Clause 8.5.2 Identification and Traceability (revealed)

It would be a little disconcerting to have a delivery to your business that contained no means of identification. In a service industry, how would you trace a critical maintenance activity without an identifiable service record? Imagine the scenario of drugs being administered on a hospital ward without a record of what the drug was, how much was administered and by whom. In a situation where you might encounter non-conforming outputs, you might need to trace certain materials back to the delivery or consignment number. Certain traceability requirements might involve being able to trace materials through their life cycle from extraction from the ground through to their arrival at your organisation.

It would be a very rare situation where at least some form of traceability was not a requirement. In fact, so rare that I can’t think of an example. Differing levels of traceability will be required depending upon the internal requirements of your organisation, the requirements of your customers, and any statutory or regulatory requirements. Regulatory requirements are found in many industries including aviation, transportation, food and medical devices etc. and would be considered high-risk. Identification methods will vary and could include but are not limited to:

  • Unique identifiers for electronic documentation.
  • A bar code.
  • A manufacturer’s part number displayed on a label.
  • A physical sign containing dates and times.
  • A label containing an electronic data microchip.
  • Product brand name.
  • A global trade identification number (GTIN) such as EANs or ISBNs etc.

Verification Status

Clause 8.6 of ISO 9001:2015 focuses on the release of products and services, clause 8.7 is focused on the control of non-conforming outputs and in clause 9.1 you will find requirements for monitoring, measuring and analysis. These clauses are there to ensure that you have processes for verifying the conformance of products and services. Does the product or service meet the requirements of the customer and the design specifications? Your goal is to verify that all products or services are correct before they are delivered. Unfortunately, mistakes can and will occur but you have to try and keep mistakes to a minimum wherever possible. You can achieve product or service verification by:

  • Performing inspections and internal audits at various points during manufacturing or service delivery and maintaining the inspection records.
  • Release records that indicate final inspections before product or service delivery.
  • Records of inspection during the transportation of products.
  • Records that indicate the acceptance of a product or service by the customer.
  • Labels attached to products that indicate inspection results.
  • Signs and labels that indicate the delivery of a service such as a label that indicates a machine inspection or maintenance activity.

Product Verification and Traceability

When manufacturing products, it might be a requirement that you can trace every aspect of the product including:

  • All of the materials used.
  • How and when the materials were changed.
  • What the machines were that manufactured the product.
  • When the machines were serviced and maintained.
  • Who performed the maintenance.
  • Who operated the machines.
  • Who performed the inspections and testing.
  • Who performed the packing.
  • When and how the product was delivered.
  • Who received the product.

As mentioned earlier, this involves many unique identifiers such as labels, barcodes, product codes and physically signed records etc. Performing verification and traceability for the whole of a product or service lifecycle from materials extraction to final delivery to the customer (or landfill) is sometimes referred to as two-way traceability. This is not a requirement of ISO 9001:2015 but may be a requirement from the customer, a regulator or your internal processes.

Service Verification and Traceability

For service delivery, verification happens at the design stages and at the point of delivery. For example, a cleaning contract might be for general office type cleaning or highly specialised cleaning of critical machine parts used for a satellite. As you can imagine, the design specifications for the service delivery would be very different and require vastly different verification activities. For the office cleaning, a simple sign-off sheet that indicates who performed the cleaning and when it took place would be sufficient. Random inspections of the cleaning activities against the requirement criteria would then be used to verify the status of service delivery. Traceability of certain cleaning products might be required as part of the design specification requirements for the contract in environments such as hospitals etc.

8.5.3 Property Belonging to Customers or External Providers

Do you have property that is under your control but does not belong to you? If so, then this clause applies to you. The clause intends to ensure that this type of property is protected while it is in your control. I once sent off a mobile phone for repair under a guarantee. The repair service arranged for a courier to collect the phone. Whilst the phone was in transit, it got lost. The service company tried to absolve themselves of any responsibility until I reminded them that they arranged for the collection of the phone, not me. While my goods (phone) were under their control, they were responsible for them, not me. I eventually received a new phone after many weeks of communication and a threat of using a small claims court (UK). Another common example might be when you take your car in for an annual service only to find that it has been scratched upon its return.

Customer property refers to items that are incorporated into or used for the production of products or services such as a photograph to be framed or a music CD-ROM used during a wedding service. External provider property refers to items such as equipment that you might hire or the personal data of customers stored during a sales order. ISO 9001:2015 requires that you ‘exercise care’ while handling property belonging to customers or external providers. This is open to a little interpretation but I would interpret it as ensuring the property is not lost, damaged or stolen. How do we achieve this and what are the steps that we might take? ISO 9001:2015 requires that you perform the following:

Property Identification

Is it obvious to all interested parties to whom the property belongs? Although in most cases this might be easily understood, it’s best not left to chance. We have already discussed the various ways in which a product can be identified and traced should it be required, and you can use the same approach with property that does not belong to you. Using visible labels that indicate ownership is the most obvious approach with a physical product.

Property Verification

Have you ever hired a car? If you have then you will be familiar with the formal release inspection and verification that the vendor performs with you that establishes the condition of the car. Should the car be returned with a scratch that was not present during release, you are likely to receive quite a large bill for repair. As I’m sure you are already aware, during the initial inspection of the car be sure to record a video on your camera phone that captures the vehicle’s current status. Also, ensure that the vendor is aware that you are performing this video capture and try to include them in the video whilst stating the time and date. If this sounds like I’m speaking from personal experience, you would be correct.

Property Protection

As mentioned earlier, you are being asked to ensure that property belonging to customers or external providers does not get damaged, lost or stolen. Certain products might require special storage conditions whilst in your care such as:

  • Temperature control.
  • Humidity control.
  • Protection from light.
  • Protection from vibration.
  • Protection from dirt and dust.
  • Protection from theft.

Intellectual property such as personal data has gained special status and regulation since the introduction of the General Data Protection Regulations 2018 (Europe):

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
(Source: GDPR.EU)

Lost, Damaged or Unsuitable Property

Should property belonging to a customer or external provider be lost, damaged or rendered unsuitable for use, do you have a process that is designed to deal with this? This process must be triggered quickly and without undue delay. Fast communication with the property owner should happen first. The process should then establish:

  • What has occurred; loss or damage etc.
  • When the event occurred.
  • How did it happen; root-cause investigation.
  • Who was involved?
  • What are the consequences?
  • How to quickly correct the situation.
  • How to update the management system and contribute to the continual learning process.

It would be best practice to maintain records of your communications with the customer. Although it is not strictly a requirement of this clause, it wouldn’t be wrong to suggest that it might be a requirement of your communications strategy as required for clause 7.4.

For Auditors:

  • Check to see if a process exists for the identification of products and services.
  • Investigate some samples of identification and traceability.
  • Check the corrective actions log if any errors have occurred and how they contributed to continual improvement.
  • Check the identification of product samples and how they could be traced both forward and backwards if required.
  • Check how service delivery is verified for conformance to requirements.
  • Check that a process exists for handling customer or externally provided property.
  • Check the corrective actions log if any errors have occurred concerning customer property and how they contributed to continual improvement.

Questions that I will answer in future articles:

  • How does ISO define traceability?
  • What is traceability in QMS?
  • What is the purpose of traceability?
  • How long must traceability records be held?
  • Is traceability a legal requirement?
  • What is customer property in ISO 9001?
  • What is an external provider in ISO?
  • What are post-delivery activities?
  • What are external providers?
  • What is an internal service provider?

(c) All content is copyrighted to ISO Training UK – All rights reserved 2022.

Author Bio

Paul Ingram has over 15 years of experience working in quality, health and safety and environmental management. Specialising as a trainer, he has provided training to thousands of delegates for small and multi-national businesses across the globe. A specialist in management system training and able to design and deliver courses for ISO 9001, 45001 & 14001. This includes implementation, Introduction, Internal Auditor, Lead Auditor, Remote Auditing, Management Brief and many more. For more information about booking a course visit: ISO Training & Consultancy
