Type and Control of Outsourced Processes - ISO 9001 Clause 4.1

[Marc]

Our auditor raised a nonconformity because we don't have this LIST.

Although controls are in place to make sure that providers of the outsourced processes deliver what we want from them, we did not mention them (i.e. controls) on our quality manual.

According to him ISO 9001 standard requires us to "document" the type and extent of control for the outsourced processes within our QMS documentation.

The requirement is for control(s) to be in your QMS documentation. Your quality manual is only one document of many in your QMS. I would do the standard "Show me the requirement" which states you specifically have to have a list and/or that it must specifically be mentioned in the quality manual (as opposed to being addressed in a different QMS document). A list doesn't show 'control' anyway.

 

[tony s]

The requirement is for control(s) to be in your QMS documentation.

That's what we understand about the ISO 9001 clause 4.1 which says:

The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

We told our auditor that most, if not all, controls for the outsourced processes were already established or defined in the existing documents (i.e. we have a lot of other manuals that pre-date the establishment of the ISO 9001 QMS).

He keep on asking: "Where in your QMS documentation (while waving the quality manual before us) that the type and extent of control are identified/defined?" Then he explained that he cannot see any statement defining the controls.

tony s

 

[Marc]

When you control outsourced processes you do so through the quality planning process for product(s) which you are sending out. A quality planning output would define the required controls.

So - You have to show and explain your process/system for quality planning. Also, remember that there is no requirement which says that all of your processes/systems *shall* be documented. There are something like 6 required documented processes.

1. Document Control
2. Records
3. Nonconforming Material
4. Internal Audit
5. Corrective Action
6. Preventive Action

That is not to say you should not have a documented process for quality planning, only that it (if I remember correctly and I'm sure someone will correct me if I'm wrong) is not required to be documented.

It all boils down to your having a quality planning process/system and you should be able to show the outputs of the system as well as how they are communicated to the sub-contractor.

Again, I would ask the auditor to show you the' shall' requirement which says you must have a list, and if s/he can not I would appeal it.

 

[Helmut Jilling]

When you control outsourced processes you do so through the quality planning process for product(s) which you are sending out. A quality planning output would define the required controls.

So - You have to show and explain your process/system for quality planning. Also, remember that there is no requirement which says that all of your processes/systems *shall* be documented. There are something like 6 required documented processes.

1. Document Control
2. Records
3. Nonconforming Material
4. Internal Audit
5. Corrective Action
6. Preventive Action

That is not to say you should not have a documented process for quality planning, only that it (if I remember correctly and I'm sure someone will correct me if I'm wrong) is not required to be documented.

It all boils down to your having a quality planning process/system and you should be able to show the outputs of the system as well as how they are communicated to the sub-contractor.

Again, I would ask the auditor to show you the' shall' requirement which says you must have a list, and if s/he can not I would appeal it.

Maybe 6 procedures are required, but I don't see that applying to cl 4.1. I read cl 4.1 to apply to all processes in an organization. I don't see the 6 procedure clause (4.2.1) putting any limits on cl 4.1.

Cl 4.1: The organization shall
a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2),

I would further suggest the 6 procedure discussion, that only six procedures are required, is just a starting point. Cl 4.2.1.c requires 6 procedures, followed by a comma, followed by cl 4.2.1.d which goes on to say "and other documents needed by the organization..." It would be a tough sell to actually only expect 6 procedures and nothing more. Not sure you were saying that specifically.

 

[Helmut Jilling]

That's what we understand about the ISO 9001 clause 4.1 which says:

The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

We told our auditor that most, if not all, controls for the outsourced processes were already established or defined in the existing documents (i.e. we have a lot of other manuals that pre-date the establishment of the ISO 9001 QMS).

He keep on asking: "Where in your QMS documentation (while waving the quality manual before us) that the type and extent of control are identified/defined?" Then he explained that he cannot see any statement defining the controls.

tony s

I would accept your position that the controls are defined in various manuals and such. However, I would expect them to be controlled documents included into your documented quality system. More importantly, I am concerned about something I often see in audits. I will ask where do we document the outsourced processes. They show me various unconnected documents, po's, control plans. I ask, ok, tell me, what are the outsourced processes? Typically, they tell me 2, 3 or 4 processes. Then later we find a few more.

While it does not say a list is required, in the absence of some kind of list or similar, how do you document what the specific outsourced processes?

 

[Marc]

Maybe 6 procedures are required <snip>

Note I specifically addressed required *documented* procedures/systems. There will be required records as well, and records specific to a company's way of 'doing things', if not required by the standard, then by the company's system.

You may feel a list is the best way to track something but that's your opinion. As a consultant you can advise a company on their systems/processes. It is not the function of an auditor to do that. In fact, technically it is a conflict of interest for an auditor to cross the line and tell a company how to do something, even though we know it happens in every audit to some degree. I did it myself "in a round about way" from time to time.

I stand by my point that there is no requirement for a list. This is about being written up and given a non-conformance for not having a list, not whether it is a good idea or not.

<snip> More importantly, I am concerned about something I often see in audits. I will ask where do we document the outsourced processes. They show me various unconnected documents, po's, control plans. I ask, ok, tell me, what are the outsourced processes? Typically, they tell me 2, 3 or 4 processes. Then later we find a few more.<snip>

That is a situation where the company was not prepared for the audit and/or could not describe and explain their system in way which makes an auditor feel comfortable that the people really understand their processes/systems and how they fit together.

This is something I worked very hard on with clients. In part it was typically knowing who to ask. I never had a client that had that problem during an audit because I know how important it is and made sure everyone was prepared. I larger companies I even made sure each auditor had an escort so that when they asked about a specific system the escort could/would ensure the proper person was being asked questions about the specific system(s)/process(es). Often an auditor would ask someone in manufacturing (for example) how their design system worked (as an example). The escort would stop the audit and get the right person there to answer questions. I am not citing that, necessarily, of a problem with auditors. An auditor comes in for the first time and won't necessarily know who s/he should be asking.

The important part is that each person know what their duties and responsibilities are, what documentation affects them and how, things like that.

While it does not say a list is required, in the absence of some kind of list or similar, how do you document what the specific outsourced processes?

As long as they have a system that meets the requirements, it doesn't matter if the auditor can only think of one way (in this case a list). As long as the company can describe and show how they do it, it is not up to the auditor to tell them they need a list.

 

[John Martinez]

That's what we understand about the ISO 9001 clause 4.1 which says:

The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

We told our auditor that most, if not all, controls for the outsourced processes were already established or defined in the existing documents (i.e. we have a lot of other manuals that pre-date the establishment of the ISO 9001 QMS).

He keep on asking: "Where in your QMS documentation (while waving the quality manual before us) that the type and extent of control are identified/defined?" Then he explained that he cannot see any statement defining the controls.

tony s

If your documentation the pre-dates your ISO 9001 QMS are NOT a part of your current QMS then your auditor MAY have a valid argument. That said, "define" does not necessairly equate with "document".

It is a valid question to challenge you on how it is defined within your current QMS. It is another to require "documented" within your quality manual.

 

[Helmut Jilling]

Note I specifically addressed required *documented* procedures/systems.

Your post said processes/systems, I assumed that was what you intended. Perhaps that was a typo.

You may feel a list is the best way to track something but that's your opinion. ...
I stand by my point that there is no requirement for a list. ...As long as the company can describe and show how they do it, it is not up to the auditor to tell them they need a list.

I agreed there is no requirement that it must be a "list." I was making the point that a list in the same document where the other internal processes are defined, is a convenient way to meet the requirement.

I would not write an NC because there is no "list." However, about 30-40% of the time when I get a new client, they cannot tell me what their outsourced processes are, they guess... Then I write a nonconformance that they have not adequately identified their outsourced processes.

It really is an issue out there. I would not fight too hard against the NC stated, unless they had a very clear understanding what those outsourced processes were.

 

[Marc]

<snip> I would not write an NC because there is no "list." However, about 30-40% of the time when I get a new client,<snip>

Are you speaking as an auditor or a consultant? As a consultant that's not unusual in my experience. As a consultant I typically found there are quite a few systems/processes that they cannot readily explain. As an auditor, it isn't all that uncommon either, but in those cases the company simply isn't prepared for the audit.

<snip> they cannot tell me what their outsourced processes are, they guess... Then I write a nonconformance that they have not adequately identified their outsourced processes. <snip>

Again, this is about not having a list. It is not about whether the company was prepared for the audit. Typically if they are not prepared to clearly explain what their outsourced processes are and how they are both controlled and tracked, they have more problems than this specific area.

You like the idea of a list, which is fine. That still doesn't make it a requirement which an auditor can write a non-conformance against.

 

[Helmut Jilling]

Are you speaking as an auditor or a consultant? As a consultant that's not unusual in my experience. As a consultant I typically found there are quite a few systems/processes that they cannot readily explain. As an auditor, it isn't all that uncommon either, but in those cases the company simply isn't prepared for the audit.

Again, this is about not having a list. It is not about whether the company was prepared for the audit. Typically if they are not prepared to clearly explain what their outsourced processes are and how they are both controlled and tracked, they have more problems than this specific area.

You like the idea of a list, which is fine. That still doesn't make it a requirement which an auditor can write a non-conformance against.

Speaking as an auditor.

It is not that I want a "list." I really don't require a particular format. I do want them to document them in an appropriate manner.

They already have documented their internal processes. I simply suggest they identify their outsourced processes on the same document, whatever that document is.

Why should they try to "remember" their outsourced processes? Why not handle them in the same manner as whatever method they chose to apply to their internal processes.

I suggest the standard is trying to make the point that processes are processes, whther they are outsourced or not. The only difference is they don't have to define the full details for outsourced processes as they did for their internal ones. Defining the controls, if any, is sufficient.