Management system guidance
8.4 Control of externally provided products and services
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.
8.4.2 Type and extent of control
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.4.1 – Purchasing Process and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your organization has ensured that the supplied product or service meets the specified requirements. If you need a procedure and forms to help control your business's purchasing and procurement process, click here.
Extent of supplier control
The extent of supplier control needs to be consistent with supplier performance and an assessment of product, material, or service risk. Control mechanisms may include a check of products at delivery, site acceptance tests, second-party supplier audits, etc. If supplier audits are required, this should be written in to the contracts with the suppliers.
Your organization's criteria for determining the need, type, frequency, and scope of second-party supplier audits must be based on a risk analysis. Issues that could trigger the need for a second-party supplier audit will include inputs from supplier performance indicators; risk assessment results, and follow-up of open issues from process and product audits.
The identification of applicable statutory and regulatory requirements needs to consider the country of receipt, shipment, and delivery. When special controls are required, your organization must implement these requirements and cascade those requirements down to your suppliers.
Externally provided processes must remain under your organizations QMS control and can be achieved through documented information that is aligned to ensure common inputs, outputs, controls, ownership, governance etc., between your organization's requirements and those that are used to interface with the supplier.
Controls and output
Purchase orders for items that are essential to fulfil customer requirements and directly affect the quality of your products and services should only be raised by the Purchasing Manager, or the Accounts Department (at the request of the Purchasing Manager). Purchase orders may be raised by the use of the computerised purchasing system or soft backed purchase order books. Purchase orders should contain:
- Purchase Order Number;
- Items required;
- Required delivery date;
- Quoted prices where applicable or known;
- Any other information deemed critical for the supply of the material should also be noted.
Ensure that purchase orders or purchasing specifications include, where appropriate the requirements for the approval and acceptance of products, services, procedures, processes or equipment. Purchasing documentation should also define the requirements for approval of the supplier’s personnel, verification arrangements, or quality management system requirements as necessary.
All purchase orders or purchasing specifications must be reviewed and approved before they are released to the supplier. Where appropriate, ensure the requirements for certification, inspection reports, statistical data, approval of samples, etc. are included in purchasing documents.
Some purchasing documents may include an agreement obligating your suppliers to give notification of changes to their product or service. When notification is received, the Quality Manager and the Purchasing, or Contracts Manager should evaluate how, and whether the changes affect the quality of your completed products or services.
More information on PDCA
Want to know more?
- Read our customer's feedback
- Client list - who's using our templates?
- How the templates are formatted and download examples
- Why we use turtle diagrams and process maps
- What's the difference between a process and a procedure?
- About documented information
A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.
Free PDCA guidance
ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.