ISO 9001 Requirements
ISO 9001 Requirements-What are outsourced processes?
What is the definition of an outsourced process?
An “outsourced process” is a process that the organization has identified as being needed for its operations and quality management system (QMS), but one which it has chosen to be carried out by an external provider outside the managerial control of your facility and may not be subject to the same QMS as your organization.
An outsourced process may be performed by a external provider that is totally independent from the organization, or which is owned by the same parent organization (e.g., a separate department or division not subject to the same QMS). It may be provided on-site within the physical premises or work environment of the organization or off-site at an independent site.
Examples of such processes include: – strategic planning done at head office; purchasing or design done at head office or another location; heat treating; painting; welding, calibration; testing; sort; human resources; information technology; etc., performed by an outside organization. A manufacturing company may outsource welding, heat treatment or painting of product. A software company may outsource software development. A bank may outsource check clearing services.
How should outsourced processes be controlled?
The intent of Clause 4.1 is to emphasize that when an organization chooses to outsource (permanently or temporarily) a process that affects product or service conformity with requirements, it cannot simply ignore this process or exclude it from the QMS. The organization has to demonstrate it exercises sufficient control to ensure the process is performed according to the relevant ISO 9001:2000 requirements, as well as, the requirements of the organization’s QMS.
The nature of control will depend on the importance of the outsourced process, the risk involved, and the competence of the external provider or supplier. Also, the outsourced process will interact with other processes (either carried out by the organization or outsourced). These interactions must be managed as required by ISO 9001:2015 clauses 4.4.1.
The outsourcing of a needed process will normally be subject to the requirements of both ISO 9001:2015 clause 8.4 (Control of external providers and clause 4.4 (QMS and its processes). In some situations, the organization might not actually “purchase” the outsourced process. It might receive the service from head office or from another division, without a monetary transaction taking place. Regardless of these circumstances, ISO 9001:2008 Clauses 8.4 and 4.4 are still applicable.
An organization will typically face two situations that frequently must be considered when deciding the appropriate level of control of an outsourced process:
1. Where an organization has the competence and ability to carry out a process, but chooses to outsource that process (for commercial or other reasons), the process control criteria should already have been defined and can be transposed into requirements for the supplier to comply with, if necessary. Evidence of compliance to such defined requirements should be obtained from the organization providing the outsourced activity.
2. Where the organization does not have the competence to carry out the process itself, and chooses to outsource it, the organization has to ensure the controls proposed by the supplier of the outsourced process are clearly defined and are adequate. In some cases, it may be necessary to involve external specialists in making this evaluation. Evidence of compliance to such defined requirements should be obtained from the organization providing the outsourced activity.
It may be convenient, or even necessary, to define some or all of the methods to be used for control of the outsourced processes in a contract between the organization and the external provider. Care should be taken, however, not to inhibit the supplier from proposing innovations to the outsourced process.
In some situations, it might not be possible to verify the output from the outsourced process by subsequent monitoring or measurement. In these cases, the organization needs to ensure that the control over the outsourced process includes process validation in accordance with ISO 9001:2015 clause 8.4.2.
1. Make sure you include all outsourced processes affecting product quality, in the scope of your QMS. You must be able to identify, define and demonstrate evidence of sufficient controls over external providers of outsourced processes to ensure that such processes are performed according to the relevant requirements of ISO 9001:2015. The nature and scope of such control will depend on the nature of the outsourced or subcontracted process and the risk involved.
2. Outsourced processes may be controlled in any number of ways, e.g., providing the external provider with product specifications; your supplier quality manual that they must meet; asking for inspection and test results or certificates of compliance; validation of outsourced process; conducting product and QMS audits of your outsourcer; providing drawings, checklists and forms, etc. The expectation here is that you flow down to your external provider, the relevant ISO 9001 requirements that you would have to implement had the process been performed in your own facility under your QMS control.
For more information on outsourced processes, please check out the eCourse “Understanding ISO 9001:2015″