Reviewing, and Closing Nonconformities Arising from Audits Posting
Introduction:
The value provided to an organization is either enhanced or reduced by the review that an auditor conducts on the auditee organization’s response to a nonconformity, as well as by the "close-out" process applied. An auditor will add value by ensuring that the organization has satisfactorily addressed correction, done through root cause analysis, and taken corrective actions, as this will lead to the auditee organization achieving higher customer satisfaction.
This document provides guidance to help auditors in the process of categorizing, reviewing, and closing findings C nonconformities arising from audits.
Review of actions in response to a Nonconformity:
Management system auditors are responsible for reviewing the response to nonconformity and verifying the effectiveness of actions taken.
There should be three parts to the response of an organization to nonconformity:
- correction,
- Root cause analysis, and
- corrective action.
or - Root cause analysis,
- correction, and
- corrective action.
(Note: two different sequences are given above as it may depend on the product type, or the situation of the nonconformity, as to which is the correct one to be followed. However, the three parts to resolving the nonconformity are the same in each case. For example, for product like software, it is inadvisable to implement a correction until the cause is known. Alternately, as a hardware example, if a "Low Brake-pad" warning light were to illuminate in a vehicle and you immediately implemented the correction of replacing the brake pads before examining if the sensor was faulty, you might fail to resolve the problem and would have wasted time and resources.)
The authoritative sources for making the opening statement are some pertinent
Definitions in ISO G000:
Nonconformity: non-fulfilment of a requirement
Correction: action to eliminate a detected nonconformity
Corrective action: action to eliminate the cause of a nonconformity and to prevent recurrence.
"Correction" is action to eliminate a detected nonconformity. For example, correction may involve replacing nonconforming product with conforming product or replacing an obsolete procedure with the current issue, etc.
Corrective action cannot be taken without first making a determination of the cause of nonconformity. There are many methods and tools available to an organization for determining the cause of a nonconformity, from simple brainstorming to more complex, systematic problem-solving techniques (e.g. root cause analysis, fish-bone diagrams, “5 whys", etc). An auditor should be familiar with the appropriate use of these tools. The extent and effectiveness of the corrective actions depends upon identifying the true cause. In some cases this will assist an organization to identify and minimize similar nonconformities in other areas.
An auditor should also check if the organization has taken action to determine if the cause of a nonconformity was systematic in nature or merely accidental. If a systematic failure is treated as an accidental one-off occurrence, then the corrective action will not be successful, and there will be a risk of the problem recurring.
One possible cause that the auditor should give particularly attention to is whether the nonconformity occurred because of something outside of what is covered and controlled by the organization's ǪMS, i.e. whether the absence of the ǪMS itself is the cause, or part of the cause, of the nonconformity. In such cases, the failure is usually related to insufficient understanding of customer expectations by the organization.
As mentioned above, one useful technique for systemic root cause analysis is the "5 Whys”.
The "5 Whys" Approach to Root Cause Analysis |
|
Ǫuestion Focus |
Answer Focus |
1st Why: Incident |
5 M’s C E [men (people), machine, material, method, measurement, environment]. |
2nd Why: 5 M’s C E 1 |
1st Level System |
3rd Why: 1st Level System |
2nd Level System |
4th Why: 2nd Level System |
3rd level System |
5th Why: 3rd Level System |
System Root Cause |
When investigating the root cause of a nonconformity, there may be several different possible factors, or contributing factors, to the root cause (e.g. poor-quality raw materials or supplied sub-components; inappropriate measurement systems; inadequate training etc.). Iterative process should be used to determine which factor is the actual root cause; the organization should not be identifying the first failure factor it finds as being the root cause.
For example, a list of such possible factors should be drawn up and be examined in relation to the nonconformity; they should then be categorized as being either "not able to confirm", "possible", or "confirmed", in terms of their potential impact on the root cause. In each case the factor and its categorization should be noted. For the "not able to confirm" category of factors, records should also be kept of any analysis that was performed, and the conclusions leading to this categorization being given.
Further work should then be undertaken to see if the "possible" or "confirmed" factors are the actual root cause. In some cases, it may not be able to finally determine if a factor is truly the root cause or not, so the results of this work should lead to a further categorization of the factors as either being a "possible root cause" or as the "confirmed root cause". In each case, further records should be kept of the actions taken and the conclusions leading to their categorization.
In reviewing the response of an organization to a nonconformity, the auditor should confirm that documented information and objective evidence for all three parts (correction, analysis of the cause, and corrective action) are provided by the organization, and are appropriate, before accepting the response. Important elements to verify in the review process include:
- statements of actions; are they clear and concise?
- descriptions of actions; are they thorough and do they accurately reference specific
- documents, procedures etc., as appropriate?
- the use of the past tense (was, has or have been, were), as an indicator that the actions taken have been completed.
- the date of completion of the corrective actions; past dates should be found that indicate that the actions have been taken (dates indicating future action are not good practice).
- evidence supporting the claim that a corrective action has been fully and effectively implemented and that the corrective action has been performed in the way that it was described.
Additionally, the auditor should verify that the organization has ensured that the corrective action taken does not itself create further problems relating to product or service quality, or to implementation of the Management System.
It should be noted that both correction and corrective action are not always appropriate and that either correction or corrective action may be sufficient on their own. This may happen, for example, in cases in which it can be demonstrated that the nonconformity was absolutely accidental, and the management system is effectively implemented, and the probability of reoccurrence is very low. This also applies in cases where correction is not possible (e.g. updating existing records), but the need for corrective action may be justifiable. The need for comprehensive root cause analysis should also be evaluated, based on the nature of findings and whether they appear to indicate a systemic failure.
Effective corrective action should prevent the recurrence of the nonconformity, by eliminating the cause.
Analysis of the causes of detected nonconformities may identify potential nonconformities on a wider scale in other areas of the organization and provide input for planning based on risk based thinking.
Closing nonconformities:
As nonconformities tend to be individual in their nature, a variety of methods or activities may be used to demonstrate the effectiveness of actions taken. For example, some will require direct examination on site (which may require the need for additional site visits), while others may be closed-off remotely (by review of submitted documentary evidence).
Before deciding to agree to close a nonconformity, an auditor should review what the organization did in respect of containment, correction, cause analysis and corrective action results. The auditor needs to ensure that there is objective evidence (including supporting documentation) to demonstrate that the described corrective action has been fully implemented and is effective in preventing the nonconformity from re-occurring. Only once the situation is satisfactory, should the nonconformity be closed.
Disclaimer:
The information contained within is available for educational and communication purposes.
Normative References:
BSCIC Procedures
www.iaf.nu
www.iso.org/tc176/ISO9001AuditingPracticesGroup
Craig Cochran blogs