Issue 29 – Clause 8.4: Control of Externally Provided Processes, Products and Services
Clause 8.4: Control of Externally Provided Processes, Products and Services
What’s new in Clause 8.4?… In our last Newsletter (ISO 9001:2015 Newsletter Issue 28) we discussed the topic of “design and development”, and now here in Clause 8.4 we address the area dealing with “externally provided processes, products and services”. At this point within Element 8.0 (Operation), you’ve been asked to implement “plans and controls for your operations”, then you’ve determined all of your “product and service requirements”, which was then followed by performing “design and development” activities if your outbound products and outbound services needed them… which means now in Clause 8.4 (which is the old Purchasing section of 2008) your organization needs to put in place a controlled process for obtaining any needed externally provided products, any externally provided services and any externally provided processes. Another way to view the term “externally provided” is to think “inbound”. I’ve made this distinction on purpose so as to minimize confusion about the term “products and services”… because so far that has meant outbound, i.e. products and services we provide to the Customer.
Note A: This Clause DOES include requirements for “documented information”.
Note B: As I’ve mentioned in the past, the content for these Newsletters comes from working in the field with my Clients, and with their ISO Certification Bodies. I gain a lot of hands-on experience from conducting gap audits (as well as training seminars), where the requirements of the Standard have to be interpreted and applied to each unique situation. Combining an on-site Gap Audit with ISO 9001 Essentials Training, has become our most popular request for proposal from our Newsletter readers (…more details on this, as well as other training that we offer, can be found below).
The new numbering format…
Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement
Clause 8.4 Control of externally provided processes, products and services consists of three (3) Sub-Clauses as listed below:
8.4.2 Type and Extent of Control
8.4.3 Information for External Providers
Sub-Clause 8.4.1 General – I’ll start this off by saying that for many organizations, Clause 8.4 now covers a lot more territory than what the old “purchasing section” covered back in 2008… let me explain. The use of the words “and services” is the first hit since that means that now outside (or outsourced) services need to be addressed. You probably should start by making a list of what externally provided services that includes. Begin with those externally provided services that have a direct impact on the conformity of your outbound products, and a direct impact on your outbound services. Then expand that list to now include any externally provided services that have an indirect impact.
The second way Clause 8.4 gets expanded is with the term “externally provided processes”, which can be interpreted as being those activities provided by: another Department outside the scope of the QMS (like Legal); or another sister plant/facility; or your head office/corporate. If it helps you to distinguish, think of the common denominator here being that “no money is changing hands, nor are purchase orders being issued”. I would once again build a list of the externally provided processes that affect your QMS, and I would use the same approach (direct impact – and indirect impact – on the conformity of your outbound products and outbound services). The challenge here is that most of the things on your list will not be covered by a Purchase Order (PO), or by a Contact, which makes applying controls difficult. With regard to “control of these externally provided processes” my recommendation is to look at what activities you perform WITHIN your circle of responsibility, that interact with those external providers, and at the very least document (and report on) the performance of those interactions.
Let’s now get back to discussing sub-clause 8.4.1, specifically a) b) and c), all of which are asking you to decide what controls you will put in place in the three scenarios listed… a) when what is being externally provided goes into or around your outbound products/services; b) when the external provider does the last step before the Customer sees it; and c) when you make a business decision to outsource a process instead of doing it yourself. In these cases you will need to decide what controls you will put in place on these external providers to ensure requirements are met.
Sub-Clause 8.4.2 Type and extent of Control – This sub-clause is drilling down further into the “controls” you implement, with a new requirement found in 8.4.2 a) which asks organizations to ensure that externally provided processes remain within the control of its QMS. The challenge again is when there are no contracts, PO’s or agreements in place for externally provided processes. As an example, the only control you may have with your corporate office being an external provider (say of IT services), is the ability to document and report on any adverse performance issues being experienced, and identifying what impact that may be having on your business performance or any impact on your Customer’s level of satisfaction. Another new requirement is found in 8.4.2 c2) which wants you to take into consideration how strong (or weak) the controls are that are being applied by the external provider on themselves.
Sub-Clause 8.4.3 Information for External Providers – This sub-clause is very similar to those old requirements found back in 2008. Some additional requirements are found in 8.4.3 c) asking you to define any “competency” requirements for the external provider; 8.4.3 d) which wants you to specify how you will interact with your external provider; and 8.4.3 e) dealing with how you intend to control and monitor the external provider’s performance. This is easily addressed when you have a PO or Contract between yourself and the external provider, because that is where these details can be covered. In some instances, organizations have implemented Service Level Agreements (SLA’s) for those departments that support the business operations, and this is where these requirements can be communicated.
However this is not so easily done with other external providers where there is no written agreement in place. One way of handling this is to look carefully at the wording used to start the 2nd paragraph in sub-clause 8.4.3, which reads: “The organization shall communicate to external providers its requirements for: …”. One could logically interpret the words “its requirements” as being the situation where the organization has NO requirements in this regard for its external provider. For example, when purchasing raw materials, your company has NO requirements for the competency of the people producing those raw materials, and therefore competency requirements do NOT need to be communicated to the external provider (8.4.3c) within the PO or Contract.
Be sure to watch for our next Newsletter issue where we will cover another section of ISO 9001:2015…
PS: Don’t forget to look at the Q&A section below for some final thoughts…
To view all of our past Newsletters or to sign up to receive them… click here
For cost effectiveness, the Internal Audit function can be outsourced to an external experienced auditor on a periodic basis. This will provide an independent and objective assessment to management, along with identifying opportunities for improvement. It will also provide the evidence needed to satisfy Internal Audit requirements in the ISO Standards.
The two (2) day Internal Process Auditing for ISO 9001:2015 Training Session is focused on a process approach to auditing with the objective being not only to assess conformance of the quality management system, but also to uncover process improvements during an audit. This goes hand in hand with the process auditing requirements found within ISO 19011 and the process approach covered in ISO 9001:2015, which promotes continual process improvement throughout this Standard. An enhanced checklist is developed, and there will be workshops throughout, to reinforce learning, as well as a live, practice audit. If you are looking to meet the ISO 9001:2015 internal audit requirements and to “raise the bar” for your internal audit program then this is the course you should consider.
This combines the ISO 9001:2015 Essentials Session with a Gap Audit – This approach is used to assist organizations in launching their transition efforts for this new ISO Standard. This event accomplishes two things: a) it provides education on the new ISO 9001:2015 Standard for your key personnel (i.e. internal auditors; etc.), by highlighting the differences from the 2008 version; and b) assesses the gap from where you are today to where you need to be to achieve compliance to this new ISO Standard. Training certificates covering education on the new ISO 9001:2015 Standard, as well as issuing of a Gap Audit Report for distribution to your Top Management, are the two deliverables from this event. On a final note, a closing meeting can be arranged with key individuals so they can hear first hand the results of the Gap Audit that was performed. PS: We’ve also done this session with just the QMS Management Rep attending, which allowed them to quickly get up to speed on this new Standard, as well as to see how much of an effort the transition will be… and of course they receive their own Training Certificate as part of this event. This also allowed them to avoid traveling offsite to get the training they needed anyways, as evidence for their Certification Bodies.
Q: How do you perform a gap audit for Clause 8.4 of ISO 9001:2015?
A: For Clause 8.4, a Gap Audit checklist should cover these areas:
– Has the organization identified its externally provided processes? Its externally provided products? Its externally provided services?
– What “controls” have been implemented for each of them?
– Does the organization have external providers who provide products and services directly to the Customer on their behalf?
– Does the organization retain control of externally provided processes within its QMS? How?
– Does the organization take into consideration the effectiveness of controls applied by external providers? How?
– Does the organization communicate competency requirements to its external providers? How?
– Does the organization specify how interactions will take place between themselves and the external provider? How?
– Does the organization communicate what control and monitoring activities they will apply to the external provider? How?
(Make sure to interview more than one person and obtain examples for the items listed above)
Until next time…
Helping Business Professionals Reduce Risk and Remove Waste!