The company ensures that externally provided processes, products and services conform to requirements. The company determines the controls to be applied to externally provided processes, products and services and when: products and services from external providers are intended for incorporation into the company's own products and services and; products and services are provided directly to the customer by external providers on behalf of the company; a process or part of a process provided by external provider because of a decision by the company; The company shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services and in accordance with requirements. The company retains documented information of these activities and any necessary actions arising from the evaluations.
The company ensures externally provided processes, products and services do not adversely affect the company's ability to consistently deliver conforming products and services to its customers. The company: ensures that externally provided processes remain within the control of its Quality Management System; defines both the controls that it intends to apply to an external provider and those it intends to apply to the resulting outputs; takes into consideration the: potential impact of the externally provided processes, products and services and the company's ability to consistently meet customer and applicable statutory and regulatory requirements; effectiveness of the controls applied by the external provider; determines the verification, or other activities, necessary to ensure that the externally provided processes, products and services and meet requirements.
The company ensures the adequacy of requirements prior to their communication to the external provider. The company communicates to external providers its requirements for: the processes, products and services to be provided; the approval of: products and services and; methods, processes and equipment; release of products and services and; competence, including any required qualification of persons; the external provider’s interactions with the company; control and monitoring of external providers' performance to be applied by the company; verification or validation activities that the company, or its customer, intends to perform at the external provider’s premises.
Oh my. That is a lot to digest. But digest we must. Here is the plain English version…
The elephant in the room is that this clause not only looks at the providers of materials you use in the delivery of your products and services, but also the services you incorporate into the deliver as well. Not a biggy to most, but a shift in thinking never the less.
And ‘control’ you must. How, is up to you. Whilst the standard has imposed a heap of criteria and have mandated retained documented information (records only) it still leaves it up to you. The best advice is to look at all your providers, treat them as an interested party, apply a risk profile and then determine the need for and amount of ‘control’ you will need to remain commercially viable. ‘Horses for courses’ is the key. Then there are the criteria for selection of your providers on these three aspects. Price, quality, service. Please keep in mind you can only have two of these three. Most of this we all do in all commercial transactions, we just need to have it recognised and managed through the quality management system. And if there is reluctance from the wider business stakeholders then the model being proposed / used is not right.
As part of this process look at the entire inventory or project delivery procedures so you establish when the product or service is approved, delivered, released for use, monitored, verified, validated at either the providers premises, your premises, your customers premises and so on.
Once defined, and I do recommend at least a process (automated would be best) if not a documented procedure, you need to communicate these needs and criteria with your providers. Establishing the ground rules, theirs, yours, ours for moving forward.
So here are the main points we need to consider. What is to be sourced from an external provider; How do you select your providers; How do providers provide; What are the criteria of acceptance and release; Communication; What is controlled, monitored, verified, validated and or fixed when it goes off specification. Big words, well quality-speak words, but really very simple words. Just put them into the context of your commercial process around suppliers and inventory management and draw a line. If it works, keep doing it. If it needs modification, start the continuous improvement process and make it work for you.