Audit non-compliance - API Spec Q1 9th Ed 5.6.1.2 b

Nidayes

Registered
Hello everyone,

I've got a problem about API Q1 audit.

Description
Initial evaluation of suppliers shall include b) verification of the type and extent of control applied by the supplier, internally and to their supply chain, in order to meet the organization’s requirements

Nonconformance/Concern Description
The process of evaluation of critical suppliers presented in the procedures does not comply with API Q1 requirements.

I showed supplier evaluation report but auditor wrote :
Supplier evaluation report dated 24.12.2019 for critical supplier XXXXXXX
Type and extend of controls applied the supplier to its supply chain, was not verified.

What action can I take in this regard? Could you hep me please?
What are you doing to evaluate the supply chain?

Thank you
 

Cowbilly

Registered
I am interested in what you find out, Nidayes. I am currently writing our initial Purchasing Procedure for API Q2 and the same requirement applies.
 

jmech

Trusted Information Resource
This is a new requirement that was added in Q1 9th Edition Addendum 2 (published June 2018, effective June 2019, so this is probably the first time that you are being externally audited on it). Auditors seem to be writing a lot of findings on it.

This is a "choose your own adventure" requirement. Per 5.6.1.1, your organization shall "maintain a documented procedure" that addresses "type and extent of control applied to the supply chain for critical products, components or activities". You get to define the type and extent of control that you will apply to your supply chain, but per 5.6.1.2, you also have to verify that the supplier is meeting your requirements for controls internally and their supply chain. This verification must occur at your initial evaluation and every re-evaluation (5.6.1.4 now requires re-evaluation to meet the same requirements as initial evaluation).

You get to define both type of control (such as "maintain a calibration procedure") and extent of control (such as direct supplier only, supplier and first tier sub-supplier, or everyone in the supply chain between you and the steel mill but not beyond the steel mill). You can define both the type and extent however you want, but you need to make sure that you can get evidence that you verified this, which makes it difficult if you define the extent to go far past your direct suppliers.

Verifying that organizations have an ISO 9001 certificate is generally not considered to be sufficient verification of type and extent of control - API generally wants more than this, even if the supplier would have to meet your requirement in order to conform with ISO 9001.
 

mmasiddiqui

Involved In Discussions
We satisfy this criteria with Supplier Selection process for new suppliers that include supplier audit before the initial order to ensure supplier is competent to provide defect free product on time within the stipulated cost.
For the existing supplier we use the PPAP process on these parts along with Validation test to ensure defect free product on time to the line to keep the product moving.
 

Nidayes

Registered
This is a new requirement that was added in Q1 9th Edition Addendum 2 (published June 2018, effective June 2019, so this is probably the first time that you are being externally audited on it). Auditors seem to be writing a lot of findings on it.

This is a "choose your own adventure" requirement. Per 5.6.1.1, your organization shall "maintain a documented procedure" that addresses "type and extent of control applied to the supply chain for critical products, components or activities". You get to define the type and extent of control that you will apply to your supply chain, but per 5.6.1.2, you also have to verify that the supplier is meeting your requirements for controls internally and their supply chain. This verification must occur at your initial evaluation and every re-evaluation (5.6.1.4 now requires re-evaluation to meet the same requirements as initial evaluation).

You get to define both type of control (such as "maintain a calibration procedure") and extent of control (such as direct supplier only, supplier and first tier sub-supplier, or everyone in the supply chain between you and the steel mill but not beyond the steel mill). You can define both the type and extent however you want, but you need to make sure that you can get evidence that you verified this, which makes it difficult if you define the extent to go far past your direct suppliers.

Verifying that organizations have an ISO 9001 certificate is generally not considered to be sufficient verification of type and extent of control - API generally wants more than this, even if the supplier would have to meet your requirement in order to conform with ISO 9001.

Thank you for your answer.. really useful information
I understand, I will first determine the scope of the supplier
Can you give information about the control method for the supplier directly ? We do supplier evaluation, first check, sample check
but it was not enough. I would appreciate if you give an idea
 

Nidayes

Registered
We satisfy this criteria with Supplier Selection process for new suppliers that include supplier audit before the initial order to ensure supplier is competent to provide defect free product on time within the stipulated cost.
For the existing supplier we use the PPAP process on these parts along with Validation test to ensure defect free product on time to the line to keep the product moving.

Tahnk you for answer
We are actually doing these but for sub-supplier : we wrote in the procedure'' Evaluation results of the supplier are taken. The obtained results are added to thesupply assessment as material and delivery assurance.'' and we showed an example.
The auditor asks the supply chain... "You should do the same directly at the supplier," she said.
How will I get the evaluation from the manufacturer. Can there be a raw material assessment or a purchase risk analysis?
 

mmasiddiqui

Involved In Discussions
Tahnk you for answer
We are actually doing these but for sub-supplier : we wrote in the procedure'' Evaluation results of the supplier are taken. The obtained results are added to thesupply assessment as material and delivery assurance.'' and we showed an example.
The auditor asks the supply chain... "You should do the same directly at the supplier," she said.
How will I get the evaluation from the manufacturer. Can there be a raw material assessment or a purchase risk analysis?

Well, it depends on the Standard. What does the standard call out? Some time the Auditors are not very well versed or not able to correctly interpret the standard. I would put the Onus at your supplier door to do the same to their supplier. You can fix this by adding a clause in your Supplier Quality Manual that this would be the responsibility of your supplier to ensure compliance from their suppliers. Interested to know, what you find from the Standard.
In my short experience of 20 years, I have not seen OEM perform this at their tier 2 or tier 3 suppliers. You cover this in your supplier agreement to ensure compliance from their suppliers. Yes, there will be a technical review for each of the supplier to assess the purchase risk. It is done by the Procurement team during the technical review (or supplier audits) before getting them on board.
 

jmech

Trusted Information Resource
Can you give information about the control method for the supplier directly ? We do supplier evaluation, first check, sample check
but it was not enough. I would appreciate if you give an idea
Sample checks, first checks, PPAPs, validation testing, review of quality performance, etc. may be helpful and may fulfill other requirements, but they do not fulfill the requirement to specify and verify the supplier's controls. You need to specify controls and evidence that you verified that the supplier has the controls you specified. Evidence of verification of the supplier's controls should be included in your evaluation (and every re-evaluation).

One possible control example is to require that your direct supplier maintains a procedure for their approval/evaluation of their suppliers. You then need evidence that you verified this - such as a copy of their supplier approval/evaluation procedure or notes from your on-site audit of the supplier that references their supplier approval/evaluation procedure (preferably with the document number or title and revision number). You need to verify this every time you re-evaluate this supplier - for future re-evaluations, having them send an email that their supplier approval/evaluation procedure is still the same (including revision number) as when you last reviewed it may be sufficient evidence.

The controls that you specify are up to you, but they should relate to the critical elements of what is being supplied. For example, for a heat treat supplier, you might require controls related to calibration, traceability, and version control of specifications.
 

Nidayes

Registered
Thank you all for the useful information
I understand what I'm going to do right now nd start working .:)
I will mail my suppliers on the subject
Thanks again
 
Top Bottom