13485cert

Posts Tagged ‘Internal Auditor’

How to Issue a Major Non-Conformity with a Smile

In Internal Auditing on March 18, 2013 at 5:37 pm


As an auditor, one of the most important (and difficult) things for you to learn is how to issue a non-conformity—especially a major. This is normally done at the closing meeting of an audit, but the closing meeting is not where the process of issuing the non-conformity begins. Issuing a non-conformity actually starts in the opening meeting.

ISO 19011:2011 is the official guidance document for auditors of Quality Management Systems. Section 6.4.2 of this Standard explains the best practices for an opening meeting. The last five items in this section are critical to preparing the client for potential non-conformities:

  1. the method of reporting audit findings including grading, if any;
  2. the conditions under which the audit may be terminated;
  3. time and place of the closing meeting;
  4. how to deal with possible findings during the audit;
  5. the system for feedback from the auditee on the findings or conclusions of the audit,
  6. the process for complaints and appeals.

Methods of Reporting and Grading

The auditor should be crystal clear in their description of minor and major nonconformities or any other grading that will be used. The auditor should also make it clear that they are looking for conformity rather than non-conformity. This is an audit—not an inspection. Typically, a minor nonconformity is described as “a single lapse in the fulfillment of a requirement” while a major nonconformity is described as one of the following: 1) “a total absence in the fulfillment of a requirement,” 2) “repetition of a previous nonconformity,” 3) “failure to address a previously identified minor non-conformity”, or 4) “shipment of non-conforming product.” When the auditor is in doubt, then the finding is minor and never a major. For a major non-conformity to be issued there can be no doubt.

Conditions for Termination

The option to terminate an audit is typically reserved for a certification audit where a major non-conformity is identified and there is no point in continuing. Termination is highly discouraged, because it is better to know about all the minor and major non-conformities now instead of waiting until the certification audit is rescheduled. The certification body will charge you for their time anyway.

Another reason for termination is when an auditor is being unreasonable or inappropriate. This is rare, but it happens. If the audit is terminated you should always communicate this to upper management at the certification body and the company—regardless of which side of the table you sit. For FDA inspections this is not an option. For audits performed by Notified Bodies, there is the possibility of suspension of a certificate in response to audit termination. Therefore, I always recommend appealing after the fact instead of termination. Appealing also works for FDA inspections.

Closing Meeting

The closing meeting should be conducted as scheduled and the time/location should be clearly communicated to upper management in the audit agenda and during the opening meeting. Top management won’t be happy about non-conformities, but failure to communicate when the closing meeting will be conducted will irritate them further.

How to Deal with Findings

All guides and auditees should be made aware of possible findings at the time an issue is discovered. This is important so that an auditee has the opportunity to clarify the evidence being presented. Often non-conformities are the result of miscommunication between the auditor and auditee. This happens frequently when the auditor has a poor understanding of the process being audited. It is a tremendous waste of time for both sides when this occurs. If there is an actual non-conformity, it is also important to gather as much objective evidence as possible for the auditor to write a thorough finding and for the auditee to prepare an appropriate corrective action plan in response to the finding.

Feedback from the Auditee

I always encourage auditees to provide honest feedback to me directly and to management so that I could continue to improve. If you are giving feedback about an internal auditor or a supplier auditor, you should always give feedback directly before going to the person’s superior. You are both likely to work together in the future, and you should give the person every opportunity to hear the feedback first-hand.

When providing feedback from a 3rd party Certification Audit, you should know that there will be no negative repercussions against your company if you complain directly to the Certification Body. At most, the Certification Body will assign a new auditor for future audits and investigate the need for taking action with the auditor. In all likelihood, any action taken will be “retraining.” I never fired somebody for a single incident—unless they broke the law or did something that was unsafe. The key to providing feedback, however, is to be objective. Give specific examples in your complaint, and avoid personal feelings and opinions.

Complaints and Appeals

As the auditee, you should ask for the contact information at the certification body during the opening meeting. Ask with a smile—just in case you disagree and so you can provide feedback (which might be positive). As the auditor, you should always make the contact information for the certification body available. If you are conducting a supplier audit or an internal audit, you probably know the auditor’s boss and there is probably no formal complaint or appeals process. In the case of a supplier audit, the customer is always right—even when they are wrong.

During the Audit

During the audit you should always make the guide(s) and process owner(s) aware of any potential non-conformities as you find them. This is their opportunity to clarify the objective evidence for you and to explain why there is not a non-conformity. Often I will refer to the Standard that I am auditing to at this point. I will identify the specific requirement(s) and show the process owner. I will say, “This is what I am trying to verify. Do you have anything that would help address this requirement?” If the process owner is not sure of how to meet the requirement, often I will provide an example of how this requirement is addressed in other areas or at other companies.

If the audit is a multi-day audit, I will review the potential nonconformities at the end of the day and give the auditee the opportunity to provide additional objective evidence in the morning. If it is already the last day of the audit or it is a single-day audit, I will give auditees until the closing meeting to provide the objective evidence. Often I will use this opportunity to explain what would be considered a minor non-conformity and what would be a major non-conformity. Usually I can say, “This is definitely not a major non-conformity, because…”

Closing Meeting

At the closing meeting, the auditee should never be surprised. If an issue remains unfulfilled at the closing meeting, the auditee should be expecting a minor non-conformity—unless the issue clearly warrants a major non-conformity. Since a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” it is difficult for an auditee to argue that an issue does not warrant a minor non-conformity. Typically, the argument is that you are not consistent with other auditors. The most common response to that issue is, “Audits are just a sample, and previous auditors may not have seen the same objective evidence.” The more likely scenario, however, is that the previous auditor interprets the requirements instead of reviewing the requirements with the client and making sure both parties agree before a finding is issued.

A major nonconformity is usually defined as one of the following: 1) “a total absence in the fulfillment of a requirement,” 2) “repetition of a previous nonconformity,” 3) “failure to address a previously identified minor non-conformity”, or 4) “shipment of non-conforming product.” When the auditor is in doubt, then the finding is minor and never a major. For a major non-conformity to be issued there can be no doubt. If a finding is major, the auditee should have very few questions. Also, I find that often the reason for a major non-conformity is a lack of management commitment to address the root cause of a problem. Issuing a major non-conformity is sometimes necessary to get management attention.

Regardless of the grading, all audit findings will require a corrective action plan—even an FDA warning letter requires a CAPA plan. Therefore, a major non-conformity is not a disaster. You just need to create a more urgent plan for action.

Attention Auditors! – Have you read ISO 19011?

In Audit Schedule, Internal Auditing, International Standard, ISO, ISO 19011, PDCA, Procedures, Quality Management Systems on July 20, 2012 at 2:58 pm

If you have ever taken a lead auditor course, one of the critical handouts for the class should have been ISO 19011. The title is “Guidelines for Auditing Management Systems”. In November of last year, this standard was updated and the changes were not superficial.

The background entertainment for this week is one of my favorite modern rock songs, but it never seemed to get much air time. I hope you enjoyed the 90’s.

ISO 19011 covers the topic of quality management system auditing. This Standard provides guidance on managing audit programs, conducting both internal and external audits, and how to determine auditor competency. Improvements to the New 2011 Version of the Standard include:

  1. Broadening the scope to all management systems
  2. Clarifying the relationship between ISO 17021 and ISO 19011
  3. Introduction of the remote audit methods
  4. Introduction of risk as an auditing concept
  5. Confidentiality is a “new” principle
  6. Clause 5, Managing an audit program, was reorganized
  7. Clause 6, Performing an audit, was reorganized
  8. Clause 7, Competence and evaluation of auditors, was reorganized & strengthened
  9. Annex B is new and the contents of the help boxes were moved to this Annex
  10. Annex A now includes examples of discipline-specific knowledge and skills

One of the most common points of confusion in the lead auditor course is the difference between 1st, 2nd and 3rd party audits. In the previous revision of this Standard, this was just a note at the bottom of page 1 and the top of page two. The note was not very clear either. In Table 1 of the new version of 19011 (reproduced below), the difference between these three types of auditing is crystal clear:

The above table is just an example of the improvements made to ISO 19011, and of course there is little value-add to clarifying a definition. Figure 1 from the new version, “Process flow for the management of an audit program”, is a better example of a “value-add”. This vertical flow chart is reminiscent of Figure 1 from ISO 14971:2007. It categorizes the various stages of audit program management into the Plan-Do-Check-Act (PDCA) cycle. I highly recommend this style for presenting any process in your internal procedures as an example of best practices in writing an SOP. The flow chart even references each of the clauses in the Standard. Unfortunately Figure 2, “Typical audit activities”, does not categorize the stages of audit activities (Clauses 6.2 – 6.7 of the revised Standard) into the PDCA cycle. I guess they needed to leave some improvement for the next revision.

The new version retained the opening meeting checklist that was in the previous revision (Clause 6.4.2), and Clause 6.4.9 has a brief closing meeting checklist. Figure 3, “Overview of the process of collecting and verifying information”, is a poor example of a flow chart. Should I make a better one? (Send me an email if you think I should.)

The most valuable changes in this revision are Clause 5.3.2, “Competence of the person managing the audit program”, and all of Clause 7. Most of the audit procedures I read neglect to define the qualifications and method for determining competency of the audit program manager. Clause 5.3.2 tells you how. Put it in your own procedure. Most of the procedures I read include qualifications for a “Lead Auditor”, but I seldom see anything regarding competency. Unfortunately, this Standard only specifically addresses “Lead Auditor” competency in a two-sentence paragraph—Clause 7.2.5. When I teach people how to be a lead auditor, I spend more than an hour on this topic alone.

The Standard would be more effective by providing an example of how 3rd party auditors become qualified as a Lead Auditor. 3rd party accreditation requires the auditor to be an “acting lead” for audit preparation, opening meeting, conducting the audit, closing meeting, and final preparation/distribution of the audit report. This must be performed for 15 certification audits (i.e. – Stage 2 certification or recertification), and another qualified lead auditor must evaluate you and provide feedback.

The last big additions to this Standard were the Appendices. Annex A provides examples of discipline-specific knowledge and skills of auditors. This section is a little on the boring side. I prefer to tell a story about the internal auditor that was auditing incoming inspection—but they had no idea how to check for calibration or how to measure components. Appendix B, the finale, has a table (Table B.1) that provides some guidance on how to conduct remote audits (i.e. – desktop audits). I was pleased to see that conducting interviews is a major part of remote auditing in this table. Section B.7 provides some suggestions with regard to conducting interviews, but if you exhibit all 13 of the professional behavior traits found in Clause 7.2.2 then you really don’t need any advice on how to speak with people. For the rest of us mortals, we could use a five-day course on interviewing alone.

Additional guidelines are available on the ISO website.

The Secret to Successful Training

In Internal Auditing, International Standard, ISO, ISO 13485, Medical Device, QA, QC, Quality, Quality Management Systems, Training on January 7, 2011 at 3:32 am

About 10 years ago my CD collection was stolen and I haven’t heard this tune since. Sass Jordan might be a little raw for your average professional but everyone needs to loosen up sometimes. Just-in-case you were wondering, I think this CD (Rat) was next to the Greatest Hits of Ella Fitzgerald—which they left behind. I love the singing by both women but for very different reasons.

Recently a client asked me to create a training course on how to train operators. I could have taught the operators myself, but there were so many people that needed training that we felt it would be more cost effective to train the trainers.

Usually I have multiple presentations archived that I can draw upon, but this time I had nothing. I had never trained engineers on how to be trainers before—at least not formally. I thought about what kinds of problems other Quality Managers have had in training internal auditors and how I have helped the auditors improve. The one theme I recognized was that most auditors needed feedback.

I finally decided to use the Deming Cycle (Plan-Do-Check-Act, or PDCA) as my framework for the training. Most QA Managers are very experienced and have little trouble planning an audit schedule. The next step is to do the auditing. The problem is that there is very little objective oversight of the auditing process. The Standard requires that “Auditors shall not audit their own work.” Therefore, most companies will opt for one of two solutions for auditing the internal audit process: 1) hire a consultant, or 2) ask the Director of Regulatory Affairs to audit the internal auditing process.

Both of the above strategies meet the requirements of the Standard, but neither strategy helps to make internal auditors better. I have interviewed a lot of audit program managers, maybe 50+, and the most common feedback for auditors is “change the wording of this finding” or “you forgot to close this previous finding.” This type of feedback is related to the report writing phase of the audit process. I rarely hear program managers explain how they help auditors improve at the other parts of the process.

When auditors are first being trained we typically will provide examples of best practices for audit preparation, checklists, interviewing techniques AND reports. After the auditors have been “shadowed” by the program manager for an arbitrary three times the auditors are now miraculously “trained.” Let’s see if I can draw an analogy that will make my point…

That kind of sounds like watching your 16 year-old drive the family car three times and then giving them a license. I guess that’s why my new Ford Festiva was severely dented on all four sides within 6 months. You might think my father was a Saint, but I think he might have totaled his tenth car by age 18. At least I contained the damage to one vehicle.

Anyway, the key to training auditors to audit, or anyone on anything, is consistent follow-up over a long period of time.

The question is…was my training successful?

Well, how much follow-up training of the trainers did the client ask for?
