ISO9001:2015 Clause 8.4 Control of External Processes and Purchased Goods & Materials

[MikeSeymourAtl]

I'm trying to interpret how the requirements for "purchased goods" have changed from 2008 to 2015.

We purchase raw materials / commodities to manufacture our finished product. I get it that what were "purchased goods" are now "external processes", and there is a nuance there that should not be overlooked. BUT, in practical terms, what needs to be changed in our purchasing, receiving, and supplier management function?

My take? We pretty much need to have a good ole control plan ( a la the automotive model) for our purchasing, receiving, and supplier management process. Key sentence here: " ..should define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output. " Which is to say, we (the purchaser) don't necessarily need to crawl inside the vendor's equipment - unless our risk analysis, and the ensuing control plan, dictates that level of granularity. More likely, we will have a document that lists out what we need to monitor, how and who, and what the metrics are.

What do you think?

 

[howste]

Re: ISO9001:2015 8.4 Control of External Processes

... Key sentence here: " ..should define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output. " Which is to say, we (the purchaser) don't necessarily need to crawl inside the vendor's equipment - unless our risk analysis, and the ensuing control plan, dictates that level of granularity. More likely, we will have a document that lists out what we need to monitor, how and who, and what the metrics are.

What do you think?

While I'm not against using a control plan meet this requirement, the 2008 version already stated:

Purchasing information shall describe…
a) requirements for approval of product, procedures, processes and equipment,
b) requirements for qualification of personnel, and
c) quality management system requirements.

and

The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.

Doesn't that already include both the controls applied to the supplier and to the resulting output?

My understanding is that the ISO 9001 changes to this clause include just a little more detail that we may not have had, including:

- As you implied - a requirement to verify conformity of processes from suppliers (pretty much already stated in 2008), not just purchased product. This includes consideration of "the effectiveness of the controls applied by the external provider."
- A requirement to communicate to suppliers your requirements for product release.
- A requirement to communicate to suppliers any required interactions with your organization.
- A requirement to communicate to suppliers your requirements for monitoring their performance.

I think that adding a control plan may be overkill unless you really want to do one for other reasons. I think the first bullet could be addressed in incoming methods or process validations (depending on what is outsourced). The other three bullets could be added to purchase order T&Cs or to individual POs as needed.