Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008

[Sidney Vianna]

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 document, the definition of control is :

• power to give orders or to restrain something
• means of restraining or regulating
• standard of comparison for checking the results of an action or measurement.

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed.

 

[Stijloor]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 document, the definition of control is :

• power to give orders or to restrain something
• means of restraining or regulating
• standard of comparison for checking the results of an action or measurement.

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed.

It would depend on the risks associated with the outsourced process and product. For some activities such as a low-risk machining process, the information on the Purchase Order and a drawing will suffice.

For some processes such as product design; that obviously would require many more controls to ensure that the resulting design will meet the requirements.

Risk and reputation (competency) of the supplier will dictate what controls must be deployed.

Stijloor.

 

[Sidney Vianna]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

For some processes such as product design; that obviously would require many more controls to ensure that the resulting design will meet the requirements.

I agree that risk is to be considered. But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.

As I mentioned earlier, just specifying the product/service being purchased, via PO and/or contract does not raise (imo) to the level of control. So, if we stick to the example of an outsourced design package, what would constitute control in the context of the ISO 9001:2008 standard?

If you mandate the supplier to comply with paragraph 7.3 of ISO 9001, what would be the evidence to you, the customer, that they complied with? A self-declaration of conformance? A customer audit? A 3rd party audit? An ISO 9001 certificate? An accredited ISO 9001 certificate? An IAF "endorsed" accredited ISO 9001 certificate? An IAF "endorsed" accredited ISO 9001 certificate, issued by a reputable registrar?

 

[BradM]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Interesting topic, Sidney. This sounds like Agency Theory. I really like this link to Agency Theory, as it cites the seminal papers.

Starting off, everything is great. They negotiate a low price and high quality to establish your business. After the honeymoon is over, they will incrementally go up on price, down on quality, or both. Eventually like with Economies of Scale, the supplier will get close to the marginal utility (or barrier to exit), and either lose your business, or reign things back in.

Seeing the stuff they make their vendors do, I guess Wal-Mart can objectively demonstrate sovereign reign over their outsourced processes!

Sidney, I am probably not even close to your initial query. I see this more on the operational level of the strength of the Supply Chain relationships, and the level of control the agent has. As with E-Technology (Harland et al, 2007), implementation of E-technologies in SME's is largely dictated by customer pressure. The greater the agent strength, the more control (to the point of satisfying internal quality requirements) will be exercised.

The level of compliance by outside vendors reminds me of the many addressing NADCAP and it's implementation. If they can afford it, suppliers told Boeing to take a leap. If Boeing needed them, they had to overlook it. If the vendor needed Boeing's contracts, they complied and implemented it.

 

[BradM]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.

I thought maybe one way of demonstrating control is through CAPA's involving external processes.

 

[michellemmm]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Quote:
Originally Posted by Sidney Vianna

But I was looking for examples of what people would expect to see as a way to demonstrate control over outsourced processes.

I thought maybe one way of demonstrating control is through CAPA's involving external processes.

Outsourced processes... I struggled with that... I dealt with multi location, multi-cultural companies...Where suppliers become customers and customers become suppliers frequently....

I ended up defining and structuring critical processes based on PDCA, the same way as I approach any other process. It was an eye opener for me to see outsourced processes integrated in to a process map.

The root cause of all outsourced processes nonconformities are due to lack of adequate planning and established realistic objectives. With inadequate planning, expediting becomes a mode of operation and control. Deficiency in inadequate planning is due to lack of expertise and chasing moving targets.

I believe P D C A effectiveness of each process should be measured. An effective outsourced process should have PA>CA.

 

[RoxaneB]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

I've seen controls on outsourced activities in various manners, all dependent on the risk/impact, relationship, performance history, etc.:

• Audits
• Receiving inspection
• Evaluations
• Testing (sent to unbiased 3rd party)
• Surveys

A simple database or matrix listing suppliers for outsourced processes could be developed to show all options and the one(s) that apply to the supplier. It would be possible to include the history of evolution of the supplier, too. A supplier, for example, may once have been subjected to audits once per quarter or something and then with consistent performance, move to external testing on an annual basis.

 

[Helmut Jilling]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

According to ISO 9001:2008 DIS, an organization must define the type and extent of control to outsourced processes.

According to the N526 - Guide to the Terminology used in ISO 9001:2000 and ISO 9004:2000 document, the definition of control is :

• power to give orders or to restrain something
• means of restraining or regulating
• standard of comparison for checking the results of an action or measurement.

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

For example, if an organization outsources the design of a product to a design-house, what would be the expected controls to be exercised for this supplier? Would compliance to ISO 9001 section 7.3 be mandated? How would the customer assure that the supplier conforms with such requirements? What about other associated requirements, such as the competence of the people performing design work? Would a requirement such as that need to be explicitly invoked?

Opinions welcomed.

Some examples I have seen:

• Could be as simple as requiring certification (ISO 9001, ISO 17025).
• Could be as complex as onsite, co-located Engineers or support personnel.
• Requiring a certain level or type of inspection, frequency, etc.
• Defining certain levels of inspection results (internal Cpk, ppm rates, etc.).
• Requiring certain employees to have certain skills or training.
• Requiring CQI 9, 11, or 12.
• differing levels of design collaboration, depending on the level of skill of the outsourced design firm.
• requiring orders to be performed only in certain workcells, only on certain machines (known to be more capable or modern), or by certain personnel.
• Certain SPC or other monitoring data be shared.

These are a few that came to mind. There are many others, but perhaps these will spark conversation.

 

[Sidney Vianna]

The future of ISO 9001

According to this recent article, outsourcing of processes will be a focus area for future discussions on ISO 9001 revisions....

Outsourcing and offshoring
There were several other factors that were the subject of discussion at the most recent meetings of TC 176/SC2 (the ISO subcommittee directly responsible for work on ISO 9000, ISO 9001, and ISO 9004).
The most prominent factors deal with various aspects of the supply chain, specifically, outsourcing of processes, globalization, environmental factors, and information management.
Within the context of ISO 9001, outsourcing refers to those processes needed by the organization that are performed by an external entity. The decision to outsource can be based either on the determination that the organization does not have the requisite resources or ability to effectively implement the process, or that it would be more financially advantageous to have someone else do it. Typical examples include third-party testing and verification, development of user manuals, packaging, heat-treating, and technical support help lines.
The technical experts have recognized that outsourcing is a growing aspect of many organizations. It serves to extend product offerings, increase aftermarket service opportunities, and augment capabilities. Outsourcing can reduce overhead, defer the need for capital expenditures, mitigate risks resulting from spikes in demand, and contribute to lean initiatives.
Currently, ISO 9001 has limited language addressing the requirements surrounding outsourced processes. As outsourcing becomes more widespread, it will be appropriate to insert additional language, proportionate to the prevalence of the practice.
A growing amount of the outsourcing is also going offshore, as have many other links in the supply chain. Raw materials, components, finished goods, and customer service now come to us from almost every corner of the globe. The authors of ISO 9001 anticipate that the standard will inevitably need to more extensively address requirements unique to these long-distance suppliers. There are specific constraints that accompany global supplier relations. Distance, transportation, time zones, cultural differences, communication, and infrastructure reliability can all affect intercontinental partnerships. Although ISO 9001 deals with supplier-related issues, the text will need to be revised to remain relevant to evolving market practices.

 

[AndyN]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Helmut has it - as ever.

Since you identified the (thorny) design control requirements, Sidney, I'd offer that an organization that outsourced design might not have anyone qualified to review the design or participate in the selection of a qualified designer/supplier. In that case, they should seek another 'expert' to do the evaluation and report back to the organization, with recommendations for the controls to be put in place.