
Type and Control of Outsourced Processes - ISO 9001 Clause 4.1

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#21
Our auditor raised a nonconformity because we don't have this LIST. :frust:

Although controls are in place to make sure that providers of the outsourced processes deliver what we want from them, we did not mention them (i.e. controls) in our quality manual.

According to him, the ISO 9001 standard requires us to "document" the type and extent of control for the outsourced processes within our QMS documentation.
The requirement is for control(s) to be in your QMS documentation. Your quality manual is only one document of many in your QMS. I would do the standard "Show me the requirement" which states you specifically have to have a list and/or that it must specifically be mentioned in the quality manual (as opposed to being addressed in a different QMS document). A list doesn't show 'control' anyway.
 

tony s

Information Seeker
Trusted Information Resource
#22
Marc said:
The requirement is for control(s) to be in your QMS documentation.
That's what we understand about the ISO 9001 clause 4.1 which says:

The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

We told our auditor that most, if not all, controls for the outsourced processes were already established or defined in the existing documents (i.e. we have a lot of other manuals that pre-date the establishment of the ISO 9001 QMS).

He kept on asking: "Where in your QMS documentation (while waving the quality manual before us) that the type and extent of control are identified/defined?" Then he explained that he cannot see any statement defining the controls. :(

tony s
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#23
When you control outsourced processes you do so through the quality planning process for product(s) which you are sending out. A quality planning output would define the required controls.

So - You have to show and explain your process/system for quality planning. Also, remember that there is no requirement which says that all of your processes/systems *shall* be documented. There are something like 6 required documented processes.

1. Document Control
2. Records
3. Nonconforming Material
4. Internal Audit
5. Corrective Action
6. Preventive Action

That is not to say you should not have a documented process for quality planning, only that it (if I remember correctly and I'm sure someone will correct me if I'm wrong) is not required to be documented.

It all boils down to your having a quality planning process/system and you should be able to show the outputs of the system as well as how they are communicated to the sub-contractor.

Again, I would ask the auditor to show you the 'shall' requirement which says you must have a list, and if s/he cannot I would appeal it.
 

Helmut Jilling

Auditor / Consultant
#24
When you control outsourced processes you do so through the quality planning process for product(s) which you are sending out. A quality planning output would define the required controls.

So - You have to show and explain your process/system for quality planning. Also, remember that there is no requirement which says that all of your processes/systems *shall* be documented. There are something like 6 required documented processes.

1. Document Control
2. Records
3. Nonconforming Material
4. Internal Audit
5. Corrective Action
6. Preventive Action

That is not to say you should not have a documented process for quality planning, only that it (if I remember correctly and I'm sure someone will correct me if I'm wrong) is not required to be documented.

It all boils down to your having a quality planning process/system and you should be able to show the outputs of the system as well as how they are communicated to the sub-contractor.

Again, I would ask the auditor to show you the 'shall' requirement which says you must have a list, and if s/he cannot I would appeal it.
Maybe 6 procedures are required, but I don't see that applying to cl 4.1. I read cl 4.1 to apply to all processes in an organization. I don't see the 6 procedure clause (4.2.1) putting any limits on cl 4.1.

Cl 4.1: The organization shall
a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2),

I would further suggest the 6 procedure discussion, that only six procedures are required, is just a starting point. Cl 4.2.1.c requires 6 procedures, followed by a comma, followed by cl 4.2.1.d which goes on to say "and other documents needed by the organization..." It would be a tough sell to actually only expect 6 procedures and nothing more. Not sure you were saying that specifically.
 

Helmut Jilling

Auditor / Consultant
#25
That's what we understand about the ISO 9001 clause 4.1 which says:

The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

We told our auditor that most, if not all, controls for the outsourced processes were already established or defined in the existing documents (i.e. we have a lot of other manuals that pre-date the establishment of the ISO 9001 QMS).

He kept on asking: "Where in your QMS documentation (while waving the quality manual before us) that the type and extent of control are identified/defined?" Then he explained that he cannot see any statement defining the controls. :(

tony s
I would accept your position that the controls are defined in various manuals and such. However, I would expect them to be controlled documents included into your documented quality system. More importantly, I am concerned about something I often see in audits. I will ask where do we document the outsourced processes. They show me various unconnected documents, po's, control plans. I ask, ok, tell me, what are the outsourced processes? Typically, they tell me 2, 3 or 4 processes. Then later we find a few more.

While it does not say a list is required, in the absence of some kind of list or similar, how do you document what the specific outsourced processes are?
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#26
Maybe 6 procedures are required <snip>
Note I specifically addressed required *documented* procedures/systems. There will be required records as well, and records specific to a company's way of 'doing things', if not required by the standard, then by the company's system.

You may feel a list is the best way to track something but that's your opinion. As a consultant you can advise a company on their systems/processes. It is not the function of an auditor to do that. In fact, technically it is a conflict of interest for an auditor to cross the line and tell a company how to do something, even though we know it happens in every audit to some degree. I did it myself "in a roundabout way" from time to time.

I stand by my point that there is no requirement for a list. This is about being written up and given a non-conformance for not having a list, not whether it is a good idea or not.

<snip> More importantly, I am concerned about something I often see in audits. I will ask where do we document the outsourced processes. They show me various unconnected documents, po's, control plans. I ask, ok, tell me, what are the outsourced processes? Typically, they tell me 2, 3 or 4 processes. Then later we find a few more.<snip>
That is a situation where the company was not prepared for the audit and/or could not describe and explain their system in a way which makes an auditor feel comfortable that the people really understand their processes/systems and how they fit together.

This is something I worked very hard on with clients. In part it was typically knowing who to ask. I never had a client that had that problem during an audit because I know how important it is and made sure everyone was prepared. In larger companies I even made sure each auditor had an escort so that when they asked about a specific system the escort could/would ensure the proper person was being asked questions about the specific system(s)/process(es). Often an auditor would ask someone in manufacturing (for example) how their design system worked (as an example). The escort would stop the audit and get the right person there to answer questions. I am not citing that, necessarily, as a problem with auditors. An auditor comes in for the first time and won't necessarily know who s/he should be asking.

The important part is that each person know what their duties and responsibilities are, what documentation affects them and how, things like that.

While it does not say a list is required, in the absence of some kind of list or similar, how do you document what the specific outsourced processes are?
As long as they have a system that meets the requirements, it doesn't matter if the auditor can only think of one way (in this case a list). As long as the company can describe and show how they do it, it is not up to the auditor to tell them they need a list.
 

John Martinez

#27
That's what we understand about the ISO 9001 clause 4.1 which says:

The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

We told our auditor that most, if not all, controls for the outsourced processes were already established or defined in the existing documents (i.e. we have a lot of other manuals that pre-date the establishment of the ISO 9001 QMS).

He kept on asking: "Where in your QMS documentation (while waving the quality manual before us) that the type and extent of control are identified/defined?" Then he explained that he cannot see any statement defining the controls. :(

tony s
If your documentation that pre-dates your ISO 9001 QMS is NOT a part of your current QMS then your auditor MAY have a valid argument. That said, "define" does not necessarily equate with "document".

It is a valid question to challenge you on how it is defined within your current QMS. It is another to require "documented" within your quality manual.
 

Helmut Jilling

Auditor / Consultant
#28
Note I specifically addressed required *documented* procedures/systems.
Your post said processes/systems, I assumed that was what you intended. Perhaps that was a typo.


You may feel a list is the best way to track something but that's your opinion. ...
I stand by my point that there is no requirement for a list. ...As long as the company can describe and show how they do it, it is not up to the auditor to tell them they need a list.
I agreed there is no requirement that it must be a "list." I was making the point that a list in the same document where the other internal processes are defined, is a convenient way to meet the requirement.

I would not write an NC because there is no "list." However, about 30-40% of the time when I get a new client, they cannot tell me what their outsourced processes are, they guess... Then I write a nonconformance that they have not adequately identified their outsourced processes.

It really is an issue out there. I would not fight too hard against the NC stated, unless they had a very clear understanding what those outsourced processes were.
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#29
<snip> I would not write an NC because there is no "list." However, about 30-40% of the time when I get a new client,<snip>
Are you speaking as an auditor or a consultant? As a consultant that's not unusual in my experience. As a consultant I typically found there are quite a few systems/processes that they cannot readily explain. As an auditor, it isn't all that uncommon either, but in those cases the company simply isn't prepared for the audit.

<snip> they cannot tell me what their outsourced processes are, they guess... Then I write a nonconformance that they have not adequately identified their outsourced processes. <snip>
Again, this is about not having a list. It is not about whether the company was prepared for the audit. Typically if they are not prepared to clearly explain what their outsourced processes are and how they are both controlled and tracked, they have more problems than this specific area.

You like the idea of a list, which is fine. That still doesn't make it a requirement which an auditor can write a non-conformance against.
 

Helmut Jilling

Auditor / Consultant
#30
Are you speaking as an auditor or a consultant? As a consultant that's not unusual in my experience. As a consultant I typically found there are quite a few systems/processes that they cannot readily explain. As an auditor, it isn't all that uncommon either, but in those cases the company simply isn't prepared for the audit.

Again, this is about not having a list. It is not about whether the company was prepared for the audit. Typically if they are not prepared to clearly explain what their outsourced processes are and how they are both controlled and tracked, they have more problems than this specific area.

You like the idea of a list, which is fine. That still doesn't make it a requirement which an auditor can write a non-conformance against.
Speaking as an auditor.

It is not that I want a "list." I really don't require a particular format. I do want them to document them in an appropriate manner.

They already have documented their internal processes. I simply suggest they identify their outsourced processes on the same document, whatever that document is.

Why should they try to "remember" their outsourced processes? Why not handle them in the same manner as whatever method they chose to apply to their internal processes.

I suggest the standard is trying to make the point that processes are processes, whether they are outsourced or not. The only difference is they don't have to define the full details for outsourced processes as they did for their internal ones. Defining the controls, if any, is sufficient.
 