Taking a Risk-Based Auditing Strategy for Evaluating Suppliers

This blog makes the case for taking a risk-based auditing strategy for evaluating suppliers.

None of us has unlimited resources. In fact, the pendulum has swung so far that “do more with less” has now become “do everything with nothing.”

Here’s a familiar situation… During your most recent annual surveillance audit, the auditor gave you the bad news: “The Canadian MDR requires that you audit critical suppliers that do not have ISO 13485 certification, and these two contract manufacturers should be added to the critical supplier category.” Once your blood pressure drops enough that you are not in immediate danger of having an aneurysm, you might think to ask your auditor how frequently these audits need to be performed. Most auditors will allow a three-year cycle between supplier audits, but this is because of the three-year recertification cycle.

Your company should really adopt a risk-based strategy for evaluating suppliers. For high-risk suppliers, an annual or six-month cycle is appropriate. For moderate-risk suppliers, biannual or three-year cycles might be more appropriate. A supplier I audited recently told me a story that illustrates this concept.

Their company noted that the FDA was inspecting them every seven years—instead of every two years (FDA’s goal for Class 2 devices). The FDA investigator explained that the local office only had enough resources budgeted to perform 50 inspections per year. Each year, they start at the top of their priority list and work their way down the list. Each year that this company fell below the 50-company cut-off, the company moved up the list for the next year. It took them about seven years to reach the top 50.

In your company, you have a limited number of Supplier Quality Engineers (SQEs) who are available to audit your suppliers. Since SQEs have lots of other job duties in addition to on-site auditing, I recommend the “Take 5” approach. What I mean is: 1) prioritize your list of suppliers based upon risk (including how long it has been since their last audit), 2) pick the top five highest-risk suppliers and schedule those audits throughout the year, and 3) hire another SQE for every fifteen suppliers (five supplier audits/year/SQE × three years/cycle = 15 supplier audits/SQE/cycle) that require on-site auditing. The number “5” is arbitrary, but “5” is in the right order of magnitude.

SQEs are responsible for monitoring supplier performance, issuing Supplier Corrective Action Requests (SCARs), following up on SCARs, updating drawings, communicating revision changes to suppliers, and qualifying new suppliers. If an SQE is doing more than five on-site supplier audits per year, it will be important for these suppliers to be local. Otherwise, these valuable employees will get burned out fast.

Review your own Approved Supplier List (ASL) and ensure you have properly identified “critical” suppliers. Review your supplier evaluation procedure to ensure that it gives you the flexibility to revise the audit frequency on a risk basis. Finally, review your SQE resources: hiring, recruiting and training a new SQE every two years will cost as much as adding an SQE when the ratio of supplier audits per auditor has exceeded the magical number “5.”


Posted in: Supplier Quality Management
