Clause 8: Operations (Part 2) — External Provision, Production, and Nonconformity

Completing the Operations Clause

Clauses 8.4 through 8.7 complete the operational framework. Clause 8.4 covers control of externally provided processes, products, and services — managing suppliers and outsourced work. Clause 8.5 covers production and service provision control — the day-to-day operational controls that ensure conformity. Clause 8.6 covers release of products and services to customers — the verification that conformity has been achieved before delivery. Clause 8.7 covers management of nonconforming output — how to handle products or services that do not meet requirements. Together with Clauses 8.1 through 8.3, these constitute the complete operational framework for consistent quality production and service delivery.

 

Clause 8.4: Control of Externally Provided Processes, Products and Services

In modern business, most organizations rely on external providers for some portion of their value delivery. Clause 8.4 requires that externally provided processes, products, and services are managed and controlled to ensure they meet organizational requirements. The organization must determine what external provision arrangements exist, what controls are needed for each type, and how to monitor supplier performance.

There are three categories of external provision: (1) outsourced processes that are incorporated into the organization's products or services (for example, PCB assembly subcontracted by an electronics manufacturer), (2) purchased products or services that are incorporated into the organization's final product or service (for example, electronic components, raw materials), and (3) externally provided services delivered directly to the customer (for example, subcontracted installation, logistics, or consulting).

External Provision Type | Example | Required Control Level | Evidence
Outsourced process | PCB assembly subcontracted to external manufacturer | Process audit, product inspection, approved supplier qualification | Supplier audit records, incoming inspection records, quality agreements
Purchased product in final product | Electronic components in device, raw materials in product | Incoming inspection, approved supplier list, technical specifications | Supplier evaluation records, inspection records, supplier performance data
Service delivered to customer | Subcontracted installation, logistics, training | Customer feedback, site supervision, subcontractor KPIs, contract terms | Customer acceptance sign-off, monitoring records, performance metrics
Cloud/SaaS services affecting QMS | QMS documentation system, data storage, communication platform | SLA management, data integrity monitoring, backup verification | SLA reports, backup test records, availability reports

Supplier Controls and Approved Supplier Management

Clause 8.4 requires that the organization evaluates suppliers against defined criteria, maintains an approved supplier list, communicates quality requirements to suppliers, and monitors supplier performance. The evaluation criteria typically include quality capability, delivery reliability, responsiveness, and financial stability. Suppliers must be formally approved before orders are placed (unless they are pre-approved by customer contract). The approved supplier list is a key document in the QMS.

For each supplier, the organization should communicate what quality requirements apply: the specifications for products or services, the quality standards required, the regulatory requirements that must be met, and the organization's right to audit or inspect. The organization must monitor supplier performance through metrics (on-time delivery, defect rate, responsiveness) and conduct periodic supplier audits or assessments. Poor-performing suppliers must be addressed — either through supplier development actions or by finding alternative sources.

 

Clause 8.5: Production and Service Provision

Clause 8.5 specifies the controlled conditions under which production or service delivery must occur. These controlled conditions include documented work instructions and procedures for each significant process, suitable infrastructure and environment for process execution, assignment of competent and authorized personnel, monitoring and measuring activities at appropriate points in the process, implementation of product identification and traceability, customer property protection (when applicable), and prevention of human error through training, procedure, or technology controls.

The production control requirement is not theoretical — it is operational. Auditors will visit the production floor or service delivery location and verify that the work instructions specified in documented procedures are actually being followed, that monitoring activities are being conducted at the specified points, that records of monitoring are being maintained, and that nonconforming output is being identified and managed.

Control Type | Requirement | Indonesian Manufacturing Example
Work instructions | Documented instructions for each significant operation where absence could affect quality | Assembly procedure for each product variant, testing checklist, packaging procedure
Suitable infrastructure | Equipment and facilities appropriate to production/service requirements, properly maintained | Calibrated measurement equipment, clean work areas, maintained tooling, functioning test equipment
Process monitoring | Monitoring at appropriate stages to detect out-of-control conditions | In-process inspection checkpoints, SPC charts for critical parameters, visual inspection standards
Competent personnel | Assignment of trained and competent individuals to work affecting quality | Training records, competence verification, work authorization
Identification and traceability | Clear identification of output throughout production, traceability to source materials | Batch traceability, serial number assignment, batch documentation linking to inputs
Customer property protection | Protection of customer-provided items (drawings, materials, equipment) | Secure storage, tracking, protection from damage, reporting if lost

Clauses 8.6 and 8.7: Release and Nonconforming Output

Clause 8.6 requires that products and services not be released to customers until evidence is available that all requirements have been met. The release must be authorized by a designated person or role, and records of release decisions must be retained. Release without verification of conformity is a major nonconformity.

Clause 8.7 addresses nonconforming output — products or services that do not meet specified requirements. When nonconforming output is identified, it must be controlled to prevent unintended use or delivery. The control includes identifying the nonconforming output clearly, segregating it to prevent mix-up, and determining its disposition. There are four possible dispositions: correction (rework), rejection (scrap), use-as-is (customer concession), or return to supplier.

NCR Disposition | When to Use | Approval Required | Customer Notification
Rework/correction | Nonconformity can be corrected without customer impact; product meets requirements after correction | Internal supervisor approval | Usually not required unless previously delivered
Reject/scrap | Nonconformity cannot be corrected; economically or technically unsalvageable | Management approval | Not required unless customer ownership affected
Use-as-is (concession) | Nonconformity does not affect fitness for intended use; benefits of use outweigh risk of nonconformity | Usually requires customer approval in writing | Required in most cases; document customer approval
Return to supplier | Purchased item is nonconforming; return for credit or replacement | Purchasing approval | Supplier notification required; document communication
Customer notification | Nonconforming output has reached customer or may have quality/safety impact | Top management approval | Required; documented communication; regulatory reporting may be required

Nonconforming Output Management in Practice

The nonconformity report (NCR) process begins when nonconforming output is identified. A simple NCR form typically captures: what is nonconforming (product/service description), why it is nonconforming (the specific requirement not met), who identified it, when it was identified, and initial containment actions. The NCR is assigned to a responsible person, who determines the disposition (correct, reject, use-as-is, return), secures any necessary approvals, and documents the decision.

It is important to distinguish between nonconforming output (Clause 8.7) and nonconformity of the QMS (Clause 10.2). Nonconforming output is a specific product or service instance that does not meet requirements. Nonconformity of the QMS is a failure of a process or procedure within the QMS. These are addressed differently — nonconforming output gets a disposition, while a QMS nonconformity gets a corrective action addressing the root cause.

KEY IDEA: Clause 8.4 (external provider control) is the most commonly underimplemented clause in Indonesian QMS certifications. Organizations maintain an approved supplier list but never monitor supplier performance, never conduct supplier audits, and never revisit supplier qualification decisions. Supplier management is a living process, not a one-time approval exercise. Build supplier scorecards, conduct periodic audits, and track supplier performance as an ongoing QMS activity.

IMPORTANT: Release authority (Clause 8.6) must be clearly defined and documented. Products or services cannot be released to customers without evidence that requirements have been verified as met. "We always check before sending" is not sufficient — the checking activity must be documented in work instructions, the release authority must be named (specific role, not "management"), and the release record must be retained as audit evidence.

BITLION INSIGHT: Indonesian manufacturing organizations frequently struggle with nonconforming output documentation because the NCR process adds perceived administrative burden to already-pressured production lines. The key is building simple, fast NCR documentation into the production workflow — a one-page NCR form completed by the line supervisor takes minutes and provides the audit evidence that certification requires. Integrate NCR reporting into daily production meetings rather than treating it as a separate bureaucratic process.