1) Introduction
The aim of this document is to provide guidance on the intent of ISO 9001:2000 clause 4.1, regarding the control of outsourced processes, and to clarify the relationship between this requirement and those contained in ISO 9001:2000 clause 7.4 (Purchasing)
2) Guidance
ISO 9001:2000 clause 4.1 states:
“Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.”
2.1) What is an “outsourced process”?
An “outsourced process” is a process that is provided by an external organization.
Note: ISO 9000:2000 clause 3.4.1 defines “process” as “set of interrelated or interacting activities which transforms inputs into outputs”
An outsourced process can be purchased from an independent supplier, or provided by another part of a larger group of organizations. It may be provided within the work environment of the organization, at an independent site or in some other manner.
There is often an ongoing (long-term) relationship between the organization and the provider of the outsourced process.
2.2) Control of Outsourced processes
Outsourced processes typically involve interactions with other processes needed for the organization’s quality management system. These other processes may be carried out by the organization itself, or by other providers of outsourced processes. Where a process is outsourced, therefore, the organization needs to control not only the conformity of the output of the process, but also the process itself, including its interactions with other processes. For any outsourced process that affects the organization’s ability to provide conforming product, the organization has to demonstrate that it exercises sufficient control to ensure this process is performed according to the relevant requirements of ISO 9001:2000. The nature of this control will depend on the nature of the outsourced process and the risk involved. Control may include, for example, a contractual agreement with the provider of the outsourced process including the specification of and/or validation requirements for the process, quality management system requirements, on-site inspections or verifications, and/or audits.
2.3) “Outsourcing” versus “Purchasing”
ISO 9001:2000 clause 7.4 (Purchasing) requirements apply to all purchased products, which typically involve a relatively clear interface between the organization and its supplier, and for which conformity to specified requirements can be verified by inspection of the product or by other activities.
Note: A product is defined in ISO 9000:2000 clause 3.4.2 as “the output of a process”, and includes hardware, software, services, or processed materials
For outsourced processes, it is often not possible, practical or economically viable to verify the conformity of the resulting product by subsequent monitoring or measurement. In some cases, deficiencies may become apparent only after the provider of the outsourced process has delivered the product to the organization’s customer. In these cases, ISO 9001:2000 clause 4.1 also applies, and the organization must ensure control not only of the purchased product, but also of the process that is being outsourced.