ISO9001 and the Type and Extent of Controls

 ISO9001:2015 Clause 8.4.2 is all about expanding on what type of controls and the extent that you need to manage these controls on your suppliers to ensure that they meet the necessary requirements to deliver you good products or services in line with your requirements and that their processes don't adversely impact your products or services. It does have that nasty word SHALL in the clause so again you need to do this one to comply, here are the key points

Control is within the Quality Management System

The controls of the external provider or process are within the organisations Quality Management System, what does this mean? Well if you followed through on ISO9001:Clasue 8.4.1 then you have these things in place, you just need to follow through on what you have defined there and apply it to your suppliers.

Define Controls Applied to External Providers Resulting Outputs

Again, if you followed through on Clause 8.4.1 properly you already comply to this where you defined the controls that you would use to ensure your supplier meets what you want. As long as you also follow through on the evaluation parts then you will comply.

Consider the Impacts on Customer or Legal Requirements

 You must consider the impacts of the external supplier's processes on any Customer or legal requirements that you need to meet, for example your customer may have specified ethical sourcing of parts so you need to look at your suppliers and ensure they can guarantee this and of course prove it! There may also be clauses within your customers agreements that mean that while you can use a supplier they cannot use an 3rd tier supplier and so on.

Consider The Effectiveness of Controls For External Providers

Here you are looking at how well the controls that you as an organisation is putting in place will be robust enough to ensure effective control stays in place without you needing to step in with remedial action. You can look at this as a form of risk assessment of your controls, what happens if this isn't robust enough?

Determine Verification activities for external provider processes, products and service

Finally, you need decide on what level of verification activity is needed to ensure that the products or services the supplier is providing you meets your requirements. So there are many ways of doing this, but something as simple as say an inwards goods check would do that with checks of quality, quantity and so forth. You can decide at what level this inspection is required, if at all, based on the performance and your confidence levels with the supplier for which of course, you will have recorded supporting documentation.

Summary 

This may seem like a lot of work but at the end of the day it's about ensuring that the quality of your product or service meets both customer and legal requirements. Your customers (or authorities) don't care if your non compliant product fails because of a part a subcontractor made for you, its your name on the box and so it's associated with you. Think about all of the issues over the years with numerous mobile phone manufacturers, or car manufacturers, most of these are actually a result of errors on sub-contractor parts, but when you have to take your car or your phone back for repair, who's name is on your lips?

The process doesn't have to be onerous but it does have to be robust and applied consistently and have the supporting documentation to support the process within the Quality Management System.