Q: From your experience as an API auditor, which top issues do auditors and auditees face?
A: Below are some of the most common findings related to Q1, 9th edition.*
*Note: The information gathered below is based upon our clientele, our Q1 training students, and communications throughout the quality community.
1. Documentation of risk assessments, contingency plans, and management of change, but not closing them out.
2. There has been some auditor confusion with what needs to be contained in risk assessment. Some auditors have interpreted the following Q1, 5.3 requirement to mean that a risk assessment is required to be documented for each of the four (4) items identified below.
Q1, 5.3 states in part 5.3:
“The organization shall maintain a documented procedure to identify and control risk associated with impact on delivery and quality of product…
Risk assessment associated with product delivery shall include:
a) facility/equipment availability and maintenance; and
b) supplier performance and material availability/supply.
Risk assessment associated with product quality shall include, as applicable:
c) delivery of nonconforming product (see 5.10.1);
d) availability of competent personnel.”
However, in most cases after a review of the risk procedure with the auditor and demonstration of the risk assessment methodology and reporting, they understood that the process included an assessment of one or more of these items when a risk was present. Q1 does not require a specific risk assessment to be documented for each item independently, only where there is a risk to one or more of these items.
3. There has been some confusion as to when to document a management of change. The most confusion comes from Q1, 5.11.2 (d) which states “changes to the management system procedures, including changes resulting from corrective and preventive actions . . .” The key to understanding this requirement is knowing:
a) Which other Q1 sections have a change control process. As an example, Q1 has change control processes for many elements including document control, the use of external documents, design changes, etc. If these normal change processes do not create a risk, then would an MOC be needed? Remember, 5.11.2 MOC Implementation states in part, “The organization shall use the MOC process for any of the following that may negatively impact the quality of the product . . .”
b) Whether or not the change introduces a risk. See (a) above. For example, if an API product specification was changed via an errata, it is unlikely that any change would have to occur to the quality management system. However, if a significant change were to occur (e.g., API Spec. 6A from the 19th to the 20th edition and shortly coming 21st edition), both a risk assessment and an MOC should be undertaken since changes to the quality management system will be needed.
4. Critical suppliers
a) Not identifying the scope or location of the critical supplier on the AVL.
b) Not paying attention to outsourced processes requiring validation (e.g., heat treating). In a few cases, outsourced processes requiring validation were treated as noncritical, and as a result, sufficient attention was not given to the Q1, 188.8.131.52 which states in part:“Validation shall demonstrate the ability of these processes to achieve planned results. Where an organization chooses to outsource a process that requires validation, the organization shall require that the supplier conform to these requirements (see 184.108.40.206).” This means the identification of controls related to:
- “required equipment;
- qualification of personnel;
- use of specific methods, including identified operating parameters;
- identification of acceptance criteria;
- requirements for records (see 4.5); and
— Bud Weightman
President, Qualified Specialists, International
Who We Are
Qualified Specialists, International (QSI) is a professional consulting, training, and management systems technology firm headquartered in Houston, TX. Founded by R.T. (Bud) Weightman in 1989, QSI has a global presence and has implemented and assessed management systems in over 28 countries world-wide – with certifications ranging from ISO 9001, ISO 14001, OHSAS 18001, API Spec. Q1 / Q2, and more.
Our specialty spans quality, health and safety, and environmental (QHSE), and our products and services have been applied in engineering, manufacturing, fabrication, distribution, service, projects, and operations.
We excel in helping our clients to achieve regulatory compliance, certification, and industry licensing through our superior software solutions, consulting services, and industry-leading training.
Bud Weightman, President of QSI, is an international management systems expert involved with management and technical systems for over 40 years. As President of QSI, Bud is involved with the industry committees responsible for emerging requirements, including: revision of API specifications, leading various API Task Groups, and lead auditor for the accreditation of SEMS Audit Providers through the Center for Offshore Safety. Bud’s experience includes working with ISO 9001, ISO 14000, and OHSAS 18000 management systems, as well as industry-specific certification schemes such as API Q1 and Q2, AS9100, ASME systems, and numerous other standards.
API Spec. Q1
API Spec. Q2
API Lead Auditor
Learn the latest. Stay competitive with training.
Join Our Mailing List