Clause 8.4 Control of Externally Provided Processes, Products and Services

Table of Contents

• The Difference Between Outsourcing and Subcontracting
• Selection Criteria
• Advantages of using selection criteria:
• Evaluation of Suppliers
• Documented Information
• 8.4.2 Type and Extent of Control
• 8.4.3 Information for External Providers
• Verifying Order Requirements
• For auditors:

Are you purchasing materials, deliveries, advertising, or design services etc? If so, then the requirements of this clause will apply to you. How confident are you that the contractor you have employed to service a ‘widget’ for a customer will perform according to your requirements and the requirements of the service contract? The terms monitoring, measuring and auditing will be relevant to this clause requirement. External providers might include:

• Other departments or office locations within your organisation
• Suppliers
• Contractors
• Maintenance engineers
• Market researchers
• Product testers and reviewers
  
  

External providers of products or services normally have to satisfy a set of ‘selection criteria before they become ‘approved suppliers. The selection criteria might include, but are not limited to:

• Adequate insurance
• ISO standards certification by a UKAS accredited awarding body
• Verified customer recommendations
• Examples of product or service delivery
• Successful completion of a trial period
  
  

ISO 9001:2015 specifies three categories of products and services that your organisation shall control including:

1. Materials/service provision; these are the materials or components that you are purchasing to be used internally for product production or service delivery. This might include anything from a tiny transistor up to a full cockpit for an aircraft etc. You might also purchase the services of a trainer, consultant, lawyer or specialist maintenance technician.
2. Service direct to the customer; this might include delivery, servicing, maintenance or training activities. You might be paying for someone else to assemble a specialist piece of machinery on-site or for the services of a market research company. In all of these examples, how can you be certain that the service provider is operating according to the requirements of the contract? If there is a problem with service delivery to the customer, could it negatively affect you in the mind of the customer?
3. Outsourcing/subcontractors; an example might be that you produce the product but the servicing and maintenance guarantees are provided by subcontractors.
   
   

Your organisation might have a great many more things to control than the categories listed from (a-c) above. Again, the subject of adopting a risk-based approach is relevant here; apply the strictest controls to externally provided products or services that could hurt you the most should they fail. The greater the risk, the stricter levels of controls you will need to apply to mitigate possible failure.

The Difference Between Outsourcing and Subcontracting

Outsourcing is primarily a cost-saving exercise where tasks normally completed in-house are now being performed by individuals or businesses outside of your own organisation. It is often part of an organisation’s drive to reduce labour costs and could apply to many departments within the organisation.

Subcontracting describes when a company hires another individual or company to complete a specialized task that cannot be completed internally. For example, you manufacture gas boilers but you subcontract qualified gas fitters to install and service your products. Subcontracting is normally performed on a contract basis for tasks that you are not qualified or experienced enough to perform in-house.

Selection Criteria

When choosing which contractors to provide or purchase services from, consistency and reliability are the key factors that should influence your choice. If a contractor should perform badly on a maintenance contract or a supplier should suddenly go bankrupt, then your organisation’s reputation could suffer badly. It’s very hard to gain new customers in today’s very competitive environment and so you should be doing everything possible to choose your suppliers and contractors carefully.

Selection criteria can be a very personal thing and will depend upon the context of your organisation, however, there are some common criteria that you should consider including:

Technical:

• Past experience of service provision set to a minimum number of years e.g. 3 years.
• Provision of an org chart and the C.V’s of key personnel.
• Examples of previous completed products or services including the client’s name etc.
• Details of work planning, safety and environmental risk assessments.
• Details of current commitments.
• Details of quality assurance and quality control plans.
• Details of audited balance sheets for 3-years.
• Details of the company’s registration with Companies House (UK)
• Details of the company’s insurance policies for public liability et.
• Copies of ISO 9001, 14001, OHSAS 18001 or any other accreditation and certification as applicable.
  
  

Financial:

• Turnover in each financial year.
• The positive net worth of the financial year.
• Liquidity ratio in each financial year.
  
  

Pre-contract a subcontractor representative should:

• Understand the contract terms and conditions.
• Be able to guarantee health. Safety and environmental requirements.
• Guarantee the monitoring of work for quality, safety and environmental issues.
• Complete a pre-qualification questionnaire process.

Advantages of using selection criteria:

• Improved health, safety, environment and quality assurance.
• Improved consistency of a reliable service.
• Improved contractor alignment before work commences.
• Enables contractor review for the statutory and regulatory requirements in advance.
• Ensures that contractors will work to your organisation’s work processes and standards.
  
  

Evaluation of Suppliers

It’s quite common practice for contractors and suppliers to be put under a trial period to assess their performance. After the trial period has been completed successfully, a more permanent contract will then be awarded. Your organisation should also perform 2^nd-party audits of the external provision periodically to ensure that the required levels of quality, safety and environmental application are maintained. However, performing 2^nd-party audits can be costly in both time and money. If your selection criteria require that your potential partners are certified to ISO 9001:2015, then they should be performing their internal audits and reporting the results back to you. They will require competently trained auditors who have attended an internal auditors training course to do this effectively.

Re-evaluation of Suppliers

There is a requirement in the final part of clause 8.4.1 that your organisation should re-evaluate external providers, but why would you want to do this? Well, if you have a problem-free, happy relationship with your external suppliers then there is no need to re-evaluate them. However, if problems begin to occur with their product or service then re-evaluation might be required. Problems might include but are not limited to:

• Breaking the terms of a contract.
• Late delivery times.
• Non-conforming products.
• Poor service delivery.
• Complaints from customers.
• Poor communications.
• Health, safety and environmental incidents.
• Loss of ISO certification.
  
  

Any of these issues could affect your service delivery, product production or your relationships with customers. Changing external provision as a result of poor service can be a real pain, and costs time and money. Risk plays a role here, if the service provider is linked to a high-risk product or service, then actions are required to happen quickly. Before a relationship is terminated with an external provider you might consider:

• Performing a 2^nd-party audit with them (as mentioned earlier); might help them to identify problems as seen from a different perspective. Problems of internal culture and attitudes can often be hard to identify when viewed from within but are seen quite easily from a fresh, neutral perspective.
• Penalties; you might consider issuing penalties such as reduced payments of reduced-order quantities however, these terms are normally included in the contract of service.
• Corrective actions; could you issue them a corrective action and request that a root cause analysis is performed and change made within a specific time frame.
• Warning; you could issue the service provider with a written warning detailing the loss of contract unless their service provision improves to an expected standard.
  
  

Documented Information

The final part of clause 8.4.1 ISO 9001:2015 requires that you retain (records) of:

• Selection of external providers; this includes your selection criteria, reviews of applications and/or bidding for contracts, meeting minutes and final interviews etc.
• Monitoring of external providers; this might include the results of internal audits, 2^nd-party audits, customer feedback, performance indicators, communications and the minutes from meetings etc.
• Re-evaluation of external providers; records of communications, minutes from meetings, corrective actions, performance indicators, investigation results and contract reviews etc.
  
  

Ensure that all records are entered into the management system and controlled for such things as version number, revision history, authorisation, date and author etc.

8.4.2 Type and Extent of Control

How confident are you that an external provider can successfully and consistently provide products or services that will meet your requirements? As mentioned earlier, a risk-based approach is relevant here. The higher the risk to you or your customers, the greater control you need to apply.

Example: you have placed an order for a large quantity of pens with your bespoke company name printed on them. If this is a one-off order then you might only want to do business with a provider who has your required ISO certifications. However, if you are an organisation that makes and sells medical devices and you have outsourced any bespoke manufacturing requirements then your controls might be stricter to include: materials verification and validation, product trial results, CE marking and labelling requirements and extensive certification to many applicable ISO standards.

There are four controls listed under the requirements of clause 8.4.2 of ISO 9001:2015 including:

1. Ensure control; your organisation shall ensure that control for external provision of products or services remains within your management system. As discussed above, what type and extent of control is for you to decide and will largely be based upon the levels of risk.
2. Define the extent of controls to external provision and their output; will you apply key performance indicators, quality objectives, competence requirements or 2^nd-party audits etc? How will you evaluate their output i.e. their finished product or service delivery? Will you perform verification and validation activities, perform inspections and perform customer feedback surveys etc?
3. 1. Consider potential impacts on customer and/or legal requirements; this again relates to adopting a risk-based approach. If the activities of an external provider have the potential to break the law or be in breach of regulation, then the associated risk to you could be serious. If the external provider is interfacing with the customer directly, then upsetting them with poor service or product provision could negatively affect your reputation and cause you loss of customers and business.
   
   

2. Consider how effective the controls are by the external provider: are they certified to ISO 9001:2015? Are they performing regular internal audits and feeding the results through an effective continual improvement process? Do they run their organisation ethically by honouring equal opportunities and safe working conditions etc? You might remember how certain large clothing sellers (in the UK) were highly criticized and lost customers after it was revealed their manufacturing processes in India were exploiting the workforce due to very low rates of pay and poor, unsafe work
ing conditions.

1. Determine verification activities; how do you ensure that products or services from external providers meet requirements? Simple, you perform a check, right? Verification might simply be a check that the correct quantity was delivered and on time. Alternatively, high-risk product checks might involve substantive checks at many stages including materials acquisition, material properties, material transportation, materials testing, product validation, storage, and reviewing legal requirements. As I was writing that I was thinking of the materials and testing of the vaccines produced for the current Covid pandemic. Dealing with the pandemic also required the service delivery and use of the vaccine products. As you can imagine, strict process checks and records would be required to be required for these processes.
   
   

8.4.3 Information for External Providers

So, I’m doing business with you; what do you want me to know? Or more specifically, what do you want to tell me? Such instructions are best written down into the terms of a contract or entered into the management system rather than simply recorded verbally. You might want to communicate the requirements for:

• Health, safety, and environmental management.
• Statutory and regulatory requirements.
• Competence of staff.
• Production methods and processes.
• Service delivery details.
• Communications.
• Monitoring methods.
• Verification and validation activities.
• Customer details and requirements.
• Order specifics.
• Delivery times.
• Guarantees.
• Servicing and maintenance.
• Payments
  
  

Verifying Order Requirements

By checking and verifying your requirements, you are defining what you require from the external provider ’before’ the order for a product or service commences. Ensure that everything is clear and simple to understand on a form that is easy to read. I would recommend that verification of order requirements be a 2-step process at minimum. Confirmation of the order details should also be made from the service provider.

When purchasing insurance by telephone in the UK, the sale will not be complete until the seller has confirmed all of the order details back to you during the conversation. You then have to state that everything is correct and that you have fully understood the details of the product you are about to purchase.

Maintain all of this information as records and enter it into the management system in a controlled fashion as per the requirements of ISO 9001:2015 clause 7.5.

ISO 14001:2015

There is no similar requirement.

ISO 45001:2018

There is no similar requirement.

For auditors:

• Check the process for controlling external providers.
• Check if the extent of control considers risk.
• Check the process for monitoring external providers.
• Check the process for dealing with issues of external providers.
• Check for any corrective actions and see if they resulted in continual improvement.
• Check how information is provided to external providers.
• Check the process for order verification that occurs before order placement.
  
  

Other questions that I will answer in future articles:

• What are externally provided processes?
• How do you control outsourced processes using ISO 9001?
• What are external providers?
• What does outsourcing mean?
• What does subcontracting mean?
• What is production and service provision?
• How do we control our contractors?