ISO 9001:2000 Registration Audit Findings by Registrars

[HFowler]

I would be curious as to what types of nonconformances registrar auditors are finding during ISO 9001:2000 audits. Is anyone willing to share this type of information? It would give us all a better idea of what auditors are expecting to see with the new standard.

I'm planning on attending a seminar on ISO 9001:2000 later this month and I'm looking for some good questions to present in order to get the most out of my time there.

Best Regards,
Hank Fowler

[KenS]

Having been present at three audits under the 2000 standard I found the majority of "findings" to be under section 5, QA's nemesis, MANAGEMENT. Approximately 75% of the findings at any of the audits (mostly minors) were a direct result of top level management, as documented in the Manual, having little or no knowledge of the QMS. I was able to "take care of" almost all of these findings by the end of the audits by showing the auditor the documentation and explaining that the top level bozo didn't understand the questions. In one case the auditor was willing to let me rephrase the questions in terms management could understand. Of course, management blamed everything on the MR for not explaining things fully before the audit.

The other area of contention was Section 8.5.3, Preventive Action. Seems to be disagreement between auditors as to what constitutes Preventive Action and what constitutes Corrective Action.

[CarolX]

Hello KenS,

Quote:

The other area of contention was Section 8.5.3, Preventive Action. Seems to be disagreement between auditors as to what constitutes Preventive Action and what constitutes Corrective Action.

I wonder if you could expand on this a little more. I would be intersted to know what the disagreements are.

Regards,
CarolX

[KenS]

Had to look over my notes last night so I get this right. Understand that this was a company of about 60 employees that jumped into ISO with both feet, 110%. For some reason they thought that if they worked with this it would make their jobs easier and they would have less problems. Crazy, isn't it?

Anyway, the MR set up a system that documented ALL problems during production. She generated CARs as necessary and also utilized the system to "look for" areas of preventive action. The action that started the problem concerned an o-ring problem. She generated a CAR for that o-ring and knowing there were four others in the assembly wrote a Work Instruction on proper assembly of the component. She documented this complete with up reved drawings.

This worked so well that she continued in this mode, using corrective actions to identify preventive actions. The registrar looked at he first one and determined they were all corrective actions and the company had no preventive action system. Major finding. I convinced a very PO'd MR to challange this. After sending several pounds of documentation to the Registrar's headquarters the finding was dropped and the system approved. This also was a company that had a major in the area of management. For that the president took the manual, the standard and a few other things home for the weekend and answered the finding himself. He figured it was his lack of knowledge that was the problem and took action to correct that. These were the only findings in the audit.

Another company based their preventive actions on internal audit results. Registrar didn't like it too much, said it was a kind of chicken s--t way to do it. A minor requiring better documentation to distingush between corrective and preventive. The MR set up a seperate file for each and designed a coversheet. Auditor was happy.

Seems there is more emphasis (read confusion) in the area of corrective and preventive actions under the new standard. Under 1994 registrars seemed to accept anything thrown at them if you called it preventive action.

[M Greenaway]

Cant believe that this discussion is still going strong. Corrective action is something you do to prevent a nonconformance re-occurring, Preventive action is things you do to stop a nonconformance occuring in the first place. Corrective action is reactive, Preventive action is pro-active.

For Prevetive actions I would cite many of the things I do in my ISO9000 system. As the 1994 version used to say the object of the standard was to prevent nonconformance. Hence everything you do, such as contract review, design controls, etc, etc, are preventive actions.

How you establish if your preventive actions are effective is a tricky one, as how will you know if a defect would have occurred if you hadnt done what you did ?

SPC is also often quoted as prevetive action, as an operator adjusts a machine as a series of points on a control chart near an upper or lower warning limit, i.e. you take action before nonconformance is produced.

[Laura M]

Sounds like good preventive action measures to me. For a small company to seriously look at CA's that way is great. Good for you to have it challenged and good for her to have all the documentation.

At the Lead assesor class I took in '99 (old standard) I remember one of the questions being "which requirements are preventive action by nature?" There were several - according to my trainers....Training, Quality Planning, Design Reviews, FMEA's (QS) and Internal audits - anything done before something "goes wrong" in production. Auditors seem to have problems with companies doing these things and not have a PA form filled out. Other documentation is available, but not a CA/PA form.

Quote:

Originally posted by Laura M
Auditors seem to have problems with companies doing these things and not have a PA form filled out. Other documentation is available, but not a CA/PA form.

Laura,

Why does one need a PA form? It's not enough to mention those things that satisfy the PA requirement in a procedure? Where would it even mention the use of a form to document PA's? Or is this just an Auditor's attempt to bust stones? Why can't we go to an Audit Report, documented Contract review or design review documentation when asked what our Preventive Action System is? If the procedure says you use these methods, how can he/she say it's not good enough? Isn't it saying what you do? I like the way this is going. Up until now, I had no idea how we would address this. And, thanks to M. Greenway for the approach, too!

[M Greenaway]

Absolutely Laura - as my previous post said.

You are right that auditors are looking for a procedure and a form for Preventive action, and a procedure is still mandated in ISO9001:2000 for this. I would simply quote as bullet points in my procedure all the things that I do in my QMS to prevent non-conformances.