13485cert

Posts Tagged ‘ISO’

How to Issue a Major Non-Conformity with a Smile

In Internal Auditing on March 18, 2013 at 5:37 pm

audit_smile_announcement

As an auditor, one of the most important (and difficult) things for you to learn is how to issue a non-conformity—especially a major. This is normally done at the closing meeting of an audit, but the closing meeting is not where the process of issuing the non-conformity begins. Issuing a non-conformity actually starts in the opening meeting.

ISO 19011:2011 is the official guidance document for auditors of Quality Management Systems. Section 6.4.2 of this Standard explains the best practices for an opening meeting. The last five items in this section are critical to preparing the client for potential non-conformities:

  1. the method of reporting audit findings including grading, if any;
  2. the conditions under which the audit may be terminated;
  3. time and place of the closing meeting;
  4. how to deal with possible findings during the audit;
  5. the system for feedback from the auditee on the findings or conclusions of the audit,
  6. the process for complaints and appeals.

Methods of Reporting and Grading

The auditor should be crystal clear in their description of minor and major nonconformities or any other grading that will be used. The auditor should also make it clear that they are looking for conformity rather than non-conformity. This is an audit—not an inspection. Typically, a minor nonconformity is described as “a single lapse in the fulfillment of a requirement” while a major nonconformity is described as one of the following: 1) “a total absence in the fulfillment of a requirement,” 2) “repetition of a previous nonconformity,” 3) “failure to address a previously identified minor non-conformity”, or 4) “shipment of non-conforming product.” When the auditor is in doubt, then the finding is minor and never a major. For a major non-conformity to be issued there can be no doubt.

Conditions for Termination

The option to terminate an audit is typically reserved for a certification audit where a major non-conformity is identified and there is no point in continuing. Termination is highly discouraged, because it is better to know about all the minor and major non-conformities now instead of waiting until the certification audit is rescheduled. The certification body will charge you for their time anyway.

Another reason for termination is when an auditor is being unreasonable or inappropriate. This is rare, but it happens. If the audit is terminated you should always being communicating this to upper management at the certification body and the company—regardless of which side of the table you sit. For FDA inspections this is not an option. For audits performed by Notified Bodies, there is the possibility of suspension of a certificate in response to audit termination. Therefore, I always recommend appealing after the fact instead of termination. Appealing also works for FDA inspections.

Closing Meeting

The closing meeting should be conducted as scheduled and the time/location should be clearly communicated to upper management in the audit agenda and during the opening meeting. Top management won’t be happy about non-conformities, but failure to communicate when the closing meeting will be conducted will irritate them further.

How to Deal with Findings

All guides and auditees should be made aware of possible findings at the time an issue is discovered. This is important so that an auditee has the opportunity to clarify the evidence being presented. Often non-conformities are the result of miscommunication between the auditor and auditee. This happens frequently when the auditor has a poor understanding of the process being audited. It is a tremendous waste of time for both sides when this occurs. If there is an actual non-conformity, it is also important to gather as much objective evidence as possible for the auditor to write a thorough finding and for the auditee to prepare an appropriate corrective action plan in response to the finding.

feedbackFeedback from the Auditee

I always encourage auditees to provide honest feedback to me directly and to management so that I could continue to improve. If you are giving feedback about an internal auditor or a supplier auditor, you should always give feedback directly before going to the person’s superior. You are both likely to work together in the future, and you should give the person every opportunity to hear the feedback first-hand.

When providing feedback from a 3rd party Certification Audit, you should know that there will be no negative repercussions against your company if you complain directly to the Certification Body. At most, the Certification Body will assign a new auditor for future audits and investigate the need for taking action with the auditor. In all likelihood, any action taken will be “retraining.” I never fired somebody for a single incident—unless they broke the law or did something that was unsafe. The key to providing feedback, however, is to be objective. Give specific examples in your complaint, and avoid personal feelings and opinions.

Complaints and Appeals

As the auditee, you should ask for the contact information at the certification body during the opening meeting. Ask with a smile—just-in-case you disagree and so you can provide feedback (which might be positive). As the auditor, you should always make the contact information for the certification body available. If you are conducting a supplier audit or an internal audit, you probably know the auditor’s boss and there is probably no formal complaint or appeals process. In the case of a supplier audit, the customer is always right—even when they are wrong.

During the Audit

During the audit you should always make the guide(s) and process owner(s) aware of any potential non-conformities as you find them. This is their opportunity to clarify the objective evidence for you and to explain why there is not a non-conformity. Often I will refer to the Standard that I am auditing to at this point. I will identify the specific requirement(s) and show the process owner. I will say, “This is what I am trying to verify. Do you have anything that would help address this requirement?” If the process owner is not sure of how to meet the requirement, often I will provide an example of how this requirement is addressed in other areas or at other companies.

If the audit is a multi-day audit, I will review the potential nonconformities at the end of the day and give the auditee the opportunity to provide additional objective evidence in the morning. If it is already the last day of the audit or it is a single-day audit, I will give auditees until the closing meeting to provide the objective evidence. Often I will use this opportunity to explain what would be considered a minor non-conformity and what would be a major non-conformity. Usually I can say, “This is definitely not a major non-conformity, because…”

closingClosing Meeting

At the closing meeting, the auditee should never be surprised. If an issue remains unfulfilled at the closing meeting, the auditee should be expecting a minor non-conformity—unless the issue clearly warrants a major non-conformity. Since a minor nonconformity is described as “a single lapse in the fulfillment of a requirement,” it is difficult for an auditee to argue that an issue does not warrant a minor non-conformity. Typically, the argument is that you are not consistent with other auditors. The most common response to that issue is, “Audits are just a sample, and previous auditors may not have seen the same objective evidence.” The more likely scenario, however, is that the previous auditor interprets the requirements instead of reviewing the requirements with the client and making sure both parties agree before a finding is issued.

A major nonconformity is usually defined as one of the following: 1) “a total absence in the fulfillment of a requirement,” 2) “repetition of a previous nonconformity,” 3) “failure to address a previously identified minor non-conformity”, or 4) “shipment of non-conforming product.” When the auditor is in doubt, then the finding is minor and never a major. For a major non-conformity to be issued there can be no doubt. If a finding is major, the auditee should have very few questions. Also, I find that often the reason for a major non-conformity is a lack of management commitment to address the root cause of a problem. Issuing a major non-conformity is sometimes necessary to get management attention.

Regardless of the grading, all audit findings will require a corrective action plan—even an FDA warning letter requires a CAPA plan. Therefore, a major non-conformity is not a disaster. You just need to create a more urgent plan for action.

If I had a rocket launcher…

In Elsmar Cove, International Standard, ISO, ISO 13485, Management Representative, Management Responsibility, QA, Quality, Quality Management Systems on January 21, 2011 at 12:53 am

This week’s music video selection was recommended by my friend Greg. We were eating dinner together at 1776, and he was kind enough to share this amazing musician with me. I’m not a guitarist but he pointed out that Bruce Cockburn has a very unique style. He plays three different parts simultaneously. His thumb plays base on the top string while the other fingers play two separate melodies. WOW!

                 Are you frustrated? Do you wish for a rocket launcher? Maybe you would aim it at the C-level offices and pull the trigger.

                Sometimes we hear phrases like: “Well that’s just an ISO requirement.” This obvious lack of support by top management is what frustrates every Management Representative in the world.

                There was a question posted on the Elsmar Cove website on January 10th (see previous blog for the link). In just 10 days there have been 153 postings in response to the original question. As I read through the various postings I saw several comments about a lack of support by top management. Rocket launchers are NOT the answer, but maybe a heavy bat…

                A little over a decade ago I was still learning how to supervise people. In an effort to educate myself further, I read a book (sorry can’t be sure which book anymore). In this book, the boss gave an employee a card with a picture of a baseball bat on it. The instructions provided with this magical card were to use it only when the boss failed to pay attention and the employee had something important to tell him.

                We all wish for a magical baseball bat, but unfortunately we are M-A-N-A-G-E-R-S. Along with the awesome title comes awesome responsibility. Managers are responsible for leading others. Subordinates are not the “others” I am referring to. The “others” are peers. If you cannot persuade your peers to support you, then you will fail as a manager. The Quality Department cannot fix all the problems. In fact, my philosophy is that Quality is responsible for recommending improvements, training people, and helping to implement. We assign corrective actions, but we should be assigning them to the process owner (i.e. – Manager) that is responsible for the area where the problems were created.

                If you need help persuading the unenlightened, try picking a project that is critical to the success of the stubborn one. If you can show someone that is currently a detractor how they can apply the Quality principles to help solve their problems, then you will have a convert. Converts become strong supporters. If the stubborn one happens to be at the top, figure out what the CEO’s initiatives are. Initiatives are easy to identify; they talk about it at least twenty times a week. Try showing the CEO how their initiatives can become Quality Objectives. Show them with graphs. Show up with solutions to their problem. Use the CAPA process as a framework. Show them how the management TEAM can fix it.

                If nothing seems to be working, you can always try reviewing some FDA MedWatch reports too–just to scare the crap out of the boss.

Management Representative

In Elsmar Cove, ISO, ISO 13485, Management Representative, Management Responsibility, QA, Quality, Quality Management Systems on January 18, 2011 at 5:05 pm

The video music selection for this week was a tune I heard at a restaurant called “1776” in Crystal Lake, IL. The restaurant played Chris Isaak recordings for the entire meal. Maybe the satellite radio station was stuck on the letter “I”.

 The idea for this posting was from a thread I found on Elsmar Cove:

http://elsmar.com/Forums/showthread.php?t=45658

One person posted a question about the requirement for the Management Representative (MR) to be a member of the organization’s management (see section 5.5.2 of ISO 9001:2008). Companies that are seeking initial certification sometimes struggle with this requirement. Some struggle because they do not have anyone in-house that is sufficiently trained to be the MR. Other companies struggle, because they are very small and outsource their QA functions to a consultant. The following blog is targeted at helping these companies.

     I audit companies to the ISO 13485 (medical QMS) & 9001 (QMS) Standards. The intent of both Standards was always to have the MR be part of management, but some companies did not interpret the Standards in this way. With the 2008 revision of 9001, the possibility of misinterpreting the meaning is much less likely. The companies that receive findings during the Stage 1 or Stage 2 audit for this requirement usually fall into one of two categories. Category #1: our company is small and the only person that really knows enough about ISO requirements is not a member of management. Category #2: our company is small and we outsource QA functions.

   The good news is that any manager can be assigned the responsibility of being MR. One of my clients assigned this responsibility to the VP of Sales. Another company assigned this responsibility to the Director of R&D. Both of these individuals had to put in the time to learn about Quality Management Systems, but both have embraced the challenge and I have learned a lot from them. They have a different perspective and bring a lot of value to the MR role.

    The bad news is: whomever you assign has to learn enough to be competent in the role.

   The definition of “Management” is typically a stumbling block. Most people think of managers requiring that they have other people reporting to them. This is not an absolute. The MR should report directly to a top manager such as the President or CEO to prevent conflicts of interest. As a manager, they should not require a lot of direct supervision and the President or CEO should not be overly burdened by adding one person to their list of direct reports.

   Some auditors like to see a “deputy MR” identified. My advice is to have the CEO or President sufficiently trained that they can be the “back-up” when the MR is on vacation. Every manager should know enough about their subordinate’s job duties that they can “fill in.”

   MR’s should be involved in senior staff meetings too, but not necessarily at the same frequency as every other senior staff manager. Typically operations and sales have the most frequent meetings with the CEO–often weekly. Finance is typically monthly. HR and the MR might be bi-monthly or Quarterly. Communication of the status of Quality Objectives should be regular reports to all senior staff, but you don’t have to have a Management Review to communicate the status. If the company is small enough to have only one QA person, there probably isn’t a need for more than one or two management review meetings per year.

   If your company has a finding against clause 5.5.2, I recommend the following actions:

1. Assign a person that is already a member of your senior staff as MR

2. Document the responsibility in the person’s job description

3. Document the responsibility in the org chart

4. Assign the person’s direct supervisor (typically the CEO or President) as a “deputy MR”

5. Find a good webinar on ISO training for the new MR and their boss (ideally one with a quiz and a certificate)

6. Have the new MR develop a 45 minute presentation for the senior staff on the topic of Management Responsibilities. This training should cover all of section 5 in the Standard.

7. Give the senior staff a 15 minute multiple choice quiz to evaluate effectiveness of the training.

8. Have the new MR discuss delegation of various management review inputs (see section 5.6.2) with their boss. Quality should be a shared responsibility and Management Reviews will be more effective if everyone takes part.

%d bloggers like this: