8.4.2、控制类型和程度

组织应确保外部提供的过程、产品和服务不会对组织稳定地向顾客交付合格产品和服务的能力产生不利影响。

组织应：

a）确保外部提供的过程保持在其质量管理体系的控制之中；

b）规定对外部供方的控制及其输出结果的控制；

c）考虑：

1）外部提供的过程、产品和服务对组织稳定地满足顾客要求和适用的法律法规要求的能力的潜在影响；

2）由外部供方实施控制的有效性。

3）定期评审外部供方业绩的结果（见8.4.1.1c）;

d）确定必要的验证或其他活动，以确保外部提供的过程、产品和服务满足要求。

对外部提供的过程、产品和服务的验证活动应根据组织识别出的风险来进行。当存在不合格品或假冒的零件的高风险情况下，如果可行，验证活动应包括检验或定期测试。

注 1：顾客对任何层次的供应链所做的验证活动都不能免除组织应承担的提供可接受的过程、产品和服务以及符合所有要求的责任。

注 2：验证活动可以包括：

—— 评审从外部供方处获得的过程，产品和服务的符合性的客观证据（如随产品文件、合格证明、测试文件、统计文件、过程控制文件、生产过程验证的结果以及对后续生产过程更改的评估）；

—— 在外部供方处的检验和审核；

—— 对要求文件的评审；

—— 评审生产件批准过程的执行情况；

—— 按收货单进行产品检验或服务验证；

—— 对将产品验证委托给外部供方的委托行为进行评审。

当外部提供的产品在全部验证活动完成前被放行用于生产，应对其进行标识和记录，做到如果后续结果发现产品不符合要求，能够对其进行召回和更换。

当组织将验证活动委托给外部供方时，应确定委托的范围和要求，并保持一份委托清单。组织应定期监控外部供方的委托验证活动情况。

当利用外部供方的测试报告来验证外部提供的产品时，组织应运行一个过程来评估测试报告中的数据以确认产品满足要求。当顾客或组织已经识别原材料是一个重要的运行风险时（如关键项目），组织应运行一个过程来验证测试报告的准确性。

8.4.2、Type and Extent of Control

The organization shall ensure that externally provided processes, products, and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

The organization shall:

a. ensure that externally provided processes remain within the control of its quality management system;

b. define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;

c. take into consideration:

1. the potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;

2. the effectiveness of the controls applied by the external provider;

3. the results of the periodic review of external provider performance (see 8.4.1.1 c);

Verification activities of externally provided processes, products, and services shall be performed according to the risks identified by the organization. These shall include inspection or periodic testing, as applicable, when there is high risk of nonconformities including counterfeit parts.

NOTE 1: Customer verification activities performed at any level of the supply chain does not absolve the organization of its responsibility to provide acceptable processes, products, and services and to comply with all requirements.

NOTE 2: Verification activities can include:

—— review of objective evidence of the conformity of the processes, products, and services from the external provider (e.g., accompanying documentation, certificate of conformity, test documentation, statistical documentation, process control documentation, results of production process verification and assessment of changes to the production process thereafter);

—— inspection and audit at the external provider’s premises;

—— review of the required documentation;

—— review of production part approval process data;

—— inspection of products or verification of services upon receipt.

When external provider test reports are utilized to verify externally provided products, the organization shall implement a process to evaluate the data in the test reports to confirm that the product meets requirements. When a customer or organization has identified raw material as a significant risk, the organization shall implement a process to validate the accuracy of test reports.