Search results

Determining product safety characteristics

Product safety characteristics affect product design and/or production process design.

The issue of product safety is related to special characteristics and product safety characteristics are very important for the design and production of products. These important requirements are determined during the product and production design process. For example, material hardness and tensile stress are very important safety characteristics for the durability of brake parts. These characteristics come from product design specifications, product drawing, and design FMEA.

In addition, the hardness of the material is also affected by the heat treatment conditions in production, production parameters such as temperature and time. Thus, production parameters such as temperature and time of heat treatment are the subject of product safety and they are also special characteristics related to safety for brake parts. Another example is the tightening torque amount for seat manufacturing and seat assembly process. Screw tightening torque is also safety characteristics and can be affected by the wrong set up of production or not calibration of torque meter, both of the causes may come from the production process.

Critical characteristics of the product and production process; it is defined by legal regulations, security, and significant important critical characteristics.  All these characteristics have different symbols according to customer-specific requirements as (R/S, CC, SC)

All these characteristics, come from legal regulations, product drawings, product specifications, and production parameters that affect the health of production operators and the durability of the product. 

According to the IATF 16949 standard, Product Safety is relating to the design and manufacturing of products to ensure they do not represent harm or hazard to customers. As you know customers are regulations, end-users (driver and passenger), OEM plants, the other manufacturing plants, and production operators.  The customer should not be at risk of affecting the safety of the product. These special characteristics related to product safety is determined by regulation, product drawing, and which have to be monitored and controlled at the production point affecting the safety of the product.

All these requirements must be transferred via product drawing, material specification, DFMEA, PFMEA, Control Plan, etc to the entire supply chain, and the entire supply chain must comply with the product and production-specific characteristics for product safety.

For more information, please read the following article:

• Ensuring product safety according to IATF 16949  https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/ 

• Stakeholder requirements

  By different requirements you may mean opposite or even conflicting requirements. That is the root of strategic orientation. When an organization decides to specialize in serving a certain kind of customers it is also deciding not to serve another kind of customers. Of course, some interested parties have a particular power, the government may decide on laws that go against shareholders interests. Organizations must comply with laws and regulations and one can say that that it is a technical decision. All other decisions about priorities concerning interested parties are not technical, are a matter of strategic decision from top management. The more competitive is your market the more important is that decision. An organization with a strategic orientation will assume to be good in some things and not so good at others. For example, if an organization has a strategic orientation of being a very competitive low-price supplier it cannot be, at the same time, a very competitive supplier of innovative products and services.

  The following material will provide you information about strategic orientation:

  • ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
  • You can look for strategic orientation example in this link https://advisera.com/books/wp-content/uploads/sites/9/2017/09/Discover-ISO-9001-through-practical-examples-EN-LookInside.pdf
  • Free online training ISO 9001:2015 Foundations Course –https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• ISMS system

  1. We have put in place an isms system. We are yet to perform a gap assessment to evaluate how far we have progressed in the journey. To me, this is the time ( prior to gap assessment and then certification) to assess how much of what we have written is applicable i.e of relevance in context to changing business requirements, to organization appetite for investment, and then amend the isms to appear more practical.
  Does the above mentioned is relevant?

  Considering your stated status, I think you are referring to internal audit instead of gap assessment (these are different things):

  • gap analysis is not mandatory in the ISO 27001, while the internal audit is.
  • gap analysis is performed at the beginning of the project, while the internal audit is performed at the end
  • gap analysis helps you understand what you already have implemented regarding the standard, while internal audit provides evidence that requirements are implemented and working, and that the ISMS is relevant to the organization and is achieving intended outcomes

  For further information, see:

  • How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
  • How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

  These materials will also help you regarding internal audit:

  • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • When there is any question about internal audit Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  2. What isms documents do the auditors look at?  Or to say which document is critical to iso certification

  The certification auditor will look for all documents and records stated as mandatory by the standard, and those considered applicable by the organization (e.g., policies and procedures related to applied controls).

  In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Records of training, skills, experience, and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)

  These articles will provide you a further explanation about documents required for certification and the certification audit:

  • List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

  These materials will also help you regarding the certification process:

  • Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • ISO 27001/ISO 22301: The certification process [free webinar] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

• ISO 27001 certification

  The implementation duration depends on many variables (e.g., size and complexity of the scope, financial resources, and expertise available, etc.), but for very small and small-sized business generally is possible to implement ISO 27001 within 3 months. I suggest you take a look at our ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

  This tool can help you estimate the implementation duration considering your company scenario.

  Regarding ISO 27001 implementation approaches, you have three options:

  • Implementing with your own employees (in general the cheapest and longest)
  • Hiring a consultant (in general the costliest and fastest)
  • Implementing by yourself with external support (a balanced solution)

  Each one of them has its advantages and disadvantages, related to time, resources, and knowledge. For more information, I suggest you the following materials:

  • 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
  • Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

  Advisera is specialized in the third approach. We offer toolkits with templates and expert support, and also free material in the form of articles, papers, and webinars, to help you with your implementation project. Please see these materials for more information:

  • ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

• Internal and external parties

  The reason that ISO 45001 has you identify internal and external parties in clause 4.2 is so that you can identify the needs and expectations that each of these parties has that you need to incorporate into your OHSMS. So, if you identify a government agency and an external party, and identify that they have a law that they expect you to meet on chemical handling; this would become a part of the processes within your OHSMS. In short, the effects of these interested parties on the OHSMS is that they identify the requirements that need to be included int eh OHSMS processes.

  You can learn more about the requirements for interested parties in the article: Determining interested parties according to ISO 45001, https://advisera.com/45001academy/blog/2018/03/14/determining-interested-parties-according-to-iso-45001/

• Scope of BCMS

  You do not need to include all the functions in the Organisation to go for ISO 22301 certification.

  The best approach would be to define the BCMS scope in terms of the products and/or services you provide, and from the nature of each one of them identify which functions should be included in the BCMS. In case you have multiple divisions and locations, you should consider independent certifications, so any problem in one site cannot impact the certification of other sites.

  This article is related to ISMS but can provide some tips about defining a BCMS scope:

  • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

  These materials will also help you regarding BCMS scope definition:

  • Book Becoming Resilient, The Definitive Guide to ISO 22301 Implementation  https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ 
  • Free online training ISO 22301: An overview of the BCM implementation process https://advisera.com/27001academy/webinars/

• PDCA definition

  A PDCA is a method used in business for the control and continuous improvement of processes and products, so the things you need to do is to define the improvement you want to implement and how you can measure if it was achieved. E.g.: improve information security, by implementing an ISO 27001 compliant ISMS, or bring information risks to acceptable levels, by implementing a Risk Treatment Plan.

  The definition of time for each activity needs to consider the available resources and the competence of the personnel involved.

  For staring a project, the first activity you need to consider is getting top management buy-in.

  These articles will provide you a further explanation about ISO 27001 projects:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
  • Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/

  These materials will also help you regarding ISO 27001 projects:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO 27001 implementation

  Do I need to list individual software licenses in the risk assessment or can they be put into broader categories? I’m thinking ahead to an eventual audit and what an auditor might want to see to show that we are taking everything into account.

  i.e.
  Software tools that may contain PII and/or confidential information
  Software tools that do not contain PII and/or confidential information

  And do they need to be separated by whether they are run on premises only or in the cloud?

  Or, do I need to put:
  Salesforce.com
  Microsoft Office,
  etc and list all threats/vulnerabilities of each?  We have a list of all software tools that contain PII for GDPR already in the Appendix – Inventory of Processing Activities.

  You don't have to fill in each and every software license separately - you can just specify that you have a class called "software licenses" and associate to it the threats and vulnerabilities common to all of them. In case you have threats and vulnerabilities related to a specific software license, then you can list that software license separately for that set of threats and vulnerabilities.

  For further information, see:

  • How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  Is there an easy way to know which controls would apply for each vulnerability? I.e. a mapping to the vulnerabilities that are pre-populated in the Risk Assessment? I think that each vulnerability listed probably has a specific control so having a mapping would save a lot of time vs trying to match them one by one.

  There is no definitive document we can recommend, since, for each organization, the applicable controls may vary according to the organization's risk tolerance and results of risk assessment (for the same vulnerability one or more controls may be applicable). Additionally, such documents may mislead organizations while implementing their own practices, because they may understand that these are the solution for their risk, without considering their own organizational context.

  These materials will also help you regarding risk treatment:

  • Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
  • The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

   When creating the risk assessment using the Asset-Threat Vulnerability method and assigning a Likelihood do we take into account the current state of that risk given our already implemented (pre-ISO27001) controls? i.e. if we have multi-factor authentication the risk of access to our email system is lower, therefore would we put a lower number for likelihood? I assume this is the case, but am not clear.

  Your understanding is correct. When you perform a risk assessment, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls are also documented in the risk assessment.

  Do you suggest using the OCTAVE Allegro worksheets (or something similar) for polling the risk owners while creating the Risk Assessment, or is there a questionnaire available that can be sent to them with specific questions that I am missing?

  Octave or other approaches for identifying risks are not needed. You can ask your asset owners to simply identify threats/vulnerabilities that can affect their assets based in the catalog of threats/vulnerabilities included in the Risk Assessment Table, located on the folder 10 Risk Assessment and Risk Treatment.

  For further information, see:

  • ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

• Calculating environmental aspects

  Each organization can develop its own method for calculating significant environmental aspects, considering its own reality, complexity and dimension. Please consider the guidelines in this article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/

  You can find more information in the following links:

  • Article - Article - Catalogue of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
  • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

• Supplier quality plan

  First, not all suppliers are equal, or have the same impact on the project. So, your organization can start to evaluate supplier’s potential impact on the project with quality problems or delays.

  Second, for the critical suppliers your organization can require a quality plan. As soon as you realize that a supplier is or will be critical a quality plan should be requested. Ideally, the quality plan should be part of the supplier proposal when answering to a request for quotation.

  In this case a quality plan is a document setting supplier’s arrangements needed to ensure and demonstrate that quality is embedded in products and services during its creation and not just before sending to the customer.

  The following material will provide you more information about quality plans:

  • Article - Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
  • Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/