Control Of Externally Provided Processes, Products, And Services
ISO 9001 Control of External Providers (section 8.4) focuses on control and management of an organization’s supply chain and procurement activities. This includes two distinct but closely related processes:
- Purchasing Controls
- Supplier Controls
We’ll explore both processes within this article; however, you may consider breaking this into two separate (but linked) processes and procedures within your organization. They can also be easily combined into one continuous process. Your call.
These processes link to and are dependent on several other key ISO processes including:
- Control of External Providers,
- Verification & Release of Products & Services,
- Management Review,
- Control of Nonconforming Outputs, and
- Production Planning & Control.
Also note that “external provider” is just ISO’s terminology for vendor or supplier. We’ll stick with “provider” in our writing but you are free to use whatever terminology you wish.
Almost every organization has some type of purchasing process and activities for control of external providers. These are the methods and activities used to obtain products, materials, supplies, services, etc. from external providers (suppliers or vendors), usually through the creation and issuance of a purchase order (PO). In addition to the purchase order activity on the front end, the purchasing controls process should provide a method, or be closely linked to a separate process, for verifying that orders are fulfilled correctly and accurately, and for closing out purchase orders.
The purchasing process fulfills several important aspects of your management system:
- Obviously, this process provides the general process for creating, managing, and closing purchase orders,
- Second, purchasing provides controls that ensure items are only procured from appropriate approved providers. Your supplier control process should establish the requirements to evaluate and approve providers, and purchase orders should only be placed with approved providers. Your purchasing system needs to ensure that this control is established and maintained,
- Third, this process should provide a mechanism that clearly communicates order requirements and applicable specifications to your providers,
- Fourth, it provides the methods and criteria for verifying that received materials and services meet established specifications and requirements,
- Finally, it ties to a process for entering received materials into the material / inventory control system.
General Requirements (ISO 9001:2015 – 8.4.1)
The general output of this process should be products and services that meet established requirements, specifications, and criteria. The way this is done is to establish and maintain controls to ensure everything you purchase meets predetermined requirements or specifications. You must ensure that raw materials, supplies, and services received are adequate, appropriate, and won’t produce nonconformities or negative results with customers. ISO 9001 states that you must establish these controls for:
- Products and services that are to be incorporated into the end products you produce and provide to customers. These are the raw materials, sub-assemblies, supplies, equipment, etc. that you use within your production environment.
- Products and services provided directly to customers by your suppliers. These are usually finished goods produced by a contractor and direct shipped to the customer (fulfillment) without ever coming into your possession or being directly touched by you. This could also be contracted services provided to customers on your behalf.
- Lastly, there are the outsourced processes that augment or supplement your internal operations. These are generally processes that are required to produce products and services, but which don’t make sense to establish and maintain internally. These might be processes like printing, painting or coating, cleaning, sterilization, welding, molding, etc.
Beyond these three categories, you can define any other processes, products, or services that need to be controlled. All inputs of external origin which are incorporated into products or services delivered to end customers should be controlled and managed under this process. Also include equipment, supplies, and consumables used in production or delivery of products and services along with items used to maintain the ISO 9001 management system. Additional items to consider might include:
- Production or manufacturing equipment,
- Product or manufacturing supplies (lubricants, cleaners, filters, gasses, solvents, etc.),
- Test and measurement equipment (including calibration, maintenance, and repair service providers),
- Delivery, transportation, installation, or service providers,
- ISO 9001 providers (ISO 9001 Registrar and/or consultants),
- Packaging and printing services,
- Outsourced product development or engineering services,
- Product testing labs,
- Service delivery equipment.
Really, the only items that don’t need to be controlled are basic office and administrative providers such as office furniture, office supplies and computers, copier/printer providers, janitorial supplies or services, catering services, etc., which are not directly related to the production and delivery of products and services.
Some service providers may fall into both categories. If your technology includes computer networks, workstations, software, applications, etc. that are integral to production activities in addition to general office computers, then your IT services and computer hardware provider may need to be controlled. Your IT service provider may also be involved in validation efforts for QMS, ERP, or other mission critical systems which would require appropriate external provider controls.
Another provider to consider is your HVAC service provider. This will be critical if you have specifications for the production environment for temperature, humidity, or other environmental controls. If in doubt, take the conservative route and include the provider within the scope of your external provider controls.
This section of the ISO 9001 standard also stipulates that you must have a process for evaluating, selecting, monitoring, and controlling your external providers and that records of these activities and results must be retained. We cover this in more detail later in this article.
Type and Extent of Control (ISO 9001:2015 – 8.4.2)
Now that you have determined what externally provided processes, products, and services need to be controlled, you will need to define the actual controls to be implemented. Your controls must be appropriate to ensure that external providers don’t impact your ability to deliver products and services to customers. ISO 9001 stipulates the following sub-clauses:
- External processes remain under the control of your management system: This is satisfied by establishing and maintaining the processes defined in this article.
- Define the controls for external providers: How will you evaluate, select, monitor, and control your external providers? We will discuss this later.
- Define the controls for external provisions: Establish a process for verifying and ensuring that the products and services from external providers meet established specifications and requirements. This is usually some type of incoming receiving inspection process. The EBS ISO 9001 eCoach system provides one alternative for such a process. ISO 9001 sub-clauses state:
  - That your processes and controls should be commensurate to the potential level of impact these provisions might have on your ability to satisfy customers and meet other applicable requirements. This is best addressed by taking a “risk-based” approach (risk-based thinking) to evaluating and controlling external providers and provisions.
  - That you should consider the level of controls established by the external provider. Weaker or lacking controls by the external provider means that you must account for these deficiencies and establish stronger controls on your end. Picking providers with well-established management systems and robust control processes provides confidence that received external provisions will conform to specifications and limits the amount of verification effort applied on your end. The reverse is also true.
- Determine verification activities: So, based on the results from items two and three above, define and establish the verification activities needed to verify that external provisions conform to established specifications and requirements.
Information for External Providers (ISO 9001:2015 – 8.4.3)
The first statement under this clause is kind of a no-brainer. I would expect any good organization to verify that information is correct prior to communicating it to the world. A simple way to do and document this would be an appropriate signature, initials, or electronic acknowledgment on the purchase order indicating that it is complete and accurate prior to sending it to the provider.
This clause then goes on to define all the information that must be communicated to the provider. Of course, only those things which are appropriate and relevant to your organization are required. This can usually be completed by including all required information on purchase orders, contracts, agreements, statements of work (SOWs), or other methods of communicating with your providers. Let’s look at each of these items:
- Process, products, and services: Clearly communicate, usually on your purchase order, the specifics of what you need and expect from the provider. Just be clear on what is needed and provide or reference all required information including drawings, prints, specifications, requirements, revision levels, delivery dates, cost/pricing, quantity, etc.
- Required approvals: Define any approvals required by either provider or yourself during the process.
- Competence: Any special competencies, skills, abilities, experience, knowledge, education, capabilities that the provider’s personnel must possess or provide. This is of most importance with contractors and service providers.
- Provider’s interactions: Any specific information concerning interactions or communications between yourself and the provider.
- Performance monitoring: It is always good to know how you will be measured, so let the provider know what attributes, controls, and measures will be used to assess the provider’s performance.
- Verification / Validation activities: Inform the provider of any actions or activities that will need to be completed at the provider location or site. This can be general assessment activities such as an audit or actions specific to processes, products, or services provided.
At the end of the day, your external provider process(es) should:
- Evaluate and approve external providers based on established criteria and perceived risk to the organization and customers.
- Establish and maintain controls which ensure processes, products, and services meet established criteria, requirements and specifications, and prevent adverse impacts to customers.
- Determine and establish appropriate verification, inspection, or other activities to ensure externally provided products and services meet requirements.
- Provide appropriate information to providers to ensure that providers clearly understand the requirements for processes, products, and services.
- Continuously monitor and measure the performance of external providers.
- Take action to address provider nonconformities (corrective actions) when they arise.
This article specifically addresses the activities, methods, and tools established within your organization to evaluate, select, approve, and control your external providers as required by ISO 9001. How you actually accomplish these activities is up to you and should be driven by and proportionate to the amount of risk to your business, products, services, and customers inherent in the supply chain and in the products and services you obtain from your providers. Organizations where the supply chain presents little impact or risk to the ability to deliver products or services that meet specifications and requirements may only need minimal methods and controls. Companies where there is greater risk may need to establish higher and tighter levels of control.
Let’s break down the specific ISO 9001 control of external providers requirements associated with this clause.
This section of the ISO 9001 standard stipulates that you must have a process for evaluating, selecting, monitoring, and controlling your external providers. In general, your process should:
- Define the criteria for determining the level and type of due diligence required for your providers. Your process should consistently identify the requirements for evaluation and approval based on risk, regulations, potential impact to your organization and customers, etc. One solution might be to establish provider categories (3-6?) based on predefined provider attributes with each category associated with specific assessment and approval requirements. For more complex or high-risk supply chains, a detailed risk assessment might be warranted. The EBS ISO 9001 eCoach system defines such a process and provides associated tools. This might be overkill for some organizations so evaluate your needs and adopt and create methods and tools which are appropriate for your situation.
- Provide the methods and tools for completing due diligence requirements and adequately evaluating providers. This might include provider surveys, demonstrated compliance or certification to a specific management system standard, provider audits, executed contracts or agreements, demonstration of adequate controls or systems, etc. Low risk providers may require little or no due diligence while riskier providers may require significant effort to approve. You determine what is appropriate for your situation.
- Complete required provider assessments and evaluations based on criteria and methods defined above. Consider designing some level of flexibility into the process which allows for alternative evaluation and approval methods when needed. Just be sure to justify any deviations and explain why the alternative methods are acceptable. As an example, if the ability to audit a provider in a foreign country isn’t practical, perhaps tighter internal controls could be established to ensure product or services are conforming.
- Establish and implement appropriate monitoring and measuring methods which provide timely feedback and insight towards provider performance. Be sure to identify measures appropriate for the provider and application and which align with the critical aspects of the products and services provided. Also, ensure that methods are implemented to address provider issues when performance doesn’t measure up. Consider corrective actions, increased controls, re-evaluation (audits, surveys, etc.) of the provider, or when needed, downgrading the provider’s approval status to probationary or unapproved, until the issue is resolved.
The final sentence in clause 8.4.1 states that records of these activities and results must be retained. Be sure that you generate and retain records for all the above listed actions and activities. We recommend that you retain documented information for all external provider activities, not just the evaluation of providers.
Approved Provider List (APL)
One common output of the provider approval process is some type of control to ensure that products and services are procured only through approved providers. Many organizations create and maintain some form of Approved Provider List (APL). This list can be a controlled spreadsheet, table, or other electronic document that is shared throughout the organization. Some purchasing, ERP, or ISO 9001 software applications also provide a mechanism to maintain such a list. When maintained in some type of purchasing system, the system can be configured to not allow the issuance of purchase orders to providers that are not on the APL, which provides a very effective control. Consider how you might create and maintain an APL and associated controls.
Many organizations underestimate the importance of maintaining and controlling their external providers and overall supply chain. The need to establish well defined specifications and criteria for externally provided materials and services and to evaluate a provider’s ability to meet the criteria has gained significant attention over the past couple of decades. Industries such as pharmaceuticals, medical devices, and aerospace have greatly increased their requirements and regulations for supplier and purchasing controls to ensure that products and services meet the highest level of quality, safety, and efficacy for end customers and users. As you develop and implement your ISO 9001 management system consider how key providers impact your products and services and establish appropriate controls to ensure customers aren’t impacted by supply continuity or quality issues.