IS0 9001:2015

Clause 8.4.2 External Providers - Type and extent of control

Organisations are required under ISO 9001:2015 to ensure that externally provided processes, products and services do not adversely affect their ability to deliver conforming products and services to their customers by:

  1. Ensuring that externally provided processes remain within the control of its management system,
  2. Defining both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output,
  3. Taking into consideration the potential impact (IE risk) of the externally provided processes, products and services on the organisation’s ability to consistently meet customer and applicable statutory and regulatory requirements and the effectiveness of controls applied by the external provider,
  4. Determining the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

Comment:

We can see that organisations are now required to take a risk-based approach when determining the type and extent of controls to apply to external providers of processes, products and services. IE They should be planned, appropriate and proportionate.

Note that defining the controls to apply to an external provider and to the resulting output requires both the suppliers / subcontractors / outsourced activity providers to be controlled and the products or services they provide. Focus should always be on prevention through appropriate selection and control of providers wherever possible, but if subsequent inspection and test is required, these activities must also be defined and controlled. IE through Control / Sampling Plans.

Examples of Selection Criteria:

International Standards certification (EG: ISO 9001:2015!) financial Reports (EG: Dun & Bradstreet,) technical and manufacturing capability (Statistical Capability Studies) demonstrated capacity, delivery performance records, cost.

Data can typically be acquired via remote correspondence (questionnaire / copies of certifications) on site visits (audit reports) group approval processes and in some instances, references from other customers for example.

Examples of Monitoring and Control

Performance trend analysis such as PPM defects / Non conforming products received and timeliness of corrective actions, concessions requested, delivery to plan / time slot performance, service level agreement compliance and timely / comprehensive subsequent investigations / corrective and preventive actions.

Audit Check:

Whilst documented evidence is not expressly required under clause 8.4.2 in the 2015 update, organisations will still need to demonstrate that controls are in place, are monitored and reviewed and are effective. IE: Evidence of management review. (See Article 9.3.2) and planning activities for (See Article 8.4.1)

auditors may also wish to verify that risk based thinking has been applied when determining appropriate controls for external providers. One size may not (and in most cases, should not,) fit all providers to an organisation, and a planned methodology should be applied in determining the most suitable methods for both selection and approval and monitoring and control.

This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!

David Barker CQP MCQI

ISO 9001:2015

1. General Introduction to ISO 9001 and a look at sections 1 and 2 and 3 of the standard.
Clause 4.1 Understanding the organisation and its context
Clause 4.2 Understanding the needs and expectations of interested parties
Clause 4.3 Determining the scope of the Quality Management System
Clause 4.4 Quality Management System and its processes
Clause 5.1 Leadership and commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities
Clause 6.1 Actions to address risks and opportunities
Clause 6.2 Quality objectives and planning to achieve them
Clause 6.3 Planning of changes
Clause 7.5.1 Documented information - General
Clause 7.1 Resources
Clause 7.1.5 Monitoring and measuring resources
Clause 7.1.6 Organizational knowledge
Clause 7.2 Competence
Clause 7.3 Awareness
Clause 7.4 Communication
Clause 7.5.2 Documented information - Creating and updating
Clause 7.5.3 Control of Documented Information
Clause 8.1 Operational planning and control
Clause 8.2 Requirements for products and services
Clause 8.3.1 & 8.3.2 Design and development of products and service
Clause 8.3.3 Design and development inputs
Clause 8.3.4 Design and development controls
Clause 8.3.5 Design and development outputs
Clause 8.3.6 Design and development changes
Clause 8.4.1 Control of externally provided processes, products and services - General
Clause 8.4.2 External Providers - Type and extent of control
Clause 8.4.3 Information for external providers
Clause 8.5.1 Control of production and service provision
Clause 8.5.2 Identification and traceability
Clause 8.5.3 Property belonging to customers or external providers
Clause 8.5.4 Preservation
Clause 8.5.5 Post-delivery activities
Clause 8.5.6 Control of changes
Clause 8.6 Release of products and services
Clause 8.7 Control of nonconforming outputs
Clause 9.1.1 Monitoring, measurement, analysis and evaluation of performance - General
Clause 9.1.2 Customer satisfaction
Clause 9.1.3 Analysis and Evaluation
Clause 9.2 Internal audit
Clause 9.3 Management review
Clause 10.1 Improvement – General Requirements
Clause 10.2 Nonconformity and corrective action.
Clause 10.3 Continual improvement

Arrange an obligation-free consultation

get in touch
true
3