8.4 Control of Externally Provided Processes, Products, and Services
8.4.1 General
The organization shall ensure that externally provided processes, products, and services conform to requirements.
The organization shall be responsible for the conformity of all externally provided processes, products, and services, including from sources defined by the customer.
The organization shall ensure, when required, that customer-designated or approved external providers, including process sources (e.g., special processes), are used.
The organization shall identify and manage the risks associated with the external provision of processes, products, and services, as well as the selection and use of external providers.
The organization shall require that external providers apply appropriate controls to their direct and sub-tier external providers, to ensure that requirements are met.
The organization shall determine the controls to be applied to externally provided processes, products, and services when:
a. products and services from external providers are intended for incorporation into the organization’s own products and services;
b. products and services are provided directly to the customer(s) by external providers on behalf of the organization;
c. a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.
NOTE: During external provider evaluation and selection, the organization can use quality data from objective and reliable external sources, as evaluated by the organization (e.g., information from accredited quality management system or process certification bodies, external provider approvals from government authorities or customers). Use of such data would be only one element of an organization’s external provider control process and the organization remains responsible for verifying that externally provided processes, products, and services meet specified requirements.
8.4.1.1 The organization shall:
a. define the process, responsibilities, and authority for the approval status decision, changes of the approval status, and conditions for a controlled use of external providers depending on their approval status;
b. maintain a register of its external providers that includes approval status (e.g., approved, conditional, disapproved) and the scope of the approval (e.g., product type, process family);
c. periodically review external provider performance including process, product and service conformity, and on-time delivery performance;
d. define the necessary actions to take when dealing with external providers that do not meet requirements;
e. define the requirements for controlling documented information created by and/or retained by external providers.
8.4.2 Type and Extent of Control
The organization shall ensure that externally provided processes, products, and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.
The organization shall:
a. ensure that externally provided processes remain within the control of its quality management system;
b. define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;
c. take into consideration:
1. the potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;
2. the effectiveness of the controls applied by the external provider;
3. the results of the periodic review of external provider performance (see 8.4.1.1 c);
d. determine the verification, or other activities, necessary to ensure that the externally provided processes, products, and services meet requirements.
Verification activities of externally provided processes, products, and services shall be performed according to the risks identified by the organization. These shall include inspection or periodic testing, as applicable, when there is high risk of nonconformities including counterfeit parts.
NOTE 1: Customer verification activities performed at any level of the supply chain do not absolve the organization of its responsibility to provide acceptable processes, products, and services and to comply with all requirements.
NOTE 2: Verification activities can include:
− review of objective evidence of the conformity of the processes, products, and services from the external provider (e.g., accompanying documentation, certificate of conformity, test documentation, statistical documentation, process control documentation, results of production process verification and assessment of changes to the production process thereafter);
− inspection and audit at the external provider’s premises;
− review of the required documentation;
− review of production part approval process data;
− inspection of products or verification of services upon receipt;
− review of delegations of product verification to the external provider.
When externally provided product is released for production use pending completion of all required verification activities, it shall be identified and recorded to allow recall and replacement if it is subsequently found that the product does not meet requirements.
When the organization delegates verification activities to the external provider, the scope and requirements for delegation shall be defined and a register of delegations shall be maintained. The organization shall periodically monitor the external provider’s delegated verification activities.
When external provider test reports are utilized to verify externally provided products, the organization shall implement a process to evaluate the data in the test reports to confirm that the product meets requirements. When a customer or organization has identified raw material as a significant operational risk (e.g., critical items), the organization shall implement a process to validate the accuracy of test reports.
8.4.3 Information for External Providers
The organization shall ensure the adequacy of requirements prior to their communication to the external provider. The organization shall communicate to external providers its requirements for:
a. the processes, products, and services to be provided including the identification of relevant technical data (e.g., specifications, drawings, process requirements, work instructions);
b. the approval of:
1. products and services;
2. methods, processes, and equipment;
3. the release of products and services;
c. competence, including any required qualification of persons;
d. the external providers’ interactions with the organization;
e. control and monitoring of the external providers’ performance to be applied by the organization;
f. verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises;
g. design and development control;
h. special requirements, critical items, or key characteristics;
i. test, inspection, and verification (including production process verification);
j. the use of statistical techniques for product acceptance and related instructions for acceptance by the organization;
k. the need to:
− implement a quality management system;
− use customer-designated or approved external providers, including process sources (e.g., special processes);
− notify the organization of nonconforming processes, products, or services and obtain approval for their disposition;
− prevent the use of counterfeit parts (see 8.1.4);
− notify the organization of changes to processes, products, or services, including changes of their external providers or location of manufacture, and obtain the organization’s approval;
− flow down to external providers applicable requirements including customer requirements;
− provide test specimens for design approval, inspection/verification, investigation, or auditing;
− retain documented information, including retention periods and disposition requirements;
l. the right of access by the organization, their customer, and regulatory authorities to the applicable areas of facilities and to applicable documented information, at any level of the supply chain;
m. ensuring that persons are aware of:
− their contribution to product or service conformity;
− their contribution to product safety;
− the importance of ethical behavior.