ISO 9001 Clause 8.4 Control of externally provided processes, products and services

In this article, I am going to cover clause 8.4 Control of externally provided processes, products and services. I’m going to break this clause down and turn it into something you can all understand. You'll then be able to apply this to your own organization's system and understand what the requirements will look like for you. 

This clause starts off with the subclause of 8.4.1 which states…

The organization shall ensure that externally provided processes, products and services conform to requirements. The organization shall determine the controls to be applied to externally provided processes, products and services when:

As a business, we are required to manage any services provided by contractors, subcontractors, labour hire, or external providers of products or even services, like consultants. And it’s up to the business to determine what the controls are to manage them. Let’s keep working through and you’ll see when we start talking about criteria further on, this will help us to understand what controls we can put in place. 

You are to determine the controls to be applied when:

a) products and services from external providers are intended for incorporation into the organization’s own products and services

As an example, if the business purchase parts to be used in an engine restore, then the parts provider is considered an external provider.

Then these controls also need to be applied when:

b) products and services are provided directly to the customer(s) by external providers on behalf of the organization and

c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization.

An example here might be if you own a plumbing business and you contract some work out to other qualified plumbers that are independent contractors, not employees. They are dealing directly with YOUR customer delivering a product and service ordered from you. This could also be a process or part of a process, like using a consultant to conduct a review and provide a report for your business to then action.

This clause then goes on to state…

The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements.

What are the criteria that we use to evaluate, select and monitor our external providers?

It could be criteria such as:

• cost
• location
• certification – you may require your suppliers to be certified against quality, environment or OH&S.
• work history – has the supplier been good to deal with on previous projects? Have they delivered a quality product or service?

It is up to the business to determine what criteria should be relevant to what products and services they deliver. The main area to remember for this is that you need evidence of the evaluations, selection, and monitoring using this criteria. So it’s not just lip service.

And I haven’t made this up as the final part of this clause states that …

The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.

There it is in black and white for you! You need to retain documented information of these activities (so evaluation and selection) and then any actions that occur as a result of this. This might mean you conducted a re-evaluation of a supplier and there had been issues with them not supplying the correct product and therefore the action may have been a nonconformance raised. In extreme cases, the action may be that they are no longer an approved supplier.

This clause then moves on to subclause 8.4.2 Type and extent of control and states…

The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

The organization shall:

a) ensure that externally provided processes remain within the control of its quality management system

b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output

This means that you can’t use the excuse that ‘they were a contractor’ it wasn’t me! I had this happen to me years ago when I had a water tank delivered to my house. When the delivery driver unloaded the water tank the forklift damaged our fence. When I arrived home and saw this, I contacted the supplier we’d purchased the tank from and they advised me that this wasn’t their issue to fix, as the delivery driver was a contractor and it was not their responsibility. I promptly explained to them my take on the matter and needless to say they paid for the fence to be fixed!

The next section of the clause states…

c)take into consideration:

1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements and

2) the effectiveness of the controls applied by the external provider

This means that the controls you have in place to ensure that your external providers are meeting your requirements and your customer's requirements will be higher for those providers who would have a higher impact on your own product or customer experience.

For example, years ago I was doing a stage 1 audit (I still audit this same company now, so we’ve had a long relationship) and I was reviewing their processes and records for conformance to this clause. I asked what the process was that they followed to review their external providers, what criteria they used, and so on. They told me that they completed a checklist with scoring against the set criteria, so I asked to see these completed checklists.

They proceeded to pull out about 3 lever-arch folders full of these completed checklists in hard copy. I started to flick through the various suppliers they had evaluated and discovered that they had in fact included absolutely EVERY supplier, even those that did not have an impact on their product.

They sell new and repaired 2^nd hand marine engines, so the evaluation of the coffee shop around the corner was really not necessary. Nor was the evaluation of the supermarket where they purchased their kitchen supplies. Not even their office supplies and stationery supplier was important to evaluate for this process. All they needed to do was to identify the providers who had or could have a direct impact on their product and their customer and conduct the evaluations and implement the controls on them.

Then finally the last section of this subclause is…

d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

What checks or monitoring are you going to plan and conduct to ensure that your external providers are meeting your requirements, what they stated they would provide, and the customers’ requirements? This could be your own internal audits, planned monitoring of the work conducted, sign-offs or approvals as part of the process, inspections, and so on. This all depends on the type of activities, products, and services you provide. So, figure out what you need to do and implement it.

This clause then moves on to the final subclause 8.4.3 Information for external providers and states…

The organization shall ensure the adequacy of requirements prior to their communication to the external provider.

The organization shall communicate to external providers its requirements for:

a) the processes, products and services to be provided

b) the approval of:

1) products and services

2) methods, processes and equipment

3) the release of products and services

c) competence, including any required qualification of persons

d) the external providers’ interactions with the organization

e) control and monitoring of the external providers’ performance to be applied by the organization

and finally…

f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises.

I chose to share the entire subclause all at once, because when I read through each point all I see is some sort of Supplier Agreement or Contract. All of these requirements would be included in the Agreement that you have with the external provider.

• what scope of work are they providing?
• what processes or equipment will they be supplying or need access to?
• what is their process and even your process for authorizing the release of the final product?
• is the provider interacting with your customer or other workers? If so, what does this interaction look like? What is acceptable?
• what monitoring are you conducting and when? So the external provider knows exactly what is going to be checked and at what stage of the work.

Put all of this information in an Agreement, with both parties signing off on it. And do you know what you have ended up with now? A fantastic audit tool. Use this Agreement to conduct your internal audits against to verify the conformance of your external provider against the agreed contract or agreement.

Now that you have a better understanding of these requirements, it's time to take action and implement them in your own organization and ISO 9001 quality management system.

If you're itching to expand your knowledge on ISO 9001, make sure to check out our other articles on the topic, starting with a comprehensive breakdown of What is ISO 14001:2015 Environmental Management Systems?

But if you're more of a visual learner, head over to our ATOLTV ISO 9001 playlist on YouTube; and if you're ready to become an expert in ISO 9001 quality management systems, take a look at our range of courses and qualifications today.