are all optional, and feature lots of disclaimers saying so. TC 176 itself claims it has no role whatsoever in certification, so cannot enforce its interpretations. On the AS9100 side, the IAQG has also proven to be incapable of enforcing its rules.

So the CBs don’t really care what “interpretation” or “clarification” anyone publishes. Even when presenting the official IAQG ruling to the CBs who try to write this up, they refuse to stand down. SAI reported back to me that they are “not obligated to abide by ISO or IAQG interpretations.” NQA just said, “the nonconformity stands,” without any justification. It’s a brick wall.

Auditors Performing Consulting

Remember that ISO and AS auditors are not allowed to consult, because that means they are certifying their own work. The accreditation rules established in ISO 17021-1 define “consulting” as providing “specific solutions.”

For this problem, in nearly every case, the auditor provided a very specific solution that the company simply copy-and-paste the bullet points from 8.4.3 onto a “terms and conditions” page on every outgoing PO. Later, if the client does this, they sign off because the auditor recognize shis own work, and agrees with himself. (Surprise.) If you push back, they get angry that you’re not accepting their consulting, and raise a “major” nonconformity out of spite.

That’s not how objective auditing is supposed to work but, again, the ABs and IAF and IAQG don’t do anything about it.

So even when TC 176 and IAQG issue a clarification, it’s not likely to matters. Tough-guy auditors will continue to try and prove how smart they are by imposing their own ideas on how to implement a QMS, and no one will hold them accountable.

Which means the only real solution is to fix the standard. But since the same people who wrote the 2015 version are at the wheel this time, and all signs point to them making the standard worse, not better, we can’t have much hope there, either.

This should never have turned into the complicated mess that it has.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


Traditional Tri-System