Chapter 19: What Clause 8.4 Actually Requires for Externally Provided Processes and Materials

ISO 9001:2015 groups external provision into three categories: products and services you buy, outsourced processes, and outsourced functions. Each category needs a different control strategy—and that's where many Canadian manufacturers stumble. They treat all suppliers the same.
The standard requires that you:
- Establish and document criteria for evaluating and selecting external providers before you hand them a purchase order. This sounds obvious, but criteria for a commodity fastener supplier should look different from criteria for a plastic injection moulder who runs a critical tolerance dimension. Most plants we audit have a generic "we need ISO certification and a clean audit" rule. That's incomplete.
- Define and monitor the specific requirements for each external provider—both what you're buying and the standards of performance you expect. This includes technical specifications, delivery windows, quality expectations, and right of access for your audits.
- Evaluate and re-evaluate performance regularly, not just once at approval. This is the hard part. A supplier who was excellent in 2024 might be cutting corners in 2026 due to cost pressure or staffing changes.
The distinction matters because it shapes your control effort. If you outsource your heat-treating to a local vendor you can visit, you need active monitoring and periodic audits. If you buy catalog fasteners from a distributor, you might skip supplier audits entirely but implement statistical incoming inspection instead.
If a supplier manufactures a product to your design but you've verified their process capability upfront, you might reduce incoming inspection to a visual check and lab testing only on first articles.
Important: ISO 9001 does not require you to approve every supplier through a site audit. What it *requires* is documented evidence of how you decided they were acceptable. That evidence might be a third-party audit report, a desktop review of their quality certifications, historical performance data, or an on-site process audit. The control level must match the risk.
Here's what a defensible selection criteria document looks like in practice:
- Fasteners and standard parts: ISO certification, on-time delivery rate >95%, price competitiveness within 10% of market average, evidence of SPC (statistical process control) for critical dimensions.
- Custom injection-molded components: ISO certification, process capability study (Cpk) data for critical features, documented mold change control, right of access for audits, sample approval letter on first production run.
- Sheet metal and fabrication: ISO certification, tolerance certification or CMM reports for critical features, documented traceability system, on-time delivery rate >92%, evidence of documented corrective action system.
- Outsourced assembly operations: ISO or equivalent certification, documented work instructions aligned to your product drawings, operator training records, audit access, zero tolerance for undocumented changes to the process.
Notice these are *specific and measurable*. "We like working with them" is not a criterion. "They replied quickly to our RFQ" is not a criterion.
Once you've selected a supplier, you need documented records of *how* they were evaluated. That might be a simple approval memo for a low-risk vendor, or a multi-page assessment form that includes site visit notes, document reviews, and a scoring summary. The key is that the effort matches the risk and the record is traceable.
Re-evaluation is where most plants fail. You approved a supplier in 2024, and now it's 2026. Have you checked their performance in the past 24 months? Do you have data on on-time delivery, quality issues, responsiveness to change requests? If not, you're not meeting Clause 8.4(2).
Many plants we work with discover that their "approved" supplier list is out of date—vendors have changed hands, quality has drifted, or they've quietly shifted production to a subcontractor you don't know about. The solution is a documented re-evaluation schedule tied to supplier criticality. A critical supplier might be re-evaluated annually or twice per year. A standard vendor might be re-evaluated every two years based on performance data. The point is that it's scheduled, documented, and linked to actual performance metrics, not just calendar dates.

