Dear all,
During the recent audit, the auditor detected that the personnel record of one of our employees was not updated the trainings taken though all the training certificates were filed as per our procedure.
The root cause is that the HR Manager really forget and the corrective proposed is retrain our HR Manager so hat he will apply well our procedure. But the auditor does not accept it.
Please advice me what I have to reply the auditor.
hank you in advance.
Clara

Dear all,
During the recent audit, the auditor detected that the personnel record of one of our employees was not updated the trainings taken though all the training certificates were filed as per our procedure.
The root cause is that the HR Manager really forget and the corrective proposed is retrain our HR Manager so hat he will apply well our procedure. But the auditor does not accept it.
Please advice me what I have to reply the auditor.
hank you in advance.
Clara

Hello Clara,

If this is really a single isolated nonconformity, tell the auditor that you accept the NC, but because this is really a one-time occurrence, you are not going to waste your company's resources on it. This is perfectly in line and in compliance with 8.5.2. Period.

Stijloor.

If the finding is limited to only one case and the root cause is due to human error not due to absence of any procedure or not awareness of that procedure by the HR Manager then it is not an NCR at all.

See Auditor has the rights limited to raise an NC but not to give proposed corrective action unless the auditee asks. So, Accept if it is an NC as per her his words, but do root cause analysis and corrective action with respect o your purview since you are the process owner.

Suresh Kumar
RTW Consultant

Welcome to The Cove Suresh! Good first post.

I agree that retraining is not a fix for this process problem. It is a simple matter, since evidence of training existed in the file. In fact, I am interested in the fact that the registrar did not treat it as an observation because evidence of training did exist in the file.

I have a question about your training record. If you have certificates etc. as evidence of training in the file, why is it important for the HR Manager to enter data in a separate record? I can imagine the human brain's response to filing the certificates as being: "Okay, evidence of training filed. Done."

If it really is important for the separate training record to be updated, then the process could be error proofed somehow. Since people's brains don't have computer routines, training wouldn't ensure the fix will endure. I would ask the HR Manager:

1. If the separate record is really needed, and why.
2. If the separate record really is needed, is there another reasonable way to show this training has taken place?
3. If the separate record is really necessary and there is no better method, what sort of reminder would help make sure the information gets entered every time? Take the answer, try it, see if it works. If it works, go with it. This way, the problem has become part of the solution.

Let's be clear that I am not trying to overthink this. But in the face of a discovery that a procedure is not being followed, the logical course of action is to examine the procedure first to see if it is appropriate, and then to examine ways to follow it if it's really needed. As an internal auditor I advocate simplifying when possible.

Given that this is a useful problem solving exersize, I would not tell the registrar I won't waste my company's resources on it. I would just get through it, and apply the lesson learned to other discoveries.

Welcome to The Cove Suresh! Good first post.

I agree that retraining is not a fix for this process problem. It is a simple matter, since evidence of training existed in the file. In fact, I am interested in the fact that the registrar did not treat it as an observation because evidence of training did exist in the file.

I have a question about your training record. If you have certificates etc. as evidence of training in the file, why is it important for the HR Manager to enter data in a separate record? I can imagine the human brain's response to filing the certificates as being: "Okay, evidence of training filed. Done."

If it really is important for the separate training record to be updated, then the process could be error proofed somehow. Since people's brains don't have computer routines, training wouldn't ensure the fix will endure. I would ask the HR Manager:

1. If the separate record is really needed, and why.
2. If the separate record really is needed, is there another reasonable way to show this training has taken place?
3. If the separate record is really necessary and there is no better method, what sort of reminder would help make sure the information gets entered every time? Take the answer, try it, see if it works. If it works, go with it. This way, the problem has become part of the solution.

Let's be clear that I am not trying to overthink this. But in the face of a discovery that a procedure is not being followed, the logical course of action is to examine the procedure first to see if it is appropriate, and then to examine ways to follow it if it's really needed. As an internal auditor I advocate simplifying when possible.

Given that this is a useful problem solving exersize, I would not tell the registrar I won't waste my company's resources on it. I would just get through it, and apply the lesson learned to other discoveries.

I agree. I think many times we make our systems too complicated. However, if the separate record is needed, then reverse the procedure to enter the information into this separate record before filing the certificate away. Reverse the order so you don't forget.

If the finding is limited to only one case and the root cause is due to human error not due to absence of any procedure or not awareness of that procedure by the HR Manager then it is not an NCR at all.

See Auditor has the rights limited to raise an NC but not to give proposed corrective action unless the auditee asks. So, Accept if it is an NC as per her his words, but do root cause analysis and corrective action with respect o your purview since you are the process owner.

Suresh Kumar
RTW Consultant

That is too broad a statement. Being one incident only or being human error does not determine whether it is an NCR? If the process failed to do what it required, then it is an NC.

Quantity has nothing to do with whether it is an NC, only the severity.

Jennifer makes excellent points, as always. Our brains think a little differently than computers (or most do).

A bigger problem, as I see it, is that your system while attempting to be electronic, still relies upon filing paper copies of certificates (tests, evaluations, etc.) While I am with everyone else in "fixing" the records that the auditor found, I think I would start looking for an alternative that would allow me to keep electronic copies of all those pieces of paper that you are stuffing into a file folder within the training documentation software itself.

We will always have to have private (legal) HR files that are not for ordinary public consumption...but why not find a long term solution for your training, testing, evaluation results that allows you to pull up information from any computer you decide to load your training record software on to? (i.e. scanned copies of tests, certificates, etc., in the training software instead of in some paper file locked in HR?)

Jennifer's point concerning the duplicate records is a pivotal one. It seems that all other actions are based on this.

Typically, a training record for an individual is a compliation of all things are trained to do. This is an excellent AID to the person or supervisor when assigning tasks. A matrix of all available employees and their training status is even more helpful. However, both of these are a compilation of a set of individual records.

An electronic system makes this easy.

a paper system makes this fraught with error opportunities..

That is too broad a statement. Being one incident only or being human error does not determine whether it is an NCR? If the process failed to do what it required, then it is an NC.

Quantity has nothing to do with whether it is an NC, only the severity.The basic problem with that approach is: once a NC is written, corrective action is required. Root cause analysis and corrective action implementation have an associated cost. To incur unnecessary costs to "fix" robust processes is unwise.

Auditors should evaluate the impact of writing an NC. Most experienced auditors do that. Even a process operating at a six-sigma level will have 3.4 defects (NC's) per million opportunities. Should we write up every process that is less than perfect?

A bigger problem, as I see it, is that your system while attempting to be electronic, still relies upon filing paper copies of certificates (tests, evaluations, etc.) ..., I think I would start looking for an alternative that would allow me to keep electronic copies of all those pieces of paper

Steel

Our procedure says that once the paper record is entered into our electronic system, the hard copy is discarded. This has survived numerous customer and several different registrar audits. In fact it was suggested by a registrar (I know they aren't supposed to consult, but the best ones always offer up good ideas).

Dear all,
Thank you for your advices.
According to our procedure, besides the such training records as certificates, attestations... to be filed, the HR Department have to update all the trainings taken on every individual record.
This task is done in order that the HR Dept and managers should know instantly the training status of every employee when evaluating their competence and assigning task.
In my opinion, this finding is limited to only one case and the root cause is due to human error, not due to absence of any procedure or not awareness of that procedure by the HR Manager. So the retraining is a raisonable corrective action. I don’t understand that why the auditor does not accept our prposed corrective action.
I will contact the auditor to explain once again.
Thanks and regards,
Clara

In my opinion, this finding is limited to only one case and the root cause is due to human error, not due to absence of any procedure or not awareness of that procedure by the HR Manager. So the retraining is a raisonable corrective action. I don’t understand that why the auditor does not accept our prposed corrective action.Maybe that registrar is aware that there is a difference between error and awareness.

Training is designed to raise awareness and knowledge. But to my understanding, your HR Mgr knows what to do, but just forgot one. (are you sure it was only one?) So let's see how the training might go:

Trainer: "Now remember, make your entry in XYZ record as well as file the certificate." :whip:

HR Mgr: "Okay."

The question I ask while auditing is this: "Suppose you win the Powerball this weekend and decide to retire and go live the good life. How do we make sure that someone can come right along behind you and take over this process without error or a big delay?"

Have you asked the HR Mgr what would help? If not, why not? You have said, "In my opinion", but this isn't your process. And besides: if this were to happen again (and why wouldn't it? I'm over 45, and I forget stuff) and the registrar caught it (and they are supposed to check again) it would be a repeat finding. And that would not be good.

Please think this through some more before contacting that registrar again.

Steel

Our procedure says that once the paper record is entered into our electronic system, the hard copy is discarded. This has survived numerous customer and several different registrar audits. In fact it was suggested by a registrar (I know they aren't supposed to consult, but the best ones always offer up good ideas).

I agree wiht this method, wholeheartedly, but....there are some things like certifications that you really would like to have copies of. Like Level 3 nondestructive test certifications for example. Or maybe a Journeyman's License? How about EMT certification for plant medical responders? If you pay extra for these skills, you want to keep a record in the training that the skills are there, it would be nice to not have to throw away the copy of the cert/license.

If you have certificates etc. as evidence of training in the file, why is it important for the HR Manager to enter data in a separate record?

This is what I like to do when we have similar audit observations - ask: why are doing this in the first place?

One warning here - the term "human error" is nowadays constantly being recognized as "use error" because the problem the majority of the time is on the process or system or device design instead of the user - this is a usability concern.

In your case it seems that the problem, as mentioned, is related to the commom/special cause NC. If it happened just once, this is something that cannot be corrected because it´s a spkie, not a trend in your process. But i advise you rethink your process trying to find if the root cause isn´t really the process itself.

I agree wiht this method, wholeheartedly, but....there are some things like certifications that you really would like to have copies of. Like Level 3 nondestructive test certifications for example. Or maybe a Journeyman's License? How about EMT certification for plant medical responders? If you pay extra for these skills, you want to keep a record in the training that the skills are there, it would be nice to not have to throw away the copy of the cert/license.

This is probably too radical for most, but once we enter an electronic record of the cert (and its expiry date) we tell the people to keep them in their wallets or take them home for their resume.

Only one reality - the database, otherwise sooner or later there will be a disagreement between paper and computer.

Now someone will ask what if a mistake is made entering the data into the computer. Of course it happens. Basically, I don't care. Enough is enough. We're not going to set up a checker on the checker.

Let's add value, right? I'm working with the boss on the business plan, with design trying to prevent them making the same mistake on the next project, and with sales on understanding what they are signing us up for when they quote. Millions of dollar$ lost in just those 3.

Calibration stickers, rev levels on forms, memorize the quality policy, training records, chicken shi# - that's why executives see no benefit to ISO/TS. Its our fault for bleating on about this stuff.

Let's work the value side (and there is HUGE value) and put forth the minimum effort to comply with the trivia.

The basic problem with that approach is: once a NC is written, corrective action is required. Root cause analysis and corrective action implementation have an associated cost. To incur unnecessary costs to "fix" robust processes is unwise.

Auditors should evaluate the impact of writing an NC. Most experienced auditors do that. Even a process operating at a six-sigma level will have 3.4 defects (NC's) per million opportunities. Should we write up every process that is less than perfect?

Yes, I agree with your premise. Before writing it, evaluate if the issue is worthy of applying formal corrective action.

I was challenging the blanket statement that if it just happened once, it is not an NC. That is not the appropriate criteria. The magnitude of the problem or risk IS the correct criteria.

...Let's add value, right? I'm working with the boss on the business plan, with design trying to prevent them making the same mistake on the next project, and with sales on understanding what they are signing us up for when they quote. Millions of dollar$ lost in just those 3.

Calibration stickers, rev levels on forms, memorize the quality policy, training records, chicken shi# - that's why executives see no benefit to ISO/TS. Its our fault for bleating on about this stuff.

Let's work the value side (and there is HUGE value) and put forth the minimum effort to comply with the trivia.

I certainly agree with your premise, I preach the same thing. However, I do not agree with the broad list of things you dismiss as chicken sh**.

Some of those can lead to very significant issues. They should not be the focus, but they are indicative of a system that is not nailed down, and should be. Then, you have the time to focus on the big stuff.

.... If it happened just once, this is something that cannot be corrected because it´s a spike, not a trend in your process...

A lot of one time problems can and should be fixed. Let's quit making these inappropriate blanket statements.

The standard says the corrective action shall be appropriate to the effects (risks) of the nonconformance. That is a simple statement that gives us flexibility in how to act. That should be the criteria.

I was taught and known from most auditors the definition of NC are these:

1) Major NC is those that could cause breakdown to system or there is an indication of breakdown to the system, or that nonconforming product could be released to customer.

2) Minor NC is other than the above, it is an isolated incidence which could be due to human error.

Throughout my experience with isolated issues, some of the auditors raised a minor NC while others raised it as an OFI.

I was not sure when they should be NC or OFI.

Almost majority of the incidence we had were due to human error, be it:
1) isolated, or
2) many repetitions, or
3) totally not doing to comply with the procedures.

I learned here from Helmut Jilling to apply magnitude principe, and classify them as such:
1) isolated:
1.1) isolated but trivial, be it human error or not, not NC and not OFI.
1.2) isolated but pretty serious or important to correct it to prevent repetition, be it human error or not, could raise an Observatrion or OFI.
1.3) isolated but severe, be it human error or not, shall be an NC, minor or major depend on magnitude.

2) many repetitions:
2.1) even if it is not severe, be it human error or systemic, could raise minor NC.
2.2) if it is severe, be it human error or systemic, raise minor NC if it may not lead to breakdown, or else raise major NC if it could lead to breakdown to the system.

3) totally not doing to comply with the procedures:
3.1) minor NC if not led to breakdown. Corrective action could lead to changes in procedures that are not good instead of retraining human that do not comply with it.
3.2) major NC if could lead to breakdown.

Now one last thing, I am not sure of when should constitute a BREAKDOWN. Could one isolated incidence of a nonconforming product released to customer constitute a breakdown and a major NC, according to the definition posted above?

Can you share with me and teach me from 1,2,3 above, how do you classify them, whether OFI or NC, Minor or Major, or require further consideration with more evidence, etc.

A million thanks to all the covers!:thanks::thanx:

I was taught and known from most auditors the definition of NC are these:

1) Major NC is those that could cause breakdown to system or there is an indication of breakdown to the system, or that nonconforming product could be released to customer.

2) Minor NC is other than the above, it is an isolated incidence which could be due to human error.

Throughout my experience with isolated issues, some of the auditors raised a minor NC while others raised it as an OFI.

I was not sure when they should be NC or OFI.

Almost majority of the incidence we had were due to human error, be it:
1) isolated, or
2) many repetitions, or
3) totally not doing to comply with the procedures.

I learned here from Helmut Jilling to apply magnitude principe, and classify them as such:
1) isolated:
1.1) isolated but trivial, be it human error or not, not NC and not OFI.
1.2) isolated but pretty serious or important to correct it to prevent repetition, be it human error or not, could raise an Observatrion or OFI.
1.3) isolated but severe, be it human error or not, shall be an NC, minor or major depend on magnitude.

2) many repetitions:
2.1) even if it is not severe, be it human error or systemic, could raise minor NC.
2.2) if it is severe, be it human error or systemic, raise minor NC if it may not lead to breakdown, or else raise major NC if it could lead to breakdown to the system.

3) totally not doing to comply with the procedures:
3.1) minor NC if not led to breakdown. Corrective action could lead to changes in procedures that are not good instead of retraining human that do not comply with it.
3.2) major NC if could lead to breakdown.

Now one last thing, I am not sure of when should constitute a BREAKDOWN. Could one isolated incidence of a nonconforming product released to customer constitute a breakdown and a major NC, according to the definition posted above?

Can you share with me and teach me from 1,2,3 above, how do you classify them, whether OFI or NC, Minor or Major, or require further consideration with more evidence, etc.

A million thanks to all the covers!:thanks::thanx:


I think you are starting to understand, my friend...:applause:

Failures do not become OFI's. They need to be fixed. If the magnitude is there, fix it formally as an NC. If it is tiny, just fix it. OFI's are for making pretty good things better.

This is probably too radical for most, but once we enter an electronic record of the cert (and its expiry date) we tell the people to keep them in their wallets or take them home for their resume.

Only one reality - the database, otherwise sooner or later there will be a disagreement between paper and computer.This could work fine in many cases, but the decision should be based on who would care about the certifications, and why.

There would be some that I really would like to keep a copy of: Level III NDT would be one of them, since this person is approving competence of NDT inspectors. The tie breaker is the question of what they are inspecting. If they are inspecting critical systems, then keeping a copy of the certificate--even just a scanned e-copy--seems like a reasonable effort as compared to what might ensue if the courts or regulators asked for it.

But there are a whole lot of circumstances where that wouldn't be the case. Unless the customer, regulator or some other entity says otherwise, just an entry in a database could be enough to serve almost all needs. The organization is tasked with weighing risk and benefit to decide.

I was challenging the blanket statement that if it just happened once, it is not an NC. That is not the appropriate criteria. The magnitude of the problem or risk IS the correct criteria. If it happened just once, this is something that cannot be corrected because it´s a spkie, not a trend in your process. But i advise you rethink your process trying to find if the root cause isn´t really the process itself.A lot of one time problems can and should be fixed. Let's quit making these inappropriate blanket statements.

The standard says the corrective action shall be appropriate to the effects (risks) of the non-conformance. That is a simple statement that gives us flexibility in how to act. That should be the criteria.But correcting a single, isolated, non-systemic failure is not corrective action, but correction. If auditors (internal or external) start writing up findings, for single, isolated, non-systemic issues, they are no longer auditors, but inspectors.

I will grant that, sometimes, an auditor might trigger a corrective action request, in case s/he found a single, but critical problem, and expects the organization to verify more extensively, during root cause analysis, if other instances of the same problem exist. Audits are time constrained and, many times, the auditors can not expand the sample to verify if other occurrences of a non-conformity exist.

But correcting a single, isolated, non-systemic failure is not corrective action, but correction.

No it´s not. A correction is performed to correct a NC that has ocurred . A corrective action is performed to prevent the same NC from ocurring again. A correction acts on the NC that has happened and was detected. A corrective action acts on the root cause of that NC. This is all related to the process and it´s boundaries.

What i was saying is that a ocurrence from a special cause (a "spike" on your process) cannot be classified as a NC simply because you cannot act on the process to correct it´s root cause. Auditors tend to think of ANY ocurrences as non-conformity, and that´s is the problem.

No it´s not. A correction is performed to correct a NC that has ocurred . A corrective action is performed to prevent the same NC from ocurring again. A correction acts on the NC that has happened and was detected. A corrective action acts on the root cause of that NC. This is all related to the process and it´s boundaries.

What i was saying is that a ocurrence from a special cause (a "spike" on your process) cannot be classified as a NC simply because you cannot act on the process to correct it´s root cause. Auditors tend to think of ANY occurrences as non-conformity, and that´s is the problem.

Per ISO 9000:2005:

3.6.6
correction

action to eliminate a detected nonconformity (3.6.2)

NOTE 1 A correction can be made in conjunction with a corrective action (3.6.5).

NOTE 2 A correction can be, for example, rework (3.6.7) or regrade (3.6.8).

No it´s not. A correction is performed to correct a non-onformance that ocurred . A corrective action is performed to prevent the same non-conformance from ocurring again. A correction acts on the non-conformace that has happened and was detected. A corrective action acts on the root cause of that non-conformance. This is all related to the process and it´s boundaries.

What i was saying is that a ocurrence from a special cause (a "spike" on your process) cannot be a non-conformance, simply because you cannot act on the process to correct it´s root cause.

My head has almost exploded from the language-torture that's going on in this thread. First, a "special cause" can be identified and corrected, or done away with, or squished, or whatever you want to call it. We do SPC to help us identify and do away with special causes. Sometimes the causes are elusive and not worth pursuing, true enough, but to say that "...you cannot act on the process to correct..." the root of a special cause is wrong.

Now, having said that, it's doubtful that a CB auditor will be interested in tracking down a "spike," but should be interested in how the auditee has treated it.

Finally, "corrective action" includes fixing the immediate problem ("correction") and attempting to prevent keep it from happening again. If the immediate problem has been addressed, but there is no attempt to identify its cause and prevent stop it from happening again, it might be because the auditee has been negligent, or it might be because there was no good reason to do so. The former case should be an NC in most cases, but not the latter.

What i was saying is that a ocurrence from a special cause (a "spike" on your process) cannot be classified as a NC simply because you cannot act on the process to correct it´s root cause. Auditors tend to think of ANY ocurrences as non-conformity, and that´s is the problem.I agree with that. That is the point I was also trying to make in my previous post.

No it´s not. A correction is performed to correct a NC that has ocurred . A corrective action is performed to prevent the same NC from ocurring again. A correction acts on the NC that has happened and was detected. A corrective action acts on the root cause of that NC. This is all related to the process and it´s boundaries. I am not sure why you say it is not. That is exactly what I said. Correction is fixing the problem. Corrective action is preventing the same problem from recurring.

Hello Sidney

I am not sure why you say it is not. That is exactly what I said. Correction is fixing the problem. Corrective action is preventing the same problem from recurring.

What i was trying to say is, in terms of the standard (as defined), correction and corrective action applies to a NC. As i pointed out, i think that a "single, isolated, non-systemic failure" is not a NC, so the correction and corrective action would not be applicable to the these events. This in terms of requirements from the standards.

As pointed out, a "single, isolated, non-systemic failure" can in fact be corrected and it´s root cause found (altough i still think that it´s very difficult to correct the root cause in terms of process because generally this events have a root cause that are outside your process boundaries or not related to them) but this, in my opinion, would fall outside the scope of the standard (and thus of the auditing).

As i pointed out, i think that a "single, isolated, non-systemic failure" is not a NC, so the correction and corrective action would not be applicable to the these events. This in terms of requirements from the standards.

From ISO 9000:2005

3.6.2
nonconformity
non-fulfilment of a requirement (3.1.2)

Any time a requirement is not met, it is per definition a nonconformity.

Stijloor.

As pointed out, a "single, isolated, non-systemic failure" can in fact be corrected and it´s root cause found (altough i still think that it´s very difficult to correct the root cause in terms of process because generally this events have a root cause that are outside your process boundaries or not related to them) but this, in my opinion, would fall outside the scope of the standard (and thus of the auditing).

How can something that causes a failure in a process not be related to the process?

3.6.2
nonconformity
non-fulfilment of a requirement (3.1.2)

Any time a requirement is not met, it is per definition a nonconformity.

Just because the standard has a broad definition and doesn´t explain the whole literature on quality management, it doesnt mean that everything is everything.

From my point of view, tehre´s some points that have to be taken into account when reading the definition of noncorformity. First, as i said, is that the basics of these standard is the process, and it´s boundaries and special and commom causes and, important but not always remembered, how many times the problem happened. I cannot see a NC when an incident, or whatever, is a "spike" that happened once in a particular time frame, and when uou investigate the root cause you discover that it´s not actionable (mainly because the root cause is not really relkted to the process).

The other, important point is, aswering the question:

How can something that causes a failure in a process not be related to the process?

It can be, when it´s something unforeseeable.

The standards have boundaries. One of the boundaries is that you have to manage things manageable, not natural disasters. So if something is unforeseeable, i cannot see how it can be managed, and, thus, related to the standard, or to the process, or whatever.

Let me try to give an example

...personnel record of one of our employees was not updated the trainings taken though all the training certificates were filed as per our procedure...The root cause is that the HR Manager really forget

Do another training will make the Manager not forget again? Better yet, why he forgot? Let´s say he forgot because he had a terrible headache and a little memory loos, or disorientation.

Now, is a headache foreseeable? Does it happen in a way that can be characterized as a negative trend in the process? Is it related to the process? And what would be the corrective action, give the manager an aspirin everyday to prevent him from having a headache? This i the kind one-of-a-kind, unforeseeable event that might be the real root cause of the problem. Would this be NC? Not in my opinion.

Sorry for the lame example, but you know, it´s saturday night and the beer cans are stocking up :-)))

But correcting a single, isolated, non-systemic failure is not corrective action, but correction. If auditors (internal or external) start writing up findings, for single, isolated, non-systemic issues, they are no longer auditors, but inspectors.

I will grant that, sometimes, an auditor might trigger a corrective action request, in case s/he found a single, but critical problem, and expects the organization to verify more extensively, during root cause analysis, if other instances of the same problem exist. Audits are time constrained and, many times, the auditors can not expand the sample to verify if other occurrences of a non-conformity exist.

Sidney, we are going in a circle here.

"correcting a single, isolated, non-systemic failure is not corrective action, but correction..." OK, but that is not what I said. When you add "non-systemic" to my statement, it changes what I said. If it is non-systemic, it probably won't be significant enough to need a formal corrective action.

But, as I said twice now, the standard does not exempt single events from corrective action. That is not the criteria stated by the standard. It is significance and risk.

I agree that auditors should not focus on nickle dime stuff. But, if there is a single incident customer complaint, they are probably going to request/demand corrective action.

The criteria clearly stated is based on the significance and risk. "non-systemic failure" probably would not meet that level, but single failures that are significant or have risk DO usually need corrective action.

Auditors must use their judgement as to significance, not whether it is single or a number of incidents.

That is what the standard states pretty clearly. We should not make other rules, as some in this thread were beginning to. That is why I spoke up.

That is not the criteria stated by the standard. It is significance and risk.

The criteria clearly stated is based on the significance and risk.

That is what the standard states pretty clearly. We should not make other rules, as some in this thread were beginning to. That is why I spoke up.Actually, the standard states that the organization must evaluate the need for action to ensure that nonconformities do not recur, which gives an opening for a decision as to no corrective action necessary for a non-conformity. And then the standard states
Corrective actions shall be appropriate to the effects of the nonconformities encountered. So, significance and risk are not clearly stated anywhere in the standard, even though it is a sensible proposition that they should be considered, in order to determine appropriateness of a corrective action. Since you are trying to ensure that we don't create rules, I am just pointing out that significance and risk are not clearly stated in the standard, contrary to your assertion.

Actually, the standard states that the organization must evaluate the need for action to ensure that nonconformities do not recur, which gives an opening for a decision as to no corrective action necessary for a non-conformity. And then the standard states

So, significance and risk are not clearly stated anywhere in the standard, even though it is a sensible proposition that they should be considered, in order to determine appropriateness of a corrective action. Since you are trying to ensure that we don't create rules, I am just pointing out that significance and risk are not clearly stated in the standard, contrary to your assertion.


You are correct, I was going on memory, and should not do that.

ISO 9001:2000:

"8.5.2 Corrective action
The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence.
Corrective actions shall be appropriate to the effects of the nonconformities encountered."

TS adds:

"8.5.2.1 Problem solving
The organization shall have a defined process for problem solving leading to root cause identification and elimination.
If a customer-prescribed problem-solving format exists, the organization shall use the prescribed format."




My previous wording was paraphrased from the previous TS1/QS-9000 (which is of course obsoleted):

General - 4.14.1

The supplier shall establish and maintain documented procedures for implementing corrective and preventive action.

Any corrective or preventive action taken to eliminate the causes of actual or potential nonconformities shall be to a degree appropriate to the magnitude of problems and commensurate with the risks encountered.

This specific wording is obsolete, however I think it would be fair to make the case that while worded differently, it is still saying essentially the same thing -

Corrective actions shall be appropriate to the effects of the nonconformities...


The actions shall be appropriate to the [bad] effects (ie: significance, risks, magnitude, etc.). Whether it is one occurance or several is not the criteria. The more significance or bad effects an NC issue has, the more significant the corrective action must be.


We both agree the auditor or issuer of the CA must exercise judgement as to how significant the effects are, and apply that judgement when deciding whether a formal CA must be exercised. Nickel and dime things can often just be fixed.


I was just trying to make the case that we cannot make blanket rules that if it was just one occurance, then corrective action is not possible, or required. That may or may not be accurate. That assertion is not appropriate, and misdirects this vital activity.

I see a lot of discussion, with most of our friends giving various useful solutions. However I would like to go back to the point mde initially. And I quote

"During the recent audit, the auditor detected that the personnel record of one of our employees was not updated the trainings taken though all the training certificates were filed as per our procedure."

Note, 'All the training certificates were filed as per our procedure'. As per the Standard, evidence of training having been satisfactorily imparted is available since there is a certificate issued after the training. Non-updating of employee's record is really a clerical work which if missed is at most an observation, even if you have included it in your procedure. The NC therefore in my opinion, ignores the spirit of the ISO standard requirement.

As a QMS consultant and also as an auditor. I would recommend you simplify your procedures. At every step ask your self "why is this procedure necessary" and "which clause of the standard calls for this"

Please explain to the certifying body and request them to down grade this"no-conformity" to Observation.

Good luck!

I see a lot of discussion, with most of our friends giving various useful solutions. However I would like to go back to the point mde initially. And I quote

"During the recent audit, the auditor detected that the personnel record of one of our employees was not updated the trainings taken though all the training certificates were filed as per our procedure."

Note, 'All the training certificates were filed as per our procedure'. As per the Standard, evidence of training having been satisfactorily imparted is available since there is a certificate issued after the training. Non-updating of employee's record is really a clerical work which if missed is at most an observation, even if you have included it in your procedure. The NC therefore in my opinion, ignores the spirit of the ISO standard requirement.

As a QMS consultant and also as an auditor. I would recommend you simplify your procedures. At every step ask your self "why is this procedure necessary" and "which clause of the standard calls for this"

Please explain to the certifying body and request them to down grade this"no-conformity" to Observation.

Good luck!

Welcome to the Cove, Jupitor:bigwave:

An excellent first post that gets to the heart of the matter and brings things back into focus. It does indeed appear to be a minor clerical error, and there doesn't appear to be any evidence of a systemic problem.

Welcome Jupiter! That was a very good first post. :applause:

I am going to make a guess that since this was a part of the procedure, and our poster has said it is important, the registrar is unlikely to downgrade the nonconformance.

But your advice is still correct. I would just like to add "How we will ensure it gets done" to your steps. My "training won't help" argument wasn't received well by everybody, but this situation shows us just what problems can arise from a labor intensive process. The standard is being satisfied as far as records go: the training certs existed. (We won't go into the question of competence. That is a topic for another day)

Since the poster has declared the e-entry is important, I advised to go back and ask the process owner what would help. I don't accept notions that sound like the QA person's opinion when it's not his or her process. I want Clara to take the problem to its source: the HR manager.

I am going to make a guess that since this was a part of the procedure, and our poster has said it is important, the registrar is unlikely to downgrade the nonconformance.


Clara has two posts in this thread, including the original, and she doesn't characterize the error as "important" in either of them. She says, This task is done in order that the HR Dept and managers should know instantly the training status of every employee when evaluating their competence and assigning task.

We don't know if it's important for the managers to be able to ascertain training status "instantly," and if it is important, how important. If the degree of importance rises to the level of human error being unacceptable, then there is probably need for the process to be reconsidered, and the NC would be justified. The expense attendant upon totally error-proofing a process like this must be weighed against the potential benefits and risks, and in most cases it wouldn't be justifiable.

You're right Jim. Those were good points. :agree1:

No it´s not. A correction is performed to correct a NC that has ocurred . A corrective action is performed to prevent the same NC from ocurring again. A correction acts on the NC that has happened and was detected. A corrective action acts on the root cause of that NC. This is all related to the process and it´s boundaries.

What i was saying is that a ocurrence from a special cause (a "spike" on your process) cannot be classified as a NC simply because you cannot act on the process to correct it´s root cause. Auditors tend to think of ANY ocurrences as non-conformity, and that´s is the problem.

Is this line of reasoning really sound? I question it in the light of this real-life situation:

Process - change hydraulic fluid
Nonconformity - spill 600 gallons
Cause - employee forgot to close drain valve
Correction - clean up mess
Corrective action - ????

The quoted reasoning seems to say corrective action is not possible here. It is, after all, a "spike" in the process. The employee forgot to close the drain valve just as the HR manager in the parent post forgot to make an entry in the training database.

But I don't think it follows that acting on the system won't reduce the chances of this happening again. How better visual signals? Or error proofing the drain valve with a dead-man switch? These are actions within the boundary of the system, and would qualify as corrective action, I believe.

I think the confusion here is the mis-use of the operational definitions of common cause and assignable/special cause. We must remember that these are operatational definitions, limited in scope and useful for a very special situation: responding to process fluctuations with actions that are looking for something that changed or did not. The definition does not apply to "inside" or "outside" the process. It refers to normal levels of all input factors. A factor that suddenly changes levels is still part of the process, it's just that the factor ahs gone to a level not normally seen. All processes can improved regardless of common or special causes of variation. or whether or not the 'defect' is a result of variation or error as in this case.

we really don't have that situation going on and the standard doesn't overtly recognize the applicablility of "SPC thinking" when identifying and requiring action on nonconformities. This particular event is not a NC to the standard but to internal procedures. it is relatively trivial. can corrective action to prevent re occurence be taken. Absolutely. from changing the process to eliminate teh need for dual records to automating the process so that a single entry can be reported multiple ways: by operation, operator or department etc.

It is interesting that the standard requires correction as to cause for internal audits but not for registration or other second or third party audits.

Is this line of reasoning really sound? I question it in the light of this real-life situation:

Process - change hydraulic fluid
Nonconformity - spill 600 gallons
Cause - employee forgot to close drain valve
Correction - clean up mess
Corrective action - ????

The quoted reasoning seems to say corrective action is not possible here. It is, after all, a "spike" in the process. The employee forgot to close the drain valve just as the HR manager in the parent post forgot to make an entry in the training database.

But I don't think it follows that acting on the system won't reduce the chances of this happening again. How better visual signals? Or error proofing the drain valve with a dead-man switch? These are actions within the boundary of the system, and would qualify as corrective action, I believe.

Hello CliffK
I don´t see things as you put it. In my opinion:

Process - change hydraulic fluid
Nonconformity - employee forgot to close drain valve (because the requirement, which wasn´t fulfilled, was to close the drain valve)
Cause - why did the forget? The cause is the cause of his forgetfullnes
Correction - clean up mess
Corrective action - this depends on why the employee forgot to drain the valve.

Altough the reasons for the forgetfullnes could be difficult to discern, let´s focus on another side of the problem, the situation of the process at the time of the problem.

If there´s no controls or not enough control (as in your examples, there´s not enough visual signals, or there´s no switch), then the process could be acted upon, but keep in mind that if the process is in this poor condition, the probability that this situation happen would be high. And again, in my opinion, if it happened once, there´s no way i would say it´s a NC in an auditing. Surely the auditee would need to investigate, and even make an corrective action if he found that the controls are not enough.

But what i was thinking in my example was the situation when the process already has enough controls (which seems to be the case on the example that started this discussion). There´s visual signs. Theres a control switch. And even then the employee forgot to close the drain valve. What can be done?

Well, i don´t think anything could be done to the process. More controls in this situation is not a guarantee that the problem would not happen again.

As always, the point is "does it add value"?

I know that this line of thinking is not the usual one, but i try to stick to it as a counterpoint to auditors that give a NC for every event that´s a NC in the system (i think it would be a really improvement if people tried to differentiate system NCs from audit NCs).

Cheers :-)

Dear mmantunes,

I know what you mean. Auditor should only raise NC when it is good for the auditee and aims at customer satisfaction for the auditee.

But I think Cliffk is right that "spill 600 gallons" is a Nonconformity, not "employee forgot to close drain valve". I think "employee forgot to close drain valve" is the cause for "spill 600 gallons". And, "his forgetfullnes" could be the "root" cause for "employee forgot to close drain valve".

Anyway, I agree, we may not need to raise it as an NC that require Corrective Action as a quality management system auditor, because it is an isolated incidence and if it does not cause quality issue.

However, I think, as we all agree here, as an auditor, we may not be sure of its impact and may not have time to explore further, we should just raise it as an Observation for the auditee to take note. But the auditee may initiate an action to prevent it from recurrence as "spill 600 gallons" is very costly and adversely impact the environment. Is this Corrective Action as there is not nonconformity but just an Observation from the auditor? Or just a Preventive Action because there isn't a nonconformity yet? Yes, it doesn't matter, most importantly is to solve the problem.

You know that the purpose of Error-proof or so-called idiot-proof is to prevent human error? It could be used to prevent us from forgetting to close the drain valve!

Heloo Pinpin

Good points!

Still, i do not agree with the interpretation of what is the NC.

As Stijloor remembered some posts ago

From ISO 9000:2005

3.6.2
nonconformity
non-fulfilment of a requirement (3.1.2)

So if what you and CliffKsay is correct ("spill 600 gallons" is the NC - and i´m pretty sure a lot of poeple thinks that way) then the requirement would be "do not spill 600 gallons" or "do not spill anything"? This seems to me more of a commercial issue than a requirement for an auditor to check (as you yourself know when you said "spill 600 gallons is very costly and adversely impact the environment"). I do know it´s very costly and all, but these are not really QMS requirements, they´re commercial issues that came from QMS requirements. In my opinion, as they´re different to each manufacturer (it might be that 600 gallons are not this costly to some, and even that they may not impact the environment) they should not be included in the audit criteria, simply because the the opinion of it´s impact depends on the auditee, not on the auditor.

That´s why i still think the NC here, from a QMS auditor perspective, would be that someone forget to follow a procedure.

I know that a lot of people would say that the NC is "spill 600 gallons" simply because it´s the action that´s easy to see. And it´s easy to point as a NC and to request a corrective action. But this is just one of the cases i was talking about, a mistakenly identified NC with a mistakenly requested corrective action that will add no value to the process (keep in mind that this situation has to have the boundaries i mentioned before, i.e., the process already have enough controls).

Hello Bev D

...the standard doesn't overtly recognize the applicablility of "SPC thinking" when identifying and requiring action on nonconformities

You´re correct, the standard does not asks for this SPC thinking.

But, as in all standards, just because it doen´t say it doen´s mean you should not use ( i always think that a standard cannot explain all the past research on the subject because it would become a bible - so this depends on the knowledge of the reader about the subject)

There´s 3 fact i always try to remember in this case:

1 - QMS standards were born based on these quality control thinking

2 - the standards are based on the "process approach" so why should we not use process tools (the SPC thinking for example) to apply the standard?

3- not having a clear, technical and sound approach to identifying and requiring action on NCs leave this decision up to the auditor, which means that it´s real easy to go beyond what is required by an audit. And this happens a lot.

I agree with caster statements. But, registrar shall consider the severity of the error and impact on the QMS before defining it as a NCR. But, we cant define it as an NC but as an observation.

Suresh kumar

I agree with caster statements. But, registrar shall consider the severity of the error and impact on the QMS before defining it as a NCR. But, we cant define it as an NC but as an observation.

Suresh kumar

Can you be sure that when there is an NC there must be a CA? Anywhere in ISO/TS or Certification Bodies' definition say so?

Some posts here already pointed out that:
1) A NC is a nonfulfillment....
2) CA shall be commensurate ....

So why can't a NC be raised as an Observation for auditee to take note to prevent?

Heloo Pinpin

Good points!

Still, i do not agree with the interpretation of what is the NC.....

That´s why i still think the NC here, from a QMS auditor perspective, would be that someone forget to follow a procedure.

.....



Actually, Cliffk just simply quoted an example without putting a lot of attention in the description about the requirement of "Process - change hydralic fluid". Let's treat it to include not to spill ok?:D

Anyway, as per what you said that the NC is "someone forget to follow a procedure", then you actually mean the requirement shall be "SHALL NOT FORGET to follow the procedure"! Is this correct?;):)

Again, anywhere in ISO/TS or Certification Bodies' definition say that when there is a NC there must be a CA? Why can't a NC be raised as an Observation for auditee to take note to prevent rather than saying it must be resulted in CA?

Does the audit involved in verifying the differentiation between an Observation and a NC?

Anyway, as per what you said that the NC is "someone forget to follow a procedure", then you actually mean the requirement shall be "SHALL NOT FORGET to follow the procedure"! Is this correct?

Haha, you got me...in fact, the requirement would be to follow the procedure and the NC that the procedure wasn´t followed. But the cause would still be "why it wasn´t followed", and, in my example, as the employee forgot, the real root cause would be "why did he forget?".

Again, anywhere in ISO/TS or Certification Bodies' definition say that when there is a NC there must be a CA? Why can't a NC be raised as an Observation for auditee to take note to prevent rather than saying it must be resulted in CA?

Well, to me this is the problem, because (using the generic ISO 9001) the standard requires that every NC needs a correction and corrective action.

See, for example, in the ISO 9001 auditing practices group webpage (http://isotc.iso.org/livelink/livelink/fetch/2000/2122/138402/138403/3541460/customview.html?func=ll&objId=3541460&objAction=browse&sort=name) the document "Guidance for reviewing and closing nonconformities (http://isotc.iso.ch/livelink/livelink.exe/3634667/APG-ReviewNonconformity.doc?func=doc.Fetch&nodeid=3634667)"

So, if the auditor gives a NC, therem must be a correction and corrective action. My point in this discussion is that there are some situations which cannot have further controls, and no corrective action, so they should not be given as an NC in an audit.

Dear mmantunes,

These were extracted from the document you mentioned:

Nonconformity: non-fulfillment of a requirement (ISO 9000:2000, clause 3.6.2)

Correction: action to eliminate a detected nonconformity (ISO 9000:2000, clause 3.6.6)

Corrective action: action to eliminate the cause of a detected nonconformity or other undesirable situation (ISO 9000: 2000, clause 3.6.5)

Please note, correction can be by its own to eliminate the NC without the need for CA! So, raise a NC does not mean must lead to CA!:D

Also, let's think of the benefit to be derived before we continue on the root causes for why it is forgotten further and furher ok?;)

Hello Pinpin

I think you´re misunderstading what is written. Quoting myself from some posts ago:

A correction is performed to correct a NC that has ocurred . A corrective action is performed to prevent the same NC from ocurring again. A correction acts on the NC that has happened and was detected. A corrective action acts on the root cause of that NC. This is all related to the process and it´s boundaries.

The corrent corrects the error. In the example, a corrction would be to close the valve. The correction do eliminate the NC that has hapened, but does not prevent it from happening.

The CA correct s the root cause of the error to prevent it from happening again. In my example, the root cause would be the forgetfullness. So you have to act on that, which in some cases cannot be acted. This is what the standard requires.

And, about the benefit, that´s what i´m saying, there´s no need to look further because there would be no value in any action.

So, if the auditor gives a NC, therem must be a correction and corrective action. My point in this discussion is that there are some situations which cannot have further controls, and no corrective action, so they should not be given as an NC in an audit. I am not aware of any auditor who will first determine if a situation cannot have further controls before assigning a nonconformance. That is not the registrar's prerogative.

That is right, no need to go furhter for such an isolated issue which is not serious. :lol:

I found that the problem is that people used to think that a NC is meant for severe ones and must lead to CA, and not agreeing that an isolated and not serious indicence is also an NC but worded as Observation.

Anywhere in those APG documents say that NC is meant for severe ones? You would say it is implied right? Neither did it says that an isolated and not serious incidence ia not a NC which a simple correction is enough.

Anyway, we decide base on severity, be it Correction or CA, as long as it is commensurate....I want a simple life.:lol::magic:

I have pushed the issue of training down to our department levels. The department managers know their people best and the type of training they require. An annual training plan is required from each manager prior to the new year and it is posted on our public QMS drive. Training records are maintained by the department manager as well, not HR. It is much easier to talk to the manager about training during an internal and external audit.

This is the third company I have worked with on ISO 9001:2000 and this has worked really well.

Thank you all for making me think! :thanx:

ISO Chick

Now does anyone have a great Corrective Action training presentation?!

I have pushed the issue of training down to our department levels. The department managers know their people best and the type of training they require. An annual training plan is required from each manager prior to the new year and it is posted on our public QMS drive. Training records are maintained by the department manager as well, not HR. It is much easier to talk to the manager about training during an internal and external audit.

This is the third company I have worked with on ISO 9001:2000 and this has worked really well.

Thank you all for making me think! :thanx:

ISO Chick

Now does anyone have a great Corrective Action training presentation?!

I also think this is the best way to manage the training program.

What happens if the first-line manager responds with "no training needed?"

Cliff,

The managers don't have that progrative. ISO 9001:2000 training must occur annually as well as any OSHA required training (portable fire extingishers). If a nonconformance is found within the department during an internal or external audit and the root cause analysis reveals a failure in the process, I insist on additional training. I monitor the training plans, CARs and audit results to be sure the managers are being responsible.

:D