ISO 9001:2015 Clause 8.4.2 Type and extent of control

ISO 9001:2015 requirements

The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.
The organization shall:

  1. ensure that externally provided processes remain within the control of its quality management system;
  2. define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;
  3. take into consideration:
    • the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;
    • the effectiveness of the controls applied by the external provider;
  4. determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

1) The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

This clause emphasizes the importance of ensuring that externally provided processes, products, and services do not adversely affect an organization’s ability to consistently deliver conforming products and services to its customers. Here’s how organizations can ensure compliance with this requirement:

  1. Supplier Evaluation and Selection:
    • Establish a robust supplier evaluation and selection process. This involves assessing potential suppliers based on their ability to meet your organization’s requirements and quality standards.
    • Consider factors like supplier reputation, performance history, financial stability, and adherence to relevant standards and regulations.
  2. Contractual Agreements:
    • Clearly define expectations, requirements, and quality standards in contracts or agreements with external providers.
    • Specify the criteria for evaluating the performance of external providers, including key performance indicators (KPIs) and service level agreements (SLAs).
  3. Risk Assessment:
    • Conduct a thorough risk assessment to identify potential risks associated with externally provided processes, products, or services.
    • Evaluate the impact of these risks on your organization’s ability to deliver conforming products and services to customers.
  4. Monitoring and Measurement:
    • Implement a robust monitoring and measurement system to track the performance of external providers against established criteria.
    • Continuously collect data on supplier performance, such as on-time delivery, product quality, and adherence to contractual obligations.
  5. Auditing and Assessment:
    • Conduct regular audits and assessments of external providers to ensure compliance with requirements and quality standards.
    • Use audit findings to identify areas for improvement and corrective actions.
  6. Communication and Collaboration:
    • Foster open communication and collaboration with external providers. Maintain transparent channels of communication to address issues, share feedback, and resolve any discrepancies promptly.
  7. Corrective Actions and Improvement:
    • Implement corrective actions when non-conformities or performance issues are identified in externally provided processes, products, or services.
    • Collaborate with suppliers to develop improvement plans aimed at preventing recurrences.
  8. Supplier Development:
    • Invest in supplier development initiatives to help external providers enhance their capabilities and performance.
    • Provide training, guidance, and support as needed to improve their alignment with your organization’s requirements.
  9. Change Management:
    • Implement a change management process to assess and manage any changes in externally provided processes, products, or services.
    • Ensure that changes do not adversely impact your organization’s ability to meet customer requirements.
  10. Continuous Improvement:
    • Continuously seek opportunities to improve the management of externally provided processes, products, and services.
    • Encourage suppliers to propose innovative solutions and process improvements.
  11. Documentation and Records:
    • Maintain comprehensive documentation and records related to supplier evaluations, contracts, audits, corrective actions, and performance reviews.
    • These records serve as evidence of compliance and support decision-making.
  12. Management Review:
    • Include supplier performance and the impact of externally provided processes in management review meetings.
    • Use these reviews to make informed decisions and allocate resources for improvement initiatives.

By following these steps and implementing a systematic approach to managing externally provided processes, products, and services, organizations can ensure that these external factors do not adversely affect their ability to consistently deliver conforming products and services to customers.

2) The organization shall ensure that externally provided processes remain within the control of its quality management system;

Ensuring that externally provided processes remain within the control of your organization’s quality management system (QMS) is critical to maintaining the quality and consistency of your products and services. Here are steps to help you achieve this:

  • Begin by selecting external providers (suppliers or contractors) who align with your organization’s quality objectives and standards.
  • Establish a robust supplier evaluation process that assesses the capabilities and quality performance of potential providers.
  • Consider factors like supplier history, quality management systems, certifications, and past performance.
  • Define clear and comprehensive contractual agreements with external providers. These contracts should include specific quality requirements, standards, and expectations.
  • Specify the scope of work, deliverables, quality control measures, and acceptance criteria.
  • Clearly communicate your organization’s quality requirements and standards to external providers.
  • Provide detailed specifications, drawings, quality plans, and any applicable standards or regulations that must be followed.
  • Establish SLAs that outline performance expectations and key performance indicators (KPIs) related to externally provided processes. Include metrics for quality, delivery, timeliness, and any other critical aspects.
  • Conduct regular quality audits and assessments of external providers’ processes.
  • Verify compliance with your quality requirements and standards during these audits.
  • Use audit findings to identify areas for improvement and ensure corrective actions are implemented.
  • Implement a robust monitoring system to track supplier performance against established criteria.
  • Collect data on performance metrics, such as on-time delivery, product quality, and adherence to contractual obligations.
  • Maintain open channels of communication with external providers.
  • Foster collaboration to address issues, provide feedback, and resolve discrepancies promptly.
  • Invest in supplier development initiatives to enhance the capabilities and performance of external providers.
  • Provide training and support as needed to align them with your quality requirements.
  • Maintain comprehensive documentation and records related to supplier evaluations, contracts, audits, corrective actions, and performance monitoring.
  • These records serve as evidence of compliance and support decision-making.
  • Continuously seek opportunities to improve the management of externally provided processes.
  • Encourage suppliers to propose innovative solutions and process improvements.
  • Include supplier performance and the control of externally provided processes in regular management reviews.
  • Make informed decisions and allocate resources for improvement initiatives.
  • Ensure that external providers are aware of and comply with all relevant legal and regulatory requirements that impact the quality of the processes they provide.

By implementing these steps, your organization can establish effective controls to ensure that externally provided processes remain within the control of your QMS. This proactive approach helps maintain and enhance the quality and consistency of your products and services, even when certain processes are outsourced to external providers.

3) The organization shall define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output

Defining controls for both the external provider and the resulting output is a critical step in managing external processes effectively. Here’s how an organization can define these controls:

  • Begin by identifying the critical processes or activities that you intend to outsource to an external provider. These are typically processes that significantly impact the quality and conformity of your products or services. Clearly define the expected outputs or deliverables of these processes.
  • Conduct a thorough risk assessment for the processes and outputs to be outsourced. Identify potential risks and their impact on your organization’s objectives, quality, and compliance.
  • Establish clear control objectives for both the external provider’s processes and the resulting output. Control objectives should be specific, measurable, and aligned with your organization’s quality and compliance requirements.
  • Define the controls that the external provider must implement to ensure the quality and conformity of the processes they perform on your behalf. These controls may include:
    • Quality management system requirements (e.g., ISO 9001 compliance).
    • Compliance with specific industry standards or regulations.
    • Inspection and testing protocols.
    • Training and qualification requirements for personnel.
    • Documentation and reporting obligations.
    • Communication and collaboration processes.
  • Specify the controls that must be applied to the resulting output or deliverable to ensure it meets your organization’s quality and conformity requirements. These controls may include:
    • Inspection and testing criteria.
    • Quality checks and acceptance criteria.
    • Packaging and labeling requirements.
    • Traceability and documentation standards.
    • Validation and verification processes.
    • Reporting and documentation obligations.
  • Ensure that control requirements align with all relevant legal and regulatory requirements that pertain to the outsourced processes and resulting output.
  • Document these control requirements in contractual agreements with the external provider. Contracts should specify the control objectives, requirements, and the consequences of non-compliance.
  • Foster open communication and collaboration with the external provider. Ensure they understand their responsibilities and the importance of adhering to the defined control requirements.
  • Implement a monitoring and evaluation process to assess the external provider’s compliance with the defined controls for their processes. Conduct inspections, audits, and performance reviews as necessary.
  • Implement controls and inspections to verify that the resulting output or deliverable meets your organization’s requirements and conforms to quality standards.
  • Establish a process for addressing non-conformities or deviations from the defined controls, whether they pertain to the external provider’s processes or the output. Collaborate with the provider to implement corrective actions.
  • Continuously seek opportunities to improve the controls applied to both the external provider’s processes and the resulting output. Encourage feedback and suggestions for improvement from the provider.
  • Maintain comprehensive documentation and records related to control requirements, inspections, audits, corrective actions, and performance reviews for both the provider’s processes and the resulting output.

By following these steps, organizations can define and implement effective controls for both external provider processes and the resulting output, ensuring that quality and conformity requirements are met while minimizing risks associated with outsourcing critical activities. Effective communication, collaboration, monitoring, and continuous improvement are key elements in the successful implementation of these controls.

4) The organization shall take into consideration the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;

Ensuring that externally provided processes, products, and services consistently meet customer and applicable statutory and regulatory requirements is essential for maintaining the quality and compliance of your organization’s offerings. Here are steps to help your organization achieve this:

  • Begin by selecting external providers (suppliers or contractors) that have a proven track record of meeting customer requirements and complying with relevant regulations.
  • Establish a robust supplier evaluation process that assesses their quality, compliance, and performance history.
  • Define clear and comprehensive contractual agreements with external providers. These contracts should explicitly outline customer and regulatory requirements, including specifications, standards, and expectations.
  • Clearly communicate your organization’s quality requirements and standards to external providers.
  • Provide detailed specifications, drawings, quality plans, and any applicable standards or regulations that must be followed.
  • Ensure that external providers are aware of and comply with all relevant statutory and regulatory requirements that impact the processes, products, or services they provide.
  • Monitor changes in regulations and communicate updates to external providers as necessary.
  • Establish SLAs that outline performance expectations, including meeting customer requirements and regulatory compliance.
  • Include metrics for quality, delivery, timeliness, and any other critical aspects.
  • Conduct regular audits and assessments of external providers to verify their compliance with customer requirements and regulatory obligations.
  • Use audit findings to identify areas for improvement and ensure corrective actions are implemented.
  • Implement a robust monitoring and measurement system to track supplier performance against established criteria.
  • Continuously collect data on performance metrics, such as on-time delivery, product quality, and adherence to contractual and regulatory obligations.
  • Maintain open channels of communication with external providers.
  • Foster collaboration to address issues, provide feedback, and resolve discrepancies promptly.
  • Establish a change management process to assess and control any changes in externally provided processes, products, or services.
  • Ensure that changes are communicated, reviewed, and approved to prevent adverse impacts on customer requirements and compliance.
  • Address non-conformities and performance issues promptly through corrective actions.
  • Collaborate with suppliers to develop improvement plans aimed at preventing recurrences.
  • Invest in supplier development initiatives to enhance the capabilities and performance of external providers.
  • Provide training and support as needed to align them with customer requirements and regulatory compliance.
  • Maintain comprehensive documentation and records related to supplier evaluations, contracts, audits, corrective actions, and performance monitoring.
  • These records serve as evidence of compliance and support decision-making.
  • Continuously seek opportunities to improve the management of externally provided processes, products, and services to better align with customer requirements and regulatory obligations.
  • Encourage suppliers to propose innovative solutions and process improvements.
  • Ensure that external providers are informed about and stay updated on relevant changes in laws, regulations, and customer requirements that impact their work.
  • Solicit and analyze customer feedback to assess whether externally provided processes, products, and services consistently meet customer expectations.
  • Use customer reviews to drive improvements and adjustments as needed.

By following these steps, your organization can establish effective controls and processes to ensure that externally provided processes, products, and services consistently meet customer requirements and comply with statutory and regulatory obligations. Effective communication, collaboration, monitoring, and continuous improvement are key elements in achieving and maintaining this consistency.

5) The organization shall take into consideration the effectiveness of the controls applied by the external provider

Ensuring the effectiveness of controls applied by external providers is crucial to maintaining quality, compliance, and performance standards. Here are steps that an organization can take to achieve this:

  • Start by clearly defining the control requirements in contracts, agreements, or service level agreements (SLAs) with external providers.
  • Specify the key performance indicators (KPIs), quality standards, and compliance requirements that providers must meet.
  • Implement a rigorous supplier evaluation and selection process to identify providers with a track record of effective controls and quality performance.
  • Assess their quality management systems and past performance in meeting control requirements.
  • Require external providers to develop and provide documented control plans that outline how they will meet the defined requirements.
  • These control plans should detail the processes, methodologies, and tools they will use to ensure control effectiveness.
  • Conduct regular audits and assessments of external providers’ control measures to verify compliance with agreed-upon requirements.
  • Audit findings should assess control effectiveness and identify any non-conformities or areas for improvement.
  • Implement a robust performance monitoring system that tracks supplier performance against established control requirements.
  • Continuously collect data on key performance metrics, including quality, timeliness, and compliance.
  • Require external providers to provide periodic reports on their performance, including compliance with control requirements.
  • Use these reports to assess control effectiveness and identify trends or areas requiring attention.
  • Foster open communication and collaboration with external providers to discuss control effectiveness and improvement opportunities.
  • Encourage providers to proactively share insights and recommendations for enhancing controls.
  • Develop a process for addressing non-conformities and control deficiencies identified during audits or monitoring.
  • Collaborate with suppliers to implement corrective actions and preventive measures to enhance control effectiveness.
  • Provide training and support to external providers to help them improve their control measures.
  • Share best practices and industry standards to enhance their understanding of effective control strategies.
  • Encourage a culture of continuous improvement among external providers, where they actively seek opportunities to enhance control measures and overall performance.
  • Conduct periodic performance reviews with external providers to evaluate their adherence to control requirements and identify areas for improvement.
  • Use these reviews to provide feedback and guidance.
  • Ensure that external providers are aware of and comply with all relevant legal and regulatory requirements that pertain to their controls.
  • Verify compliance during audits and assessments.
  • Maintain comprehensive documentation and records related to control requirements, audits, assessments, corrective actions, and performance monitoring.
  • These records serve as evidence of compliance and support decision-making.
  • Establish a feedback mechanism where both the organization and the external provider can share insights, lessons learned, and suggestions for control improvement.

By implementing these steps and maintaining a proactive approach to assessing and enhancing the effectiveness of controls applied by external providers, organizations can minimize risks, ensure quality, and maintain compliance with their requirements and standards. Regular communication, collaboration, and feedback are vital components of this process.

6) The organization shall determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

Determining the verification and other activities necessary to ensure that externally provided processes, products, and services meet requirements is a critical aspect of supplier and external provider management. Here’s how an organization can effectively determine these activities:

  1. Identify Critical Requirements:
    • Begin by identifying the critical requirements that must be met by externally provided processes, products, or services. These are typically requirements related to quality, performance, safety, and compliance.
  2. Review Customer and Regulatory Requirements:
    • Review and understand the specific customer requirements and regulatory obligations that apply to the processes, products, or services provided by external providers.
    • Ensure that these requirements are clearly documented and communicated to the providers.
  3. Define Verification Activities:
    • Based on the identified critical requirements, define the verification activities that are necessary to ensure compliance.
    • Verification activities may include inspections, testing, audits, document reviews, and performance evaluations.
  4. Specify Acceptance Criteria:
    • Establish clear acceptance criteria that outline the standards and expectations for the externally provided processes, products, or services.
    • These criteria should be measurable and objective, allowing for consistent evaluation.
  5. Document Control Requirements:
    • Document the control requirements that external providers must follow. This includes any specific processes, procedures, and documentation that are required to meet the identified requirements.
  6. Performance Metrics and Key Performance Indicators (KPIs):
    • Develop performance metrics and KPIs that can be used to measure the effectiveness of the verification activities.
    • These metrics should align with the critical requirements and acceptance criteria.
  7. Supplier Collaboration:
    • Collaborate with external providers to discuss and align on the verification activities and acceptance criteria.
    • Ensure that providers understand the importance of meeting these requirements.
  8. Contractual Agreements:
    • Clearly specify the verification and compliance requirements in contractual agreements or service level agreements (SLAs) with external providers.
    • Detail the consequences of non-compliance and the processes for dispute resolution.
  9. Audit and Inspection Plans:
    • Develop audit and inspection plans that outline the frequency and scope of audits or inspections that will be conducted to verify compliance.
    • Include specific checklists or criteria for auditors or inspectors.
  10. Training and Qualification:
    • Ensure that external providers have the necessary training and qualifications to perform their processes or deliver their products and services effectively.
    • Verify the qualifications as part of the verification process.
  11. Documentation and Record-Keeping:
    • Establish a robust documentation and record-keeping system to capture the results of verification activities, including records of inspections, audits, and test results.
  12. Monitoring and Measurement:
    • Implement a monitoring and measurement system to track the ongoing performance and compliance of external providers.
    • Regularly collect data and assess performance against acceptance criteria.
  13. Corrective Actions and Continuous Improvement:
    • Develop a process for addressing non-conformities or deviations identified during verification activities.
    • Collaborate with external providers to implement corrective actions and drive continuous improvement.
  14. Communication and Reporting:
    • Maintain open communication with external providers regarding verification activities and results.
    • Provide timely feedback and reports on their performance and compliance.
  15. Legal and Regulatory Compliance:
    • Ensure that external providers are aware of and comply with all relevant legal and regulatory requirements.
    • Verify compliance during audits and inspections.

By following these steps, organizations can determine the verification and other activities necessary to ensure that externally provided processes, products, and services consistently meet their requirements. Effective communication, collaboration, and ongoing monitoring are essential components of this process.

Documented information required:

There is no mandatory requirement for documented information for this clause. Here are some documents and records that may prove helpful as evidence of implementation of Clause 8.4.2 of ISO 9001:2015:

  1. Control Plans:
    • Organizations are required to document control plans that outline the specific controls to be applied to externally provided processes, products, or services.
    • Control plans describe the type and extent of control measures necessary to ensure conformity with requirements, including quality, safety, and regulatory requirements.
  2. Risk Assessments:
    • Organizations must document risk assessments related to externally provided processes, products, or services.
    • These assessments help determine the level of control needed, considering factors like the criticality of the processes, the impact of non-conformities, and the capability of the external providers.
  3. Control Criteria:
    • Document the criteria used to evaluate and define the type and extent of control. These criteria may include factors like complexity, criticality, regulatory requirements, and customer expectations.
  4. Audit and Assessment Records:
    • Maintain records of audits and assessments conducted to evaluate the controls applied by external providers.
    • These records should include findings related to the type and extent of control and any non-conformities identified.
  5. Supplier Communication:
    • Document records of communication with external providers regarding control requirements, expectations, and any changes in control measures.
    • Records of communication ensure that external providers are aware of and aligned with the organization’s control decisions.
  6. Contractual Agreements:
    • Retain copies of contractual agreements or service level agreements (SLAs) that specify the type and extent of control required from external providers.
    • Contracts should outline control requirements, acceptance criteria, and consequences for non-conformance.
  7. Change Management Records:
    • Document any changes in the type or extent of control applied to externally provided processes, products, or services.
    • Records of change management help ensure that control decisions remain up-to-date and aligned with evolving needs.
  8. Performance Monitoring Records:
    • Maintain records related to the monitoring and measurement of external provider performance in terms of control effectiveness.
    • These records may include performance metrics, compliance assessments, and audit results.
  9. Corrective Action Records:
    • Document records of corrective actions taken in response to non-conformities or deficiencies in control measures applied by external providers.
    • Corrective actions should address the type and extent of control issues.
  10. Records of Control Reviews:
    • Document records of periodic reviews of the type and extent of control applied to externally provided processes, products, or services.
    • These reviews should assess the ongoing appropriateness and effectiveness of control measures.
  11. Documented Criteria for Control Changes:
    • Specify the documented criteria and process for making changes to the type and extent of control.
    • These criteria should consider risk assessments, performance reviews, and evolving requirements.
  12. Communication Records with Relevant Stakeholders:
    • Maintain records of communication with relevant stakeholders, such as customers, regulatory authorities, and internal personnel, regarding control decisions and their impact.

These documents and records are essential for demonstrating compliance with ISO 9001:2015 Clause 8.4.2, as they provide evidence of the organization’s decisions regarding the type and extent of control applied to externally provided processes, products, and services. Effective control planning, risk assessments, and ongoing monitoring and improvement are critical aspects of this clause.
