Each organisation deals with a number of vendors, suppliers, teaming partners, outsourcing agencies, external consultants, etc throughout the course of their business. These external providers may be supplying certain material to your organisation or delivering a service. These may include raw materials, tools, machinery, components, equipment, etc. At times, you may also need to outsource your processes. For example, a manufacturer may outsource painting or welding processes to an external provider or a software development company may outsource testing activities. Clause 8.4 requirements apply to all the items that are critical to manufacture the product, check or deliver the product/service. This clause specifies the requirements to control the purchased product/service, outsourced process, evaluation of suppliers, and the purchasing process.

As an organisation receiving the processes, products, or services, it is your responsibility to check that the items you receive meet the specified requirements. You need to apply adequate controls to ensure this. These controls shall be applied in any of the following cases:

• When you are receiving products and services from an external provider to incorporate into your organisation's own products and services. For example, raw material received from suppliers.
• When an external provider is providing products and services directly to the customer on behalf of your organisation. For example, an arrangement with a partner company or vendor/supplier to directly provide products or services to the customer.
• When you have outsourced processes or parts of processes from an external provider.

Consider the following scenarios:

1. You selected a new vendor as they were cost-effective without evaluating them on any other parameter. You receive sub-standard raw material and it was incorporated into your product without any checking. What would be the quality of the final product?
2. You obtain the raw material from a new supplier based on informal verbal communication and material received is not as per the requirement. You end up returning the whole batch and explained the requirement again. How will you meet your delivery timelines?
3. You are outsourcing testing activities and based on the communication of successful testing by your outsourcing company, you deliver the product to your client. The client complained that the product does not meet his specification. Will this customer repeat the contract with you?

These situations can occur in any organisation if the supplier evaluation, control of purchase process, control of material received, or monitoring of the performance of vendors is not done. The quality of your final product or service greatly depends on the products, processes, or services that are provided by an external provider. This clause covers all the critical areas like selection criteria for external provider evaluation, continuous monitoring of their performance and re-valuation, purchasing process, checks and control on the product or service you receive and information that you should pass on to the external provider to ensure that quality is maintained and your end customers are always happy with what you deliver.

If you plan to purchase material or outsource some of your processes, the first step is the selection of a suitable external provider. ISO 9001 requires that you determine the criteria for external provider selection. This may include financial capability, product quality, technical capability, manufacturing capacity, reputation, service provided, cost, etc. The criteria may differ for different products and services that you plan to purchase or processes that you are outsourcing. Based on the selection criteria, external providers shall be evaluated and a list of all qualified external providers shall be maintained.

In addition to the initial evaluation and approval of external providers, you need to implement ongoing monitoring and measurement of their performance. You may set performance indicators to evaluate their consistency and performance on aspects of quality, timeliness, services provided, etc. Non-conformities, if any in the product/services they deliver or issues with their performance shall be taken up with the external providers, root causes identified and corrective actions taken.

Re-evaluation of the supplier shall also be done based on their performance. These are typically done in management reviews or in consultation with senior management. Any documents which may be the output of these process shall be retained and any necessary action arising out of the evaluation or re-valuation documented.

This clause requires that you determine the factors of the purchased product/service or outsourced process that are important to your design, production, and the end product/service. These may include quality, maintainability, reliability, durability, compliance to industry standards or specifications, etc. Performance parameters like timeliness of delivery may also be important criteria for you to ensure that you deliver your products or services on time. An organisation needs to define the controls required on external providers and products or services they supply based on all such criteria.

Once you have identified all the criteria, the next step is to identify the extent and frequency of the control or verification required. You may do it when you receive the product or service or any time before the use of the product or service in production.

At the time of receipt of the product or service, you may conduct a visual inspection, a detailed inspection against the requirement or specifications, check necessary documentation like certifications, etc. You may also review supplier quality plans, inspection plans, conduct an audit at the supplier’s site to ensure that the supplier meets the required specification or processes mandated by you/customer, regulatory bodies, or industry standards prior to the product/service being delivered.

Based on the criticality of the materials supplied by your external provider or to ensure their performance, you may require that your external providers follow all or some of the ISO 9001 requirements or go for certification. Such controls may also be applied and can be made part of your contract with the external provider.

Similar controls need to be applied to outsourced processes. You need to determine adequate controls to ensure that the processes outsourced are conforming to the requirements of ISO 9001. This can be done by providing the vendor with your quality manual or procedures to comply with, provide them with product specifications, review their inspection and test results, or conduct audits of your vendor; etc. The amount and nature of controls that you want to apply on your external provider will depend on the risk involved and the nature of the outsourced process.

A purchasing process can be written identifying all the required controls. The extent of documented records or controls may be decided based on the risk involved.

It is also important that the organisation communicates the requirements to their supplier/vendor clearly. Unclear requirements may lead to non-conforming or defective products or services being delivered to you. This clause provides the details that the organisation shall communicate to external providers. This information must include:

• Adequate details on the products and services to be provided or the processes that the external provider will perform on behalf of the organization;
• Methods of approval or release of products and services, processes, or equipment; These may include acceptance criteria, quality parameters,  specifications that need to be met, etc.
• Competency requirements including qualification.
• Information on the interactions with your quality management system in the form of your quality manuals or procedures relevant to them. Supply details on how you will review their performance as per your quality management system, etc.
• Details on how you will control or monitor the external provider performance. This may be done through performance indicators, etc.
• Verification activities that the organisation, or its customer, plans to perform at the external provider’s sites. For example, supplier audits

You need to ensure that the requirements that you intend to communicate to the external provider are reviewed for adequacy before they are communicated. These may be communicated to the external provider through the contractual documents, statement or scope of work, requirements specifications, or other such documents before the commencement of work or during the course of the assignment as per your contract. The intent is to ensure enough communication is provided to the external provider so that the product/service provided or processes executed by them will meet customer, regulatory or other specified requirements.