According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 (http://isotc.iso.org/livelink/livelink/3553791/Terminology.doc?func=doc.Fetch&nodeid=3553791) document, the definition of control is :

power to give orders or to restrain something
means of restraining or regulating
standard of comparison for checking the results of an action or measurement.So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed. :read:

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 (http://isotc.iso.org/livelink/livelink/3553791/Terminology.doc?func=doc.Fetch&nodeid=3553791) document, the definition of control is :

power to give orders or to restrain something
means of restraining or regulating
standard of comparison for checking the results of an action or measurement.So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed. :read:

It would depend on the risks associated with the outsourced process and product. For some activities such as a low-risk machining process, the information on the Purchase Order and a drawing will suffice.

For some processes such as product design; that obviously would require many more controls to ensure that the resulting design will meet the requirements.

Risk and reputation (competency) of the supplier will dictate what controls must be deployed.

Stijloor.

For some processes such as product design; that obviously would require many more controls to ensure that the resulting design will meet the requirements.I agree that risk is to be considered. But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.

As I mentioned earlier, just specifying the product/service being purchased, via PO and/or contract does not raise (imo) to the level of control. So, if we stick to the example of an outsourced design package, what would constitute control in the context of the ISO 9001:2008 standard?

If you mandate the supplier to comply with paragraph 7.3 of ISO 9001, what would be the evidence to you, the customer, that they complied with? A self-declaration of conformance? A customer audit? A 3rd party audit? An ISO 9001 certificate? An accredited ISO 9001 certificate? An IAF "endorsed" accredited ISO 9001 certificate? An IAF "endorsed" accredited ISO 9001 certificate, issued by a reputable registrar?:confused:

Interesting topic, Sidney. This sounds like Agency Theory (http://www.istheory.yorku.ca/agencytheory.htm). I really like this link to Agency Theory, as it cites the seminal papers.

Starting off, everything is great. They negotiate a low price and high quality to establish your business. After the honeymoon is over, they will incrementally go up on price, down on quality, or both. Eventually like with Economies of Scale, the supplier will get close to the marginal utility (or barrier to exit), and either lose your business, or reign things back in.

Seeing the stuff they make their vendors do, I guess Wal-Mart can objectively demonstrate sovereign reign over their outsourced processes!:tg:

Sidney, I am probably not even close to your initial query. I see this more on the operational level of the strength of the Supply Chain relationships, and the level of control the agent has. As with E-Technology (Harland et al, 2007), implementation of E-technologies in SME's is largely dictated by customer pressure. The greater the agent strength, the more control (to the point of satisfying internal quality requirements) will be exercised.

The level of compliance by outside vendors reminds me of the many addressing NADCAP and it's implementation. If they can afford it, suppliers told Boeing to take a leap. If Boeing needed them, they had to overlook it. If the vendor needed Boeing's contracts, they complied and implemented it.

But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.




I thought maybe one way of demonstrating control is through CAPA's involving external processes.

Quote:
Originally Posted by Sidney Vianna http://elsmar.com/Forums/images/buttons/viewpost.gif (http://elsmar.com/Forums/showthread.php?p=231539#post231539)

But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.


I thought maybe one way of demonstrating control is through CAPA's involving external processes.

Outsourced processes... I struggled with that:frust::frust:... I dealt with multi location, multi-cultural companies...Where suppliers become customers and customers become suppliers frequently....

I ended up defining and structuring critical processes based on PDCA, the same way as I approach any other process. It was an eye opener for me to see outsourced processes integrated in to a process map.

The root cause of all outsourced processes nonconformities are due to lack of adequate planning and established realistic objectives. With inadequate planning, expediting becomes a mode of operation and control. Deficiency in inadequate planning is due to lack of expertise and chasing moving targets.

I believe P D C A effectiveness of each process should be measured. An effective outsourced process should have PA>CA.

I've seen controls on outsourced activities in various manners, all dependent on the risk/impact, relationship, performance history, etc.:

Audits
Receiving inspection
Evaluations
Testing (sent to unbiased 3rd party)
Surveys


A simple database or matrix listing suppliers for outsourced processes could be developed to show all options and the one(s) that apply to the supplier. It would be possible to include the history of evolution of the supplier, too. A supplier, for example, may once have been subjected to audits once per quarter or something and then with consistent performance, move to external testing on an annual basis.

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 (http://isotc.iso.org/livelink/livelink/3553791/Terminology.doc?func=doc.Fetch&nodeid=3553791) document, the definition of control is :

power to give orders or to restrain something
means of restraining or regulating
standard of comparison for checking the results of an action or measurement.So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed. :read:


Some examples I have seen:

Could be as simple as requiring certification (ISO 9001, ISO 17025).
Could be as complex as onsite, co-located Engineers or support personnel.
Requiring a certain level or type of inspection, frequency, etc.
Defining certain levels of inspection results (internal Cpk, ppm rates, etc.).
Requiring certain employees to have certain skills or training.
Requiring CQI 9, 11, or 12.
differing levels of design collaboration, depending on the level of skill of the outsourced design firm.
requiring orders to be performed only in certain workcells, only on certain machines (known to be more capable or modern), or by certain personnel.
Certain SPC or other monitoring data be shared.These are a few that came to mind. There are many others, but perhaps these will spark conversation.

According to this recent article (http://www.qualitydigest.com/currentmag/articles/02_article.shtml), outsourcing of processes will be a focus area for future discussions on ISO 9001 revisions....

Outsourcing and offshoring
There were several other factors that were the subject of discussion at the most recent meetings of TC 176/SC2 (the ISO subcommittee directly responsible for work on ISO 9000, ISO 9001, and ISO 9004).
The most prominent factors deal with various aspects of the supply chain, specifically, outsourcing of processes, globalization, environmental factors, and information management.
Within the context of ISO 9001, outsourcing refers to those processes needed by the organization that are performed by an external entity. The decision to outsource can be based either on the determination that the organization does not have the requisite resources or ability to effectively implement the process, or that it would be more financially advantageous to have someone else do it. Typical examples include third-party testing and verification, development of user manuals, packaging, heat-treating, and technical support help lines.
The technical experts have recognized that outsourcing is a growing aspect of many organizations. It serves to extend product offerings, increase aftermarket service opportunities, and augment capabilities. Outsourcing can reduce overhead, defer the need for capital expenditures, mitigate risks resulting from spikes in demand, and contribute to lean initiatives.
Currently, ISO 9001 has limited language addressing the requirements surrounding outsourced processes. As outsourcing becomes more widespread, it will be appropriate to insert additional language, proportionate to the prevalence of the practice.
A growing amount of the outsourcing is also going offshore, as have many other links in the supply chain. Raw materials, components, finished goods, and customer service now come to us from almost every corner of the globe. The authors of ISO 9001 anticipate that the standard will inevitably need to more extensively address requirements unique to these long-distance suppliers. There are specific constraints that accompany global supplier relations. Distance, transportation, time zones, cultural differences, communication, and infrastructure reliability can all affect intercontinental partnerships. Although ISO 9001 deals with supplier-related issues, the text will need to be revised to remain relevant to evolving market practices.

Helmut has it - as ever.

Since you identified the (thorny) design control requirements, Sidney, I'd offer that an organization that outsourced design might not have anyone qualified to review the design or participate in the selection of a qualified designer/supplier. In that case, they should seek another 'expert' to do the evaluation and report back to the organization, with recommendations for the controls to be put in place.

To control outsourced activities we implemented the following as in attached word doc.

On a case by case we add specific items for the outsourced activities under consideration.
It's a 2 year old file but I have saved it today in the new Word version.

Best regards,

Antoine

Hi,

2008 version still for discussion,any way for outsourcing PDCA still the best techniques including its First Article,Top Defects and frequent visits to suppliers for monitoring purposes.Control for materials consigned or turnkey,machine overall effectiveness(output,cycle time and downtime) must be monitored by customers including Handling issues.

"learning after failing":)

Hello All,

Interesting discussion. I believe the controls implemented are risk based and start with the contractural agreement and/or statement of work with the supplier. This document MUST clearly define the expectations and if the supplier is not ISO certified, then the specific requirements need to be defined and agreed in the signed contract or SOW. Once the requirements are clearly defined, your supplier quality program can take over and audit the supplier against the contract or SOW.

This has worked in our organization with mixed results, all depending on how well thought-out the contract or statement of work is for the supplier quality program to perform their audits effectively.

Hi All,

Outsourcing controls?
Well, as per ISO 9001:200x which had emphasized on the Process Approach, would it be considered to think about process management involving the outsourcing activities such as how do the outsources activities impacting to the organization in terms of positive and negative. From these assessment, the types of controls can be introduced as per the levels of the impact, so that the system will be robust enough to deliver quality products and services. Such assessment can be considered is the business risk management, process and product risk management, or financial risk management.

I hope this could enlighten us... Cheers! :rolleyes:

'May The Force Be With You'

OB1

Well, tommorrow I'm going to get the 2008 revision to the standard since obviously I am being audited to that version even though I contracted under the 2001 version. However, I need to know the definition of "outsourced process." I will determine, in accordance with any new requirements, what controls I must have on an outsourced process, BUT I need to first know what is considered outsourced. My definition of outsourcing is "an arrangement in which one company provides services for another company that could also be or usually have been provided in house." My situation: I purchase a metal housing from a supplier. I receive the housing , inspect it, and send it out to a firm to annodize. I don't have the capability to annodize and of course I have never performed that process inhouse. Have I outsourced a process, or have I simply purchased a service?

Kindly give me your thoughts.
Thanks

even though I contracted under the 2001 version.SNIP SNIPKindly give me your thoughts.2001 version? You probably mean 2000....

Concerning outsourced processes....what about the TC176 assistance: Guidance on Outsourced Processes (http://isotc.iso.org/livelink/livelink/3553354/Outsourced.doc?func=doc.Fetch&nodeid=3553354). All your questions answered...http://dvcreators.net/discuss/images/smilies/sarcasm.gif

My definition of outsourcing is "an arrangement in which one company provides services for another company that could also be or usually have been provided in house."
Sounds pretty good. It's actually defined in Note 2 of ISO 9001:2008 under 4.1:NOTE 2 An “outsourced process” is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party.

My situation: I purchase a metal housing from a supplier. I receive the housing , inspect it, and send it out to a firm to annodize. I don't have the capability to annodize and of course I have never performed that process inhouse. Have I outsourced a process, or have I simply purchased a service?
You have outsourced a process. It may have been done (and controlled) through your purchasing process.

Yes, I do mean 2000. Sorry. I have just read ISO/TC 176/SC . . and guidance on "what is an outsourced process." As now defined an "outsourced process" is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party. Since my annodization is one activity in a set of activities in the product realization process, I assume that I have not outsourced a PROCESS?? Sorry to be so muddy on this, but it seems that there ought to be a definite line here on what is a purchase of a service or product versus what is a subcontracted or outsourced process. My auditor gave the example of "painting" or "plating." I assume these are similar to "annodizing." It looks like it could get even muddier on "purchased machined parts." I would like for you to give me your opinion, right or wrong, a to whether my annodizing process is an outsourced "process."
Thanks

Karen:

If you send parts out to a supplier - for anodizing - that's an outsourced process. Your organization doesn't do the process itself, so it can only be 'outsourced'.......I think you're over thinking this!;)

I would like for you to give me your opinion, right or wrong, a to whether my annodizing process is an outsourced "process."You have outsourced a process.If you send parts out to a supplier - for anodizing - that's an outsourced process. I think you're over thinking this!I agree with Steve and Andy. And, depending on the type of anodizing you need, part of the control to be exercised here could include requirements for process validation.

<snip>I would like for you to give me your opinion, right or wrong, a to whether my annodizing process is an outsourced "process."
Thanks

Simple example: Your process for making widgets from beginning to end takes let's say 10 steps. Step 8 is an activity for which you don't have the technical capability. The parts then leave the company for step 8 (outsourced) after which they come back for step 9 and 10. Widgets completed. ;)

Stijloor.

Well, tommorrow I'm going to get the 2008 revision to the standard since obviously I am being audited to that version even though I contracted under the 2001 version. However, I need to know the definition of "outsourced process." I will determine, in accordance with any new requirements, what controls I must have on an outsourced process, BUT I need to first know what is considered outsourced. My definition of outsourcing is "an arrangement in which one company provides services for another company that could also be or usually have been provided in house." My situation: I purchase a metal housing from a supplier. I receive the housing , inspect it, and send it out to a firm to annodize. I don't have the capability to annodize and of course I have never performed that process inhouse. Have I outsourced a process, or have I simply purchased a service?

Kindly give me your thoughts.
Thanks

I think you are pretty close. By the way, the requirements to define controls for outsourced processes is not new, it was part of the 2000 version.

I would suggest the metal housing you purchased is a purchased product. The anodizing is an outsourced process.

The controls you have to define are relatively simple. In the old days, people used to say, "we send the anodizing out, we're not responsible for that." Of course, that is a silly position. You are responsible for it, whether you do it, or you have it done. The 2000 and 2008 ISO says that. You are responsible for it, whether you do it, or you outsource it.

ISO requires that you define the details of your processes (cl 4.1) so that you ensure the output 100% meets requirements. For outsourced processes, ISO goes easy on you. You don't have to all the things in Cl 4.1, you just have to identify that process ispart of your defined processes, AND define what controls (if any) you need to define to ensure that the outputs 100% meets requirements.

In some cases that might be very little (ISO certification, receiving inspection), and in other cases it could be quite a few controls. It is up to you, as long as the output 100% meets requirements.

Karen:

I've used this analogy before (I apologize in advance to the 'regulars who have to read this stuff over and over again!)

It's just the same type of thing when you go to the grocery store - Kelloggs/Campbells' etc - little to no controls needed on your part!

Veggies/fruit - some inspections required!

Dairy - use the 'fifo' date code on milk etc. Some inspection required on eggs, for example (eggsample? - sorry I couldn't help myself!)

It's just that simple!

Karen,

Ultimately, it does not matter whether you buy in a thing, a service or a process - you are buying in something that you either don't have the inhouse capacity to do/make/produce, or something that you don't choose to do (eg, you can't/happens only rarely/cheaper to have someone else to do it, etc).

Suggest instead of worrying over much about whether it's a 'process' or not, an 'activity' etc. that you focus your attention more on:

1. what do we send out of our premises to be done?
2. what do we buy in?

(And that when asking either question, you understand 'what' to mean 'what = that is important/essential/critical to the quality of our product or service' - eg, this would screen out the largely trivial "paperclips-we-use-in-office" stuff)

You see, whether you send something out to be anodised, painted, plated, machined or whatever, the key point is: what arrangements do you make in order to maintain reasonable control over that? (I'm assuming you don't just send it out, cross your fingers, and accept whatever comes back!)

I think the extra info in the 2008 version was intended to overcome some blind spots that many organisations had - I've heard them say often things something like: Oh, that's not included because XYZ company does that, and we don't control them.

ISO 9001's point of view is: it is you who has made an agreement to supply your customers, and that includes the responsibility of having reasonable arrangements to 'control' whatever you choose to outsource so that, ultimately, your customer gets what you agreed to supply to them. (All very reasonable and good business sense IMO)

Thus, as clause 7.4 requires, you need to make sure that you adequately convey to your supplier what your requirements are, and then ensure that you got what you specified, etc. You don't necessarily have to worry about how it is controlled internally at your supplier's - that is usually their job and definitely sounds so in this case. But it's also a reason why ISO requires you to pay attention to how you select and monitor your suppliers, as well as check whatever stuff you have 'done externally' rather than simply hand it straight across to your customer & disclaim all responsibility.

I'm not suggesting it's not an interesting question to debate (a process or not? an activity?) but you may get a range of opinions even among experts, and just end up confused.

Ultimately, I see very little distinction between:

what is a purchase of a service or product versus what is a subcontracted or outsourced process.

All those additional Notes and info are just clarifying - or trying to! :D

Friends,

Karen's head must be spinning by now....:D

Us Covers never give up! :agree1:

Stijloor.

It's just that simple!Sorry, Andy, but it isn't. This kind of analogy is used by many instructors during ISO 9000 courses, trying to use day to day cases as examples, so people can "relate".

But if it were that simple, the TC 176 would have not developed a guidance document on the subject.

To attempt to simplify is good. To trivialize the issue is not.

Sorry, Andy, but it isn't. This kind of analogy is used by many instructors during ISO 9000 courses, trying to use day to day cases as examples, so people can "relate".

But if it were that simple, the TC 176 would have not developed a guidance document on the subject.

To attempt to simplify is good. To trivialize the issue is not.

Do you think I was trivializing it? I did only use the word 'simple'.....I'm not sure that because a guidance document was issued it indicates any specific condition exists. We all see many (complex) implementation issues discussed here, but no TC 176 document exists for all of them, so I believe that there's no greater gravity to the requirement (simply) because a guidance document exists.

And, yes, I did use this example when I was an instructor. Often people make waaaaaay to much of requirements - as you are well aware. So what's the problem with helping people relate? Don't forget, Sidney, that many (most) folks come to ISO without the benefit of any prior knowledge (of similar requirements) at all!

The process of food 'manufacturing' is outsourced by many of us (I tried to grow stuff but wasn't entirely successful) - I buy based on past performance, relying on USDA/FDA requirements etc. In some cases (as with veg/fruit) I have to do inspections before I agree to purchase. Because I can't taste milk before I buy, I have to rely on the FIFO process at the supplier and date coding of products. With eggs, my experience is that all those controls can be in place, but there may also be damage, so I open the container and check them for damage.......

What's being trivialized here? Is there some 'rocket science' I'm not privileged to know or understand?

What's being trivialized here?Grocery shopping tips is all I need to know to understand controls over outsourced processes. That is the message I got from your previous post.

In my judgement, it is not "that simple".

When an organization outsources sterilization processes of their medical devices, the controls to be exercised by the customer go beyond what I do when buying milk and eggs at Costco.

Andy's analogy covers the supplier selection, risk assessment and determination of the level of appropriate incoming inspection elements of the process pretty well and is a good model for buying "off the shelf" products or services.
What it doesn't cover is the ordering of bespoke products or services. The specification must be clearly defined to the supplier, you may need to audit the supplier to ensure their competence, there may be a requirement for project management and periodic review, there may be a requirement for PPAP, supplier performance must be monitored and a CAPA process in place.
Things are complicated further when special processes or regulatory requirements are involved and additional controls and records are needed.

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

I have read all the posts and I would like to state my opinion in an independent manner.
IMO The requirement for control over outsourced processes is there to ensure that the company can not waive its responsibility for ensuring the maintenance of customer requirements by saying that it was someone else.
In most cases I have seen the control has been through the purchasing procedure which has ensured the evaluation and monitoring of the subcontractor, the correct definition of the requirements and the method of acceptance of the goods/service.
One of the differences between ISO 9001:2000 and ISO 9001:2008 is the addition of a reference to clause 7.4.
I suggest that in the fact the controls available in 7.4 are enough to control the outsourced supplier.

We covered it by stating that, All current suppliers are grandfathered, and that all new suppliers must either be ISO certified or approved by the company president.

We just had our Stage II audit and this was fine with our auditor.

That's disappointing. Grandfathering current suppliers has nothing to do with defining controls for outsourced processes.

I suggest you reread clauses 4.1 and 7.4. It might be a good idea for your auditor to do so as well...

By the way, though it is a common practice, "grandfathering" suppliers is not a concept that is found in the ISO standard. In many cases it is compliant simply because the suppliers are good. But grandfathering a bad supplier does not turn them into a good or compliant supplier. It is an outdated concept and should be put to rest.

Disappointing if your auditor "was fine with it."

That's disappointing. Grandfathering current suppliers has nothing to do with defining controls for outsourced processes.

I suggest you reread clauses 4.1 and 7.4. It might be a good idea for your auditor to do so as well...

By the way, though it is a common practice, "grandfathering" suppliers is not a concept that is found in the ISO standard. In many cases it is compliant simply because the suppliers are good. But grandfathering a bad supplier does not turn them into a good or compliant supplier. It is an outdated concept and should be put to rest.

Disappointing if your auditor "was fine with it."

I think you're correct in saying that grandfathering doesn't address the definition of controls, but I can't agree with the poo-pooing of grandfathering in general. If the number of suppliers is large it's usually the only practical way to go. It doesn't mean that "bad" suppliers are deemed "good" or that there are even definitions of "good" and "bad," or that such definitions are needed. 7.4.1 says that the organization shall:
...evaluate and select suppliers based on their ability to supply product in accordance with the organization's requirements. Criteria for selection, evaluation and re-evaluation shall be established.
(My emphasis)

There is still the requirement to exert control over outsourced processes in accordance with 4.1, whether suppliers are grandfathered or new.

Grocery shopping tips is all I need to know to understand controls over outsourced processes. That is the message I got from your previous post.

In my judgement, it is not "that simple".

When an organization outsources sterilization processes of their medical devices, the controls to be exercised by the customer go beyond what I do when buying milk and eggs at Costco.

I agree and, now we have a place to start that discussion - since this is the 'vanilla' ISO 9000 forum, I didn't intend to complicate things with the details of those complex situations for regulated businesses.

Prototyper is correct (IMHO) for those organizations which procure to custom specifications. My comments were made for the preponderance of organizations making purchases. I wasn't aware we were talking specifically about a regulated industry here.......is that the context of Karen's question?

That's disappointing. Grandfathering current suppliers has nothing to do with defining controls for outsourced processes.

I suggest you reread clauses 4.1 and 7.4. It might be a good idea for your auditor to do so as well...

By the way, though it is a common practice, "grandfathering" suppliers is not a concept that is found in the ISO standard. In many cases it is compliant simply because the suppliers are good. But grandfathering a bad supplier does not turn them into a good or compliant supplier. It is an outdated concept and should be put to rest.

Disappointing if your auditor "was fine with it."

In my opinion, grandfathering of existing suppliers is only acceptable if the organization has been evaluating their performance of the suppliers on an ongoing basis and has found they have demonstrated the ability to consistently meet requirements.

Supplier grandfathering by itself (as Helmut states) does not address "controls" for outsourced processes. However, if we have communicated (contractually) controls for the outsourced process to the provider, and have been evaluating their performance, it could be an acceptable practice.

In my opinion, grandfathering of existing suppliers is only acceptable if the organization has been evaluating their performance of the suppliers on an ongoing basis and has found they have demonstrated the ability to consistently meet requirements.

Supplier grandfathering by itself (as Helmut states) does not address "controls" for outsourced processes. However, if we have communicated (contractually) controls for the outsourced process to the provider, and have been evaluating their performance, it could be an acceptable practice.

There are no retroactive requirements in the standard. By that I mean that the standard doesn't require that we show evidence of compliance with it in the past (when initially audited). What is required is that there is evidence of control of outsourced processes, and evidence of criteria for evaluating a supplier's ability to meet the organization's requirements--not the requirements of the standard. I can determine what those requirements are, including deeming existing suppliers acceptable en masse based on any number of factors (price, proximity, nepotism, whatever).

I agree there are no retroactive requirements. However, if the company chooses not to evaluate the suppliers/service providers now (grandfather), past evaluations are acceptable.

I agree there are no retroactive requirements. However, if the company chooses not to evaluate the suppliers/service providers now (grandfather), past evaluations are acceptable.

My point was that the nature of the evaluations is left to "the organization" by the standard. An incumbent supplier may meet the organization's requirements by being an existing supplier. At the time of the initial CB audit there will have to be evidence of the organization's control of outsourced processes (appropriate to the degree of risk invoved), not detailed evidence of requalification of existing suppliers.

I agree. :agree:

I think you're correct in saying that grandfathering doesn't address the definition of controls, but I can't agree with the poo-pooing of grandfathering in general. If the number of suppliers is large it's usually the only practical way to go. It doesn't mean that "bad" suppliers are deemed "good" or that there are even definitions of "good" and "bad," or that such definitions are needed. 7.4.1 says that the organization shall:

(My emphasis)

There is still the requirement to exert control over outsourced processes in accordance with 4.1, whether suppliers are grandfathered or new.

We agree that grandfathering does not address defining controls.

On the other aspect, I was trying to carefully chose my words. I did say in many cases "grandfathering is compliant," and I have accepted it in principle many times. But, it is not the act of "grandfathering" that is compliant, rather that the underlying suppliers meet the defined performance criteria. Thus a "bad" (non-performing) supplier does not become good or acceptable by "grandfathering." In other words, the grandfathering is kind of moot. ISO requires that suppliers meet the defined criteria. Those that do, can be grandfathered with no further records or qualification activities.

If no criteria for suppliers are defined, I think there is a nonconformity. And if outsourced processes and controls are not defined and documented, I think there is a nonconformity there too.

hi, these are good suggestions... however, my confusion is like this.. I have documented a Supplier Accreditation and Supplier Evaluation under purchasing process. But, there are services that are outsourced that are not under Purchasing like the General Admin services such as security and messengerial and utility works, and some other services of other departments. What shall i do? Will it be enough that those departments will set their criteria, monitoring and evaluation? Or is it alright to incorporate it with the procedures I have in Purchasing manual? Need your suggestions please...
thanks so much

hi, these are good suggestions... however, my confusion is like this.. I have documented a Supplier Accreditation and Supplier Evaluation under purchasing process. But, there are services that are outsourced that are not under Purchasing like the General Admin services such as security and messengerial and utility works, and some other services of other departments. What shall i do? Will it be enough that those departments will set their criteria, monitoring and evaluation? Or is it alright to incorporate it with the procedures I have in Purchasing manual? Need your suggestions please...
thanks so much

Just weigh those other services against their potential to effect product conformity and customer satisfaction. If they can reasonably cause a problem (your determination and not some goofy auditor's) then control them, if not then go on to more important issues.