In the automotive industry, as in many others, the supply chain can make or break a business’s profitability.  OEMs have indicated that the major of root cause of rejections, warranty concerns and yard holds traced back to failures of supplied parts and components.  With this, the IATF has recognized the need to enhance the requirements related to supplier selection, development and monitoring.

However, this does allow the Organization to become the Customer and implement controls and monitoring of the Supply Chain. The article includes the Supplier Management process from Supplier selection through 2nd party Audits. Each Section includes the Customer Specific Requirements from Ford, GM and FCA to help the Organization understand and integrate these requirements in to their Quality Management system.

Supplier quality starts with picking the right supplier – Supplier Selection Process (IATF

The OEM’s have long recognized the importance of supplier selection, and have flowed this down to the supply chain in related Customer Specific Requirements.

FCA requires: ”that the Organization conduct an on-site Process Audit (or equivalent) and Production Demonstration Run (PDR) for all Parts/suppliers that are NOT considered by FCA US or the organization to be low risk to the vehicle program. In this case, the Organization would need to communicate with FCA to determine what’s considered a “High Risk” Supplier. FCA also required the Organization to develop and maintain a list of approved suppliers for each sub-component, raw material, commodity, technology, or purchased service that is not Consigned or Directed by FCA US. The Organization shall have a documented process and use assigned personnel to monitor and manage performance.”

Ford requires that the Organization’s supplier selection process should include evaluation of the supplier’s supply chain management system. “The Organization shall complete a financial assessment of the supply chain at a minimum annually, in conjunction with the annual audit program (see of IATF 16949), not just at the initial supplier selection.”

General Motors has no specific requirements for Supplier Selection.

Section of IATF is basically a checklist of the requirements for initial Supplier selection. There are 5 “Shall” requirements and several other requirements that have leeway in implementation. The Organization should need to know their Suppliers’ process for change management and adequacy of available resources. Volume of Automotive Business, financial stability and business continuity planning are also valuable considerations when selecting a Supplier. Customer-directed sources (also known as “Directed–Buy”)

OEM’s have required the Organization to purchase product/components/services from sources determined by the OEM. In these cases, all the requirements of IATF section 8.4 are required with the exception of the Supplier Selection process – meaning that directed buys do not alleviate the Organization from the responsibility of monitoring supplier performance or taking action when performance does not meet requirements.

When required by the contract with Ford, the organization shall obtain approval from Ford Motor Company prior to sourcing sub-tier suppliers. The Organization is also asked to contact the Ford Buyer.

FCA requires that when the organization receives Directed parts or materials, the organization is responsible for managing the on-going quality of the supplier components following PPAP, working with FCA US to resolve issues.

General Motors has no specific requirements for this process.

In any case, when the Organization has a significant concern with an OEM directed buy source, they are encouraged to do all due diligence in resolving the concern and bring them to the attention of the OEM.

8.4.2 Type and extent of control

This would be any product, material or component that is received from either an internally selected supplier or directed buy source. This would be any product, material or component that is received from either an internal or directed buy source and forwarded to the OEM. The Organization is responsible to validate that appropriate controls are in place at the point of manufacture to ensure the quality of the product.

Ford clarifies that the organization “shall have incoming product quality measures and shall use those measures as key indicators of sub-tier supplier product quality management.”

FCA and General Motors have no additional clarifications. Statutory and regulatory requirements

When the Customer defines special controls for certain products with statutory and regulatory requirements, the organization needs to ensure they are implemented and maintained as defined, including at suppliers.

Ford has determined that “applicable regulations shall include international requirements for export vehicles as specified by Ford Motor Company, e.g. plastic part marking (E-4 drafting standard –WSS-M99P9999-A1 and European End of Life of Vehicle (ELV) –available on FSP (Ford Supplier Portal ). Material reporting requirements for ELV are specified by WSS-M99P9999-A1 under “Important Documents”.

FCA and General Motors have no additional clarifications. Supplier quality management system requirements

This requirement has probably had the most discussion on the Organizations’ responsibility for Supplier Development. The IATF and the OEMs are basically requiring the Organization to set minimum requirements for a Quality Management System for Suppliers and develop them to an IATF based system.

Previously issued IATF Sanctioned Interpretations (June 2018) also addressed this issue. The Organization is encouraged to develop the Supplier with the ultimate objective of eligible organizations becoming certified to IATF 16949. Using a risk-based model, the organization shall define a minimum acceptable level of QMS development and a target QMS development level for each supplier. The key phrase here is “Risk Based”. Once the Risk to the Organization and the Customer has been established and documented, the development process may begin. The Organization has several options to meet this requirement. 3rd party Certification to IATF or ISO 9001, 2nd Party Audits or certification to ISO 9001 with compliance to other customer-defined QMS requirements (such as Minimum Automotive Quality Management System Requirements for Sub-Tier Suppliers [MAQMSR] or equivalent) through second-party audits.

Ford is a little more prescriptive:

“Where a sub-tier supplier is not third party certified to ISO/TS 16949, Ford reserves the right to require the organization to ensure sub-tier supplier compliance with the “Minimum Automotive Quality Management System Requirements for Sub-tier Suppliers” available through Evidence of effectiveness shall be based on having a defined process and implementation of the process including measurement and monitoring. Where any organization has sub-tier suppliers not third party certified to ISO/TS 16949, the organization is encouraged to require sub-tier supplier compliance with the “Minimum Automotive Quality Management System Requirements for Sub-tier Suppliers”.

FCA is very specific on their expectations:

“ Supplier QMS development effectiveness shall be evaluated on the basis of evidence that the

organization has processes in place that include such elements as:

  • Supplier QMS development strategy (, using risk-based thinking to establish:
  • Minimum and target development levels for each supplier.
  • Criteria for designating “exempt” suppliers.
  • Criteria for granting waivers to select suppliers for compliance to specified elements of
  • ISO 9001 or IATF 16949.
  • Second-party audit administration (
  • Identification of second-party auditors.
  • Criteria for granting self-certification status to qualified suppliers.
  • A schedule for second-party audits.
  • Organization-controlled record keeping (
  • Progress monitoring.

At a minimum, the organization shall require their non-exempt suppliers to demonstrate compliance to

ISO 9001 and MAQMSR.

NOTE: Organizations requiring additional guidance on supplier QMS development should refer to CQI-

19: Sub-tier Supplier Management Process Guideline.

Minimum Automotive Quality Management System Requirements for Sub-Tier Suppliers (MAQMSR)

The organization shall prioritize the QMS development program for non-exempt suppliers to introduce

compliance to the Minimum Automotive Quality Management System Requirements for Sub-Tier

Suppliers (MAQMSR), as the first step beyond compliance with ISO 9001 or certification to ISO 9001.

Ship-Direct Suppliers

Organizations may, with FCA US Purchasing concurrence, identify a supplier location within FCA

Purchasing systems as an organization manufacturing site. (Such a designation allows direct shipment

of manufactured goods to FCA US). Unless otherwise specified by FCA US, such sites shall be subject

to the registration requirements described in Section 1.2.

In the event that FCA US chooses to grant such a supplier site an exemption to IATF 16949 registration,

  • The site shall receive the highest priority for QMS development.
  • The site shall not be designated “exempt”, or a “waiver” shall not be granted, without the written

concurrence of FCA US Supplier Operations.

Suppliers Certified to IATF 16949

Supplier QMS certification by an IATF-recognized Certification Body to IATF 16949 completely satisfies

the requirements for quality management system development. Further QMS development by the

organization is not required while the supplier’s certification is valid.

If the supplier certification expires or is cancelled or withdrawn by their Certification Body, the

organization shall establish and implement a plan for second-party audits to ensure continued

compliance to IATF 16949 until the supplier is recertified.

Exemption shall not be granted as an alternative to recertification without approval from FCA US

Supplier Operations management.”


General Motors requirements for

“This clause applies to suppliers of the organization who are providers of: a) production materials, b) production, service, and accessory parts, or c) heat treating, plating, painting or other finishing services.

This clause does not apply to indirect or providers of services that add no manufacturing value which include, but is not limited to distributors, logistics, sequencers, parts packagers, tooling and equipment.” Automotive product-related software or automotive products with embedded software

None of the OEMs have any specific requirement for these Suppliers. Any 2nd Party auditor of the Organization would need to have this particular skill set to perform an effective 2nd party Audit. Supplier monitoring

Most Organization have been doing this in one form or another since the QS9000 days. The enhancements have served to better determine risks and become an input for the Supplier Development process.

Ford’s expectation is 100 % On-Time Delivery: “In support of Ford’s expectation of 100% on-time delivery, the organization shall also require 100% on-time delivery from sub-tier suppliers. The organization shall communicate any delay or risk to the affected Ford customer.

FCA and General Motors have no additional Requirements. Second-party audits

There are a lot of different approaches to meeting the intent of this process. Some Clients have developed and extensive 2nd Party Audit system and others have struggled with the costs and question the value-add of the requirement.

Let’s start with the first Step: 2nd Party Auditor Competency. There are a lot of expectations for a 2nd Party Auditor. Automotive Process Approach, Risk Based thinking, knowledge of OEM Customer Specific Requirements and Core Tools are minimum competencies. The auditor will also need to be competent in the type of manufacturing at the Supplier.

Surprisingly, neither Ford, FCA nor General Motors have any specific requirements for 2nd Party Auditor Competency.

Determining the need for a 2nd Party audit is the responsibility of the Organization based on a risk analysis, including product safety/regulatory requirements, performance of the supplier, and QMS certification level, at a minimum, the organization shall document the criteria for determining the need, type, frequency, and scope of second-party audits.

FCA has several requirements for 2nd Party Audits including duration and self-certification.

“The second party must annually audit each non-exempt supplier for whom it has performed the second party service.

For suppliers not certified to ISO 9001, the duration of these audits must conform to the full application of the audit day requirements of the Rules, Section 5.2. For ISO 9001 certified suppliers, audit length may vary to suit individual supplier requirements and audit resource availability in accordance with the documented development strategy.

Audit reports shall be retained as organization-controlled records (

The following second party qualifications shall apply:

  1. The organization must be certified to IATF 16949:2016 by an IATF-recognized Certification


  1. The IATF 16949 certification of the second party cannot be in “suspended” status.

Supplier self-certification

If the organization has suppliers for whom self-certification is an effective alternative to second-party audits for QMS development, the organization shall have a documented process for identifying and qualifying self-certifiable suppliers. Qualification criteria shall include a preliminary evaluation (audit) of the supplier’s QMS, an analysis of the supplier’s quality performance and an assessment of the incremental risk to organization products.

Self-certification qualifications shall be documented and subject to periodic review. Such documents shall be managed as organization-controlled records (”

General Motors also has some specific expectations for 2nd Party audits including duration.

“ Second-party auditors performing QMS audits must meet the requirements in clause 7.2.4 Second-Party Auditor Compliance in IATF 16949:2016 plus meet these additional requirements:

  1. The organization must be IATF 16949:2016 certified and not on suspension.
  2. The Second Party Auditor must be a qualified ISO Lead Auditor, or a qualified internal auditor with evidence of their successful completion of training, and a minimum of five internal ISO/TS 16949:2009 and/or IATF 16949:2016 audits under the supervision of a qualified lead auditor.


The organization may conduct (2nd party) audits of their supplier per their supplier development risk management analysis.

For initial certifications, the first second party audit should use the initial audit days from Table 5.2*. For subsequent second party audits use the recertification days Table 5.2*.

*See Automotive Certification Scheme for IATF 16949, Rules for Achieving and Maintaining IATF Recognition, section 5.2, Table 5.2 Minimum audit days.

The second party audits shall identify an acceptable passing level and include a scoring or ranking to determine which suppliers have passed. The organization shall have documented evidence that they review and follow up on all non-conformances identified in the second-party audit with the intent to close these non-conformances.” Supplier development

There are several inputs for this process including supplier monitoring results, 2nd and 3rd Party audits and the all-important risk analysis.

FCA requires a strategy for “Exempt” Supplier and the Organization is still required to ensure the quality of the provided product or service.

“ The organization strategy for supplier development of its active suppliers shall include a documented process for designating “exempt” suppliers – those suppliers who are unable or unwilling to fully certify a quality management system to IATF 16949 or ISO 9001.

The organization development strategy shall include provisions for granting partial exemptions (“waivers”) to suppliers providing commodities for which specific sections of ISO 9001 or IATF 16949 do not apply. Except as noted in Section, declaring a supplier as “exempt” does not relieve the organization of the responsibility for supplier QMS development for any sections of ISO 9001 or IATF 16949 not explicitly waived. Supplier development prioritization, exemption and waiver decisions, as well as the scope of individual exemptions or waivers, shall be documented and subject to periodic review. This documentation shall be retained as an organization-controlled record.”

General Motors has a more common sense approach.

“When a supplier to an organization is so small as to not have adequate resources to develop a system according to IATF 16949:2016 or ISO 9001:2015, certain specified elements may be waived by the organization. The organization shall have decision criteria for determining “specially designated small suppliers”. Such decision criteria shall be in writing and applied consistently in the application of this provision. The existence and use of such decision criteria shall be verified by 3rd party auditors.

NOTE 1: ISO 9001:2015 and IATF 16949:2016 Minimum Automotive Quality Management System Requirements for Sub-Tier Suppliers contain fundamental quality management system requirements of value to any size of provider of production materials, production, service, and accessory parts, or heat treating, plating, painting or other finishing services. There are a number of methods to implement a compliant system, so it is recognized that a simpler Quality Management System approach could be used for the smaller suppliers of organizations to which IATF 16949:2016 clause applies.

NOTE 2: “Small” may also refer to volume supplied to automotive.”

Ford has no additional requirements for this process.

There are several things an Organization need to take in to consideration. Not just from getting ready for a DQS IATF Audit, but for the benefit to the Organization.

  • Determine the risk that each of supplied product/component / material has on both the Organization and the Customer
  • Document your decision process
  • Verify with your Customer their expectations for the Supplier Development process.
  • Determine any Supplier that may be Exempt and document the decision process and evidence of concurrence with your Customer.
  • Communicate the Organizations expectations to all Suppliers and verify implementation either by an on-site 2nd Party audit or the other options allowed by your Customers.
  • Document all these decisions and be prepared to present your evidence at your IATF DQS Audit.
Chuck Blair

Chuck Blair, Automotive Program Manager for DQS Inc., has 25 years of professional experience in the fields of Automotive related manufacturing and IATF 16949. He is a lead auditor of ISO 9001, IATF 16949, ISO 14001, ISO 45001, and OHSAS 18001. Additional qualifications include IATF Veto Power Reviewer, Competency Verifier, Qualifier and DQS Corporate Auditor. Chuck supports automotive clients' continual improvement and variation reduction to minimize risk in this sector.