Companies decide about making or buying a product or service based on economic considerations.  When taking this decision, they rely on a vendor to provide a level of quality consistently which they would ensure through in-house processes.  This is the reason why the clause is so crucial for the quality system management.

Clause 8.4 of ISO 9001 certfication:2015 stipulates that the organization must ensure that externally provided (outsourced or purchased) products, processes as well as processes conform to specified requirements.

Extent of control

Extent of control will depend upon whether externally provided services and products are

1. Directly incorporated into company’s products/service or
2. Services and products are directly provided to organization’s customers or
3. One of the processes of the company (or a part of the process) is provided/operated by external provider.

“For each of these cases the company (organization) must separately determine and apply criteria for

Evaluating,

 Selecting,

 Performance monitoring and

 Re-evaluating

Based on the ability of external provider to provide products, processes and services, as per the requirements, appropriate action shall be taken. Documented info must be retained for these control activities as well as the actions arising out of the evaluation”.

Communication of requirements

Clause 8.4.2 describes the type of control and extent of control required

The company  must ensure that the externally provided products/ processes/services don’t affect adversely the organization’s capability to deliver services and products consistently conforming to requirements.

1. Processes provided externally must remain within control of the quality management system of the organization;
2. Controls to be applied on external provider as well as,  those to be applied on output of products and services must be defined separately by the organization

1. The organization must consider:

“1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements”; and

2)” the effectiveness of the controls applied by the external provider”;

1. d) “Organization (company) must determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet the requirements”

Clause 8.4.3 contains Information to be communicated to External Providers.

Organization must communicate applicable requirements to external providers as noted below:

1. processes to be performed or services and products to be provided on behalf of the organization (company);
2. requirements of approval for methods, processes or equipment and for release of products and services;
3. required competence as well as necessary qualification of personnel;
4. requirement of interactions with the organization’s quality management system;
5. requirement of controlling, measurement and monitoring of the performance of the external providers  by the organization;
6. requirement of verification activities intended to be performed at external provider’s premises by the organization, or its customer.

Organization must verify and ensure adequacy of specified requirements, prior to the communication of requirements to external providers.

Process interactions and role of ISO 9001 consultants

While formulating the quality management system, the process interaction between vendor’s (external providers) processes and the organization’s processes must be understood accurately. An ISO 9001 consultant can provide valuable guidance for building an effective QMS.