Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008

[Sidney Vianna]

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 document, the definition of control is :

• power to give orders or to restrain something
• means of restraining or regulating
• standard of comparison for checking the results of an action or measurement.

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed.

[Stijloor]

Quote:

In Reply to Parent Post by Sidney Vianna

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 document, the definition of control is :

• power to give orders or to restrain something
• means of restraining or regulating
• standard of comparison for checking the results of an action or measurement.

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed.

It would depend on the risks associated with the outsourced process and product. For some activities such as a low-risk machining process, the information on the Purchase Order and a drawing will suffice.

For some processes such as product design; that obviously would require many more controls to ensure that the resulting design will meet the requirements.

Risk and reputation (competency) of the supplier will dictate what controls must be deployed.

Stijloor.

[Sidney Vianna]

Quote:

In Reply to Parent Post by Stijloor

For some processes such as product design; that obviously would require many more controls to ensure that the resulting design will meet the requirements.

I agree that risk is to be considered. But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.

As I mentioned earlier, just specifying the product/service being purchased, via PO and/or contract does not raise (imo) to the level of control. So, if we stick to the example of an outsourced design package, what would constitute control in the context of the ISO 9001:2008 standard?

If you mandate the supplier to comply with paragraph 7.3 of ISO 9001, what would be the evidence to you, the customer, that they complied with? A self-declaration of conformance? A customer audit? A 3rd party audit? An ISO 9001 certificate? An accredited ISO 9001 certificate? An IAF "endorsed" accredited ISO 9001 certificate? An IAF "endorsed" accredited ISO 9001 certificate, issued by a reputable registrar?

[BradM]

Interesting topic, Sidney. This sounds like Agency Theory. I really like this link to Agency Theory, as it cites the seminal papers.

Starting off, everything is great. They negotiate a low price and high quality to establish your business. After the honeymoon is over, they will incrementally go up on price, down on quality, or both. Eventually like with Economies of Scale, the supplier will get close to the marginal utility (or barrier to exit), and either lose your business, or reign things back in.

Seeing the stuff they make their vendors do, I guess Wal-Mart can objectively demonstrate sovereign reign over their outsourced processes!

Sidney, I am probably not even close to your initial query. I see this more on the operational level of the strength of the Supply Chain relationships, and the level of control the agent has. As with E-Technology (Harland et al, 2007), implementation of E-technologies in SME's is largely dictated by customer pressure. The greater the agent strength, the more control (to the point of satisfying internal quality requirements) will be exercised.

The level of compliance by outside vendors reminds me of the many addressing NADCAP and it's implementation. If they can afford it, suppliers told Boeing to take a leap. If Boeing needed them, they had to overlook it. If the vendor needed Boeing's contracts, they complied and implemented it.

[BradM]

Quote:

In Reply to Parent Post by Sidney Vianna

But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.

I thought maybe one way of demonstrating control is through CAPA's involving external processes.

[michellemmm]

Quote:

Quote:
Originally Posted by Sidney Vianna

But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.

Quote:

In Reply to Parent Post by BradM

I thought maybe one way of demonstrating control is through CAPA's involving external processes.

Outsourced processes... I struggled with that... I dealt with multi location, multi-cultural companies...Where suppliers become customers and customers become suppliers frequently....

I ended up defining and structuring critical processes based on PDCA, the same way as I approach any other process. It was an eye opener for me to see outsourced processes integrated in to a process map.

The root cause of all outsourced processes nonconformities are due to lack of adequate planning and established realistic objectives. With inadequate planning, expediting becomes a mode of operation and control. Deficiency in inadequate planning is due to lack of expertise and chasing moving targets.

I believe P D C A effectiveness of each process should be measured. An effective outsourced process should have PA>CA.

[RCBeyette]

I've seen controls on outsourced activities in various manners, all dependent on the risk/impact, relationship, performance history, etc.:

• Audits
• Receiving inspection
• Evaluations
• Testing (sent to unbiased 3rd party)
• Surveys

A simple database or matrix listing suppliers for outsourced processes could be developed to show all options and the one(s) that apply to the supplier. It would be possible to include the history of evolution of the supplier, too. A supplier, for example, may once have been subjected to audits once per quarter or something and then with consistent performance, move to external testing on an annual basis.

[Helmut Jilling]

Quote:

In Reply to Parent Post by Sidney Vianna

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 document, the definition of control is :

• power to give orders or to restrain something
• means of restraining or regulating
• standard of comparison for checking the results of an action or measurement.

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed.

Some examples I have seen:

• Could be as simple as requiring certification (ISO 9001, ISO 17025).
• Could be as complex as onsite, co-located Engineers or support personnel.
• Requiring a certain level or type of inspection, frequency, etc.
• Defining certain levels of inspection results (internal Cpk, ppm rates, etc.).
• Requiring certain employees to have certain skills or training.
• Requiring CQI 9, 11, or 12.
• differing levels of design collaboration, depending on the level of skill of the outsourced design firm.
• requiring orders to be performed only in certain workcells, only on certain machines (known to be more capable or modern), or by certain personnel.
• Certain SPC or other monitoring data be shared.

These are a few that came to mind. There are many others, but perhaps these will spark conversation.