
Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008

Helmut Jilling

Auditor / Consultant
#31
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

We covered it by stating that all current suppliers are grandfathered, and that all new suppliers must either be ISO certified or approved by the company president.

We just had our Stage II audit and this was fine with our auditor.
That's disappointing. Grandfathering current suppliers has nothing to do with defining controls for outsourced processes.

I suggest you reread clauses 4.1 and 7.4. It might be a good idea for your auditor to do so as well...

By the way, though it is a common practice, "grandfathering" suppliers is not a concept that is found in the ISO standard. In many cases it is compliant simply because the suppliers are good. But grandfathering a bad supplier does not turn them into a good or compliant supplier. It is an outdated concept and should be put to rest.

Disappointing if your auditor "was fine with it."
 

Jim Wynne

Staff member
Admin
#32
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

That's disappointing. Grandfathering current suppliers has nothing to do with defining controls for outsourced processes.

I suggest you reread clauses 4.1 and 7.4. It might be a good idea for your auditor to do so as well...

By the way, though it is a common practice, "grandfathering" suppliers is not a concept that is found in the ISO standard. In many cases it is compliant simply because the suppliers are good. But grandfathering a bad supplier does not turn them into a good or compliant supplier. It is an outdated concept and should be put to rest.

Disappointing if your auditor "was fine with it."
I think you're correct in saying that grandfathering doesn't address the definition of controls, but I can't agree with the pooh-poohing of grandfathering in general. If the number of suppliers is large it's usually the only practical way to go. It doesn't mean that "bad" suppliers are deemed "good" or that there are even definitions of "good" and "bad," or that such definitions are needed. 7.4.1 says that the organization shall:
...evaluate and select suppliers based on their ability to supply product in accordance with the organization's requirements. Criteria for selection, evaluation and re-evaluation shall be established.
(My emphasis)

There is still the requirement to exert control over outsourced processes in accordance with 4.1, whether suppliers are grandfathered or new.
 
#33
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Grocery shopping tips is all I need to know to understand controls over outsourced processes. That is the message I got from your previous post.

In my judgement, it is not "that simple".

When an organization outsources sterilization processes of their medical devices, the controls to be exercised by the customer go beyond what I do when buying milk and eggs at Costco.
I agree and, now we have a place to start that discussion - since this is the 'vanilla' ISO 9000 forum, I didn't intend to complicate things with the details of those complex situations for regulated businesses.

Prototyper is correct (IMHO) for those organizations which procure to custom specifications. My comments were made for the preponderance of organizations making purchases. I wasn't aware we were talking specifically about a regulated industry here.......is that the context of Karen's question?
 

howste

Thaumaturge
Super Moderator
#34
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

That's disappointing. Grandfathering current suppliers has nothing to do with defining controls for outsourced processes.

I suggest you reread clauses 4.1 and 7.4. It might be a good idea for your auditor to do so as well...

By the way, though it is a common practice, "grandfathering" suppliers is not a concept that is found in the ISO standard. In many cases it is compliant simply because the suppliers are good. But grandfathering a bad supplier does not turn them into a good or compliant supplier. It is an outdated concept and should be put to rest.

Disappointing if your auditor "was fine with it."
In my opinion, grandfathering of existing suppliers is only acceptable if the organization has been evaluating the performance of the suppliers on an ongoing basis and has found they have demonstrated the ability to consistently meet requirements.

Supplier grandfathering by itself (as Helmut states) does not address "controls" for outsourced processes. However, if we have communicated (contractually) controls for the outsourced process to the provider, and have been evaluating their performance, it could be an acceptable practice.
 

Jim Wynne

Staff member
Admin
#35
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

In my opinion, grandfathering of existing suppliers is only acceptable if the organization has been evaluating the performance of the suppliers on an ongoing basis and has found they have demonstrated the ability to consistently meet requirements.

Supplier grandfathering by itself (as Helmut states) does not address "controls" for outsourced processes. However, if we have communicated (contractually) controls for the outsourced process to the provider, and have been evaluating their performance, it could be an acceptable practice.
There are no retroactive requirements in the standard. By that I mean that the standard doesn't require that we show evidence of compliance with it in the past (when initially audited). What is required is that there is evidence of control of outsourced processes, and evidence of criteria for evaluating a supplier's ability to meet the organization's requirements--not the requirements of the standard. I can determine what those requirements are, including deeming existing suppliers acceptable en masse based on any number of factors (price, proximity, nepotism, whatever).
 

howste

Thaumaturge
Super Moderator
#36
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

I agree there are no retroactive requirements. However, if the company chooses not to evaluate the suppliers/service providers now (grandfather), past evaluations are acceptable.
 

Jim Wynne

Staff member
Admin
#37
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

I agree there are no retroactive requirements. However, if the company chooses not to evaluate the suppliers/service providers now (grandfather), past evaluations are acceptable.
My point was that the nature of the evaluations is left to "the organization" by the standard. An incumbent supplier may meet the organization's requirements by being an existing supplier. At the time of the initial CB audit there will have to be evidence of the organization's control of outsourced processes (appropriate to the degree of risk involved), not detailed evidence of requalification of existing suppliers.
 

Helmut Jilling

Auditor / Consultant
#39
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

I think you're correct in saying that grandfathering doesn't address the definition of controls, but I can't agree with the pooh-poohing of grandfathering in general. If the number of suppliers is large it's usually the only practical way to go. It doesn't mean that "bad" suppliers are deemed "good" or that there are even definitions of "good" and "bad," or that such definitions are needed. 7.4.1 says that the organization shall:

(My emphasis)

There is still the requirement to exert control over outsourced processes in accordance with 4.1, whether suppliers are grandfathered or new.
We agree that grandfathering does not address defining controls.

On the other aspect, I was trying to carefully choose my words. I did say in many cases "grandfathering is compliant," and I have accepted it in principle many times. But it is not the act of "grandfathering" that is compliant, rather that the underlying suppliers meet the defined performance criteria. Thus a "bad" (non-performing) supplier does not become good or acceptable by "grandfathering." In other words, the grandfathering is kind of moot. ISO requires that suppliers meet the defined criteria. Those that do can be grandfathered with no further records or qualification activities.

If no criteria for suppliers are defined, I think there is a nonconformity. And if outsourced processes and controls are not defined and documented, I think there is a nonconformity there too.
 

chayumi

#40
Re: Outsourced Processes - Type and Extent of Control to be Applied - ISO 9001:2008 D

Hi, these are good suggestions... however, my confusion is like this: I have documented a Supplier Accreditation and Supplier Evaluation under the purchasing process. But there are services that are outsourced that are not under Purchasing, like the General Admin services such as security and messengerial and utility works, and some other services of other departments. What shall I do? Will it be enough that those departments set their own criteria, monitoring and evaluation? Or is it all right to incorporate it with the procedures I have in the Purchasing manual? Need your suggestions please...
Thanks so much
 