ISO 9001:2000 Registration Audit Findings by Registrars
HFowler 2nd January 2002, 04:47 PM I would be curious as to what types of nonconformances registrar auditors are finding during ISO 9001:2000 audits. Is anyone willing to share this type of information? It would give us all a better idea of what auditors are expecting to see with the new standard.
I'm planning on attending a seminar on ISO 9001:2000 later this month and I'm looking for some good questions to present in order to get the most out of my time there.
Best Regards,
Hank Fowler
:confused:
KenS 2nd January 2002, 05:06 PM Having been present at three audits under the 2000 standard I found the majority of "findings" to be under section 5, QA's nemesis, MANAGEMENT. Approximately 75% of the findings at any of the audits (mostly minors) were a direct result of top level management, as documented in the Manual, having little or no knowledge of the QMS. I was able to "take care of" almost all of these findings by the end of the audits by showing the auditor the documentation and explaining that the top level bozo didn't understand the questions. In one case the auditor was willing to let me rephrase the questions in terms management could understand. Of course, management blamed everything on the MR for not explaining things fully before the audit.
The other area of contention was Section 8.5.3, Preventive Action. Seems to be disagreement between auditors as to what constitutes Preventive Action and what constitutes Corrective Action.
CarolX 2nd January 2002, 05:39 PM Hello KenS,
The other area of contention was Section 8.5.3, Preventive Action. Seems to be disagreement between auditors as to what constitutes Preventive Action and what constitutes Corrective Action.
I wonder if you could expand on this a little more. I would be interested to know what the disagreements are.
Regards,
CarolX
KenS 3rd January 2002, 09:16 AM Had to look over my notes last night so I get this right. Understand that this was a company of about 60 employees that jumped into ISO with both feet, 110%. For some reason they thought that if they worked with this it would make their jobs easier and they would have less problems. Crazy, isn't it?
Anyway, the MR set up a system that documented ALL problems during production. She generated CARs as necessary and also utilized the system to "look for" areas of preventive action. The action that started the problem concerned an o-ring problem. She generated a CAR for that o-ring and knowing there were four others in the assembly wrote a Work Instruction on proper assembly of the component. She documented this complete with up reved drawings.
This worked so well that she continued in this mode, using corrective actions to identify preventive actions. The registrar looked at the first one and determined they were all corrective actions and the company had no preventive action system. Major finding. I convinced a very PO'd MR to challenge this. After sending several pounds of documentation to the Registrar's headquarters the finding was dropped and the system approved. This also was a company that had a major in the area of management. For that the president took the manual, the standard and a few other things home for the weekend and answered the finding himself. He figured it was his lack of knowledge that was the problem and took action to correct that. These were the only findings in the audit.
Another company based their preventive actions on internal audit results. Registrar didn't like it too much, said it was a kind of chicken s--t way to do it. A minor requiring better documentation to distinguish between corrective and preventive. The MR set up a separate file for each and designed a coversheet. Auditor was happy.
Seems there is more emphasis (read confusion) in the area of corrective and preventive actions under the new standard. Under 1994 registrars seemed to accept anything thrown at them if you called it preventive action.
M Greenaway 3rd January 2002, 10:20 AM Can't believe that this discussion is still going strong. Corrective action is something you do to prevent a nonconformance re-occurring, Preventive action is things you do to stop a nonconformance occurring in the first place. Corrective action is reactive, Preventive action is pro-active.
For Preventive actions I would cite many of the things I do in my ISO9000 system. As the 1994 version used to say the object of the standard was to prevent nonconformance. Hence everything you do, such as contract review, design controls, etc, etc, are preventive actions.
How you establish if your preventive actions are effective is a tricky one, as how will you know if a defect would have occurred if you hadn't done what you did?
SPC is also often quoted as preventive action, as an operator adjusts a machine as a series of points on a control chart near an upper or lower warning limit, i.e. you take action before nonconformance is produced.
Laura M 3rd January 2002, 10:26 AM Sounds like good preventive action measures to me. For a small company to seriously look at CA's that way is great. Good for you to have it challenged and good for her to have all the documentation.
At the Lead assessor class I took in '99 (old standard) I remember one of the questions being "which requirements are preventive action by nature?" There were several - according to my trainers....Training, Quality Planning, Design Reviews, FMEA's (QS) and Internal audits - anything done before something "goes wrong" in production. Auditors seem to have problems with companies doing these things and not have a PA form filled out. Other documentation is available, but not a CA/PA form.
energy 3rd January 2002, 10:38 AM Originally posted by Laura M
Auditors seem to have problems with companies doing these things and not have a PA form filled out. Other documentation is available, but not a CA/PA form.
Laura,
Why does one need a PA form? It's not enough to mention those things that satisfy the PA requirement in a procedure? Where would it even mention the use of a form to document PA's? Or is this just an Auditor's attempt to bust stones? Why can't we go to an Audit Report, documented Contract review or design review documentation when asked what our Preventive Action System is? If the procedure says you use these methods, how can he/she say it's not good enough? Isn't it saying what you do? I like the way this is going. Up until now, I had no idea how we would address this. And, thanks to M. Greenaway for the approach, too!:ko: :smokin:
M Greenaway 3rd January 2002, 10:40 AM Absolutely Laura - as my previous post said.
You are right that auditors are looking for a procedure and a form for Preventive action, and a procedure is still mandated in ISO9001:2000 for this. I would simply quote as bullet points in my procedure all the things that I do in my QMS to prevent non-conformances.
Laura M 3rd January 2002, 11:01 AM Energy and Greenaway - I think we all agree here-
I don't think you do need a form. I've seen systems set up with forms with a box to check for CA or PA and none are submitted for PA. I agree that you should be able to state the methodologies you use for PA and show that you do those. Some auditors like it cut and dry - show them a filled out form and they are happy (WRONG) but others want to see that you have a PA SYSTEM which is the right way.
energy 3rd January 2002, 11:07 AM That would require a form each time you do perform "Contract review", etc. I will be interviewing a possible Registrar this month. I think I will ask him about it. Think he will tell me?:rolleyes: :ko: :smokin:
Laura M 3rd January 2002, 11:15 AM I think both Greenaway and I are saying another form is not needed. What reply are you referring to?
And yes - I would question the registrar about PA. They can't require a form - only ask you for objective evidence. It's up to you to determine how you will document the evidence.
energy 3rd January 2002, 11:24 AM Originally posted by Laura M
I think both Greenaway and I are saying another form is not needed. They can't require a form - only ask you for objective evidence. It's up to you to determine how you will document the evidence.
I guess I was still laboring under the impression that some auditors would like to see a form.:rolleyes: It seems to be a bone of contention. As for determining the method of documenting objective evidence, there are lots of existing documentation in design and contract review and internal auditing. When asked about Preventive Action, and showing the procedure where these things are "bulleted", do we just go to a job folder and show him/her approval documents? Or the auditing folder containing internal findings? It's that simple?:ko::smokin:
Laura M 3rd January 2002, 11:40 AM Originally posted by energy
I guess I was still laboring under the impression that some auditors would like to see a form.:rolleyes:
Just like the fish like to see your worms coming their way. It's not required, but maybe the easiest way to catch a fish. Objective evidence that you actually went fishing! :ca: (Not that all auditors are fish swimming aimlessly looking for something to chow on....)
The standard requires a procedure and documented evidence - not forms. K.I.S.S. - no forms, but integrated into the rest of your quality management system. IMHO it's that simple.
M Greenaway 4th January 2002, 08:30 AM Absolutely - do not generate a form for Preventive Action. I cannot even imagine what a Preventive Action form would look like.
There are many records generated in a QMS that demonstrate the QMS (hence preventive actions) are being implemented. These may be forms for each activity, or may just be the documented output of each activity, i.e. the output of management review may be a set of action minutes, the output of internal audit may be an audit report, etc etc.
HFowler 4th January 2002, 09:46 AM Ken S.
Thank you for your helpful information. That gives me two areas to pay close attention to. I can understand how both, Management Responsibility and Preventive Action could be found as weak areas in a Quality Management System.
I hope to hear of more experiences during ISO 9001:2000 audits.
Best Regards,
Hank Fowler
:)
tomvehoski 4th January 2002, 11:29 AM I normally use the same form (basically an 8D) for both corrective and preventive action. There is a checkbox at the top to indicate if it is corrective (something blew up) or preventive (stopped it before it blew up). I have found that teaching people the difference is difficult, and people spend too much time trying to figure out if something is corrective or preventive, so we handle them the same way. There is a definition of each in the procedure, with examples, but even if they pick the wrong category, the right process still happens. I have used this on around 20 clients now and never had an auditor question it.
I also had one client (QS/TE) define corrective actions = only nonconforming product found by the customer. Preventive actions are nonconforming product, or anything else, found internally. I strongly disagreed with his standpoint, but by going through the definitions in QS, he was able to present an argument. I was not present for the audit, but I know they were certified. His point for setting up this definition was to make it easier for employees to understand, but I have a hard time telling the CEO that we just scrapped a $1,000,000 tool, and it is a preventive action.
E Wall 4th January 2002, 11:44 AM We also use one form with a check box to identify whether it is corrective or preventive action. This just helps to document what has been done.
This issue has been covered numerous times, so please make use of the search feature for history & additional information.
Eileen
lou hannigan 9th January 2002, 09:46 PM Ken - I believe there is more emphasis on Preventive Action under the new standard because of the requirement of continual improvement. If an organization cannot achieve preventive action on potential problems, they are unlikely to achieve continual improvement. Perhaps auditors allow the absence of effective preventive action under the present standard because the organization is expending all of the available management resources on corrective action only.
I am concerned that this discussion is failing to recognize the intent and benefit of the preventive action procedure. It is not prudent to claim that all procedures are de facto preventive actions and further, not to use a preventive action procedure is a disservice to the quality system.
At first it might appear sensible to avoid using a specific preventive action procedure by declaring that all of your quality systems procedures are "preventive action" since the principle of the 94 standard is to prevent nonconformities. Why did the standard writers go to the trouble (and embarrassment) of including a separate procedure on preventive action when in fact it is addressed by all of the other procedures?
I would be cautious on presuming all procedures, such as contract review, are innately preventive actions.
The preventive action requirement requires the documented procedure to show how a potential nonconformity is detected and determined. What step in a typical documented contract review procedure shows how potential nonconformities are detected? Where are the results of the determination recorded? During the contract review, what steps are identified to prevent the occurrence of the previously detected potential nonconformity? How is the need for action evaluated and subsequently implemented and reviewed in the contract review procedure?
If one claims that the quality procedures themselves address the preventive action requirements, then all of the above mentioned requirements must be documented in each and every procedure.
The output of an effective preventive action procedure is the identification of the potential nonconformities and the actions taken. The output of the contract review procedure, and any other procedure claiming preventive action characteristics, must systematically show this detection and evidence of action taken. If the contract review procedure rarely detects and handles potential nonconformities (because it is typically not designed to do such) is it effective as a preventive action procedure?
The point of clause 4.14.3(a) is to have the preventive action procedure serve as the means of capturing potential nonconformities, system wide, that the other procedures and processes encounter. For example, the procedure for landing an airplane is not a preventive action procedure. However, if during the landing procedure a near miss occurs, then the separate preventive action procedure kicks in where it requires the pilot to report the potential nonconformity to the appropriate managers.
The preventive action procedure intends that all potential nonconformities are collected and reviewed under a systematic or managerial view, not under the isolated procedure view. Detected potential nonconformities are usually not isolated orphans. They must be evaluated under a systematic light, not just by a procedure owner.
Management is short sighted if they do not systematically look for nonconformities under a preventive action procedure. For example, good management should proactively search for problems occurring in similar industries or sister facilities and determine the probability of these problems occurring locally.
Aside from this topic, if you ever have an argument with an auditor, most likely you can avoid the written corrective action request by complaining to the auditor's office. The typical registrar wants your business first and foremost and the auditor wants to keep his job.
Thanks for allowing me to express my opinion. I look forward to any clarifying or illuminating remarks.
Lou
M Greenaway 10th January 2002, 05:16 AM Lou, I understand your argument, and it is correct that that is how the 94 standard was written - in the context that preventive action is a separate thing to other preventive measures undertaken as part of the QMS.
However I believe that the argument stands that activities such as contract review are inherently designed to be a preventive action. You are basically assessing your company's ability to provide a product or service prior to accepting a contract to supply. A result of this process might well be that you decline to quote on a potential order - hence a potential nonconformity has been detected, the records are there to show resultant actions taken. If your contract review procedure is written to correctly address the requirements of the 94 standard (and 2000 standard?) then it will include all of the elements that you mention in your post.
Also in your analogy of a plane landing I would consider action taken as the result of a near miss to actually be corrective action, as you are taking action as a result of an undesirable occurrence. Preventive action would be to have systems (in the broadest sense) in place in the flight deck and on the ground to ensure near misses (or even hits) never happen.
Lucinda 10th January 2002, 11:39 AM Lou,
Excellent post! I really enjoyed reading it.
I agree that a QMS is essentially all about preventive action. That processes like contract review have preventive elements. That all procedures have an element of preventive action to them. They are most definitely all about heading off problems at the pass.
But you have made a clear case for what ISO means by isolating preventive action on its own merit. It is because there needs to be a central, concerted effort to monitor, analyse, and predict where future problems may arise. More so perhaps in the 2000 version than in 94 because now we are concerned with a whole process and especially where the interfaces are.
While the indiv. dept. and process procedures may focus on their little piece of the world, there needs to be a process in place to draw back and look at how all the pieces fit together to see how it impacts the org.
And this is what needs to be documented and demonstrated in its own right.
M Greenaway 10th January 2002, 11:45 AM Wouldn't a good Management Review process do this?
Jamie 10th January 2002, 11:52 AM Just wanted to put my tid bit on this discussion. I have always looked to preventive action as actions you identify from a current process you are currently using to prevent something from going wrong.
Well, I had a consultant blow my theory right out of the water. He told me that from the new standard auditors will be looking for preventive actions such as.....
The example we used during our discussion was in relation to my company. We have currently purchased an injection molding machine and have since implemented a new Injection Molding Department. The consultant told me that our Upper Management should have sat down before ever purchasing the machine and initiated a preventive action to identify anything they could think of that might go wrong and identify the methods to be used to prevent these actions.
This to seems to be a little off the deep end.
M Greenaway 10th January 2002, 12:00 PM This is part of quality planning - again a clause in its own right within the standard.
Next !
CarolX 10th January 2002, 02:16 PM Jamie,
I must concur with your comment. I think your auditor went way overboard. Don't be afraid to question or challenge this train of thought.
And welcome to the cove!!!
Lou,
I am concerned that this discussion is failing to recognize the intent and benefit of the preventive action procedure. It is not prudent to claim that all procedures are de facto preventive actions and further, not to use a preventive action procedure is a disservice to the quality system.
Take a look at the forums on CA and PA...this thread kinda got off on a tangent from the original thread start. And thanks for the great post.
CarolX
HFowler 16th January 2002, 12:09 PM Originally posted by HFowler
I would be curious as to what types of nonconformances registrar auditors are finding during ISO 9001:2000 audits. Is anyone willing to share this type of information? It would give us all a better idea of what auditors are expecting to see with the new standard.
I'm planning on attending a seminar on ISO 9001:2000 later this month and I'm looking for some good questions to present in order to get the most out of my time there.
Best Regards,
Hank Fowler
:confused:
Since I am the one that originated this thread before it turned into a discussion on Preventive Action, I would like to ask for more specifics from people that have already undergone ISO 9001:2000 audits. What are auditors finding?
Thanks,
Hank
:)
Marc 8th March 2004, 01:15 PM I would be curious as to what types of nonconformances registrar auditors are finding during ISO 9001:2000 audits.
Sorry this got off track and then died out. It was a good thread and is a good topic.
Comments folks? What types of nonconformances are you seeing?
Neil 8th March 2004, 01:52 PM I'll admit to nonconformances. At registration audit, our organization got a major nonconformance in 6.2.2 CAT. It was two minors combined into one major actually. Under 6.2.2c) for demonstrating staff competence we rely heavily on performance evaluations and several were found to be delinquent. The second was under 6.2.2d), the auditor was unsatisfied with the answers to questions concerning quality objectives and people's roles in achieving these objectives. The auditor received about 50/50 in terms of good answers and insufficient answers. The lead auditor at the closing meeting said that the registrar was finding this to be by far the biggest issue with ISO9001:2000. Net result of this was I conducted 480 one on one 30-minute interviews covering 3 mills and 12 shifts. OUCH! Got excellent answers at the close out though.
lrowe 8th March 2004, 04:27 PM During our last audit, we were hit with a finding in regards to clause 6.2. Our training records were not up to snuff with the 2000 revision. The auditor made it a minor, stating that the deficiency did not directly affect the customer.
db 8th March 2004, 04:40 PM During our last audit, we were hit with a finding in regards to clause 6.2. Our training records were not up to snuff with the 2000 revision. The auditor made it a minor, stating that the deficiency did not directly affect the customer.
This is interesting. If the records are to be "appropriate", then how could the auditor find them "not up to snuff with the 2000"? Was the auditor stating that your definition of "appropriate" was inadequate? :confused:
Marc 9th March 2004, 08:42 AM Don't miss this thread, either!
http://Elsmar.com/Forums/showthread.php?t=7193
zenquality 29th November 2007, 06:59 AM What would that procedure look like - please could you provide me with an example?
I have attached a copy of our preventive action flowchart and would be grateful for your comments.
//Roger.