Mark Hammar There can be confusion with clause 8.5.3 of ISO 9001:2015, which discusses property belonging to customers or external providers, especially for software. When creating your Quality Management System (QMS), what software is included in the requirements of clause 8.5.3, and what software is excluded? Here is some information to help you find the right answers.
What does the standard say in clause 8.5.3?
Clause 8.5.3 (Property belonging to customers or external providers), is all about handling property that is given to you to use, but that does not belong to you. This property is anything that is provided for you to use with, or incorporate into, your products and services. Clause 8.5.3 instructs you to be careful with the property given to you, meaning you need to identify, verify, protect, and safeguard the property while you manage it. Further, if it is lost, damaged, or unsuitable for use, you need to report this to the customer or external provider and keep records of the response.
The clause includes a note with an explanation of what external providers’ property can be, and includes materials, components, tools and equipment, premises, intellectual property, and personal data. So, in short, if you are using anything that belongs to another organization, you need to follow the good standard practices of clause 8.5.3.
This is easy to understand if your customer provides you with a physical piece of hardware to install into your final product, or if a supplier gives you a piece of test equipment to individually verify their material when it is at your facility. It is also easy to see that if you are at a customer’s premises to perform a test and they give you a room to use, you will need to take care of their facility. It is also clear that you’ll need to be careful with any confidential information provided by a customer or supplier. Where does this leave us with software?
What software is included in clause 8.5.3?
Software can be one of the pieces of property that are provided by a customer or external provider, but what would qualify to meet these criteria? Consider the following types of software that should be included under clause 8.5.3:
- Software that a customer provides for you to install onto an electronic assembly
- Software provided by a supplier to perform a final test on their product that could not be performed at their facility
- Software provided by a customer to perform a specific test, usually proprietary software
- Software provided by a supplier to perform a test of their product after it is installed
- Software provided by a customer for use in testing a design requirement
- Software provided by a supplier to verify a test previously performed by them
So, any software that your company does not own needs to be controlled per the process for clause 8.5.3. Some of this control may be handled using other processes in your system as well. For instance, if a piece of software provided by your customer to be installed on your electronic product doesn’t work, this is a nonconforming material. When you fix this problem, you will use your non-conforming material process. However, the customer will be more involved than they might be for other problems you have with your products.
What software is excluded from clause 8.5.3?
Of course, not all software that can affect the quality of your end product or service is controlled under clause 8.5.3. Here are some types of software that are not included, and what process controls this software:
- Software that you develop and supply as part of your product or service (Control of product and service provision)
- Software that you buy from a supplier to install on your product or service (externally provided product)
- Software that you use to design your product or service (externally provided product)
- Software used in your product testing area (Control of monitoring and measuring resources)
- Software used to control your production facility (Control of product and service provision)
If you have acquired the software yourself for use in your facility, then clause 8.5.3 does not apply to that software.
How can you know what software to include?
Clause 8.5.3 is about providing due care for property (including software) that is provided for you to use. So, the end decision about controlling this software per clause 8.5.3 comes down to the obligations you have agreed on for the software. Have you made agreements to not share the input with other organizations, such as intellectual property agreements? If you have an obligation to control software that is provided by someone else, then it is clear that the controls in clause 8.5.3 of ISO 9001:2015 apply. So, ensure that you know the obligations that you have for the software that you use.
To implement ISO 9001 easily and efficiently, use our ISO 9001 Premium Documentation Toolkit that provides step-by-step guidance and all documents for full ISO 9001 compliance.
