Audit non-compliance - API Spec Q1 9th Ed 5.6.1.2 b

#1
Hello everyone,

I've got a problem with an API Q1 audit.

Description
Initial evaluation of suppliers shall include b) verification of the type and extent of control applied by the supplier, internally and to their supply chain, in order to meet the organization’s requirements

Nonconformance/Concern Description
The process of evaluation of critical suppliers presented in the procedures does not comply with API Q1 requirements.

I showed the supplier evaluation report, but the auditor wrote:
Supplier evaluation report dated 24.12.2019 for critical supplier XXXXXXX
Type and extent of controls applied by the supplier to its supply chain was not verified.

What action can I take in this regard? Could you help me please?
What are you doing to evaluate the supply chain?

Thank you
 
#2
I am interested in what you find out, Nidayes. I am currently writing our initial Purchasing Procedure for API Q2 and the same requirement applies.
 

jmech

Trusted Information Resource
#3
This is a new requirement that was added in Q1 9th Edition Addendum 2 (published June 2018, effective June 2019, so this is probably the first time that you are being externally audited on it). Auditors seem to be writing a lot of findings on it.

This is a "choose your own adventure" requirement. Per 5.6.1.1, your organization shall "maintain a documented procedure" that addresses "type and extent of control applied to the supply chain for critical products, components or activities". You get to define the type and extent of control that you will apply to your supply chain, but per 5.6.1.2, you also have to verify that the supplier is meeting your requirements for controls internally and their supply chain. This verification must occur at your initial evaluation and every re-evaluation (5.6.1.4 now requires re-evaluation to meet the same requirements as initial evaluation).

You get to define both type of control (such as "maintain a calibration procedure") and extent of control (such as direct supplier only, supplier and first tier sub-supplier, or everyone in the supply chain between you and the steel mill but not beyond the steel mill). You can define both the type and extent however you want, but you need to make sure that you can get evidence that you verified this, which makes it difficult if you define the extent to go far past your direct suppliers.

Verifying that organizations have an ISO 9001 certificate is generally not considered to be sufficient verification of type and extent of control - API generally wants more than this, even if the supplier would have to meet your requirement in order to conform with ISO 9001.
 

mmasiddiqui

Involved In Discussions
#4
We satisfy this criterion with a Supplier Selection process for new suppliers that includes a supplier audit before the initial order to ensure the supplier is competent to provide defect-free product on time within the stipulated cost.
For the existing supplier we use the PPAP process on these parts along with a Validation test to ensure defect-free product on time to the line to keep the product moving.
 
#6
This is a new requirement that was added in Q1 9th Edition Addendum 2 (published June 2018, effective June 2019, so this is probably the first time that you are being externally audited on it). Auditors seem to be writing a lot of findings on it.

This is a "choose your own adventure" requirement. Per 5.6.1.1, your organization shall "maintain a documented procedure" that addresses "type and extent of control applied to the supply chain for critical products, components or activities". You get to define the type and extent of control that you will apply to your supply chain, but per 5.6.1.2, you also have to verify that the supplier is meeting your requirements for controls internally and their supply chain. This verification must occur at your initial evaluation and every re-evaluation (5.6.1.4 now requires re-evaluation to meet the same requirements as initial evaluation).

You get to define both type of control (such as "maintain a calibration procedure") and extent of control (such as direct supplier only, supplier and first tier sub-supplier, or everyone in the supply chain between you and the steel mill but not beyond the steel mill). You can define both the type and extent however you want, but you need to make sure that you can get evidence that you verified this, which makes it difficult if you define the extent to go far past your direct suppliers.

Verifying that organizations have an ISO 9001 certificate is generally not considered to be sufficient verification of type and extent of control - API generally wants more than this, even if the supplier would have to meet your requirement in order to conform with ISO 9001.
Thank you for your answer. Really useful information.
I understand; I will first determine the scope of the supplier.
Can you give information about the control method for the supplier directly? We do supplier evaluation, first check, sample check,
but it was not enough. I would appreciate it if you could give me an idea.
 
#7
We satisfy this criterion with a Supplier Selection process for new suppliers that includes a supplier audit before the initial order to ensure the supplier is competent to provide defect-free product on time within the stipulated cost.
For the existing supplier we use the PPAP process on these parts along with a Validation test to ensure defect-free product on time to the line to keep the product moving.
Thank you for the answer.
We are actually doing these, but for sub-supplier: we wrote in the procedure "Evaluation results of the supplier are taken. The obtained results are added to the supply assessment as material and delivery assurance." and we showed an example.
The auditor asks the supply chain... "You should do the same directly at the supplier," she said.
How will I get the evaluation from the manufacturer? Can there be a raw material assessment or a purchase risk analysis?
 

mmasiddiqui

Involved In Discussions
#8
Thank you for the answer.
We are actually doing these, but for sub-supplier: we wrote in the procedure "Evaluation results of the supplier are taken. The obtained results are added to the supply assessment as material and delivery assurance." and we showed an example.
The auditor asks the supply chain... "You should do the same directly at the supplier," she said.
How will I get the evaluation from the manufacturer? Can there be a raw material assessment or a purchase risk analysis?
Well, it depends on the Standard. What does the standard call out? Sometimes the auditors are not very well versed or not able to correctly interpret the standard. I would put the onus at your supplier's door to do the same to their supplier. You can fix this by adding a clause in your Supplier Quality Manual that this would be the responsibility of your supplier to ensure compliance from their suppliers. Interested to know what you find from the Standard.
In my short experience of 20 years, I have not seen an OEM perform this at their tier 2 or tier 3 suppliers. You cover this in your supplier agreement to ensure compliance from their suppliers. Yes, there will be a technical review for each of the suppliers to assess the purchase risk. It is done by the Procurement team during the technical review (or supplier audits) before getting them on board.
 

jmech

Trusted Information Resource
#9
Can you give information about the control method for the supplier directly? We do supplier evaluation, first check, sample check,
but it was not enough. I would appreciate it if you could give me an idea.
Sample checks, first checks, PPAPs, validation testing, review of quality performance, etc. may be helpful and may fulfill other requirements, but they do not fulfill the requirement to specify and verify the supplier's controls. You need to specify controls and evidence that you verified that the supplier has the controls you specified. Evidence of verification of the supplier's controls should be included in your evaluation (and every re-evaluation).

One possible control example is to require that your direct supplier maintains a procedure for their approval/evaluation of their suppliers. You then need evidence that you verified this - such as a copy of their supplier approval/evaluation procedure or notes from your on-site audit of the supplier that references their supplier approval/evaluation procedure (preferably with the document number or title and revision number). You need to verify this every time you re-evaluate this supplier - for future re-evaluations, having them send an email that their supplier approval/evaluation procedure is still the same (including revision number) as when you last reviewed it may be sufficient evidence.

The controls that you specify are up to you, but they should relate to the critical elements of what is being supplied. For example, for a heat treat supplier, you might require controls related to calibration, traceability, and version control of specifications.
 
#10
Thank you all for the useful information.
I understand what I'm going to do right now and start working. :)
I will mail my suppliers on the subject.
Thanks again
 