Organisations are required under ISO 9001:2015 to ensure that externally provided processes, products and services do not adversely affect their ability to deliver conforming products and services to their customers by:
We can see that organisations are now required to take a risk-based approach when determining the type and extent of controls to apply to external providers of processes, products and services, i.e. the controls should be planned, appropriate and proportionate.
Note that defining the controls to apply to an external provider and to the resulting output means controlling both the suppliers / subcontractors / outsourced activity providers and the products or services they provide. Focus should always be on prevention through appropriate selection and control of providers wherever possible, but if subsequent inspection and test is required, these activities must also be defined and controlled, i.e. through Control / Sampling Plans.
Examples of Selection Criteria:
International Standards certification (e.g. ISO 9001:2015!), financial reports (e.g. Dun & Bradstreet), technical and manufacturing capability (statistical capability studies), demonstrated capacity, delivery performance records, cost.
Data can typically be acquired via remote correspondence (questionnaire / copies of certifications), on-site visits (audit reports), group approval processes and, in some instances, references from other customers, for example.
Examples of Monitoring and Control:
Performance trend analysis such as PPM defects / nonconforming products received and timeliness of corrective actions, concessions requested, delivery to plan / time slot performance, service level agreement compliance and timely / comprehensive subsequent investigations / corrective and preventive actions.
Whilst documented evidence is not expressly required under clause 8.4.2 in the 2015 update, organisations will still need to demonstrate that controls are in place, are monitored and reviewed and are effective, i.e. evidence of management review (see Article 9.3.2) and planning activities for (see Article 8.4.1).
Auditors may also wish to verify that risk-based thinking has been applied when determining appropriate controls for external providers. One size may not (and, in most cases, should not) fit all providers to an organisation, and a planned methodology should be applied in determining the most suitable methods for both selection and approval and monitoring and control.
This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!
David Barker CQP MCQI