Hello all:

I'm now working with a "client" and re-devloping/updating from the 1994 to the 2000 standards..

What I would really be interested in is what viewpoint should be taken from an internal standpoint as the difference between a Major and Minor nonconformance...

Seems to me that the differences from an external/registrars view is fairly clear --- Majors are required to be corrected within fewer days and there is a $$$$ penealty attached to them.

Does anyone here actually define in their procedures the differences internally? If so what would be an appropriate "penalty" for a Major finding (assuming of course that Top Management would back it up)

Jim,

A major NC would be a systematic breakdown where a minor would be a "Single" lapse in the system. There are many times you can find a few minors that refer to the same lapse in the system. These would typically be combined onto a single NC, but only if they truely are the same instance. Many times the multiple single lapses in the system that occur in different areas are an indication of a systematic breakdown and therefor would constitute a major NC.

As far as response, a Corrective action must be comenserate with the NC. Appropriate responses to a Major would be further follow-up including adjusting the Internal Audit schedule to increase the frequency in the particular area or process.

Having said all that, I would say the most important part to stress in the training and Internal Audit Process is that bigger problems need more effort to correct. I am alway more happy to see this in a system and audit process then the semantics of calling the NC by major or minor, especially when it is borderline.

Hope this helps - Brandon

When classifying NC's you should also consider the effect of the lapse on the actual product and/or customer satisfaction.

i.e. a single gauge beyond its due calibration date might be minor, but if the gauge is subsequently accepting what is actually defective product then this might be considered major.

What I would really be interested in is what viewpoint should be taken from an internal standpoint as the difference between a Major and Minor nonconformance...
As a matter of fact we don't separate the two... We only have one kind of nonconformance.

What we do instead is to treat the deadline differently: For a "normal" nonconformance we agree on action and deadline as usual. They depend on the impact of the nonconformance and the resources available to take action.

What you would call a major would result in a request for immediate action.

/Claes

I tend to agree with Claes, I recommend NOT using majors and minors. I found this is the one area that causes the greatest level of argument: "What do you mean it is a major...?" If it is nonconforming, it must be corrected. Regardless of what you call it. Forget the label and fix it.

The situatin with this client - may or may not be real unique

Seems that their current internal procedures do not clearly define any differences between major/minor findings... (which is not a biggie "as long as" those involved know they need to and actually work on fixing the identified problem)

But.... the audit report they have developed does contain a major/minor checkbox allowing the internal auditors to choose what level the nonconformance is in their opinion. (Due from what I gather was an imrovement suggestion from their external auditor- so effectiveness of the auditing system can be assessed.)

Now after the internal audit system has been in use they have found the attitude of internal auditees to be "If I dont do what I have said I would or disagree and don't fix what "the ISO folks say needs fixed- there is no written or even implied penalty involved - tell me it's major - tell me its minor - I don't care. If I simply disregard what has been identified as a problem - nothing is done.

The situation has now evloved to where the Top Management folks (instead of taking direct management action) have asked the ISO rep to include wording in a "procedure" Defining response days for both catagories and outlining the diciplinary actions that will be taken for not following procedures.

From our "control of nonconformance" Level II procedure (BTW: We have an integrated ISO 9001:2000 and ISO 14001:1996 system):

(SNIP BEGIN)
LEVELS OF NONCONFORMANCE:

Observation:
An observation is an identification of an item that could be of value for the improvement of the quality and environmental management system.

Minor nonconformance:
A minor nonconformance is a system nonconformance that judgment or experience indicates is not likely to result in the failure of the quality and environmental management system. A minor process or product nonconformance does not result in the release of product not suitable for use or not meeting Client requirements. A minor environmental nonconformance does not result in harm to humans, flora or fauna or release of regulated or harmful substances into the environment.

Major nonconformance:
A major nonconformance is a system nonconformance that judgment or experience indicates may result in the failure of the quality and environmental management system. A major process or product nonconformance may result in the release on product not suitable for use or not meeting Client requirements. A major environmental nonconformance may result in harm to humans, flora or fauna or release of regulated or harmful substances into the environment. A major nonconformance will require initiation of Corrective Action (see MSP 23).
(SNIP END)

These definitions are used to determine the level of response required for product, process, vendor and environmental nonconformance.

While the standards do not require defining nonconforming conditions by severity, the system appears helpful in delivering response commensurate to the nonconformance. Also, many (most/all) registrars use such a system when performing registration and surveillance audits to determine conformance of the total system to the standards...

Jim,
One of the things I take into consideration is what is needed to correct the situation, along with the systemic breakdown. Typically I don't separate them in my reports to management. However, there has been instances where the individual responsible for the area felt they needed support to get "Exec Management" to move (i.e. Purchasing) and I issued a Major to open eyes. As Management Rep I once requested a minor to be raised to a major from our registrar for the same reason. (It was a QS audit not just ISO). For the most part, my internal audits don't separate minors from majors either.:bigwave:

What I have seen work in the past and takes some pressure off internal auditors is a simple pass/fail. The same corrective action process is in place for all failures. Same time frame and associated department responsibility.

Internal audit is for improvement. If the same problem keeps creeping up or if corrective actions are not effective and in many cases convene a project team to fix the problem. If the problem gets too large you have to wonder if the internal auditor/management rep. are doing their jobs properly.

I too never categorise NC's - unless asked to.

I prefer to only raise an NC in instances such as has been described for a MAJOR NC.

Minor document correction/maintenance I believe should be done as part of the audit process, documented in the report if you wish, but not raised as any kind of finding. I am talking minor corrections here - not total re-writes.

I noticed in a few posts reference to requiring "Major" NC's to be "corrected" in a shorter time frame than "Minors". To me a "Major" (i.e. system breakdown) requires more effort/corrective action than a "Minor". I do require a plan for correction quickly, but have found in the past requiring corrective action to quickly gets me either a Curad or Johnson & Johnson bandaid.

Only my 2 cents

Originally posted by KenS
I noticed in a few posts reference to requiring "Major" NC's to be "corrected" in a shorter time frame than "Minors".
Only my 2 cents

I think you have the right idea Ken. I was going to say something similar. Our N/C's are typically just reported as pass/fail. The auditors have the authority to write them up in such a way as to quantify them i.e. they might write up the N/C saying "ten of the twelve examples" or that the problem appears to be systemic, or it appears to be isolated. We use the same time frame for all investigations. The key word here is investigations. You have one week to perform the investigation, which includes identifying the root cause. We can make adjustments to that due date if the department can show the need and it has to be outlined as to what their plan of attack is to find the root cause.

When the root cause is determined, a plan of corrective actions to be taken must be established. (dependent of course on the effects/severity/yada yada) The auditors will review those corrective actions, assist in evaluating whether or not the proposed due dates are within reason and a final implementation date for the corrective actions are set. Follow-up audits are set using the implementation date plus a reasonable amount of time to accumulate objective evidence that the actions taken were effective and satisfactory.

We get some actions that are performed even as the audit report is being distributed, and then there are some that take months. It all depends.

I realize that this is getting long, but stick with me here....It is my belief that there are a lot of people out there who confuse a the root cause analysis with corrective actions. I recently discovered that a large percentage of the technical people on our staff did not understand the difference. I asked in one of our meetings why we did not have any investigations on some customer issues (some of those things that happen in a startup that you discover and fix on the fly so actions were not appropriate anymore.) Out of the eight people in the room, five looked at me and said, "We don't have to investigate every issue, it says right in our manual that we can choose not to make changes if the problem isn't worth worrying about." Every one of the people in that room had been in this industry over 10 years. Every one of them had come from an ISO certified plant, and six out of the eight had come from a sister division.

I know that everyone in the division I came from knew the difference between root cause analysis and corrective actions. Why are so many systems lacking what should be basic knowledge of corrective and preventive actions?

OK, I'm stepping down from the soapbox. But if anyone cares to share their opinions on this, I'd sure like to hear them.

The same corrective action process is in place for all failures. Same time frame and associated department responsibility.

I agree with you on that. If you maintain 2 separate 'standards' for the different categories you will find that more minors are found and the Majors are missed - no one wants to spend the time!!!

Why are so many systems lacking what should be basic knowledge of corrective and preventive actions?

This is a real problem and one I have seen also. Too often people look at the interim and think they're done! The other "biggy" is not following up to verify the effectivity of the permanent corrective action.

One of the things I strive for, during our internal audits, is being a coach. As Lead and Management Rep it is my job to ensure our system is compliant and works for us. It has paid off in a lot of ways, I get to teach the purpose and the "Spirit" of the standard, the shop personnel know I'm listening to them and their ideas first hand and they know I'll be there with them when the external gestopo comes along. It has helped me understand the difficulties they have on the floor, I get hands on experience for process improvement, etc. etc..

As some smart individual once said "ISO and QS Standards do not prohibit the use of reason".

In my old company we classified Major/Minor. Minor required no CAR other than correction. Major required formal CAR. Both require a follow-up.

At square #1: The internal audit function should be that which is defined in the procedures of the organization. The use of terms "major," "minor," "critical" or whatever the company may decide is appropriate for them is what counts--and is their decision.
If the company should use the terms "major" and "minor," it is their call to define them. It is not required nor specified how they be defined. Only for the sake of convenience, the company may wish to query their registrar to align the meanings between the two organizations for expediency--but again, this is but one approach.
Registrars use the definitions contained in the ISO/IEC Guide 62 and the International Accreditation Forum Application Guidance to Clauses of ISO/IEC Guide 62:1996 (available for free at www.iaf.nu.) The expanded definitions in the Guidance document contain "nonconformity," and is defined as follows: "The absence of, or failure to implement and maintain, one or more quality management system requirements, or a situation which would, on the basis of available objective evidence, raise significant doubt as to the quality of what the organization is supplying." IMHO, a nonconformity fitting this definition would be classified as a major nonconformance because in para G.3.5.3 of the guidance document, the registrar shall not grant certification until all nonconformities as defined in (the definitions) have been corrected, and the corrective action verified by the registrar (by site visit or other appropriate means.) It serves the registrar and the client to allow those nonconformities not rising to the definition above ("minor") to allow certification to go forward.
Hope this helps!