ISO 9001:2015 – Newsletter – Issue 29

The new numbering format… 

Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement

Clause 8.4  Control of externally provided processes, products and services consists of three (3) Sub-Clauses as listed below:

8.4.1  General

8.4.2  Type and Extent of Control

8.4.3  Information for External Providers

Sub-Clause 8.4.1  General – I’ll start this off by saying that for many organizations, Clause 8.4 now covers a lot more territory than what the old “purchasing section” covered back in 2008… let me explain.  The use of the words “and services” is the first hit since that means that now outside (or outsourced) services need to be addressed.  You probably should start by making a list of what externally provided services that includes.  Begin with those externally provided services that have a direct impact on the conformity of your outbound products, and a direct impact on your outbound services.  Then expand that list to now include any externally provided services that have an indirect impact.

The second way Clause 8.4 gets expanded is with the term “externally provided processes”, which can be interpreted as being those activities provided by: another Department outside the scope of the QMS (like Legal); or another sister plant/facility; or your head office/corporate.  If it helps you to distinguish, think of the common denominator here being that “no money is changing hands, nor are purchase orders being issued”.  I would once again build a list of the externally provided processes that affect your QMS, and I would use the same approach (direct impact – and indirect impact – on the conformity of your outbound products and outbound services).  The challenge here is that most of the things on your list will not be covered by a Purchase Order (PO), or by a Contact, which makes applying controls difficult.  With regard to “control of these externally provided processes” my recommendation is to look at what activities you perform WITHIN your circle of responsibility, that interact with those external providers, and at the very least document (and report on) the performance of those interactions.

Let’s now get back to discussing sub-clause 8.4.1, specifically a) b) and c), all of which are asking you to decide what controls you will put in place in the three scenarios listed… a) when what is being externally provided goes into or around your outbound products/services; b) when the external provider does the last step before the Customer sees it; and c) when you make a business decision to outsource a process instead of doing it yourself.  In these cases you will need to decide what controls you will put in place on these external providers to ensure requirements are met.

Sub-Clause 8.4.2  Type and extent of Control – This sub-clause is drilling down further into the “controls” you implement, with a new requirement found in 8.4.2 a) which asks organizations to ensure that externally provided processes remain within the control of its QMS.  The challenge again is when there are no contracts, PO’s or agreements in place for externally provided processes.  As an example, the only control you may have with your corporate office being an external provider (say of IT services), is the ability to document and report on any adverse performance issues being experienced, and identifying what impact that may be having on your business performance or any impact on your Customer’s level of satisfaction.  Another new requirement is found in 8.4.2 c2) which wants you to take into consideration how strong (or weak) the controls are that are being applied by the external provider on themselves.

Sub-Clause 8.4.3  Information for External Providers – This sub-clause is very similar to those old requirements found back in 2008.  Some additional requirements are found in 8.4.3 c) asking you to define any “competency” requirements for the external provider; 8.4.3 d) which wants you to specify how you will interact with your external provider; and 8.4.3 e) dealing with how you intend to control and monitor the external provider’s performance.  This is easily addressed when you have a PO or Contract between yourself and the external provider, because that is where these details can be covered.  In some instances, organizations have implemented Service Level Agreements (SLA’s) for those departments that support the business operations, and this is where these requirements can be communicated.

However this is not so easily done with other external providers where there is no written agreement in place.  One way of handling this is to look carefully at the wording used to start the 2nd paragraph in sub-clause 8.4.3, which reads: “The organization shall communicate to external providers its requirements for: …”.  One could logically interpret the words “its requirements” as being the situation where the organization has NO requirements in this regard for its external provider.  For example, when purchasing raw materials, your company has NO requirements for the competency of the people producing those raw materials, and therefore competency requirements do NOT need to be communicated to the external provider (8.4.3c) within the PO or Contract.

ISO 9001:2015 Essentials + Gap Audit

This combines the ISO 9001:2015 Essentials Session with a Gap Audit – This approach is used to assist organizations in launching their transition efforts for this new ISO Standard. This event accomplishes two things: a) it provides education on the new ISO 9001:2015 Standard for your key personnel (i.e. internal auditors; etc.), by highlighting the differences from the 2008 version; and b) assesses the gap from where you are today to where you need to be to achieve compliance to this new ISO Standard. Training certificates covering education on the new ISO 9001:2015 Standard, as well as issuing of a Gap Audit Report for distribution to your Top Management, are the two deliverables from this event. On a final note, a closing meeting can be arranged with key individuals so they can hear first hand the results of the Gap Audit that was performed.  PS: We’ve also done this session with just the QMS Management Rep attending, which allowed them to quickly get up to speed on this new Standard, as well as to see how much of an effort the transition will be… and of course they receive their own Training Certificate as part of this event.  This also allowed them to avoid traveling offsite to get the training they needed anyways, as evidence for their Certification Bodies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~