Outsourcing or Externally Provided Processes, Products, Services and Property in ISO 9001:2015

Keshav Ram Singhal

'Outsourcing' is an important external source activity for an organization. 'Outsource' can be defined as 'making an arrangement where an external organization performs part of the organization's role, function or process (interrelated and interacting activities).

ISO 9001:2008 QMS standard however mentioned requirements to ensure controls over outsource process, but it was not specific on the externally provided products and services. According to ISO 9001:2008 QMS standard, where an organization chooses to outsource any process, the organization needs to ensure control over such process.

Forthcoming ISO 9001:2015 QMS standard not only deals with externally provided process or processes, but it also mentions detailed requirements of the control on externally provided processes, products, services and property. There may be situations, when:
(i) outsource products and services are intended for incorporation into the organization's products and services,
(ii) an external provider on behalf of the organization provides products and services directly to the customer,
(iii) an external provider provides a process or part of a process to the organization,
(iv) an external provider provides its property for use or incorporation into the organization's products and services.

With respect to the externally provided processes, products, services and property, requirements mentioned in following clauses are relevant:
Clause 8.4 - Control of externally provided processes, products and services
Clause 8.5.3 - Property belonging to customers or external providers

According to the requirements of forthcoming ISO 9001:2015 QMS standard, an organization needs to carry out the following activities:

Consider
(i) Potential impact of externally provided processes, products and services on the organization's ability to meet requirements (customer and legal)
(ii) Effectiveness of the controls applied by external providers

Determine
(i) Controls to be applied to the externally provided processes, products and services
(ii) Criteria for the evaluation, selection, performance monitoring and re-evaluation of external providers
(iii) Verification and other activities to ensure that externally provided processes, products and services meet requirements

Ensure
(i) Externally provided processes, products and services conform to requirements
(ii) Externally provided processes, products and services remain with the organization's control
(iii) Adequacy of requirements to be communicated to the external providers

Define
Controls to be applied to
(i) External providers, and
(ii) Resulting output

Communicate to the external providers adequate requirements for the
(i) Processes, products and services
(ii) Approval of products and services
(iii) Approval of methods, processes and equipment
(iv) Release of products and services
(v) Required competence (including qualification)
(vi) External providers' interactions with the organization
(vii) Control and monitoring of the external providers' performance to be applied
(viii) Verification and validation activities to be performed at the external providers' premises by the organization or its customers

Apply
Determined controls, criteria and other activities


Controls on external providers' property

The organization is also required to exercise care with the property (such as material, components, tools, equipment, premises, intellectual property and personal data) belonging to the external providers while the same is under the organization's control or being used by the organization. The organization needs to identify, verify, protect and safeguard the property provided for the use or incorporation into the products and services.

When any property belonging to an external provider is lost, damaged or otherwise found to be unsuitable for use, the organization must (i) report the same to the external provider, and (ii) retain documented information of the same.

Please note:
International Organization for Standardization (ISO) has released ISO/FDIS 9001:2015 for voting to be completed on 9 September 2015 and thereafter ISO 9001:2015 QMS standard will be published. This article is based on the draft versions of the forthcoming standard and there may be some changes after the final standard is published.

VOTE STARTS ON ISO/FDIS 9001:2015

We informed our readers vide our earlier post that ISO/FDIS 9001:2015 has been issued by the International Organization for Standardization (ISO) and the revision to ISO 9001 standard has reached to final stage of the revision process.

Now ISO member countries have less than 2 months to form a national position and vote on the latest draft of the standard before the 9 September deadline.

With best wishes,

Keshav Ram Singhal

ISO/DIS 9001 - OPERATION - Determination of requirements for products and services - Customer communication

ISO/DIS 9001 - OPERATION - Determination of requirements for products and services - Customer communication

Keshav Ram Singhal

Requirements in clause 8.2.1 of ISO/DIS 9001 are similar to clause 7.2 of ISO9001:2008 QMS standard, however now organization needs to establish the processes for customer communication.

As per requirements of ISO/DIS 9001, the organization needs to establish processes for communicating with customers for
- products and services information,
- enquiries,
- contracts,
- order handling,
- changes with regard to enquiries, contracts, order handling,
- obtaining customer views,
- obtaining customer perceptions,
- obtaining customer complaints,
- handling of customer property, if applicable,
- handling treatment of customer property, if applicable,
- contingency actions' specific requirements, when relevant.

Effective customer communication plays a important role in all above activities. Make sure that the organization understand the importance of customer communication. The organization can meet customer's requirements in a better way when it has effective customer communication processes.
Effective customer communication can be done by establishing processes for providing product information, catalogues, specifications, samples etc. Product information may also be communicated in hard copy or soft copy. For handling enquiries, contracts, order handling and obtaining customer's views, perceptions, complaints, the organization must establish processes for dealing them.

ISO/DIS 9001 has also included the significance of establishing processes for handling and treating customer property and also for contingency (a future or possible event or circumstance which is possible but cannot be predicted with certainty) actions.


.... to be continued

ISO/DIS 9001 - OPERATION - Operational planning and control

ISO/DIS 9001 - OPERATION - Operational planning and control

Keshav Ram Singhal

Clause 8 of ISO/DIS 9001 provides requirements related to the operation. All phases, involved in the development of products and services, come under operation.

The relevant sub-clauses are as under:

8.1 - Operation
8.1.1 - Operational planning and control

8.2 - Determination of requirements for products and services
8.2.1 - Customer communication
8.2.2 - Determination of requirements related to products and services
8.2.3 - Review of requirements related to products and services

8.3 - Design and development of products and services
8.3.1 - General
8.3.2 - Design and development planning
8.3.3 - Design and development inputs
8.3.4 - Design and development control
8.3.5 - Design and development outputs
8.3.6 - Design and development changes

8.4 - Control of externally provided products and services
8.4.1 - General
8.4.2 - Type and extent of external provision
8.4.3 - Information for external providers

8.5 - Production and service provision
8.5.1 - Control of production and service provision
8.5.2 - Identification and traceability
8.5.3 - Property belonging to customers or external providers
8.5.4 - Preservation
8.5.5 - Post-delivery activities
8.5.6 - Control of changes

8.6 - Release of products and services

8.7 - Control of nonconforming process outputs, products and services

Operational planning and control

Requirements in this clause are similar to the requirements as mentioned in clause 7.1 of ISO 9001:2008 QMS standard under the heading 'Planning of product realization', however ISO/DIS 9001 requires more emphasis on control of processes. According to the requirements, the organization needs to plan, implement and control all determined processes that are needed to (i) meet requirements for the provision of products and services, and (ii) implement the determined actions to address identified risks and opportunities. For controlling all determined processes, the organization needs to:
- determine requirements for products and service,
- establish criteria for all processes,
- establish criteria for acceptance of products and services,
- determine the resources needed to operate and control processes so as to achieve conformity to products and service requirements, and
- implement control of processes according to the established criteria.

The organization is also required to retain documented information that provides evidence and confidence that (i) processes have been carried out as per planning, and (ii) products and services are as per requirements.

The output of planning must suit to organization's operations.

The organization is also required to control planned changes, review the results or effects of unintended changes and take necessary action to reduce the gravity of any adverse effects.

The organization is also required to control outsourced processes as per requirements mentioned in clause 8.4 of ISO/DIS 9001.


... to be continued

ISO/FDIS 9001:2015 Released

ISO/FDIS 9001:2015 Released

FDIS = Final Draft International Standard

We are glad to inform our readers that ISO/FDIS 9001:2015 has been issued by the International Organization for Standardization (ISO) and the revision of ISO 9001 QMS standard has now reached the final stage.

Around 90% members approved the earlier released ISO/DIS 9001, however over 3,000 comments with suggestions on possible improvements were received by the committee responsible for revision. The ISO committee responsible for ISO 9001 revision has met twice, in Ireland and Lithuania, and also carried out extensive online discussions to analyze and decide on every comment received during the vote on ISO/DIS 9001. Now ISO/FDIS 9001:2015 has been issued on 09 July 2015 and ISO members will proceed with a national consultation before submitting their final vote on ISO/FDIS 9001:2015. ISO members have 2 months time to form their national position and vote the latest draft of the standard (ISO/FDIS 9001:2015) before 9 September 2015 deadline.

Compared to ISO/DIS 9001, changes in ISO/FDIS 9001:2015 are relatively minor. The terms and definitions have now been removed from the standard and these will now be part of ISO 9000. Some of the explanatory text has been moved to an informative Annex.

If you wish to read ISO/FDIS 9001:2015, you should contact national standards body in your country who is the member of ISO. In India Bureau of Indian Standards is the national standards body, who is the member of ISO.

More information in forthcoming posts.

With best wishes,

Keshav Ram Singhal
Email:
keshavsinghalajmer@gmail.com
krsinghal@rediffmail.com

Please keep visiting the blog 'Forthcoming ISO 9001:2015 QMS Revision' at http://qmsawareness.blogspot.in/.

Those interested in 'Awareness Training on Forthcoming ISO 9001:2015 QMS' may contact us by mentioning their requirements.

Thanks.

ISO/DIS 9001 - SUPPORT - Documented information ....

Continue from the last post ...

ISO/DIS 9001 - SUPPORT - Documented information ....

Keshav Ram Singhal

DOCUMENTED INFORMATION

Details, format and type of documented information related to the quality management system of one organization may differ from another organization due to various reasons and some of the reasons may be as under:
- size of the organization
- activities of the organization
- processes of the organization
- complexities and interactions of organization's processes
- products and services of the organization
- competence of the people of the organization

The organization is required to ensure appropriate measures (mentioned below) at the time of creating and updating documented information, such as:
- identification and description
- format
- media
- review and approval for suitability and adequacy

Identification of documented information means the action or process of identifying the documented information. Identification and description of documented information can be done by mentioning the classification title, date, author, reference (identification) number, page number etc.

Format of documented information means the way in which the documented information is arranged or set out. Ensure: (i) language used in the documented information, (ii) whether the documented information is in software version, (iii) whether graphics are to be used in the documented version.

Media of documented information means the means of communication used in the documented information. It can be either hard copy (paper) or Soft copy (electronic).

Review of documented information means another look at the documented information and this is a task, which should be carried out at the time of creating and updating of the documented information by the appropriate person, who is linked with the affairs of the documented information. Review of the documented information may be carried out randomly or periodically, but ISO/DIS 9001 requires review of documented information at the time of creating and updating of documented information.

Approval of documented information means that some authority has agreed the contents and data of the documented information.


The organization needs to control the documented information required by the quality management system and ISO/DIS 9001 by ensuring the following:
(i) The documented information is available and suitable for use.
(ii) The documented information is adequately protected from the loss of confidentiality, improper use and loss of integrity.
The organization needs to address the following activities for the control of documented information:
- distribution
- access (permission to view)
- retrieval
- use
- storage
- preservation including preservation of legibility

The organization needs to determine and control documented information of external origin that are necessary for the planning and implementation of the quality management system. In order to control documented information of external origin, the organization should establish appropriate process or mechanism for identification, classification, distribution and availability of such documented information.

ISO/DIS 9001 does not specify requirements to control obsolete (out of date) documented information. However, it is better to have control on such documented information, as use of obsolete documented information may lead to errors, failures or hazards, which can be an evidence of nonconformity. Sometimes superseded or obsolete documented information needs to be retained by an organization for a variety of reasons, such as legal or reference purpose, and for this the organization must have a method of identifying the status of such documented information to prevent their accidental use in place of current documented information. In practice, organizations put 'Obsolete Document' or 'Obsolete Documented Information' stamp in red ink on the face of obsolete documented information.

ISO/DIS 9001 - SUPPORT - Documented information

Keshav Ram Singhal

DOCUMENTED INFORMATION

ISO 9001:2008 QMS standard has its clause 4.2 that describes documentation requirements including general requirements (sub-clause 4.2.1), requirements for quality manual (sub-clause 4.2.2), control of documents (sub-clause 4.2.3) and control of records (sub-clause 4.2.4) and accordingly the standard describes two types of documentation (documents and records). Records are a special types of document and many people confuse between a document and a record. ISO/DIS 9001 attempts to reduce the confusion between a document and a record by introducing a common term 'documented information' and thus the implementation will be more transparent. ISO/DIS 9000:2014 defines documented information as the information (meaningful data) required to be controlled and maintained by an organization and the medium on which it is contained. Documented information can be: (i) in any format, (ii) in any media, and (iii) from any source. Documented information can refer to: (i) the quality management system, (ii) any related processes, (iii) information (meaningful data) relevant for the organization's operation, and (iv) evidence of results achieved.

The terms 'documented procedure' and 'record' (used in ISO 9001:2008 QMS Standard) have both been replaced throughout the requirements text in ISO/DIS 9001 by 'documented information'. Where ISO 9001:2008 QMS standard refers to documented procedure, this now expressed as to maintain documented information in ISO/DIS 9001. Where ISO 9001:2008 QMS standard refers to records, this now expressed as to retain documented information in ISO/DIS 9001.

Clause 7.5 (documented information) of ISO/DIS 9001 has following sub-clauses:
7.5.1 - General
7.5.2 - Creating and updating
7.5.3 - Control of documented information

As per the requirements of ISO/DIS 9001, the quality management system of the organization must include (i) documented information required by ISO/DIS 9001, and (ii) documented information determined by the organization for the organization's effective quality management system.

Documented information required by ISO/DIS 9001

Documented information required by ISO/DIS 9001(with clause number) are given below:

4.3 - Scope of the quality management system mentioning the products and services covered and justification for any instance where any ISO/DIS 9001 requirement cannot be applied

4.4 - (i) Necessary to support the operation of processes, and (ii) to have confidence that the processes are being carried out as planned

5.2 - Quality policy

6.2 - Quality objectives

7.1.5 - (i) Monitoring and measuring resources - evidence of fitness, and (ii) Basis used for calibration or verification where no international or national measurement standard exists

7.2 - Evidence of competence

8.1 - Operation planning and control - (i) Processes are carried out as planned and (ii) Conformity of products and services

8.2.3 - (i) Result of the review of requirements, including any new or changed requirements for the products and services, and (ii) Where requirements for products and services are changed, amendment of relevant document information

8.3.2 - Confirmation that design and development requirements are met

8.3.3 - Design and development inputs

8.3.4 - Design and development control activities

8.3.5 - Results from design and development outputs

8.3.6 - Design and development changes, results of reviews, authorization of changes and the actions taken to prevent adverse effects

8.4.1 - (i) Results of evaluation, (ii) Monitoring of performance, and (iii) Re-evaluation of external providers

8.5.1 - Information that defines the characteristics of the products and services to be produced/provided, activities to be performed, and the results to be achieved

8.5.2 - Necessary to maintain traceability

8.5.6 - (i) Results of the review of changes, (ii) Personnel authorizing the change, and (iii) Any necessary action

8.6 - Traceability to the person(s) authorizing release of products and services for delivering to the customer

8.7 - (i) Action taken on nonconforming process outputs, products and services, (ii) Any concession obtained, and (iii) Person or authority that made the decision regarding dealing with the nonconformity

9.1.1 - Evidence of results in monitoring, measurement, analysis and evaluation

9.2 - (i0 Evidence of the implementation of the internal audit programme, and (ii) Internal audit results

9.3 - Evidence of the results of management review

10.2 - Evidence of (i) nature of nonconformities and subsequent actions , and (ii) Results of any corrective action


Although ISO/DIS 9001 does not mention the requirement to have documented information for the following, however, it would be better in the opinion of the author of this article if the organization determines to have documented information for the following:

5.3 - Organizational roles, responsibilities and authorities

6.1 - Actions to address risks and opportunities

8.3.4 - Clearly defining the results to be achieved by the design and development activities

- To be continued ....

ISO/FDIS 9001:2015 EXPECTED SOON

As per the latest information, the Final Draft International Standard (FDIS) for forthcoming ISO 9001:2015 QMS standard is expected to be issued in July 2015.

More information/relevant articles may be seen in this blog.

- Keshav Ram Singhal

ISO/DIS 9001 - SUPPORT - Competence, Awareness and Communication

ISO/DIS 9001 - SUPPORT - Competence, Awareness and Communication

Keshav Ram Singhal


COMPETENCE

Competence is defined as the ability to apply knowledge (available collection of information, i.e. meaningful data being a justified belief and having a high certainty to be true) and skills to achieve desired outputs or intended results. When competence is demonstrated, it sometimes referred to as qualification. Competence is a standardized requirement for an individual to properly perform a specific job. It encompasses a combination of knowledge, skills and behaviour to improve performance. Competence can be measured by the achievement of results.

Clause 7.2 of ISO/DIS 9001 deals with the requirements for competence. As per requirements, the organization is required to: (i) determine the necessary competence of people, who work under organization's control and whose work affects quality performance of the organization, (ii) ensure that the people working in the organization are competent on the basis of appropriate education, training or experience, and (iii) retain documented information as evidence of competence. Where there is need to acquire the necessary competence, the organization is required to take actions (such as providing training, mentoring of people, reassignment of people, hiring, contracting of competent persons) to acquire the necessary competence and evaluate the effectiveness of actions taken. It should be noted that the documented information should provide information on (i) determined necessary competence, and (ii) competence of people.

AWARENESS

Awareness is common knowledge or understanding about any issue and training is a way to foster awareness and competence. Organizations need to check their employees' competence, awareness and training regularly.

Clause 7.3 of ISO/DIS deals with the requirements of awareness. As per the requirements, people working in organization (for example - employees, contract workers, contractors) must be aware of the (i) quality policy of the organization, (ii) relevant quality objectives established at relevant functions, levels and processes, (iii) their individual contribution to the effectiveness (i.e. successful in achieving the desired results) of the quality management system, (iv) benefits of improved quality performance (action or process of performing a task). and (v) implications (conclusions that can be drawn) of non-conformance (non fulfillment) of requirements.

How to improve competence and awareness?

Organizations can compare the current competence of the people, working in the organization, against what they require. This may be termed as 'awareness and competence gap analysis'. The gaps determined should be filled through training or by acquiring additional awareness and competence. Training may be at the actual workplace (as on the job training), in-house or at some external location. It is not sufficient to just provide (and record) training, the organization must evaluate it.


COMMUNICATION

Effective communication is significant in an organization to perform its planning and functioning in a systematic way. Communication helps employees to perform their jobs and responsibilities. It serves as a foundation for planning. Communication promotes motivation. It is a source of information and information is very essential for every organization. In brief, we can say that communication (i) establishes effective leadership, (ii) helps toward motivation and morale development, (iii) helps in smooth working, (iv) promotes cooperation among people and teams, (v) acts as a basis of coordination and cooperation, (vi) acts as a basis for decision making, and (vii) increases managerial and employees efficiency.

Clause 7.4 of ISO/DIS 9001 deals with the requirements of communication. As per ISO/DIS 9001, the organization needs to determine appropriate (suitable and proper) internal and external communication processes relevant to the quality management system of the organization by determining the following:
- Contents of the communication
- Time of the communication
- Receivers of the communication
- Mechanisms of the communication

Although ISO/DIS 9001 states to determine 3Ws1H (What, When, Whom and How) with regard to communication, however we suggest to determine the following 2Ws (where to communicate and why to communicate) also, so that your communication becomes significant, effective and purposeful.

ISO 9001:2008 QMS standard has two clauses relevant to communication:
Clause 5.5.3 - Internal communication
Clause 7.2.3 - Customer communication

Customer communication is a part of external communication, and now ISO/DIS 9001 has one clause (titled communication) instead of two (titled internal communication and customer communication) as in ISO 9001:2008 QMS standard.

Mechanism of communication may include periodic meetings, email,, bulletin boards, suggestion boxes, circulars, product information brochures, catalogues, specifications, information etc.

To be continued ....

ISO/DIS 9001 - SUPPORT

Keshav Ram Singhal

Clause 7 of ISO/DIS 9001 provides requirements related to support. It includes requirements related to resources (including human resources, infrastructure, environment for the operation of processes, monitoring and measurement resources, organizational knowledge), competence, awareness, communication and documented information. More or less similar requirements under the heading 'Resource management' are mentioned in clause 6 of ISO 9001:2008 QMS standard. Documentation requirements of clause 4.2 of ISO 9001:2008 QMS standard are now part of the support requirements in clause 7.5 of ISO/DIS 9001.

Clause 7 of ISO/DIS 9001 now deals with support requirements, whose relevant sub-clauses are as under:

7.1 - Resources
7.1.1 - General
7.1.2 - People
7.1.3 - Infrastructure
7.1.4 - Environment for the operation of processes
7.1.5 - Monitoring and measuring resources
7.1.6 - Organizational knowledge

7.2 - Competence

7.3 - Awareness

7.4 - Documented information
7.4.1 - General
7.4.2 - Creating and updating
7.4.3 - Control of documented information

RESOURCES

Clause7.1 of ISO/DIS 9001 deals with the requirements of resources needed for the quality management system. As per requirements, the organization is required to determine and provide the resources (such as people, infrastructure, environment, monitoring and measuring resources, organizational knowledge) needed for implementing, maintaining and continually improving the quality management system of the organization. The organization needs to consider:
- the capabilities of existing internal resources available in the organization,
- the constraints on existing internal resources, and
- resources needs to be sourced from external providers.

The organization needs to ensure to consistently meet customer and applicable legal (statutory and regulatory) requirements to achieve conformity of products and services for which the organization is required to provide:
(i) competent persons for effective operation of the quality management system including the processes needed for the quality management system,
(ii) infrastructure for the operation of processes,
(iii) environment (including physical, social, psychological, environmental and other factors such as temperature, humidity, ergonomics and cleanliness) necessary for the operation of the processes,
(iv) monitoring and measuring resources to ensure valid and reliable results.

Infrastructure needed may include:
- buildings and associated utilities,
- hardware and software equipments,
- transportation,
- information and communication technology.

Evidence of conformity of products and services to specified requirements are essential for a robust quality management system for which there are instances where monitoring and measuring resources are used for collection the evidence of conformity of products and services to specified requirements. In such instances the organization needs to determine the resources needed (such as monitoring and/or measuring equipments) to ensure valid and reliable monitoring and measuring results. The organization needs to ensure that the monitoring and measuring resources are suitable and fit (useful) for the purpose they are being used and the organization needs to retain appropriate documented information as evidence of fitness of such resources.

There may be instances where measurement traceability (history) may be a legal (statutory or regulatory) requirement, customer expectation, relevant interested party expectation or organization's consideration to be necessary of providing confidence in the measurement results' validity. In such instances the organization must (i) verify or calibrate the measuring instruments at specified intervals or prior to use against national or international measurement standards, or where no national/international standard exists, retain as documented information the basis used for calibration or verification, (ii) identify the measuring instrument in order to determine its calibration status, (iii) safeguard from adjustments, damage or deterioration that may invalidate calibration status or measurement results.

The organization must: (i) determine if the validity of previously measurement results has been adversely affected, (ii) determine when a monitoring/measuring instrument is found to be defective during its planned verification or calibration or during its use, and (iii) take appropriate corrective action as required.

ISO/DIS 9001 has included new requirements related to organizational knowledge. As a resource, organizational knowledge (such as information on intellectual property and lessons learned) may be necessary for the operation of organization's processes and to achieve conformity of products and services to specified requirements, for which the organization is required to: (i) determine the knowledge, (ii) determine ways or methods to acquire or access the necessary additional knowledge, (iii) maintain the knowledge, (iv) make available the knowledge to the extent necessary, and (v) consider its current knowledge when addressing changing needs and trends.

When team knowledge from several subunits, departments or groups of an organization is combined and used to create new knowledge, the resulting knowledge can be called organizational knowledge.

The organization is required to:
- determine the knowledge necessary for the operation of organization's processes and to achieve conformity of products and services to requirements,
- maintain the knowledge, and
- make available the knowledge to the extent necessary.

When addressing changing needs and trends, there is a need to acquire or access the additional knowledge for which the organization needs to consider the organization's current knowledge and determine the ways to acquire or access the necessary additional knowledge. The organization can consider internal and external sources. Internal sources may include learning within the organization from failures and successes, capturing knowledge that is not documented and experience of local experts. External sources may include standards, academic references, conferences, knowledge from customers or others, such as suppliers, providers.

To be continued ....