If any clause in ISO 9001 has increased in importance since the release of the standard’s 2000 edition, it must be subclause 7.4 on purchasing. Not that the relative importance of the words has changed, but rather purchasing and outsourcing have become much more common and important in our day-to-day business. So the relatively small subclause on controlling purchasing may be much more important now than it was back in 2000. (I addressed outsourced processes in my May column, “Is a Controlled QMS Possible?” More about them later.)

The requirements described in ISO 9001’s subclause 7.4.1 on the purchasing process permit an organization to decide the “type and extent of control” to be used for purchasing. The organization’s selection of controls should be based on the effect of the purchased material or services on the product realization processes and on the finished products delivered by the organization to its customers. If purchased materials or services have little effect (e.g., a threaded fastener that’s used inside a noncritical subassembly), then minimal control is needed.

If purchased materials or services have a high potential effect on either the final product or the realization processes, then more robust control is required. If, for example, the fastener mentioned previously is used for connecting aircraft fuselage sections together, then the controls will be more extensive than if the bolt is used in a noncritical application.

When determining the nature of the necessary controls, an organization must consider customer, regulatory, industry, and other appropriate requirements applicable to the specific procurement. ISO 9001’s intent is to require the organization to think about what makes sense from the customer’s perspective. There’s certainly a need to consider these controls from a business perspective, also. Controls must meet external requirements while being cost-effective.

ISO 9001 also requires an organization to evaluate suppliers, and to define the criteria used to select and periodically reevaluate them. These evaluations should focus more on obtaining conforming material and services than on maintaining approved-supplier lists. During the past two years, the failure to conduct professionally planned and routine follow-up evaluations has embarrassed and financially damaged several large organizations . Proper planning and an attitude of prevention can keep this from happening to you.

In addition to providing general requirements for purchasing-control processes, ISO 9001 also requires simple, specific controls of purchasing documents and verification of purchased product.

Subclause 7.4.2 on purchasing information requires that purchasing documents such as purchase orders clearly communicate to suppliers what the organization wants to purchase. This subclause also requires organizations to control how purchase documents are issued. A process is required to ensure that purchasing documents adequately state all the requirements for items to be purchased. This could be as simple as a sign-off of a purchase order, or a process with several checkpoints that might involve several layers of review and approval. Perhaps the more complex process might be used for high-value or high-risk purchased items, while the same organization may use a simpler process for noncritical and inexpensive items. In any case, the process is often embedded in the web-based purchasing systems commonly in use today.

ISO 9001, subclause 7.4.3 on verification of purchased product has two distinct requirements. The first is to verify purchased material to ensure that it conforms to requirements. Second, subclause 7.4.3 requires that if verification is needed at a supplier’s facility, the purchase documents must provide the verification arrangements and method of product release in the purchasing information.

ISO 9001’s subclause 4.1 requires an organization to control processes it chooses to outsource to another organization. Although subclause 7.4 on purchasing doesn’t directly address outsourced processes, the purchasing rules can certainly be applied to outsourced processes.

Controls in these areas have become a critical consideration for quality professionals and top managers when developing the organization’s quality management system. Choosing, implementing, and sustaining proper controls in this area can be critical to business success.

For further information on this subject, see Chapter 7 of ISO 9001:2000 Explained, Second Edition, by Charles A. Cianfrani, Joseph J. Tsiakals, and me (ASQ Quality Press, 2001).