8.4.2 Type and extent of control of external provision
Last week, we reviewed 8.4.1 where the requirements of how the standard applies. This week, we begin to peel back the layers, so to speak, about what must actually be done to be compliant.
Before we get down to business, I’d like to point out the potential in this area for “risk based thinking”. This stuff is pretty common sense, but the language is pretty “squishy” and I suspect it will be difficult to audit. Let’s read on……
“In determining the type and extent of controls to be applied to the external provision of processes, products and services, the organization shall take into consideration:
a) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;”
So, this leaves the door wide open for a “judgment call” on the part of the organization. There would be little reason to apply its external provision process to those processes, products and services that are unlikely to impact their ability to make good product. Organizations have historically taken this approach when defining how and where the process applies. In other words, “No, we don’t send a vendor performance report card to our vending machine provider in the break room, because we doubt a breakdown in their service would affect our ability to make shipments today”. Wherever the ideas of likely or unlikely appear, so does the idea of risk based thinking.
“b) the perceived effectiveness of the controls applied by the external provider.”
Again, the organization must ask itself what controls it intends to implement and whether its controls are or will be effective. Many organizations do a full rescreening of products/services from external sources prior to incorporating them into their process. And those organizations typically feel pretty confident that their controls will be effective. Other organizations defer back to “if they have achieved registration to ISO9001, they’re good to go”. Which is why the standard goes on to require additional requirements beyond just accepting certification.
“The organization shall establish and implement verification or other activities necessary to ensure the externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.”
Most organizations use some combination of verification activities such as requiring certificates of analysis or SPC data in tandem with random audits of inbound materials, products, etc to monitor the risk associated with the external provider and/or the practice of outsourcing a process, product or service. Vendor performance information should also be considered, because a vendor failure could definitely impact the organization’s ability to perform. Therefore, a whole process of selection, monitoring and maintaining vendors must be integrated to ensure the organization’s quality performance remains unencumbered by outsourcing.
“Processes or functions of the organization which have been outsourced to an external provider remain within the scope of the organization’s quality management system; accordingly, the organization shall consider a) and b) above and define both the controls it intends to apply to the external provider and those it intends to apply to the resulting process output.”
This is a fun little side note indicating that outsourcing a process, product or service does not preclude the organization from responsibility for the output. No, we can’t “exclude” it from our quality system. And “no, we can’t hold a vendor solely responsible” should something they contribute have a negative impact on our product or service. We have to have a process in place to control both provider and output to some extent.
THIS WEEK’S HOMEWORK
Review your process for selecting, evaluating and monitoring externally supplied resources. Does it meet the criteria as shown above? Now, take a random sampling of your outsourced items (your purchasing or procurement group can probably help). Based on the scope of your external sourcing process, are you satisfied that the controls apply to the right vendors and in the right situations? Is any more required? Anything less?
