Category Archives: Announcement

AS9100 and ISO 9001 Time-Saver Packages

NIST 800-171 Compliance

We have a Fast-Track Program to assist suppliers to the Federal Government in meeting the requirements of Executive Order 13556 and NIST 800-171.

Our professional services include assisting with:

  • Initial Risk Assessments for Controlled Unclassified Information (CUI)
  • Preparation of a CUI Security Plan and Statement of Applicability
  • Preparation of Policies, Procedures and Control Objectives
  • Personnel Awareness Training
  • Auditing for Compliance to NIST 800-171 and ISO 27001


Controlled Unclassified Information (CUI) supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors and subcontractors) often process, store, or transmit CUI.

Executive Order 13556, as issued November 10, 2010, designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations. The final draft was made public in April 2015.

NIST 800-171 REQUIREMENTS

Security Requirements for Protecting the Confidentiality of CUI

NIST Special Publication 800-171 contains fourteen families of security requirements (including basic and derived requirements) for protecting the confidentiality of CUI in nonfederal information systems and organizations.

The security controls from NIST Special Publication 800-53 associated with the basic and derived requirements are also listed in Appendix D. Organizations can use Special Publication 800-53 to obtain additional, non-prescriptive information related to the CUI security requirements (e.g., supplemental guidance related to each of the referenced security controls, mapping tables to ISO/IEC security controls, and a catalog of optional controls that can be used to help specify additional CUI requirements if needed).

The security requirements identified in 800-171 are intended to be applied to the non-federal organization’s general-purpose internal information systems that are processing, storing, or transmitting CUI. Some specialized systems such as medical devices, Computer Numerical Control (CNC) machines, or industrial control systems may have restrictions or limitations on the application of certain CUI requirements and may be granted waivers or exemptions from the requirements by the federal agency providing oversight.

1 ACCESS CONTROL

Basic Security Requirements:

1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Derived Security Requirements:

1.3 Control the flow of CUI in accordance with approved authorizations.

1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.

1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.

1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.

1.8 Limit unsuccessful logon attempts.

1.9 Provide privacy and security notices consistent with applicable CUI rules.

1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.

1.11 Terminate (automatically) a user session after a defined condition.

1.12 Monitor and control remote access sessions.

1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

1.14 Route remote access via managed access control points.

1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.

1.16 Authorize wireless access prior to allowing such connections.

1.17 Protect wireless access using authentication and encryption.

1.18 Control connection of mobile devices.

1.19 Encrypt CUI on mobile devices.

1.20 Verify and control/limit connections to and use of external information systems.

1.21 Limit use of organizational portable storage devices on external information systems.

1.22 Control information posted or processed on publicly accessible information systems.
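The Access Control requirements above are stated as outcomes, not mechanisms. The following added example (written for this page; it is not code from NIST or from ABCI) shows what two of them look like once enforced: requirement 1.8 (limit unsuccessful logon attempts, here by locking the account after a number of consecutive failures) and requirement 1.11 (terminate a session after a defined condition, here an inactivity limit). The threshold values, the event strings and the user names are assumptions; NIST 800-171 leaves the actual thresholds organization-defined.

```python
"""Added example (not from the page, not ABCI's code): enforcing NIST 800-171
Access Control requirements 1.8 (limit unsuccessful logon attempts) and 1.11
(terminate a session after a defined condition) in a small policy object.
All threshold values are assumptions; the standard leaves them to the organization.
"""
from dataclasses import dataclass
from typing import Dict, List

LOCKOUT_THRESHOLD = 5           # assumed: consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60       # assumed: how long the lock lasts
SESSION_IDLE_SECONDS = 15 * 60  # assumed: inactivity limit that terminates a session


@dataclass
class AccountState:
    failures: int = 0            # consecutive failed logons since the last success
    locked_until: float = 0.0    # epoch seconds; 0.0 means not locked


@dataclass
class Session:
    user: str
    last_activity: float
    active: bool = True


class AccessPolicy:
    """Time is passed in as `now` (epoch seconds) so the behaviour is deterministic."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}
        self.sessions: Dict[str, Session] = {}
        self.events: List[str] = []  # security-relevant events for the audit trail (3.1)

    def _account(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._account(user).locked_until > now

    def record_logon(self, user: str, success: bool, now: float) -> str:
        """Requirement 1.8. Returns 'ok', 'failed' or 'locked'."""
        acct = self._account(user)
        if self.is_locked(user, now):
            # A correct password does not unlock the account before the lock expires.
            self.events.append(f"{now:.0f} LOGON_REJECTED_LOCKED user={user}")
            return "locked"
        if success:
            acct.failures = 0
            self.sessions[user] = Session(user=user, last_activity=now)
            self.events.append(f"{now:.0f} LOGON_SUCCESS user={user}")
            return "ok"
        acct.failures += 1
        self.events.append(f"{now:.0f} LOGON_FAILURE user={user} count={acct.failures}")
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.events.append(f"{now:.0f} ACCOUNT_LOCKED user={user} until={acct.locked_until:.0f}")
            return "locked"
        return "failed"

    def touch(self, user: str, now: float) -> bool:
        """Requirement 1.11: call on every request. Returns False once the session
        has been terminated for inactivity (or never existed)."""
        session = self.sessions.get(user)
        if session is None or not session.active:
            return False
        if now - session.last_activity > SESSION_IDLE_SECONDS:
            session.active = False
            self.events.append(f"{now:.0f} SESSION_TERMINATED_IDLE user={user}")
            return False
        session.last_activity = now
        return True


if __name__ == "__main__":
    policy = AccessPolicy()
    for t in range(5):                                   # five constructed failures
        print(policy.record_logon("alice", False, 100.0 + t))
    print(policy.record_logon("alice", True, 500.0))     # still locked
    print(policy.record_logon("alice", True, 1005.0))    # lock has expired
    print("\n".join(policy.events))
```

Note that every decision the policy makes is appended to `events`; the lockout and termination events are exactly the records the Audit and Accountability family (below) expects to exist, so the two families are easiest to satisfy together.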

2 AWARENESS AND TRAINING

Basic Security Requirements:

2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.

2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Derived Security Requirements:

2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.

3 AUDIT AND ACCOUNTABILITY

Basic Security Requirements:

3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Derived Security Requirements:

3.3 Review and update audited events.

3.4 Alert in the event of an audit process failure.

3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.

3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.

3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.

3.9 Limit management of audit functionality to a subset of privileged users.
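Requirement 3.8 asks that audit information be protected from modification and deletion, and 3.2 that each record be attributable to a user. One way to make tampering detectable, as an added example that is not from the page and not ABCI's code, is to chain the records with a keyed hash: each record carries an HMAC over its own fields plus the tag of the previous record, so editing, reordering or deleting an earlier record breaks the chain. The key, the record fields and the sample events are constructed for the example.

```python
"""Added example (not from the page, not ABCI's code): an HMAC-chained audit log
illustrating NIST 800-171 requirements 3.1/3.2 (retain records attributable to a
user), 3.7 (records carry a time stamp) and 3.8 (detect unauthorized modification
or deletion of audit information). Key and records are constructed test data."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional


class ChainedAuditLog:
    GENESIS = "0" * 64  # 'previous tag' value used by the first record

    def __init__(self, key: bytes) -> None:
        # The key must be held by the audit subsystem only (3.9: audit management
        # limited to a privileged subset), never by the users whose actions are logged.
        self._key = key
        self.records: List[Dict] = []

    def _tag(self, body: Dict) -> str:
        # Canonical JSON (sorted keys) so the same fields always produce the same tag.
        canonical = json.dumps({k: v for k, v in body.items() if k != "tag"}, sort_keys=True)
        return hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()

    def append(self, timestamp: int, user: str, action: str) -> str:
        prev = self.records[-1]["tag"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "ts": timestamp, "user": user,
                "action": action, "prev": prev}
        body["tag"] = self._tag(body)
        self.records.append(body)
        return body["tag"]

    def verify(self) -> Optional[int]:
        """Return None if the log is intact, otherwise the index of the first record
        at which the chain breaks (an edited, reordered or deleted earlier record)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.get("seq") != i or rec.get("prev") != prev:
                return i
            if not hmac.compare_digest(self._tag(rec), rec.get("tag", "")):
                return i
            prev = rec["tag"]
        return None

    def head(self) -> str:
        """The latest tag. Store it outside the logging system (e.g. with the audit
        team) so that truncation of the newest records is detectable as well."""
        return self.records[-1]["tag"] if self.records else self.GENESIS


if __name__ == "__main__":
    log = ChainedAuditLog(b"constructed-demo-key")
    log.append(1000, "alice", "LOGON_SUCCESS")
    log.append(1001, "bob", "PRIVILEGED_COMMAND")
    log.append(1002, "alice", "LOGOFF")
    print("intact:", log.verify())           # None
    log.records[1]["user"] = "mallory"       # simulated tampering
    print("after edit:", log.verify())       # 1
```

The caveat a reviewer should raise: the chain alone does not detect removal of the newest records, because the remaining prefix is still self-consistent. That is why `head()` exists; the current tag has to be anchored somewhere the log writer cannot reach.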

4 CONFIGURATION MANAGEMENT

Basic Security Requirements:

4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Derived Security Requirements:

4.3 Track, review, approve/disapprove, and audit changes to information systems.

4.4 Analyze the security impact of changes prior to implementation.

4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

4.9 Control and monitor user-installed software.

5 IDENTIFICATION AND AUTHENTICATION

Basic Security Requirements:

5.1 Identify information system users, processes acting on behalf of users, or devices.

5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Derived Security Requirements:

5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

5.5 Prevent reuse of identifiers for a defined period.

5.6 Disable identifiers after a defined period of inactivity.

5.7 Enforce a minimum password complexity and change of characters when new passwords are created.

5.8 Prohibit password reuse for a specified number of generations.

5.9 Allow temporary password use for system logons with an immediate change to a permanent password.

5.10 Store and transmit only encrypted representation of passwords.

5.11 Obscure feedback of authentication information.

6 INCIDENT RESPONSE

Basic Security Requirements:

6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Derived Security Requirements:

6.3 Test the organizational incident response capability.

7 MAINTENANCE

Basic Security Requirements:

7.1 Perform maintenance on organizational information systems.

7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Derived Security Requirements:

7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.

7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the information system.

7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.

8 MEDIA PROTECTION

Basic Security Requirements:

8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.

8.2 Limit access to CUI on information system media to authorized users.

8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.

Derived Security Requirements:

8.4 Mark media with necessary CUI markings and distribution limitations.

8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

8.7 Control the use of removable media on information system components.

8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.

8.9 Protect the confidentiality of backup CUI at storage locations.

9 PERSONNEL SECURITY

Basic Security Requirements:

9.1 Screen individuals prior to authorizing access to information systems containing CUI.

9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Derived Security Requirements: None.

10 PHYSICAL PROTECTION

Basic Security Requirements:

10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

10.2 Protect and monitor the physical facility and support infrastructure for those information systems.

Derived Security Requirements:

10.3 Escort visitors and monitor visitor activity.

10.4 Maintain audit logs of physical access.

10.5 Control and manage physical access devices.

10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).

11 RISK ASSESSMENT

Basic Security Requirements:

11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.

Derived Security Requirements:

11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.

11.3 Remediate vulnerabilities in accordance with assessments of risk.

12 SECURITY ASSESSMENT

Basic Security Requirements:

12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.

12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.

12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Derived Security Requirements: None.

13 SYSTEM AND COMMUNICATIONS PROTECTION

Basic Security Requirements:

13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

Derived Security Requirements:

13.3 Separate user functionality from information system management functionality.

13.4 Prevent unauthorized and unintended information transfer via shared system resources.

13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.

13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

13.10 Establish and manage cryptographic keys for cryptography employed in the information system.

13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

13.13 Control and monitor the use of mobile code.

13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

13.15 Protect the authenticity of communications sessions.

13.16 Protect the confidentiality of CUI at rest.

14 SYSTEM AND INFORMATION INTEGRITY

Basic Security Requirements:

14.1 Identify, report, and correct information and information system flaws in a timely manner.

14.2 Provide protection from malicious code at appropriate locations within organizational information systems.

14.3 Monitor information system security alerts and advisories and take appropriate actions in response.

Derived Security Requirements:

14.4 Update malicious code protection mechanisms when new releases are available.

14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

14.6 Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

14.7 Identify unauthorized use of the information system.

NIST 800-171 SECURITY FAMILIES (14, DERIVED FROM 800-53) AND THE CORRESPONDING NIST 800-53 R4 SECURITY FAMILIES

NIST 800-171 Security Family          | NIST 800-53 R4 Security Family
--------------------------------------|-----------------------------------------------
Access Control                        | Access Control
Awareness and Training                | Awareness and Training
Audit and Accountability              | Audit and Accountability
Configuration Management              | Configuration Management
(Not required by NIST 800-171)        | Contingency Planning
Identification and Authentication     | Identification and Authentication
Incident Response                     | Incident Response
Maintenance                           | Maintenance
Media Protection                      | Media Protection
Personnel Security                    | Personnel Security
Physical Protection                   | Physical Protection and Environmental Protection
(Not required by NIST 800-171)        | Planning
(Not required by NIST 800-171)        | Program Management
Risk Assessment                       | Risk Assessment
Security Assessment                   | Security Assessment and Authorization
System and Communications Protection  | System and Communications Protection
System and Information Integrity      | System and Information Integrity
(Not required by NIST 800-171)        | System and Services Acquisitions

The CUI security requirements were developed, and federal agencies work with nonfederal entities, on the following expectations:

  • Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
  • Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
  • Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
  • Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.


Online Internal Auditor Training Course Updated

We have updated the ‘online version’ of our Internal Auditor Training Course. This course is applicable to many ISO Management Systems, including:

  • AS9100, AS9120
  • ISO 9001
  • ISO 13485
  • ISO 14001
  • ISO/TS 16949
  • ISO 17025
  • ISO 18000
  • ISO 22000
  • ISO 22301
  • ISO 27001

Some of the Learning Objectives of this Course

  • Learn how to create an environment where management and staff members (employees) fully appreciate the value of internal audits in the continual improvement of their organization, which will also contribute to their success.
  • Learn easy-to-use methods for audit preparation to enable you to develop a more effective approach to process auditing.
  • Learn easy-to-use audit techniques that can enable you to discover findings that will genuinely contribute to the success of the organization.
  • Learn additional techniques for conducting the audit in a way that taps into the expertise of the auditee (management, staff members or employees) and finds those opportunities for improvement that may result in an important return on investment.
  • Learn an approach to reporting non-conformance and to report internal audit results in a way that encourages timely and effective corrective actions.

This course has 5 Learning Modules:

  1. Introduction to Internal Auditing of Management Systems
  2. Basics of Process Auditing
  3. Preparing for an Internal Audit
  4. Performing the Audit
  5. Reporting the Audit

Also, this Internal Auditor Course includes an option to take a learning confirmation quiz, which contains 100 True or False Questions.

  • The course Certificate of Achievement requires a minimum score of 80% and you may have only one opportunity to complete the quiz.
  • Participants that attain a score of less than 80% on the final course quiz shall be issued a Certificate of Completion.

This course includes Auditor Templates and Tools

  • Template for creating a Turtle Diagram for Process. (Word.docx file)
  • Template for creating an Audit Action List of Corrective Action Request written during the Audit. (Word.docx file)
  • Template for creating a Journal of Required Records (ISO9001:2008 & ISO13485:2003 in the template). (Word.docx file)
  • License for QMSCAPA™ software for managing International Management Systems.

Complete the Course at your own pace

  • There is no course completion deadline. (Course price: $300.)
  • Download our Internal Auditor Learning Guide for offline studying.
  • Take the final quiz for certification online when you are ready.
  • The course and the quiz take approximately 4 hours to complete.


ISO 13485 Auditor Training Slated for Anaheim, California

For Internal Auditors (4 Days) and Certified Lead Auditors (4 1/2 Days)

This comprehensive course enables participants to develop the necessary expertise to audit a Quality Management System (QMS) based on ISO 13485:2003 and to manage a team of auditors by applying widely recognized audit principles, procedures and techniques. During this training, the participant will have an opportunity to acquire the necessary knowledge and skills to proficiently plan and perform internal and external audits in compliance with the certification process of the ISO 19011 and ISO 17021 standards.

Based on practical exercises, the participant will have an opportunity to develop the skills (mastering audit techniques) and competencies (managing audit team and audit program, communicating with customers, conflict resolution, etc.) necessary to efficiently conduct an audit of a Quality Management System for Medical Devices. The daily agenda of the Class appears below.

Lead Auditor Certification Examination and Registration by the Professional Evaluation and Certification Board (PECB), an ANSI Accredited Program for Personnel Certification #1003.

Register as a Participant for the Internal Auditing or Lead Auditing Class:

Class                                                                               | Dates        | Location            | Class Fee
------------------------------------------------------------------------------------|--------------|---------------------|----------
ISO 13485 Internal Auditor Course, 4 Days (excludes PECB Certification Examination)  | July 13 – 16 | Anaheim, California | $1495.00
ISO 13485 Lead Auditor Course, 4 1/2 Days (includes PECB Certification Examination)  | July 13 – 17 | Anaheim, California | $1995.00

Who should attend?

  • Auditors wanting to perform and lead Quality Management System (QMS) certification audits in the medical device industry
  • Expert advisors in Quality Management Systems
  • Internal auditors
  • Members of a quality team
  • Persons responsible for the quality or conformity in an organization
  • Project managers or consultants wanting to master the Quality Management System audit process
  • Regulatory affairs managers
  • Technical experts wanting to prepare for a Quality audit function in the medical device industry

Nationally Recognized Testing Laboratory: UL or CSA

The Canadian Standards Association (CSA) has recently been certified by the United States Occupational Safety and Health Administration (OSHA) as a Nationally Recognized Testing Laboratory (NRTL), just like Underwriters Laboratories (UL). Since both UL and CSA are now recognized by all US federal, state, provincial and local authorities to test and certify product safety in the U.S. and Canada, your products may carry either approval.

Evaluating and Scoring Suppliers

I have developed a prototype quality management Excel spreadsheet tool for evaluating, scoring and approving suppliers.

Be sure to join our Quality Managers User Group to download the Excel workbook and the work instructions, which are described below.


Jack T. Bogle, Managing Partner
abci-consultants.com

Supplier Evaluation & Scoring Calculator Log.xlsx

The following table describes the features in the Supplier Evaluation Excel Workbook, which is shown above.

  1. The Active Suppliers field is automatically tallied when a 1 or 0 is entered into Column A.
  2. A supplier can be marked active or inactive by entering a 1 or 0 into Column A.
  3. The Minimum Score Required to be APPROVED field is user-defined and means the minimum score needed to indicate an approved supplier.
  4. The Over-all Experience with a supplier is an average score of all suppliers.
  5. Enter up to 100 suppliers for evaluation.
  6. Enter the date of the last evaluation and the next evaluation date is automatically generated.
  7. If the (H) Supplier Score is less than the (C) Minimum Score Required to be APPROVED, then the (G) Approval Status automatically becomes ‘Not-approved’; otherwise the Status becomes ‘Approved’. The ‘Provisional’ column to the right of the Approval Status column is meant to indicate that a ‘Not-approved’ supplier may be used as needed.
  8. The average individual Supplier Score.
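The eight workbook rules above are spreadsheet formulas the reader cannot see. The following added example (written for this page; it is not ABCI's workbook or its code) restates them as plain Python so the approval logic can be checked: the active tally (items 1 and 2), the user-defined minimum score (item 3), the overall average across suppliers (item 4), the 100-supplier cap (item 5), the next evaluation date (item 6), the Approved/Not-approved decision with the separate Provisional flag (item 7) and the per-supplier average (item 8). The evaluation interval of 365 days and the minimum score of 7 are assumptions, as are the supplier names and ratings.

```python
"""Added example (not from the page, not ABCI's workbook): the Supplier Evaluation
& Scoring Calculator rules (items 1-8 above) written out as Python.
The evaluation interval, minimum score and sample suppliers are constructed values."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

MAX_SUPPLIERS = 100                        # item 5: the workbook holds up to 100 suppliers
EVALUATION_INTERVAL = timedelta(days=365)  # assumed: the workbook's offset is not stated


@dataclass
class Supplier:
    name: str
    active: bool                # column A: 1 = active, 0 = inactive (items 1 and 2)
    ratings: List[int]          # one 1..10 rating per evaluation criterion (survey scale)
    last_evaluation: date       # item 6
    provisional: bool = False   # item 7: a Not-approved supplier that may be used as needed

    def __post_init__(self) -> None:
        # The survey scale is 1 through 10; reject anything else at entry.
        if not self.ratings or any(not 1 <= r <= 10 for r in self.ratings):
            raise ValueError(f"{self.name}: ratings must be integers from 1 to 10")

    def score(self) -> float:
        """Item 8: the supplier's average individual criterion score (column H)."""
        return sum(self.ratings) / len(self.ratings)

    def approval_status(self, minimum_score: float) -> str:
        """Item 7: below the minimum is Not-approved, otherwise Approved (column G)."""
        return "Not-approved" if self.score() < minimum_score else "Approved"

    def next_evaluation(self) -> date:
        """Item 6: derived from the date of the last evaluation."""
        return self.last_evaluation + EVALUATION_INTERVAL


def evaluate(suppliers: List[Supplier], minimum_score: float) -> Dict:
    """Produce the summary fields and one row per supplier, as the workbook does."""
    if len(suppliers) > MAX_SUPPLIERS:
        raise ValueError(f"the workbook supports at most {MAX_SUPPLIERS} suppliers")
    rows = [
        {
            "name": s.name,
            "active": s.active,
            "score": round(s.score(), 2),
            "status": s.approval_status(minimum_score),
            "provisional": s.provisional,
            "next_evaluation": s.next_evaluation().isoformat(),
        }
        for s in suppliers
    ]
    # Item 4: the Over-all Experience field averages the scores of all suppliers.
    overall = sum(s.score() for s in suppliers) / len(suppliers) if suppliers else 0.0
    return {
        "active_suppliers": sum(1 for s in suppliers if s.active),   # item 1
        "minimum_score_required": minimum_score,                      # item 3
        "overall_experience": round(overall, 2),
        "rows": rows,
    }


# Constructed sample data; the names and ratings are not from the page.
SAMPLE = [
    Supplier("Alpha Metals", True, [8, 9, 7, 10, 8, 9, 8, 9, 8, 9], date(2015, 7, 1)),
    Supplier("Beta Plastics", True, [5, 6, 4, 7, 5, 6, 5, 6, 5, 6], date(2015, 3, 15), provisional=True),
    Supplier("Gamma Coatings", False, [7] * 10, date(2014, 11, 30)),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE, minimum_score=7.0)["rows"]:
        print(row)
```

Note that, as item 7 describes, the Provisional flag does not change the computed status; it is a separate marker on a supplier whose status is still Not-approved.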

Supplier Evaluation & Scoring Calculator Log.xlsx

(not within the print area)

The image below shows the Excel columns not intended for printing.

  1. The Supplier Evaluation Criteria should be entered into row 1, columns G1 through Q1.
  2. The over-all average score and the average score for each supplier is displayed on row 2, columns G1 through Q1.
  3. Section (C) shows the individual scores for each supplier.
  4. Section (D) shows the individual criteria score for each supplier.

A Supplier Evaluation form is located in the Excel Workbook, Supplier Form tab/worksheet.


Supplier Name

Contact:

Email:

Phone:

Evaluation Completed by:

Date:

Complete the survey below to provide an evaluation of the supplier, using a scale of 1 through 10: a 1 indicates that you are very dissatisfied with the supplier, a 5 indicates indifference and a 10 indicates that you are very satisfied.

Rating key: 1 = Very Dissatisfied – 5 = Neutral – 10 = Very Satisfied. Enter one rating per component:

  1. Rate your experience with the supplier’s Sales personnel. Were the personnel prompt, professional, and courteous?
  2. Rate your experience with the receipt of orders. Are orders correct as ordered?
  3. Rate your experience with on-time delivery. Did you receive the product on-time as expected?
  4. Rate your impression of the quality of the product ordered.
  5. Rate your impression of the value received for the product ordered.
  6. Rate your experience with the packaging and intact delivery condition.
  7. Results of Supplier Quality Survey.
  8. Rate the experience with the supplier’s Customer Services. Were the personnel prompt, professional, and courteous?
  9. Rate your experience with the product realization compared to product specification.
  10. Rate your over-all experience with doing business with the supplier. Would you recommend this supplier to others for the products and experience that you have received?

TOTAL RATING:

Status:  √ Approved  √ Provisional  √ Not-Approved

I certify that the above described supplier has been actively supplying products and/or services for at least 6 months, and their quality performance has been satisfactory. This certification is based on my personal knowledge of the supplier’s performance as reflected in the above over-all rating.

Approved by:
Job Title:
Approval Date:


Is AS9003-A an alternative to AS9100-C as a Quality System for small non-complex aerospace businesses?

The AS9003-A Standard states that AS9003 is an “inspection and test quality system” for the aerospace industry by the America’s Aerospace Quality Group (AAQG), an industry organization made up of representatives from leading aerospace companies in both North and South America and sponsored by the Society of Automotive Engineers (SAE) International.

The AS9003 Standard has been revised using AS9100:2009 as the baseline document. AS9100:2009 requirements are applicable to noncomplex products and manufacturing processes, which have been incorporated into this standard and modified, as necessary, to reflect the intent of this standard.

AS9003 standardizes, to the greatest extent possible, inspection and test quality system requirements for suppliers that provide noncomplex products. Within the AS9003 Standard, the term “inspection and test quality system” is referred to as quality system.

The globalization of the aerospace industry and the resulting diversity of regional and national requirements and expectations have complicated quality objectives, which include:

  • To assure customer satisfaction, aviation, space, and defense organizations must produce, and continually improve safe, reliable products that meet or exceed customer, and applicable statutory and regulatory requirements.
  • Organizations have the challenge of purchasing products from suppliers throughout the world and at all levels of the supply chain. Suppliers have the challenge of delivering products to multiple customers having varying quality requirements and expectations.

The General SCOPE of AS9003A states that the standard includes selected quality system requirements from ISO 9001:2008 and AS9100:2009 applicable to noncomplex products and associated manufacturing processes. The requirements of the AS9003A standard are intended to be applied in whole, without any exclusions.

Compliance with all corresponding AS9100 requirements is considered to meet/exceed compliance with the requirements of this standard. Therefore, the requirements specified in this standard are “complementary (not alternative) to contractual and applicable statutory and regulatory requirements”.

Also, the process approach described in ISO 9001 and AS9100 applies to this standard.

The following outline is from the AS9003A Standard. Those familiar with ISO 9001:2008 will notice many similarities.

4.0 INSPECTION AND TEST QUALITY SYSTEM
  4.1 General Requirements
  4.2 Documentation Requirements
    4.2.1 Quality Manual
    4.2.2 Control of Documents
    4.2.3 Control of Records

5.0 MANAGEMENT RESPONSIBILITY
  5.1 Management Representative

6.0 RESOURCE MANAGEMENT
  6.1 Human Resources
  6.2 Work Environment

7.0 PRODUCT REALIZATION
  7.1 Planning of Product Realization
    7.1.1 Configuration Management
  7.2 Customer-Related Processes
  7.3 Design and Development (Excluded by the Standard)
  7.4 Purchasing
    7.4.1 Purchasing Process
    7.4.2 Purchasing Information
    7.4.3 Verification of Purchased Product
  7.5 Production
    7.5.1 Control of Production
      7.5.1.1 Production Process Verification
      7.5.1.2 Control of Production Process Changes
    7.5.2 Identification and Traceability
    7.5.3 Preservation of Product
  7.6 Control of Monitoring and Measuring Equipment

8.0 MEASUREMENT, ANALYSIS, AND IMPROVEMENT
  8.1 Monitoring and Measurement of Product
  8.2 Control of Nonconforming Product
  8.3 Corrective Action
  8.4 Internal Audit

Once again, AS9003-A is very similar to ISO 9001:2008 with some key factors from AS9100, which makes a robust quality management system framework. Therefore, one could make the case that AS9003-A is a viable alternative to AS9100 as a Quality Management System.

Jack T. Bogle, Managing Partner
Access Business Communications, Inc.
International Management Systems
16835-236 Algonquin Street
Huntington Beach, CA 92649
(800) 644-2056

How do you Plan, Schedule and Record Training Effectiveness

We all know the importance of planning, scheduling and executing an effective personnel training program for the continual improvement of quality and customer satisfaction. When discussing the planning, scheduling and execution of training, the question often comes up: “how do you track personnel training and its effectiveness?”

The answers are many and varied, and include the use of spreadsheets, paper forms, calendars and databases. The question and the answers prompted me to explore an effective and efficient semi-automated solution.

Therefore, inside QMSCAPA I have published an example of how one can setup and manage a plan and schedule for personnel training, which includes a method of recording the training results and effectiveness.

I view training as “three dimensional”, which involves:

  • People to be trained;
  • Training Programs or Courses;
  • A schedule of Training Programs or Courses and the enrolled students.

Therefore, in order to construct an easy-to-use and effective training module inside QMSCAPA, I created the following relational databases:

  • A list of personnel and instructors;
  • A list of training places;
  • A list of Training Programs, which includes a list of the elements of each course;
  • A list of Training Programs that are planned, which includes a list of the personnel that are enrolled.

These interrelated databases allow me to report:

  • A detailed list of Training Programs and elements;
  • A detailed list of Training that is planned, scheduled and completed;
  • A detailed list of Personnel that are enrolled in Training Programs and the results of the training.
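As an added illustration (not QMSCAPA's own code or schema), the four lists above expressed as a small relational schema in Python with sqlite3, loaded with constructed records and queried for the enrolment-and-results report; the table and column names are assumptions.

```python
import sqlite3

# Hypothetical schema for the four lists above (table and column names are
# assumptions, not QMSCAPA's own design).
SCHEMA = """
CREATE TABLE personnel (id INTEGER PRIMARY KEY, name TEXT, instructor INTEGER);
CREATE TABLE place (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE program (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE element (program_id INTEGER REFERENCES program(id), seq INTEGER, topic TEXT);
CREATE TABLE session (id INTEGER PRIMARY KEY, program_id INTEGER REFERENCES program(id),
    place_id INTEGER REFERENCES place(id), instructor_id INTEGER REFERENCES personnel(id),
    scheduled TEXT, completed TEXT);
CREATE TABLE enrollment (session_id INTEGER REFERENCES session(id),
    person_id INTEGER REFERENCES personnel(id), result TEXT, effective INTEGER);
"""


def build_db():
    """Create an in-memory database loaded with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?)",
                     [(1, "A. Smith", 1), (2, "B. Jones", 0), (3, "C. Lee", 0)])
    conn.execute("INSERT INTO place VALUES (1, 'Training Room 1')")
    conn.execute("INSERT INTO program VALUES (1, 'Control of Nonconforming Product')")
    conn.executemany("INSERT INTO element VALUES (?, ?, ?)",
                     [(1, 1, "Identification"), (1, 2, "Segregation"), (1, 3, "Disposition")])
    # One session already held and one still planned (no completion date yet).
    conn.executemany("INSERT INTO session VALUES (?, ?, ?, ?, ?, ?)",
                     [(1, 1, 1, 1, "2013-03-04", "2013-03-04"),
                      (2, 1, 1, 1, "2013-06-10", None)])
    # Result and effectiveness are recorded per enrolled person once the session is held.
    conn.executemany("INSERT INTO enrollment VALUES (?, ?, ?, ?)",
                     [(1, 2, "Pass", 1), (1, 3, "Retrain", 0), (2, 3, None, None)])
    return conn


def enrollment_report(conn):
    """Personnel enrolled in each planned or completed program, with their results."""
    return conn.execute("""
        SELECT pr.title, s.scheduled,
               CASE WHEN s.completed IS NULL THEN 'planned' ELSE 'completed' END,
               pe.name, e.result, e.effective
        FROM enrollment e
        JOIN session s ON s.id = e.session_id
        JOIN program pr ON pr.id = s.program_id
        JOIN personnel pe ON pe.id = e.person_id
        ORDER BY s.scheduled, pe.name""").fetchall()
```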

To see this software module in action, download QMSCAPA from ABCI-Software.

The hyperlink is http://qmscapa.abci-software.com; look for the Download QMSCAPA Software menu option on the left side.

Of course, your questions and feedback are always welcome!

Jack Bogle, Managing Partner

Access Business Communications, Inc.
International Management Systems
16835-236 Algonquin Street
Huntington Beach, CA 92649
+1 800 644 2056

Customer Satisfaction Survey

We are all familiar with Clause and Paragraph 7.2.3:

7.2.3 Customer Communication
Identify and establish methods for communication with customers relating to:
  • Product information
  • Inquiries, contracts or order handling including amendments
  • Customer feedback, including complaints

The organization must determine what processes are in place to communicate with clients.

Examples:
  • How does sales get information on customer requirements?
  • How are changes communicated to clients?
  • What system(s) are used for client satisfaction and dissatisfaction data collection?

Survey Example

In the example below, 10 questions rated on a scale of 1 to 10 are used to cover a broad range of customer satisfaction topics. A scale of 1 to 10 is preferred over a scale of 1 to 5 or anything shorter because a customer may wish to rate their impression slightly below the top mark. A rating of 9 out of 10 therefore reads better than a rating of 4 out of 5 (i.e., an A- vs. a B-).

We would like to know what you think of our products and services. Please complete this short survey to provide us with feedback. Using a scale of 1 through 10; a 1 would indicate that you are very dissatisfied with the work product, a 5 would indicate indifference and a 10 would indicate that you are very satisfied.

Component Rating Key: 1 = Very Dissatisfied – 5 = Neutral – 10 = Very Satisfied

  1. Rate your experience with our Sales personnel. Were our personnel prompt, professional, and courteous? Rate your impression >
  2. Rate your experience with the receipt of your order. Was your order correct as ordered? Rate your impression >
  3. Rate your experience with on-time delivery. Did you receive the product on-time as expected? Rate your impression >
  4. Rate your impression of the quality of the product ordered. Rate your impression >
  5. Rate your impression of the value received for the product ordered. Rate your impression >
  6. Rate your experience with our packaging and intact delivery condition. Rate your impression >
  7. Rate your experience with our product documents. We upload and publish all product documentation to our web site http://www.abci-consultants.com; navigate to the ‘download’ option. Rate your impression >
  8. Rate the experience with our Customer Service representatives. Were our personnel prompt, professional, and courteous? Rate your impression >
  9. Rate your experience with the ease of installation, use and serviceability of our products. Rate your impression >
  10. Rate your overall experience with doing business with us. Would you recommend us to others for the products and experience that you have received? Rate your impression >

QUESTIONNAIRE TOTAL RATING:

Comments:
 
 
 

Please forward the completed survey to: Jack T. Bogle, Manager of Quality Systems
Access Business Communications, Inc.
16835-236 Algonquin Street
Huntington Beach, CA 92649
Phone: 800-644-2056
Fax: 714-442-9994
Email: jacktbogle@abci-consultants.com

Download the Customer Satisfaction Survey template (Word) and calculator log (Excel).

On-time Delivery Calculator

On-time delivery is an important metric that an effective Quality Management System must include. Measuring and monitoring on-time delivery is an important quality metric for all ISO 9001:2008-based Quality Management Systems, and it is required for AS9100, TL9000 and TS16949.

I have created a simple EXCEL sheet for measuring and monitoring on-time delivery.

In this simple example workbook, the first worksheet is set up to be the Dash Board, which shows the key elements needed to derive the On-Time Delivery % from each annual shipping log (i.e., the 2012 Log worksheet table that appears at the bottom of the workbook).

The worksheet protection password is ‘abci’.

Dash Board characteristics

  • Row 1 contains the metrics and the column labels. Updating this row will also update the column labels on each annual log.
  • Row 3 is a summary average of all years.
  • Column B shows the total active shipments.
  • Column N is the cumulative number of late days.
  • Column O shows the number of late shipments.
  • Column P shows the On-Time Delivery %.

Annual / Year Log characteristics

  • The metrics on Row 1 are derived from the Dash Board.
  • Row 3 contains protected cells for the total shipment count (A3), # late days (M3), Late Shipments (N3) and On-Time % (O3).
  • Column A must have a 1 to activate the record and count it in the total orders.
  • Column B is the person who sold or negotiated the Ship By Date, which should be set from your customer's ‘need by date’.
  • Column C is the ‘Ship by Date’ that is compared to the ‘Shipped Date’ in Column L.
  • Column D is the customer name or customer reference number.
  • Column E is the order #.
  • Column G is used as a divider between Sales & Shipping.
  • Column H is the Id of the packer.
  • Column I is the Packing Date.
  • Column J is the Invoice #.
  • Column K is the Shipped By, or person shipping.
  • Column L is the Carrier Id.
  • Column M is the ‘Shipped Date’. If the Ship By Date is equal to the Shipped Date, then your shipment to your customer should theoretically be ‘on-time’.
  • Column M counts the number of late days.
  • Column N counts the number of late shipped orders.
  • Column O, Row 3 displays the ‘On-Time %’.
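An added example, not the author's workbook, that computes the same Row 3 figures from constructed log rows in Python: late days per order, the late-shipment count and the On-Time %, counting only rows whose active flag is 1. The all-years function assumes the Dash Board averages the yearly percentages; the field names are assumptions too.

```python
from datetime import date

# Constructed shipping-log rows modelled on the annual log described above:
# the active flag (column A), order number, 'Ship by Date' and 'Shipped Date'.
# Field names are assumptions; other columns of the sheet are omitted.
SHIPPING_LOG_2012 = [
    {"active": 1, "order": "1001", "ship_by": date(2012, 1, 9),  "shipped": date(2012, 1, 9)},
    {"active": 1, "order": "1002", "ship_by": date(2012, 1, 12), "shipped": date(2012, 1, 16)},
    {"active": 1, "order": "1003", "ship_by": date(2012, 2, 3),  "shipped": date(2012, 2, 1)},
    {"active": 0, "order": "1004", "ship_by": date(2012, 2, 20), "shipped": date(2012, 2, 28)},
    {"active": 1, "order": "1005", "ship_by": date(2012, 3, 5),  "shipped": date(2012, 3, 6)},
]
SHIPPING_LOG_2013 = [
    {"active": 1, "order": "2001", "ship_by": date(2013, 1, 2), "shipped": date(2013, 1, 2)},
]


def late_days(row):
    """Days the order shipped after its Ship by Date; early or same-day counts 0."""
    return max(0, (row["shipped"] - row["ship_by"]).days)


def annual_summary(log):
    """Row 3 of an annual log: active count, late days, late shipments, On-Time %.

    Only rows whose active flag is 1 are counted (row 1004 above is ignored).
    A log with no active rows reports 0 % instead of dividing by zero.
    """
    active = [r for r in log if r["active"] == 1]
    total = len(active)
    late = [r for r in active if late_days(r) > 0]
    on_time_pct = round(100.0 * (total - len(late)) / total, 1) if total else 0.0
    return {"total_shipments": total,
            "late_days": sum(late_days(r) for r in active),
            "late_shipments": len(late),
            "on_time_pct": on_time_pct}


def all_years_summary(logs):
    """Dash Board row 3: counts summed over all annual logs, with the On-Time %
    taken as the mean of the yearly percentages (an assumption about the sheet)."""
    years = [annual_summary(log) for log in logs]
    pooled = {k: sum(y[k] for y in years)
              for k in ("total_shipments", "late_days", "late_shipments")}
    pooled["on_time_pct"] = (round(sum(y["on_time_pct"] for y in years) / len(years), 1)
                             if years else 0.0)
    return pooled
```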

We hope you enjoy our Quality On-time Delivery Calculator. If you have an improvement, please share your version with us.

Thank you,

Jack Bogle, President
Access Business Communications, Inc.
International Management Systems
16835-236 Algonquin Street
Huntington Beach, CA 92649
 
abci-consultants.com
abci-software.com
(800) 644-2056
 