Supplier management under clause 8.4

ISO 9001:2015 clause 8.4 was among the most strengthened in the 2015 revision. It requires controlling externally provided products, services and processes when they affect own-product conformity. Most companies still rely on an annual evaluation form. Seasoned auditors spot it in minutes.

What clause 8.4 requires

Three sub-requirements:

8.4.1 General. Establish criteria to evaluate, select and re-evaluate suppliers.
8.4.2 Type and extent of control. Control must be proportional to supplier impact on conformity.
8.4.3 Information for suppliers. Communicate product, process, competence, interaction requirements.

The critical point is 8.4.2: a Tier 1 supplier can't have the same control as the stationery provider.

Criticality classification

Three levels work well:

Critical. Failure stops production or impacts product safety. Typically single-source components, regulated services (calibration, NDT), outsourced special processes (welding, heat treatment).

Important. Failure impacts quality or timeline but alternatives exist. Standard raw materials with second sources, major-maintenance services.

Non-critical. Failure doesn't affect the QMS. Stationery, catering, general cleaning.

80% of the 8.4 effort goes to critical and important suppliers. The rest needs minimum documented control.

Initial evaluation

An annual form isn't an evaluation. Initial evaluation of a critical supplier typically includes:

Supplier certifications (ISO 9001 or sector-specific)
On-site second-party audit (at least for critical)
Sample parts with documented inspection
Technical and financial capacity review
Signed quality agreement with SLAs

This evaluation takes 2 to 6 weeks by criticality. It's not done by email.

Continuous monitoring

Control level during the relationship must be proportional:

Critical: monthly KPIs (OTD, PPM, claims), quarterly joint review, system audit every 2 years
Important: quarterly KPIs, annual reevaluation
Non-critical: reevaluation every 3 years or on incident

Typical KPIs: on-time delivery, dimensional conformity, complete documentation, nonconformity response.

Information to suppliers

Clause 8.4.3 requires communicating expectations. Documents that must exist:

Technical specification of product or service
Applicable quality requirements (including standard if any)
Personnel qualification requirements
Frequency and method of supplier interaction
Controls the supplier must apply

Without these, 8.4.3 isn't met, even if the supplier delivers well.

Outsourced processes

Process outsourcing (not just product purchase) has additional requirements. Galvanizing, painting, testing, calibration done off-site is an outsourced process. The standard requires equivalent control to internal: process validation, operator competence, execution records.

What to do this week

Classify your top 20 suppliers as critical/important/non-critical. For critical ones, verify you have updated clause 8.4.3 documents. If more than two don't, that's the silent risk that will appear in the next external audit.

What clause 8.4 requires

Three sub-requirements:

8.4.1 General. Establish criteria to evaluate, select and re-evaluate suppliers.
8.4.2 Type and extent of control. Control must be proportional to supplier impact on conformity.
8.4.3 Information for suppliers. Communicate product, process, competence, interaction requirements.

The critical point is 8.4.2: a Tier 1 supplier can't have the same control as the stationery provider.

Criticality classification

Three levels work well:

Critical. Failure stops production or impacts product safety. Typically single-source components, regulated services (calibration, NDT), outsourced special processes (welding, heat treatment).

Important. Failure impacts quality or timeline but alternatives exist. Standard raw materials with second sources, major-maintenance services.

Non-critical. Failure doesn't affect the QMS. Stationery, catering, general cleaning.

80% of the 8.4 effort goes to critical and important suppliers. The rest needs minimum documented control.

Initial evaluation

An annual form isn't an evaluation. Initial evaluation of a critical supplier typically includes:

Supplier certifications (ISO 9001 or sector-specific)
On-site second-party audit (at least for critical)
Sample parts with documented inspection
Technical and financial capacity review
Signed quality agreement with SLAs

This evaluation takes 2 to 6 weeks by criticality. It's not done by email.

Continuous monitoring

Control level during the relationship must be proportional:

Critical: monthly KPIs (OTD, PPM, claims), quarterly joint review, system audit every 2 years
Important: quarterly KPIs, annual reevaluation
Non-critical: reevaluation every 3 years or on incident

Typical KPIs: on-time delivery, dimensional conformity, complete documentation, nonconformity response.

Information to suppliers

Clause 8.4.3 requires communicating expectations. Documents that must exist:

Technical specification of product or service
Applicable quality requirements (including standard if any)
Personnel qualification requirements
Frequency and method of supplier interaction
Controls the supplier must apply

Without these, 8.4.3 isn't met, even if the supplier delivers well.

Supplier management under clause 8.4

What clause 8.4 requires

Criticality classification

Initial evaluation

Continuous monitoring

Information to suppliers

Outsourced processes

What to do this week

Keep reading

End-to-end traceability without spreadsheets

Operational control: from SOP to automated record

Internal communication that doesn't drown in email

Supplier management under clause 8.4

What clause 8.4 requires

Criticality classification

Initial evaluation

Continuous monitoring

Information to suppliers

Outsourced processes

What to do this week

Keep reading

End-to-end traceability without spreadsheets

Operational control: from SOP to automated record

Internal communication that doesn't drown in email