Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008

[Stijloor]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

<snip>I would like for you to give me your opinion, right or wrong, a to whether my annodizing process is an outsourced "process."
Thanks

Simple example: Your process for making widgets from beginning to end takes let's say 10 steps. Step 8 is an activity for which you don't have the technical capability. The parts then leave the company for step 8 (outsourced) after which they come back for step 9 and 10. Widgets completed.

Stijloor.

 

[Helmut Jilling]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Well, tommorrow I'm going to get the 2008 revision to the standard since obviously I am being audited to that version even though I contracted under the 2001 version. However, I need to know the definition of "outsourced process." I will determine, in accordance with any new requirements, what controls I must have on an outsourced process, BUT I need to first know what is considered outsourced. My definition of outsourcing is "an arrangement in which one company provides services for another company that could also be or usually have been provided in house." My situation: I purchase a metal housing from a supplier. I receive the housing , inspect it, and send it out to a firm to annodize. I don't have the capability to annodize and of course I have never performed that process inhouse. Have I outsourced a process, or have I simply purchased a service?

Kindly give me your thoughts.
Thanks

I think you are pretty close. By the way, the requirements to define controls for outsourced processes is not new, it was part of the 2000 version.

I would suggest the metal housing you purchased is a purchased product. The anodizing is an outsourced process.

The controls you have to define are relatively simple. In the old days, people used to say, "we send the anodizing out, we're not responsible for that." Of course, that is a silly position. You are responsible for it, whether you do it, or you have it done. The 2000 and 2008 ISO says that. You are responsible for it, whether you do it, or you outsource it.

ISO requires that you define the details of your processes (cl 4.1) so that you ensure the output 100% meets requirements. For outsourced processes, ISO goes easy on you. You don't have to all the things in Cl 4.1, you just have to identify that process ispart of your defined processes, AND define what controls (if any) you need to define to ensure that the outputs 100% meets requirements.

In some cases that might be very little (ISO certification, receiving inspection), and in other cases it could be quite a few controls. It is up to you, as long as the output 100% meets requirements.

 

[AndyN]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Karen:

I've used this analogy before (I apologize in advance to the 'regulars who have to read this stuff over and over again!)

It's just the same type of thing when you go to the grocery store - Kelloggs/Campbells' etc - little to no controls needed on your part!

Veggies/fruit - some inspections required!

Dairy - use the 'fifo' date code on milk etc. Some inspection required on eggs, for example (eggsample? - sorry I couldn't help myself!)

It's just that simple!

 

[JaneB]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Karen,

Ultimately, it does not matter whether you buy in a thing, a service or a process - you are buying in something that you either don't have the inhouse capacity to do/make/produce, or something that you don't choose to do (eg, you can't/happens only rarely/cheaper to have someone else to do it, etc).

Suggest instead of worrying over much about whether it's a 'process' or not, an 'activity' etc. that you focus your attention more on:

1. what do we send out of our premises to be done?
2. what do we buy in?

(And that when asking either question, you understand 'what' to mean 'what = that is important/essential/critical to the quality of our product or service' - eg, this would screen out the largely trivial "paperclips-we-use-in-office" stuff)

You see, whether you send something out to be anodised, painted, plated, machined or whatever, the key point is: what arrangements do you make in order to maintain reasonable control over that? (I'm assuming you don't just send it out, cross your fingers, and accept whatever comes back!)

I think the extra info in the 2008 version was intended to overcome some blind spots that many organisations had - I've heard them say often things something like: Oh, that's not included because XYZ company does that, and we don't control them.

ISO 9001's point of view is: it is you who has made an agreement to supply your customers, and that includes the responsibility of having reasonable arrangements to 'control' whatever you choose to outsource so that, ultimately, your customer gets what you agreed to supply to them. (All very reasonable and good business sense IMO)

Thus, as clause 7.4 requires, you need to make sure that you adequately convey to your supplier what your requirements are, and then ensure that you got what you specified, etc. You don't necessarily have to worry about how it is controlled internally at your supplier's - that is usually their job and definitely sounds so in this case. But it's also a reason why ISO requires you to pay attention to how you select and monitor your suppliers, as well as check whatever stuff you have 'done externally' rather than simply hand it straight across to your customer & disclaim all responsibility.

I'm not suggesting it's not an interesting question to debate (a process or not? an activity?) but you may get a range of opinions even among experts, and just end up confused.

Ultimately, I see very little distinction between:

what is a purchase of a service or product versus what is a subcontracted or outsourced process.

All those additional Notes and info are just clarifying - or trying to!

 

[Stijloor]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Friends,

Karen's head must be spinning by now....

Us Covers never give up!

Stijloor.

 

[Sidney Vianna]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

It's just that simple!

Sorry, Andy, but it isn't. This kind of analogy is used by many instructors during ISO 9000 courses, trying to use day to day cases as examples, so people can "relate".

But if it were that simple, the TC 176 would have not developed a guidance document on the subject.

To attempt to simplify is good. To trivialize the issue is not.

 

[AndyN]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Sorry, Andy, but it isn't. This kind of analogy is used by many instructors during ISO 9000 courses, trying to use day to day cases as examples, so people can "relate".

But if it were that simple, the TC 176 would have not developed a guidance document on the subject.

To attempt to simplify is good. To trivialize the issue is not.

Do you think I was trivializing it? I did only use the word 'simple'.....I'm not sure that because a guidance document was issued it indicates any specific condition exists. We all see many (complex) implementation issues discussed here, but no TC 176 document exists for all of them, so I believe that there's no greater gravity to the requirement (simply) because a guidance document exists.

And, yes, I did use this example when I was an instructor. Often people make waaaaaay to much of requirements - as you are well aware. So what's the problem with helping people relate? Don't forget, Sidney, that many (most) folks come to ISO without the benefit of any prior knowledge (of similar requirements) at all!

The process of food 'manufacturing' is outsourced by many of us (I tried to grow stuff but wasn't entirely successful) - I buy based on past performance, relying on USDA/FDA requirements etc. In some cases (as with veg/fruit) I have to do inspections before I agree to purchase. Because I can't taste milk before I buy, I have to rely on the FIFO process at the supplier and date coding of products. With eggs, my experience is that all those controls can be in place, but there may also be damage, so I open the container and check them for damage.......

What's being trivialized here? Is there some 'rocket science' I'm not privileged to know or understand?

 

[Sidney Vianna]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

What's being trivialized here?

Grocery shopping tips is all I need to know to understand controls over outsourced processes. That is the message I got from your previous post.

In my judgement, it is not "that simple".

When an organization outsources sterilization processes of their medical devices, the controls to be exercised by the customer go beyond what I do when buying milk and eggs at Costco.

 

[prototyper]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Andy's analogy covers the supplier selection, risk assessment and determination of the level of appropriate incoming inspection elements of the process pretty well and is a good model for buying "off the shelf" products or services.
What it doesn't cover is the ordering of bespoke products or services. The specification must be clearly defined to the supplier, you may need to audit the supplier to ensure their competence, there may be a requirement for project management and periodic review, there may be a requirement for PPAP, supplier performance must be monitored and a CAPA process in place.
Things are complicated further when special processes or regulatory requirements are involved and additional controls and records are needed.

 

[Howard Atkins]

Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

So, I would like to start a debate on what quality professionals, knowledgeable about ISO 9001 on the adequacy of controls which would be deemed acceptable. We know that it is not a requirement for ISO 9001 compliant organizations to flow down ISO 9001 compliance to their suppliers. However, just specifying certain requirements for outsourced processes in a contract and/or PO is no guarantee that the supplier will perform adequately.

I have read all the posts and I would like to state my opinion in an independent manner.
IMO The requirement for control over outsourced processes is there to ensure that the company can not waive its responsibility for ensuring the maintenance of customer requirements by saying that it was someone else.
In most cases I have seen the control has been through the purchasing procedure which has ensured the evaluation and monitoring of the subcontractor, the correct definition of the requirements and the method of acceptance of the goods/service.
One of the differences between ISO 9001:2000 and ISO 9001:2008 is the addition of a reference to clause 7.4.
I suggest that in the fact the controls available in 7.4 are enough to control the outsourced supplier.