8.4外部提供的过程、产品和服务的控制
8.4.2、控制类型和程度
组织应确保外部提供的过程、产品和服务不会对组织持续地向顾客交付合格产品和服务的能力产生不利影响。
组织应:
a. 确保外部提供的过程保持在其质量管理体系的控制之中;
b. 规定对外部供方的控制及其输出结果的控制;
c. 考虑:
1. 外部提供的过程、产品和服务对组织持续地满足顾客要求和适用的法律法规要求的能力的潜在影响;
2. 由外部供方实施控制的有效性;
3. 定期评审外部供方业绩的结果(见8.4.1.1 c)
4. 确定必要的验证或其他活动,以确保外部提供的过程、产品和服务满足要求。
外部提供的过程、产品和服务的验证活动应根据组织识别的风险执行。当有不合格含仿冒件的高风险时,适用时,应包括检验或定期试验。
注1顾客对供应链的任何层次所做的验证活动不能免除组织提供可接受的过程、产品,和服务及符合所有要求的职责。
注2验证活动可以包含:
—— 从外部供方处获得过程、产品、和服务符合性的客观证据(例如:随产品文件,合格证明,试验文件,统计文件,过程控制文件,生产过程验证的结果和之后生产过程更改的评估);
—— 在外部供方的检验和审核;
—— 对要求的文件的评审;
—— 生产件批准过程数据的评审;
—— 接收时对产品的检验或者对服务的验证;
—— 对外部供方生产验证代表的评审。
在等待所有要求的验证活动完成期间,外部提供的产品如被发放用于生产,应对其进行标识和记录以便如果其随后的验证结果发现产品不满足要求时能召回和更换。
在组织授权外部供方进行验证活动时,应规定授权的范围和要求并保持授权人员登记表。组织应定期监控外部供方的授权验证活动。
当使用外部供方试验报告来验证外部提供的产品时,组织应实施评估试验报告中的数据以确认产品满足要求的过程。当客户或者组织识别原材料存在重大运行风险(例如:关键项目),组织应实施确认试验报告准确性的过程。
8.4.2、Type and extent of control
The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.
The organization shall:
a. ensure that externally provided processes remain within the control of its quality management system;
b. define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;
c. take into consideration:
1. the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;
2. the effectiveness of the controls applied by the external provider;
3. the results of the periodic review of external provider performance (see 8.4.1.1 c);
d. determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.
Verification activities of externally provided processes, products, and services shall be performed according to the risks identified by the organization. These shall include inspection or periodic testing, as applicable, when there is high risk of nonconformities including counterfeit parts.
NOTE 1: Customer verification activities performed at any level of the supply chain does not absolve the organization of its responsibility to provide acceptable processes, products, and services and to comply with all requirements.
NOTE 2: Verification activities can include:
—— review of objective evidence of the conformity of the processes, products, and services from the external provider (e.g., accompanying documentation, certificate of conformity, test documentation, statistical documentation, process control documentation, results of production process verification and assessment of changes to the production process thereafter);
—— inspection and audit at the external provider’s premises;
—— review of the required documentation;
—— review of production part approval process data;
—— inspection of products or verification of services upon receipt;
—— review of delegations of product verification to the external provider.
When externally provided product is released for production use pending completion of all required verification activities, it shall be identified and recorded to allow recall and replacement if it is subsequently found that the product does not meet requirements.
When the organization delegates verification activities to the external provider, the scope and requirements for delegation shall be defined and a register of delegations shall be maintained. The organization shall periodically monitor the external provider’s delegated verification activities.
When external provider test reports are utilized to verify externally provided products, the organization shall implement a process to evaluate the data in the test reports to confirm that the product meets requirements. When a customer or organization has identified raw material as a significant operational risk (e.g., critical items), the organization shall implement a process to validate the accuracy of test reports.