In section 7.4 of the ISO 9001:2000 standard, Purchasing, we find the requirement that "the organization shall ensure that purchased product conforms to specified purchase requirements". While this requirement in itself is fairly straightforward, a fair degree of latitude is allowed here regarding the type and extent of the controls necessary, as these are simply stating as being "dependent upon the effect of the purchased product on subsequent product realization or the final product".
While the basics for supplier control may seem fairly rudimentary for those organizations with an established Quality Management System (QMS), I'm providing a basic control scheme below for those organizations that may still need a little help:
1. Identify your suppliers – As simple as this may sound, many organizations have never made a point to establish a comprehensive list of their existing (or potential) suppliers, and those that have often haven't distributed this list to all affected parties within the organization. As most purchasing systems are computerized to some point, this first step should be quite easily to perform. You must define who you're using.
2. Identify what's being provided – Once your suppliers have been identified, it's then necessary to define their scope (what are they providing?). Some organizations use simple supplier classifications such as "distributor", "processor", "manufacturer", etc., while other organizations go to great detail using product-specific descriptions such as "bolts", "flanges", "plate/pipe/sheet", etc. The particular classification used should be defined by organization, and should be appropriate to the organization's specific needs. You must define what you're purchasing.
3. Determine the appropriate controls – Controls should be based on both the item(s) being provided and the historical performance of the supplier that's providing them. Critical items that directly affect the end-product (your product) should be candidates for increased control, as should suppliers that have performed poorly in the past (in some cases, this may include a "ban" or other restrictions placed on some or all items from a particular supplier). In contrast, controls for purchases that are not critical, or for suppliers that have a long history of excellence, may be relaxed to some degree. In all cases however, you must make sure to specify what your purchasing requirements are (grade, class, composition, QMS, etc.), and perform some degree of receiving inspection prior to placing any purchased product into inventory. You must what controls are necessary.
4. Monitor and correct as necessary - Adequate records should maintained to demonstrate the effectiveness of the above controls, and for use in periodically evaluating supplier performance as part of an on-going supplier management program. If nonconforming product or services are identified, they must be addressed directly with the supplier, or the supplier will never be aware there has been a problem. Should problems consistently occur, go back to #3 above, and re-adjust your controls accordingly. You must actively manage your suppliers.
Additional considerations can be used, such as if the supplier has a documented quality program, and if the supplier has ISO registration or similar pedigrees. Such certifications are appropriate to consider, however they are based on periodic assessments of a supplier's quality program, and do not reflect the real-time quality performance of the supplier's organization.