ISO 9001-2015 Clause 8.4 External Products and Services PDF

Summary

This document outlines procedures for managing externally provided processes, products, and services. It covers the importance of ensuring that external providers meet requirements for conformity and how to evaluate and select external providers. The document has important implications for quality management within organizations that rely on external suppliers.

Full Transcript

8. Operation
8.4 Control of externally provided products and services

8.4.1 General

Does the organization ensure that externally provided processes, products and services conform to requirements?

AS9100-D: The organization shall be responsible for the conformity of all externally provided processes, products, and services, including from sources defined by the customer.
The organization shall ensure, when required, that customer-designated or approved external providers, including process sources (e.g., special processes), are used.
The organization shall identify and manage the risks associated with the external provision of processes, products, and services, as well as the selection and use of external providers.
The organization shall require that external providers apply appropriate controls to their direct and sub-tier external providers, to ensure that requirements are met.

Does the organization determine the controls to be applied to externally provided processes, products and services when:
a) products and services from external providers are intended for incorporation into the organization’s own products and services?
b) products and services are provided directly to the customer(s) by external providers on behalf of the organization?
c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization?

Has the organization determined and applied criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements?
Does the organization retain documented information of these activities and any necessary actions arising from the evaluations?

NOTE: During external provider evaluation and selection, the organization can use quality data from objective and reliable external sources, as evaluated by the organization (e.g., information from accredited quality management system or process certification bodies, external provider approvals from government authorities or customers). Use of such data would be only one element of an organization’s external provider control process and the organization remains responsible for verifying that externally provided processes, products, and services meet specified requirements.

EN ISO / IEC 80079-34:
a) while manufacture, test and final inspection may be sub-contracted, the responsibility for ensuring conformance with the certificate and the technical documentation shall not be sub-contracted;
b) external providers providing a product, process, or service that can affect the Ex Product's compliance with the certificate shall only be selected after an evaluation has provided evidence that they have the capability of ensuring compliance with all specified requirements;
1) documented objective evidence that the external provider can provide product, process or service that is fit for purpose shall be made by one or more of the following methods:
– the external provider has an acceptable Ex quality management system according to this document assessed by an accredited body,
– the external provider has a quality management system certificate in accordance with the appropriate standard and with an acceptable scope,
NOTE A certificate issued by an accredited body which can demonstrate that it operates in compliance with ISO/IEC 17021 is generally acceptable; depending on the nature of the product, process, or service, a quality management system in accordance with ISO 9001:2015 might not be sufficient.
– a documented site assessment to ensure that all relevant controls are available, documented, understood and effective.
NOTE The evaluation takes the following into account:
– criticality of the product, process or service;
– degree of difficulty, or variability in the manufacturing process;
– location of the external provider and hence the effectiveness of communications;
– subcontracting of the product, process or service.
2) where the features affecting the Type of Protection cannot be verified at a later stage or are not verified by the manufacturer e.g. encapsulated intrinsically safe circuits, then the product, process, or service shall only be accepted by one of the following methods:
– the manufacturer can demonstrate that the control process implemented by the external providers ensures Ex compliance,
– the body responsible for the verification of the quality management system performs periodic audits at the external providers.
c) external providers providing calibration services (including verification on measuring devices by comparison with calibrated equipment) shall be evaluated on their ability to meet stated requirements as well as the requirements of 7.1.5;
d) external providers not used for a period exceeding one year shall be re-evaluated in accordance with 8.4.1 b) prior to the placing of a contract or a purchase order;
e) requirements 8.4.1 b) and 8.4.1 d) are not mandatory for products, processes or services where the manufacturer verifies conformance according to 8.4.2;
f) the ongoing ability of the external providers to provide conforming product, process or service shall be reviewed at periods not exceeding one year;
NOTE 1 "Review" is a process by which the manufacturer demonstrates the ongoing suitability and performance in accordance with 8.4.1 b) and c) of their external providers e.g. receiving inspection report analysis.
NOTE 2 The terms "re-evaluation" and "review" have different meanings.
g) The manufacturer shall facilitate an arrangement whereby the body responsible for the verification of the Ex quality management system may also verify aspects of any external provider’s operation that affects the Type of Protection.

8.4.1.1 The organization shall:
a. define the process, responsibilities, and authority for the approval status decision, changes of the approval status, and conditions for a controlled use of external providers depending on their approval status;
b. maintain a register of its external providers that includes approval status (e.g., approved, conditional, disapproved) and the scope of the approval (e.g., product type, process family);
c. periodically review external provider performance including process, product and service conformity, and on-time delivery performance;
d. define the necessary actions to take when dealing with external providers that do not meet requirements;
e. define the requirements for controlling documented information created by and/or retained by external providers.

8.4.2 Type and extent of control

Does the organization ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers?

Does the organization:
a) ensure that externally provided processes remain within the control of its quality management system?
b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output?
c) take into consideration:
1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements?
2) the effectiveness of the controls applied by the external provider;
3) the results of the periodic review of external provider performance (see 8.4.1.1 c);
d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements?

Verification activities of externally provided processes, products, and services shall be performed according to the risks identified by the organization. These shall include inspection or periodic testing, as applicable, when there is high risk of nonconformities including counterfeit parts.

NOTE 1: Customer verification activities performed at any level of the supply chain does not absolve the organization of its responsibility to provide acceptable processes, products, and services and to comply with all requirements.
NOTE 2: Verification activities can include:
− review of objective evidence of the conformity of the processes, products, and services from the external provider (e.g., accompanying documentation, certificate of conformity, test documentation, statistical documentation, process control documentation, results of production process verification and assessment of changes to the production process thereafter);
− inspection and audit at the external provider’s premises;
− review of the required documentation;
− review of production part approval process data;
− inspection of products or verification of services upon receipt;
− review of delegations of product verification to the external provider.

When externally provided product is released for production use pending completion of all required verification activities, it shall be identified and recorded to allow recall and replacement if it is subsequently found that the product does not meet requirements.
When the organization delegates verification activities to the external provider, the scope and requirements for delegation shall be defined and a register of delegations shall be maintained. The organization shall periodically monitor the external provider’s delegated verification activities.

When external provider test reports are utilized to verify externally provided products, the organization shall implement a process to evaluate the data in the test reports to confirm that the product meets requirements. When a customer or organization has identified raw material as a significant operational risk (e.g., critical items), the organization shall implement a process to validate the accuracy of test reports.

EN ISO / IEC 80079-34:
a) for purchased processes, products and services that can compromise the Type of Protection, the manufacturer shall determine and implement verification arrangements which demonstrate the product’s compliance with the certificate, considering the nature of the product and the nature of the external provider;
b) when deciding what type of verification is required for a particular purchased process, product or service, the manufacturer shall consider the nature of the purchased product, the external provider, and how critical it is to the Type of Protection. In considering whether the external provider should carry out the verification, the manufacturer should consider the results of their evaluation carried out under 8.4.1. The decision should reflect the competence of the external provider, including whether they have a quality management system that covers the activity, the resources, e.g. equipment, and the people with sufficient skill and experience to do it. This latter point is particularly significant when judgement is required, such as when inspecting a flameproof casting.
When the manufacturer elects to have the external provider carry out test or inspection that is relevant to the Type of Protection, the product may be supplied with a declaration of conformity that confirms it has been done;
c) where the external provider has been evaluated and documented objective evidence has been obtained to demonstrate that the external provider is fully capable of producing and verifying the process, product or service, no further verification of the process, product or service is required, if a declaration of conformity is supplied for each batch or product;
d) where the certificate specifies routine tests or inspections, these shall be carried out on each and every product. They may be carried out by either the external provider or the manufacturer. When carried out by the external provider they shall be specified on the purchasing documents, e.g. by a quality plan, and confirmed by the external provider e.g. by a declaration of conformity including test results, if required;
e) where verification of a purchased product cannot be carried out after manufacture, e.g. the internal parts of an encapsulated intrinsically safe circuit, then the product shall only be accepted if supplied with a declaration of conformity. This shall specifically state compliance to the purchase documents, e.g. a quality plan, that lists the factors that together demonstrate conformity of the product;
f) where sample inspections or tests are permitted, they shall be conducted in a manner which demonstrates conformity of the entire batch;
g) where either the external provider or the manufacturer requires training or specialist skill or knowledge to carry out a verification, then the training material, specialist skill, knowledge or background shall be documented and training records maintained;
h) where the manufacturer chooses not to carry out inspections and tests at its own premises, then inspections and tests shall be performed on the external provider’s premises under the responsibility of the manufacturer;
i) where an external provider provides product with evidence of conformity applicable to use in an explosive atmosphere, (e.g. certificate), then further verification is not required unless the manufacturer considers it necessary;
j) Where a verification of purchased product is relative to material (metals, alloys, nonmetallic parts, resins and similar), a specific analysis certificate or declaration shall be
k) One of the following processes shall be used to verify the continued conformity of the materials critical to the applied Type of Protection, used in the production of the Ex Products:
1) Review the Declaration(s) of Conformity from the external provider of the material within the supply chain that can impact the material characteristics; as applicable; to demonstrate that the material used in the production of the Ex product is in accordance with the schedule drawings.
2) Review the material manufacturer’s confirmation that the material maintains the particular material properties of concern; e.g. flammability, CTI, RTI, or UV resistance, chemical composition, physical properties.
3) Review the material manufacturer’s process and data for the validation of material characteristics.
4) Confirmation that equipment testing, necessary to confirm the material is in accordance with the certificate or schedule drawings, is repeated as required.
Alternative processes may be utilized if it can be demonstrated that they provide the same level of conformity. Receipt or acceptance of a declaration of conformity does not

8.4.3 Information for external providers

Does the organization ensure the adequacy of requirements prior to their communication to the external provider?

Does the organization communicate to external providers its requirements for:
a) the processes, products and services to be provided including the identification of relevant technical data (e.g., specifications, drawings, process requirements, work instructions);
b) the approval of:
1) products and services?
2) methods, processes and equipment?
3) the release of products and services?
c) competence, including any required qualification of persons?
d) the external providers’ interactions with the organization?
e) control and monitoring of the external provider’s performance to be applied by the organization?
f) verification or validation activities that the organization, or its customer, intends to perform at the external provider’s premises?
g) design and development control;
h) special requirements, critical items, or key characteristics;
i) test, inspection, and verification (including production process verification);
j) the use of statistical techniques for product acceptance and related instructions for acceptance by the organization;
k) the need to:
− implement a quality management system;
− use customer-designated or approved external providers, including process sources (e.g., special processes);
− notify the organization of nonconforming processes, products, or services and obtain approval for their disposition;
− prevent the use of counterfeit parts (see 8.1.4);
− notify the organization of changes to processes, products, or services, including changes of their external providers or location of manufacture, and obtain the organization’s approval;
− flow down to external providers applicable requirements including customer requirements;
− provide test specimens for design approval, inspection/verification, investigation, or auditing;
− retain documented information, including retention periods and disposition requirements;
l) the right of access by the organization, their customer, and regulatory authorities to the applicable areas of facilities and to applicable documented information, at any level of the supply chain;
m) ensuring that persons are aware of:
− their contribution to product or service conformity;
− their contribution to product safety;
− the importance of ethical behavior.

EN ISO / IEC 80079-34:
a) the purchasing documents shall clearly describe the specific requirements pertaining to externally provided product set out in the certificate and the technical documentations (e.g. for process control, testing or inspection);
NOTE For particular types of product e.g. castings, machined items and assemblies, the purchasing documents commonly include specific references to required drawings, test procedures, inspection procedures, material certificates, test reports and Declarations of Conformity.
b) for items where conformance cannot be verified after manufacture (e.g. encapsulated intrinsically safe circuits), the purchasing information shall set out the specific quality procedures, resources and sequence of activities relevant to the particular item;
c) the manufacturer shall define the method by which documents e.g. technical specifications, stated in a particular purchase order remain traceable to the order;
d) where the manufacturer does not provide such documents with subsequent orders, then the manufacturer shall have documented procedures for ensuring that external providers have current copies of documents and that their integrity be maintained.
