External Processes
- What are external processes and why should companies be concerned with them?
- What does it mean to have control of externally provided products and services? How much control is required?
- What are some common auditing questions about external processes?
What are External Processes and Why Should I Care?
ISO asks organizations to have control plans for externally provided products and services because such control is critical to overall quality and customer satisfaction, and the impact of an oversight in this area can be devastating.
For example, imagine choosing a new vendor because they were cheaper than your existing one. You never conducted a formal evaluation of the new supplier and ended up receiving poor quality material that was used in your product. Your final product quality suffers, and your customers aren’t pleased. This ultimately impacts profit margins and can damage your reputation.
Imagine finding material from a new supplier based on information learned during a phone conversation. When you receive the material, you realize it doesn’t meet your requirements and you need to return the shipment. You can’t fill orders and deliveries are ultimately delayed.
These are common situations that can occur without proper supplier evaluation, purchasing process control, quality testing, and ongoing quality monitoring. The requirements in this clause ensure both you and your customers are pleased with the products and services provided.
Clause 8.4 of ISO 9001:2015 requires control over externally provided products and services. This applies to everything essential to manufacturing, checking and testing, and delivering the product or service. This clause outlines the requirements for controlling whether the purchased products and services meet your expectations. This includes quality control, outsourced processes, supplier evaluation, and the purchasing process.
An external provider is anyone who provides goods, materials, expertise, parts, assemblies, services, software, etc. that are somehow incorporated into any of your organization’s product or service offerings. Control of external providers is critical to ensuring products and services meet company requirements and, ultimately, customer expectations. Think about all of the different vendors, suppliers, outsourcing agencies, business consultants, community partners, etc. your organization engages with and you’ll begin to see the umbrella this clause covers. Any of these external providers might supply a product or service that is useful to your organization.
Control of external providers and processes is not optional (or something organizations must merely “consider”). The control of external providers and processes is mandatory, and the planning and implementation must be documented.
What Does It Mean to Have Control of Externally Provided Products and Services?
Evaluating Potential Suppliers
There are a variety of ways organizations control their suppliers. Evaluations are completed to determine if each supplier is capable of meeting quality, shipping, and performance requirements. Suppliers are often evaluated using:
- Research/data analysis (on logistics, quality, performance, etc.)
- Self-assessment questionnaires
- QMS audits (of the supplier)
- On-site assessments/audits of the supplier’s processes
- Risk assessments
- Integration assessments
- Quality agreements/contracts
Suppliers may be approved or dismissed depending on a variety of factors, including the results of any of the above evaluations and current budget flexibility. Additionally, it’s important to document and approve selection criteria for potential suppliers, and the subsequent justification for the approval of suppliers.
Monitoring Suppliers
Once suppliers are approved, companies are expected to consistently monitor their performance. Common ongoing monitoring practices include reviewing performance in:
- On-time delivery
- Ongoing cost
- Nonconformities or defective parts per million (PPM)
- Corrective action
- General availability/communication
- Response time
- Receiving, inspection, or acceptance record reviews
How much control is required?
What is the extent to which an organization must demonstrate control? You will need to determine the elements of your purchase process or outsourced processes that are critical to the design, manufacturing and delivery of your product or service. Examples of areas organizations might consider include:
- Overall quality
- Performance
- Sustainability
- Durability
- Product lifespan
- Industry compliance
- Reliability
- Reputation
- Specifications
- Delivery time
- Production speed
Once an organization determines these critical processes, it will begin defining the controls needed for all of the external providers who supply those products or services. But to what extent does an organization maintain control and for how long? Control activities happen upon delivery as well as before the product or service is used. Organizations should document any inspections required upon receipt of a product or service (inspections, review, certification/documentation checks, etc.). Additionally, companies should document any of the official supplier evaluations mentioned above that they conduct.
Outsourced processes demand similar controls. Organizations must determine how they can ensure their outsourced processes conform to ISO 9001 requirements. They can communicate quality standards via a quality manual or other written documents, and they can review inspection and audit results. This process should be documented. The extent of the controls you’ll use on your external providers will depend on the amount of risk involved and the type of outsourced processes used.
Communication with Suppliers
Communicating expectations to suppliers is covered in clause 8.4.3. Clear, thorough communication helps suppliers meet expectations and minimize the delivery of defective or nonconforming products and services. The standard offers specific guidance in this area, stating that companies must communicate the following to external providers:
- Adequate details regarding the products, services, or processes the external provider is expected to complete;
- Methods of approval or release of products and services, processes, or equipment;
- Personnel competency, including all qualifications;
- Information on the interactions with your quality management system in the form that is relevant to them;
- Guidance on how your organization will control or monitor the external provider performance;
- Verification activities that the organization (or its customers) plans to perform at the external provider’s work site.
These expectations may be communicated to external providers through a work contract, requirements specifications, or other such documents before the work takes place or during the work, if the contract permits. The standard expects adequate communication of the specified requirements to take place.
Common Auditing Questions About External Processes
Could an external provider be considered as peripheral as an electrical contractor, a food truck, or a caterer, for example? This seems different from the traditional “supplier” that companies have been considering for years.
The above examples are technically not considered external providers because they are outside of the scope of an organization’s QMS.
Are companies expected to advise external providers on what equipment to use, how to use it and how to train their people?
“Advising our external providers” in this standard refers to the type and extent of control you have over them. You’ll need to determine what your specific requirements are and how you will ensure they are met. You may want to specify the equipment or training an external provider must use in some situations, if it matters to the performance of your product/service. Will your providers need to be ISO 9001:2015 certified? Or perhaps your parts need to be calibrated at a company certified to ISO 17025. This will depend on the application.
Regarding communications to the external provider about how they will be measured, is it acceptable that these communications take place through email or phone? Or is there a more formal process that must be documented? What method is most commonly used to meet this requirement?
There are many different ways external providers can be measured and this communication can be documented. Clause 8.4.1 states that companies “retain documented information of these activities and any necessary actions arising from the evaluations.” It’s up to individual companies to decide a method that is clear and efficient; however, they must retain a record.
How often do external providers need to be evaluated?
There is no firm rule here; however, organizations must demonstrate adequate evaluation procedures. Evaluations and on-site audits should occur periodically and regularly as is appropriate to the organization and industry. Sometimes an issue might instigate the need for an evaluation or audit, such as quality issues, equipment or design changes, process changes, manufacturing location changes, or increased demand or critical need of a product or service.
ISO 9001:2015 requires organizations to have a sound system for selecting and evaluating external providers so that quality can be ensured and reproduced. Organizations are ultimately responsible for the quality of their products and services and therefore must develop positive, strategic partnerships with their suppliers that will lead to quality improvements and ensure continual delivery of products and services that meet or exceed customer expectations.