Audit Nonconformances (?) for Suppliers Not Registered to ISO and No Supplier Quality Agreement Exists

[GStough]

Here's another scenario to ponder....You have a supplier that is not registered to any ISO standard, is not familiar with those requirements nor any other federal agency requirements (i.e. 21 CFR 820), and where there is not a supplier quality agreement in place (yet). Yet, you are required to audit this supplier to verify that they have the basic QMS processes in place until a supplier quality agreement can be drafted and approved by both parties. You do the audit and find that for the most part they have the basic processes we normally look at during an audit. However, there are some items that are not in place (no formal PM, no formal calibration program, no formal pest control program, to name a few).

Are these findings then classified as concerns or observations? Or should they be classified as nonconformances? Has anyone else had to work through this type of situation? What did you do?

(I know that we are currently working on SQ Agreements, but not all suppliers have them yet.)

 

[Jim Wynne]

This sounds more like gap analysis than an audit, per se. You need non-fulfillment of a requirement in order to characterize something as nonconforming. Before classifying anything as a concern or observation you need to be sure that there are standard definitions for those things. The best thing (perhaps) is to report what was found vs. what you expected to find, and go from there.

 

[Mike S.]

Without a requirement there cannot be a nonconformance.

I would write up "observations" and decide whether or not we could do business with them as-is. If not, flow down to them requirements that they can either decide to accept and become compliant to, or else they could no-bid.

 

[GStough]

This sounds more like gap analysis than an audit, per se. You need non-fulfillment of a requirement in order to characterize something as nonconforming. Before classifying anything as a concern or observation you need to be sure that there are standard definitions for those things. The best thing (perhaps) is to report what was found vs. what you expected to find, and go from there.

In retrospect, I have to agree, Jim - it does sound more like a gap analysis. My instructions were to just go in and make sure they have the basic QMS processes, such as inspections, control of nonconforming product, complaint handling, product ID and traceability, management review, corrective/preventive action, etc. And they had all of these and more, except for a few things that I listed in the original post above.

I'll try that. Thanks, Jim!

 

[GStough]

Without a requirement there cannot be a nonconformance.

I would write up "observations" and decide whether or not we could do business with them as-is. If not, flow down to them requirements that they can either decide to accept and become compliant to, or else they could no-bid.

And that's exactly what I've been saying. I'm getting push-back to write nonconformances, but I don't see how I can do that if there is not a requirement! You and Jim have given me options to consider. Thanks, Mike S.!

 

[Rene Minassian]

Hi, i also would not raise a non-conformance nor an obsevation since there not registered and might not familar with. But, i would like them to know that my strategy is to qualify a supplier to main processes of ISO 9001 and any gaps identified i would raise as minor or major finding not in compliance with the requirements. Hope this helps.....

 

[Ed Panek]

I think focusing in on a "we are on the same team" type solution could help. Explain what your requirements are and how you value their work as your supplier but you have a few challenges approving them with your current requirements. I am not sure if your sales volume matters to them but if it does allow them to speak first. Hear what they are willing to do before you push on them.

If they can meet you half or 2/3 the way maybe you can help them implement the required controls.

If it turns out not to work perhaps you can modify your own supplier controls with a new type of supplier; a special controls supplier. Identify the unusual risks presented and describe how your handling of this supplier will reduce those risks to an acceptable level.

I once dealt with a gigantic company who refused to listen to us but I was able to add a special onsite test they agreed to perform and include the results with each shipment. Auditors understood our challenges and how we mitigated those.

 

[GStough]

I think focusing in on a "we are on the same team" type solution could help. Explain what your requirements are and how you value their work as your supplier but you have a few challenges approving them with your current requirements. I am not sure if your sales volume matters to them but if it does allow them to speak first. Hear what they are willing to do before you push on them.

If they can meet you half or 2/3 the way maybe you can help them implement the required controls.

If it turns out not to work perhaps you can modify your own supplier controls with a new type of supplier; a special controls supplier. Identify the unusual risks presented and describe how your handling of this supplier will reduce those risks to an acceptable level.

I once dealt with a gigantic company who refused to listen to us but I was able to add a special onsite test they agreed to perform and include the results with each shipment. Auditors understood our challenges and how we mitigated those.

For this audit, I felt that I needed to approach it differently from other supplier audits. Going through the checklist, I just explained what I wanted to see and why, and they were very receptive and appreciated the experience. They had no documented procedures, but they knew the processes and walked me through each one and even had records for me to review. This supplier and my employer have a positive and long history of working together - way back to the days when a gentleman's word and a handshake was it took to make/seal a deal. So, they've been an approved and mostly preferred supplier for many years.

Good stuff! Thank you, Ed!

 

[Sidney Vianna]

Has anyone else had to work through this type of situation?

When you are conducting second party audits and find weaknesses in a supplier quality system, they must be reported, irrespective of mimicking 3ʳᵈ party audits categorization of findings or not. But, and in my opinion, much more important than categorizing the findings is to have a clear understanding of the expectations going forward; even before a quality agreement is in place. Having found risks in the supply chain, an organization must have the supplier addressing it; otherwise the supplier qualification and monitoring processes become a liability.

Pity the foolish organization caught in a (potential) scandal of releasing unsafe products to the market place and undergoing an investigation that uncovers supplier audit reports that show unaddressed failures. A supplier audit should not be seen as a ceremony, but an event with clear actionable items.

 

[malasuerte]

For this audit, I felt that I needed to approach it differently from other supplier audits. Going through the checklist, I just explained what I wanted to see and why, and they were very receptive and appreciated the experience. They had no documented procedures, but they knew the processes and walked me through each one and even had records for me to review. This supplier and my employer have a positive and long history of working together - way back to the days when a gentleman's word and a handshake was it took to make/seal a deal. So, they've been an approved and mostly preferred supplier for many years.

Good stuff! Thank you, Ed!

So here is my take, similar to Sidney:
In 8.4.1 & 8.4.2, the customer is ultimately accountable for its suppliers (meeting requirements, etc), plus how suppliers are selected/approved
In 8.4.3, the customer provides its requirements to its suppliers

So as part of the selection process and holding the supplier to meeting customer requirements, any non-conformances should be identified as such.

I am guessing your supplier selection process and approval doesn't say: "Suppliers are approved if they are kinda doing what we expect them to do".