ISO9001 in 2021 Week by Week - Week 36 – 8.4.2 Type and extent of control

This is a 52 week discussion of ISO9001:2015. Each week, we discuss a specific clause of the ISO9001:2015 standard in detail and look for ways to trim the fat. (As a member of TAG/TC176, the committee responsible for review and revision of ISO9001, (possible revision in 2023), I’ll keep you posted on what I learn all year!)

(It is strongly recommended that you purchase a copy of ISO9001:2015  for reference).  And, be sure to do your homework!

8.4.2 Type and extent of control

Last week, we reviewed 8.4.1 where the requirements of how the standard applies.  This week, we begin to peel back the layers, so to speak, about what must actually be done to be compliant.

Before we get down to business, I’d like to point out the potential in this area for “risk-based thinking”.  This stuff is pretty common sense, but the language is pretty “squishy” and I suspect it will be difficult to audit.  Let’s read on……

“The organization shall ensure that externally provided products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

The organization shall:

a)  ensure that externally provided processes remain within the control of its quality management system;”

So, this leaves the door wide open for a “judgment call” on the part of the organization.  There would be little reason to apply its external provision process to those processes, products and services that are unlikely to impact their ability to make good product.  Organizations have historically taken this approach when defining how and where the process applies.  In other words, “No, we don’t send a vendor performance report card to our vending machine provider in the break room, because we doubt a breakdown in their service would affect our ability to make shipments today”.  Wherever the ideas of likely or unlikely appear, so does the idea of risk-based thinking.

“b)  define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;”

Again, the organization must ask itself what controls it intends to implement and whether its controls are or will be effective.  Many organizations do a full rescreening of products/services from external sources prior to incorporating them into their process.  And those organizations typically feel pretty confident that their controls will be effective.  Other organizations defer back to “if they have achieved registration to ISO9001, they’re good to go”.  Which is why the standard goes on to require additional requirements beyond just accepting certification.  So, in making the decisions on “how much control” to apply, the requirements continue with these clarifiers…

“c)  take into consideration:

• The potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;
• The effectiveness of the controls applied by the external provider;

So, the organization should use the criteria above in order to determine how much control to apply and where to apply it.  Once the initial controls have been applied in choosing the providers, the organization must move forward with a plan to control externally provided products and services throughout the procurement process.

“d)  determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.”

Most organizations use some combination of verification activities such as requiring certificates of analysis or SPC data in tandem with random audits of inbound materials, products, etc to monitor the risk associated with the external provider and/or the practice of outsourcing a process, product or service.  Vendor performance information should also be considered, because a vendor failure could definitely impact the organization’s ability to perform.  Therefore, a whole process of selection, monitoring and maintaining vendors must be integrated to ensure the organization’s quality performance remains unencumbered by outsourcing.

This is also a fun little side note indicating that outsourcing a process, product or service does not preclude the organization from responsibility for the output.  No, we can’t “exclude” it from our quality system.  And “no, we can’t hold a vendor solely responsible” should something they contribute have a negative impact on our product or service.  We have to have a process in place to control both provider and output to some extent.

THIS WEEK’S HOMEWORK

Review your process for selecting, evaluating and monitoring externally supplied resources.  Does it meet the criteria as shown above?  Now, take a random sampling of your outsourced items (your purchasing or procurement group can probably help).  Based on the scope of your external sourcing process, are you satisfied that the controls apply to the right vendors and in the right situations?  Is any more required?  Anything less?

This weekly series is a DIY guide including lots of FREE STUFF like templates, examples and tutorials.  So, SUBSCRIBE today and we’ll keep it coming to your inbox weekly.

Do you need help with your Supplier Management process to comply with these requirements?  Connect with us today and we'll help you create a robust but simple supplier management program that will be easy to manage, but powerful in terms of your reliance on your supply chain.  

And the options don't stop there.  

For more information about 8.4.2 Type and extent of control and all the other clauses of ISO9001, watch this 3-minute video about another great resource to accompany this series.   Get the self-directed, on demand, online learning series  ISO9001 in Plain English, today and you'll get:

• A clear understanding of the requirements of ISO9001:2015
• Proven tips to build a robust quality system that's easy to use
• Ways to reduce documentation and paperwork (yes, really!!)

Each video is about 15 minutes and targets a specific element of ISO9001, (with over 6 hours of total content!).  We translate all the gobbledegoop into Plain English you can understand and leverage the requirements to get maximum VALUE from your quality efforts. 

For a deeper dive into the process side of your quality system, get Tribal Knowledge - The Practical Use of ISO, Lean and Six Sigma Together, a simple guide to UNITE ISO9001, lean and Six Sigma to create a robust quality system with better results.  Read what ASQ American Society for Quality – Quality Progress Magazine  had to say about it. 

We look forward to continuing this YEAR LONG journey with you.  SUBSCRIBE today and the series will come to you weekly to get you off to a great start and your quality system reinvigorated. 

And join me on my journey to always keep improving!