1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

9001:2015 8.4 Control of externally provided processes, products and services

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by callmechuck, Jun 24, 2019.

  1. callmechuck

    callmechuck Member

    Joined:
    Feb 17, 2017
    Messages:
    13
    Likes Received:
    5
    Trophy Points:
    2
    Hi All,
    I work in an engineering heavy manufacturing site where we design and build one of one per contract. We are not 9001:2015 certified yet, but it is my task to spearhead the effort to make this a possibility. lately I have been struggling with these requirements:
    8.4.1 The organization shall determine and apply criteria for the evaluation, selection .......(of providers)
    and,
    8.4.2.a The organization shall: ensure that externally provided processes remain within the control of it's quality management system
    Because we design and build per contract, we are constantly searching for new providers and we are often put in a position where we need the provider more than they need us. We have tried to evaluate them by having them answer questions on a form or email or even just agree (in writing) that they will conform to all purchase order requirements. Some of these providers know that they have a very high demand niche market and they will only work with us on their own terms, so we just have to accept and mitigate any potential risk on our end. As far as how we should evaluate them prior to approving them as a source, I'm thinking that we can only do a risk analysis and plan any mitigation actions that might make sense. Once we approve a provider, monitoring their performance is easier but re-evaluation may just be a review of their performance.
    I am interested to hear if any of you are in the same boat and if so how you approach this.
    Thanks,
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It's not that unusual to wrestle with these issues! Firstly, your selection criteria might be "They do similar work". Secondly, once "approved for use, you probably have some kind of project manager visiting the site and viewing the work done. Towards the end of the project, there's often a review and a punch list of work to remediate the results of inspection. Timeliness is also a criterion you can use.

    Do you require a project quality plan for them to lay out how they intend to do work? Inspections points? Responsibilities and authorities on both sides? If not, that's a great place to start to gain better control and protect both of you.
     
  3. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    This could help you in obtaining information for your suppliers profile but It's not really a control. Controls on external providers can include:
    • entering to a contract where both parties agreed to conform;
    • ensuring the output/product/service of supplier conform to specifications;
    • performing site inspections and/or second party audits;
    • reviewing the suppliers accomplishment reports;
    • setting performance targets that suppliers need to fulfill, etc.
     
  4. callmechuck

    callmechuck Member

    Joined:
    Feb 17, 2017
    Messages:
    13
    Likes Received:
    5
    Trophy Points:
    2
    This is the type of situation that gives us trouble.
    Let's say (hypothetical) we need to find someone new to laser cut some special type of material, so we create an engineering drawing with all the details. We find that it can be done, but only by a couple vendors. We tell them that we need C of C, lot batch information or other special requirements flowed down to us from our customer. They tell us that they don't care about any of that, they will do the work and assure us that that it will be right but they aren't doing any extra paperwork or anything outside of their normal process. We cannot design around the laser cutting so we are stuck with using a supplier although highly competent, is definitely not conforming to our QMS.
    I may be interpreting the standard too literally and straying away from the intent. Perhaps we will have to live with more risk entering the relationship with a new vendor and make up for it with stronger controls on their output i.e., thorough inspection and measuring their performance. In this type of scenario the re-evaluation would just be a repeat of the same.
    I appreciate you weighing in, sometimes I wonder if other QMSs have the same issues. Not operating in a production environment, we have no leverage with most of our vendors so I guess we just need to get used to mitigating the risk by our own effort.
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It sounds like, if I understand correctly, your QMS is too restrictive. I guess you don't mean literally that your supplier doesn't conform to your QMS (since they would conform to theirs), so it looks to me that you have (or someone did) painted yourselves into a corner.
     
  6. callmechuck

    callmechuck Member

    Joined:
    Feb 17, 2017
    Messages:
    13
    Likes Received:
    5
    Trophy Points:
    2
    I probably am making it too restrictive and ultimately more complicated than it needs to be, I am known to do that. That's why it helps me to know what others in this situation do. Ultimately I just want to "ensure that externally provided processes, products and services conform to requirements." I suppose I can do that by:
    1) ensuring adequacy of requirements communicated to the provider
    2) applying controls (inspection)
    3) monitoring results (supplier performance data)
    And forget about approving suppliers outside of them agreeing to the requirements that have been communicated to them.
    Am I getting closer?
     
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hi Rick! Why do you believe Chuck needs training in ISO? He seems to have a supply chain issue which might exist even without ISO 9001...
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Maybe just some good old guidance on this issue? He seems to have a good grasp on the 8.4 requirements and what might be done.
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    An adult educator wouldn't agree.

    Why? It's not on the list of ISO/IEC 17021 "stage 1" requirements to check upon if I recall. Experience shows it's not once been an issue.

    How would it jeoprodise (sic) the result of the "Stage 1"? The client has to prove readiness of their QMS to undergo the "Stage 2". Not debate whether training was necessary or not.

    Of course, from your introduction, I wouldn't expect you to be totally familiar with the arcane, "inside baseball" requirements of CB management. Most clients have little clue about that kind of thing and have never hear of ISO/IEC 17021 (it's not in the ISO 9001:2015 bibliography) and it's not until they are contracted with a CB do they (usually) discover what a stage 1 and 2 are about.
     
  10. callmechuck

    callmechuck Member

    Joined:
    Feb 17, 2017
    Messages:
    13
    Likes Received:
    5
    Trophy Points:
    2
    I have had training but of course they don't tell anyone how they should evaluate or select providers because it's different across business types. I worked as the QMS rep. for my previous employer, but we were high production and providers would bend over backwards to do business with us. I was also operating a QMS that was already in place, so I didn't go through the exercise of creating the system.
    Allow me to reframe and narrow the scope of my request;
    I am looking for ideas on what criteria to apply, for the evaluation and selection of external providers that are critical to our ability to deliver conforming products to our customer. The standard says "based on their ability to provide processes or products and services in accordance with requirements". If I have never done business with them before, how do I know their ability to meet requirements?
     
    Andy Nichols likes this.
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Just as you would do with most purchases in life: Ask their other customers! Ask for referrals and then you select who to speak with so they can't coach them. Also, ask to visit a similar project - or obtain their historic files on what they've done. You can ask them to submit a plan, you can ask them to do a phased review with payments contingent on satisfactory completion of each phase. The list is pretty comprehensive.
     
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    By whom?

    Who is going to train someone? Are you suggesting that when ISO 9001:2008 went to ISO 9001:2015 training is necessary? For someone who has been in Quality Management from before 1987, they can read the requirements, without having someone (without any greater knowledge) train them, there should be zero issue. What is going to qualify them to do the training? And where did that training come from? It's borderline ridiculous to suggest that training is the panacea for all changes to a standard.
     
    Last edited: Jun 28, 2019
    tony s likes this.
  13. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    How do you tell who knows how to do the training?? Did you ever notice, there's no accredited "Development & Implementation" course available? Care to guess why? It's the same circular argument. TC 176 folks wrote the standard, where did they get their training? TC 175? CSA folks? BSI folks? Nope, the argument doesn't hold water...

    To prove a point, you yourself claimed in another post that you didn't learn anything from Lead Auditor training that your experience didn't already tell you. It's disingenuous to make such a claim and then suggest everyone else needs training.
     
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    So, training to implement a Quality System is, then (by your description) not needed, especially since there are no rules (unlike being a IRCA/Exemplar/PECB Lead Auditor). End of discussion.
     
  15. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Plenty of people do this daily. It seems to me that it's not only a circular argument but it's also Catch 22. I note you've avoided an answer to a couple of questions which I'll take as confirmation that there is, indeed, no answer. Incidentally, the OP was only struggling with one aspect of ISO 9001 - 8.4. How was it determined they have no other knowledge to bring to the QMS?
     
  16. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Why is this any different to say, NATO AQAP 1? I fail to see the rationale for training, when it's clearly not the only route available. You stated the CB would write an NC for the QM not being competent - I'd be rejecting that NC, kicking the auditor out and finding another CB if they didn't withdraw the finding.
     
  17. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Why during an audit?

    That's NOT what the standard requires. It requires people to be competent. Training is ONE action to provide the required competency.

    Did you have training in ISO 9001:2015?
     
    tony s likes this.
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    True, but the phrase "deemed incompetent" would result in an NC by a CB auditor, wouldn't it?
     
  19. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Why? Is it required? If so, by whom? Frankly, if I encountered an auditor who asked that question, they'd be asked to leave. BTW - care to answer the question about who trains the trainer?
     
  20. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Read carefully 7.2c of the standard. It says "where applicable, take actions to acquire the necessary competence". Then the NOTE says "Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons".
     
    Andy Nichols likes this.