ISO 9001:2015 clauses 8.4.1 – 8.4.3 and requires that external providers must be controlled and their performance be evaluated. This 9001 clause applies to IATF 16949, AS9100D, 13485, 14001 45001, and ISO 27001. Effectively there is almost no difference between purchasing a service and outsourcing of a process.
What processes are outsourced, and how are they controlled?
Usually, outsourced processes include things like:
- component manufacturing
- accounting
- maintenance
- transportation
- IT support
- warehousing & distribution
- banking & finance
- legal
- consultant/auditor
Internal and certification audits take into account Outsourced Processes & Products. ISO Standard 8.4.1 covers how organizations address external outsource vendors.
How to control outsourced process/external service/product providers
One method to control outsourced processes is through the contractual document. This document should define service levels, roles, responsibilities, and methods to monitor and report on the deliverables. Also, the contract should cover the documented information from the outsourcing organization.
Another method is through a second-party audit process. A second party audit is carried out on a potential or current supplier by a purchasing organization. The purpose is to use the audit result as part of the purchasing decision - a factor to conform to clause 8.4 of ISO 9001.
In this time of lean operations, it is good to know competent auditors available to meet your second party audit needs.
Here are the steps of a Second Party Audit
- Purchaser considers purchasing from supplier and sets up audit
- Decides to audit
- Audit carried out and reported
- If outcome successful then, order placed
- Follow-up
Interested parties, including the outsourced organizations, have a big impact on the organization’s performance.
8.4 Control of externally provided processes, products and services
In general, it is required that the organization ensure that any externally provided products or services meet the same requirements in the management system. Controls need to be defined and documented if:
- The provided products or services are incorporated into the organization’s own products or services
- The products or services are provided to the organization’s customer’s directly
- A process used from an external provider is the result of the organization’s decision
The organization must create and apply criteria to the external organization for:
- Evaluation
- Selection
- Monitoring
- Re-Evaluation
8.4.2. Type and extent of control
Be sure the provided processes conform to the control of its quality management systems compare the control of the external process/product with your own controls.
Define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output.
Ensure the processes, products and services consistently meet applicable statutory and regulatory requirements. The method and frequency of verification should also match your Management System.
Verify the external provider employs effective controls. Review their Management System.
Verify the external processes, products and processes meet requirements through testing or inspection.
8.4.3 Information for external providers
The following should be communicated to the external provider:
- Detailed description of the requirements for processes, products and services
- How the products and services are approved, and (b 2) the methods and equipment used
- Under what conditions the products and services are released to the organization
- The requirements needed to ensure competence of the people involved
- How the external provider interacts with the organization
- How the performance is controlled and monitored
- What and how are the activities verified and validated at the external provider’s location