AS9100 8.4.1 Supplier Selection/Evaluation criteria and reevaluations

[brekke777]

Hi guys. I'm in the process of making some adjustments to our QMS and one of the areas, due to past external audits and my first internal, is supplier quality. We're a small sized machine shop (30ish) employees. So our providers are typically raw material, hardware, and any special processes (mostly plating, heat treat, paint, and some weld specs we aren't certified to). We do have an approved supplier list but due to some QM turnover, it hasn't been maintained. What I'm here to ask about is if what I have in mind in terms of selection and evaluation criteria, and reevaluations would work to satisfy the standard. Currently there is no stated criteria listed in our QMS for how we select or evaluation vendors. It's stated that external provider perfomance is monitored (which is true in conformity and on time delivery) and reported on during management reviews. What I'd like to do is write up a Supplier Quality procedure, and state the criteria as something along the lines of

Vendors will be approved if they hold a current AS9100 or NADCAP certification. Vendors not currently certified may be approved by the President, and monitored on product or service conformity and OTD.

Luckily this is already the case with most of our product and service providers, I'm in the tedious process of storing a copy of their certifications in our software as a record, and making sure the expiration dates are correct on our approved vendor list. My re-evaluation would be to check our approved vendor list annually and reach out to any vendors who's certification has expired. Between that and an annual review of external providers conformity and OTD, is this enough level of control in your view? I'm trying to keep it lean, as most of our providers have been in business with us for quite some time, and do not contribute very often to nonconformities, but I want to do what is required.

The only other aspect of the standard I have to figure something out on is what to do is what actions to take when external providers do not meet requirements. Luckily we haven't had much trouble but there's no criteria set for what we do. I'm interested to see other peoples opinions on this. I'm thinking something as simple as "2 or supplier corrective action requests send in a 12 month period will cause vendor to be placed on a conditional standing, or provoke an on site visit, I'm not real sure. Any thoughts?

 

[John Predmore]

Section 8.4.1 of AS9100 includes the NOTE: "the organization can use quality data from objective and reliable external sources, (e.g., information from accredited quality management system ... Use of such data would be only one element of an organization’s external provider control process and the organization remains responsible for verifying that externally provided processes, products, and services meet specified requirements" [emphasis added]. That means evidence of AS9100 or NADCAP certification should not be your only qualification.

Section 8.4.2 lists different examples of control over vendors, and your decision should be balanced against risk. Whatever review you say you do in your procedure, be sure a record exists. You stated your QMS allows your President to approve an exception (Vendor not currently certified) but it would be wise to enact additional controls on the exception supplier(s) and the product/service provided, to address risk in line with section 8.4.2. My company wrote a separate Supplier QMS Exception procedure to document in detail how that exception scenario is handled.

 

[brekke777]

Section 8.4.1 of AS9100 includes the NOTE: "the organization can use quality data from objective and reliable external sources, (e.g., information from accredited quality management system ... Use of such data would be only one element of an organization’s external provider control process and the organization remains responsible for verifying that externally provided processes, products, and services meet specified requirements" [emphasis added]. That means evidence of AS9100 or NADCAP certification should not be your only qualification.

Section 8.4.2 lists different examples of control over vendors, and your decision should be balanced against risk. Whatever review you say you do in your procedure, be sure a record exists. You stated your QMS allows your President to approve an exception (Vendor not currently certified) but it would be wise to enact additional controls on the exception supplier(s) and the product/service provided, to address risk in line with section 8.4.2. My company wrote a separate Supplier QMS Exception procedure to document in detail how that exception scenario is handled.

Good points John. Our company has used surveys in the past and I have been trying to move away from them, but it might be an option in one or both of these cases. I've already considered a procedure for the exceptions, glad to see that recommendation as well.

 

[Kronos147]

It may help to keep a log of receipts or methods to measure supplier OTD and Quality. What makes a lot of sense is to use the key metrics used for your organization.

A simpler log may just be issues and or kudos that are used as part of your annual eval.

I just mentioned the use of OASIS on another thread. You can register all of your AS9100 suppliers on your OASIS watch list and issues (decertification) would be communicated to you. It also makes it easy to access their current certificates.

 

[Big Jim]

Section 8.4.1 of AS9100 includes the NOTE: "the organization can use quality data from objective and reliable external sources, (e.g., information from accredited quality management system ... Use of such data would be only one element of an organization’s external provider control process and the organization remains responsible for verifying that externally provided processes, products, and services meet specified requirements" [emphasis added]. That means evidence of AS9100 or NADCAP certification should not be your only qualification.

Section 8.4.2 lists different examples of control over vendors, and your decision should be balanced against risk. Whatever review you say you do in your procedure, be sure a record exists. You stated your QMS allows your President to approve an exception (Vendor not currently certified) but it would be wise to enact additional controls on the exception supplier(s) and the product/service provided, to address risk in line with section 8.4.2. My company wrote a separate Supplier QMS Exception procedure to document in detail how that exception scenario is handled.

First of all I think it a bad practice to approve a vendor based solely on AS9100 or NADCAP certification / accreditation.

But I also must note that notes in the standard are not auditable. You can't audit to a note by itself. Pay attention to the word "should" in the note. Should is a recommendation, not a requirement.

 

[CanadianQA]

First of all I think it a bad practice to approve a vendor based solely on AS9100 or NADCAP certification / accreditation.

Hi Jim,

Can you explain why it is bad practice? AS9100 / NADCAP certification gives a level of confidence that a QMS is in place, processes and customer satisfaction / OTD are being monitored, audits are being done internally and by an independent 3rd party and corrective action processes are in place. Why would it be bad practice to use these sought after certifications as the basis for any vendor approval? What other criteria should companies be using to approve their suppliers in addition to AS9100 / NADCAP approvals?

 

[outdoorsNW]

Even companies with AS9100 can still have big problems. I have not seen the same level of system failures or repeat problems with Nadcap, but we also have fewer requirements to use Nadcap suppliers.

There are several suppliers we are forced to use for various reasons that are AS9100 but they have frequent quality problems. Reasons for continuing to use the problem suppliers include being customer mandated or they provide such specialized services or products they have little to no competition.

There is one outsourced process we purchase where there are only two AS9100 suppliers in the entire US, and one is poor and the other is much worse. The much worse supplier has a great webpage and I suspect the person behind the webpage is able to talk their way out of problems with auditors and customers. If a customer requires an AS9100 certified supplier for this service, we are stuck because most of our work is ITAR.

One supplier has had many problems, including several repeat problems, that indicate system level problems. Their corrective actions, even on problems that could easily affect any and all customers, are awful. I don't understand how they keep their AS9100 certification. Either they have been lucky several times in the audit samples or they have a poor auditor. I think they had better quality in the past which may be how they became the incumbent customer specified supplier.

 

[CanadianQA]

Agreed, that some AS9100 companies are better than others. Some of the reason that the not so good ones are able to keep their certificates may be an uneven application of the rules by the various registrars or even between auditors. I have seen one line corrective actions in OASIS signed off by an auditor that would never have been signed off by the auditor that audits my company.

These things aside, what other criteria would you use if not AS9100 / NADCAP to evaluate and approve a supplier? I've heard others say what Big Jim said a number of times, but no one has ever given me a solid answer as to what would be a better method of evaluating / approving suppliers if not their AS / NADCAP certifications.

 

[Jim Wynne]

Agreed, that some AS9100 companies are better than others. Some of the reason that the not so good ones are able to keep their certificates may be an uneven application of the rules by the various registrars or even between auditors. I have seen one line corrective actions in OASIS signed off by an auditor that would never have been signed off by the auditor that audits my company.

These things aside, what other criteria would you use if not AS9100 / NADCAP to evaluate and approve a supplier? I've heard others say what Big Jim said a number of times, but no one has ever given me a solid answer as to what would be a better method of evaluating / approving suppliers if not their AS / NADCAP certifications.

Visit candidate suppliers and see their processes in operation, and ask questions. There is little or no value in formal audits, but a visit from a person who understands the processes in question can be helpful.

 

[CanadianQA]

Thanks Jim. I agree and have done that with some of our local suppliers, however that type of oversight gets more difficult the further they are geographically from you and will also depend on the budget. Also if your supply base is small (15 - 30 suppliers) that approach will work well, but for companies that have need of a larger number of suppliers, I don't know how realistic it would be to visit each of them.