A New Approach to Supplier Qualification After COVID-19
Traditional supplier qualification processes have been forced to rapidly change to new approaches as suppliers have been affected by shelter-in-place directives across the globe. On-site supplier audits are no longer a viable method to review a supplier’s facility and controls. Customers have been forced to rely on the supplier self-audit checklist, resulting in higher scrutiny of supplier quality procedures and increased incoming quality inspection of first article or pilot production lots.
These mitigation steps add a higher level of administrative burden to customers by creating non-value-add activities that may not result in proper risk assessment. The need to reconfigure supplier qualification processes is a top priority for many manufacturing organizations. Before we discuss process effectiveness qualification reviews, let’s go over the fundamentals of assessment definitions of conformance, effectiveness, risk, and intellectual property (IP).
Conformance vs. Effectiveness
The traditional ISO-based self-audit checklists, where quality system documentation is provided by a supplier, confirms that the supplier has a quality system in place. Conformance to a quality system standard is important, as it informs the supplier qualification team that procedures are in place and objectives have been defined. However, it does not indicate that procedures have been effectively implemented nor if the process is monitored to achieve process or quality objectives. The definition of “effectiveness” is the ability to meet objectives and be successful in producing the desired result. Thus, supplier qualification requires an effectiveness review to properly assess the risk of working with a supplier .
Practical Approach to Risk Evaluation
The foundation of supplier qualification is based on risk evaluation. Risk management has taken a higher level of importance in recent quality system standards of ISO 9001, ISO 13485, and AS9100, among other quality system standards. But first, we need to understand risk. The new ISO 31000:2018 risk management guidelines offer the following definition of risk in section 3.1 :
Risk: Effect of uncertainty on objectives
- Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative, or both and can address, create, or result in opportunities and threats.
- Note 2 to entry: Objectives can have different aspects and categories and can be applied at different levels.
- Note 3 to entry: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6), and their likelihood (3.7).
In essence, supplier qualification requires risk assessment before approving a new supplier to the supply chain. Companies need to establish risk evaluation procedures for qualifying new suppliers. Risk assessment allows companies to objectively determine the qualification level required for a new supplier depending on the supplier’s performance impact and supply chain to the company. Table 1 provides considerations needed when determining the qualification level for a new supplier.
Higher risk suppliers require a process effectiveness qualification and a quality system conformance qualification. Medium-risk suppliers are only required to do a quality system conformance qualification. Low-risk suppliers may be sufficient to complete a questionnaire or demonstrate an ISO certification.
Suppliers typically have no concerns providing quality systems documentation to customers as a method to demonstrate conformance to established quality systems standards. This practice has been commonly accepted in all industries for many decades. However, when it comes to process effectiveness qualification, suppliers are required to provide process conformance information to demonstrate the ability to perform to expectations.
Suppliers may initially be hesitant to do this if process knowhow is requested as part of the process effectiveness qualification. It is important to protect a supplier’s IP during any review of process effectiveness exercise. The focus should be to monitor performance vs. plan on key process characteristics.
Process Effectiveness Qualification Plan
The foundation of process effectiveness is to have an unbiased way to measure performance results in comparison to the plan. Suppliers are required to demonstrate performance with empirical data. Performance effectiveness qualification activities can be done remotely.
Table 2 provides guidance on how to set up a process effectiveness qualification plan. The requirement is for the supplier to complete this table and provide periodic reports to demonstrate effectiveness for the agreed-upon measurements. This plan allows customers to assess risk and monitor the performance of key suppliers.
Every item provided below should have a defined measurement target and frequency of when this measure is taken and reported. Include an evaluation section for each line item to assess the ability of the supplier to provide this data periodically and the results to the plan.
The expectation is for the supplier to provide historical performance data of product lines similar to what they will be providing you as a new customer. This data will serve as a baseline to compare to how the supplier performs to your product requirements in the future against baseline measurements established in Table 2.
Once the process effectiveness plan has been completed, then the supplier can provide periodic updates—usually monthly or quarterly—of new performance data. The data can be trended to monitor improvements over time.
The qualification team should review the data provided by the supplier to determine the adequacy and assess qualification risk. This document should then be retained in the file as a quality record for supplier qualification before the supplier is added to the AVL.
- D. Banister-Hazama, J. Moreci, & K. England, “Increase project team effectiveness: step-by-step,” PMI® Global Congress 2012—North America, Vancouver, British Columbia, Canada. Newtown Square, PA: Project Management Institute, 2012.
- ISO, “ISO 31000:2018(en): Risk management—Guidelines.”
This column originally appeared in the October 2020 issue of SMT007 Magazine.