Get 4 FREE months of Conformio to implement ISO 27001

How does ISO 9001 property clause 8.5.3 reflect on software?

There can be confusion with clause 8.5.3 of ISO 9001:2015, which discusses property belonging to customers or external providers, especially for software. When creating your Quality Management System (QMS), what software is included in the requirements of clause 8.5.3, and what software is excluded? Here is some information to help you find the right answers.

What does the standard say in clause 8.5.3?

Clause 8.5.3 (Property belonging to customers or external providers), is all about handling property that is given to you to use, but that does not belong to you. This property is anything that is provided for you to use with, or incorporate into, your products and services. Clause 8.5.3 instructs you to be careful with the property given to you, meaning you need to identify, verify, protect, and safeguard the property while you manage it. Further, if it is lost, damaged, or unsuitable for use, you need to report this to the customer or external provider and keep records of the response.

The clause includes a note with an explanation of what external providers’ property can be, and includes materials, components, tools and equipment, premises, intellectual property, and personal data. So, in short, if you are using anything that belongs to another organization, you need to follow the good standard practices of clause 8.5.3.

This is easy to understand if your customer provides you with a physical piece of hardware to install into your final product, or if a supplier gives you a piece of test equipment to individually verify their material when it is at your facility. It is also easy to see that if you are at a customer’s premises to perform a test and they give you a room to use, you will need to take care of their facility. It is also clear that you’ll need to be careful with any confidential information provided by a customer or supplier. Where does this leave us with software?


What software is included in clause 8.5.3?

Software can be one of the pieces of property that are provided by a customer or external provider, but what would qualify to meet these criteria? Consider the following types of software that should be included under clause 8.5.3:

  • Software that a customer provides for you to install onto an electronic assembly
  • Software provided by a supplier to perform a final test on their product that could not be performed at their facility
  • Software provided by a customer to perform a specific test, usually proprietary software
  • Software provided by a supplier to perform a test of their product after it is installed
  • Software provided by a customer for use in testing a design requirement
  • Software provided by a supplier to verify a test previously performed by them

So, any software that your company does not own needs to be controlled per the process for clause 8.5.3. Some of this control may be handled using other processes in your system as well. For instance, if a piece of software provided by your customer to be installed on your electronic product doesn’t work, this is a nonconforming material. When you fix this problem, you will use your non-conforming material process. However, the customer will be more involved than they might be for other problems you have with your products.

What software is excluded from clause 8.5.3?

Of course, not all software that can affect the quality of your end product or service is controlled under clause 8.5.3. Here are some types of software that are not included, and what process controls this software:

  • Software that you develop and supply as part of your product or service (Control of product and service provision)
  • Software that you buy from a supplier to install on your product or service (externally provided product)
  • Software that you use to design your product or service (externally provided product)
  • Software used in your product testing area (Control of monitoring and measuring resources)
  • Software used to control your production facility (Control of product and service provision)

If you have acquired the software yourself for use in your facility, then clause 8.5.3 does not apply to that software.

How can you know what software to include?

Clause 8.5.3 is about providing due care for property (including software) that is provided for you to use. So, the end decision about controlling this software per clause 8.5.3 comes down to the obligations you have agreed on for the software. Have you made agreements to not share the input with other organizations, such as intellectual property agreements? If you have an obligation to control software that is provided by someone else, then it is clear that the controls in clause 8.5.3 of ISO 9001:2015 apply. So, ensure that you know the obligations that you have for the software that you use.

If you need to find out more about the requirements of ISO 9001:2015, see this white paper: Clause-by-clause explanation of ISO 9001:2015.

Advisera Mark Hammar
Author
Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.