AS9100 Surveillance Audit - advice on drafting strong responses

[classical_quality]

Hi everyone. I started at my small company (>50 staff) in August and received a month of on the job training before picking up where the old QMR left off. The we had our AS9100 surveillance audit December 2019. I had no experience with quality, office, or manufacturing work beforehand and it really seems like the QMR who trained me left some very big gaps in the system due to their lack of previous experience as well. Despite my difficulties right now I am hooked on the quality management industry.

For background, we were certified to ISO 9001 2013-2016, and then certified AS9100 2016-present (passing one re-certification audit at the end of 2018). Since 2016 there has been several changes of QMR position, each time to an individual with less experience until we reach me in the present.
We've had the same auditor for the last 4 years, and just 4 hours into the past audit they had identified 4 nonconformances. We were told very clearly that our QMS isn't at the level it should be for its age.

All that established, its now up to me to respond to the 9 corrective actions, 2 major and 7 minor, and clean up our MRP with 150 incomplete NCR records.
Not to mention wrapping up a client audit that happened in November that identified our ESD procedure was a wreck/totally ineffective, and another client special process that has had several escapes over the past year creating the risk of shutting the process down entirely for a lack of personnel to complete the extra paperwork requirements. Did I mention 101 of those records are incomplete corrective actions more than a year old??

I've had some of my first corrective actions submitted to the auditor rejected, as expected. Is it normal for auditors, especially from your CB to lack any constructive feedback in their rejection though? I know I'm an odd case with my lack of knowledge, but I expected at least some feedback when we pay such a price for their services, aerospace or not. And while my company is very cognizant that they are to blame for how poorly the audit has gone, I can't help but stress over my performance during this time. I've at least sent the auditor an email recognizing my shortcomings and asking for some advice as well.

While my company didn't make the best choice in hiring the person with the least relevant experience, I am taking them to task to get me trained - next month I'll go to Montreal for a course on AS9100 auditing to start. And I'm spending time at home to do reading on quality management concepts.
In the meantime though, I am alone and things need to get done. The amount of work needing to be done makes even my best laid time management plans feel fruitless the last few weeks.

Do you have resources you found helpful in investigating root cause analysis and creating quality corrective actions, aside from on-the-job learning?

 

[normzone]

Welcome to the party!

Experts will be along to assist you shortly, but I wanted let you know that you're not alone, and that you've come to the right place.

It also sounds like you're taking the correct approach.

You're not an odd case for your lack of knowledge - often somebody brave/foolish enough to accept these challenges is chosen from the ranks of the ready, willing, and ... well, at least you were ready and willing. All else will come with time.

And your auditor may share in the responsibility for this situation. Your predecessors do, and top management does as well.

When drafting responses, ensure that your corrective action directly addresses the root cause. Easy for me to say, fun for you to do. If you want to detail the nonconformanaces here or communicate them through back channels out of public view we'll see what we can do to help.

 

[Golfman25]

A couple of thoughts. First, your CB can't consult, so they really won't be at liberty to provide much guidance.

Second, since you have so many issues and a limited time frame to respond, I would find a consultant (someone with knowledge) to come it and help work thru and correct the issues. Trying to get you trained up and doing root cause and corrective actions for 9 issues is going to be an uphill battle. The best course of action is to get the CB off your back ASAP and then sit back and regroup.

If you choose to go it alone, start with the 5 why methodology to determine root causes. Google around, it's pretty easy to understand. Once you determine your root cause, then do your corrective action.

Since you have been registered and passed previous audits, it sounds like things have slipped rather than didn't exist. You'll need to stay on top of that.

 

[yodon]

Certainly good council from @normzone and @Golfman25. The most common mistake I've seen in root cause analysis is just a re-statement of the problem. Another frequent misstep is to try to do it all yourself (and close on the heels to that one is trying to get everything done at once). You need to engage with the folks closest to the issue to really understand and eliminate the causes. If you find yourself thinking the cause is just poor execution by someone, keep thinking.

Is your management team committed to resolving these issues (i.e., willing to spend some $$ and dedicate resources to get things on track)?

As the others have indicated, this is a great resource with the most willing-to-help group of folks I've ever seen. The more specific your questions (and with supporting info when possible), the better the responses will be.

 

[Mike S.]

Oh my, you must be a glutton for punishment. Most of us QA folks are. If you really wanna do this quality thing, this site has many very knowledgable people and they can help you tremendously.

You have been put in a VERY difficult situation. Your management has been asleep at the wheel. I only hope for your sake they wake up.

I agree with Golfman, since the time is short, I think you should get a consultant in to help you get those audit findings taken care of, and teach you at the same time.

You may consider having the company pay for your membership in the ASQ - they have lots of articles, webinars, etc. that may be of help to you.

Subscribe to Quality Digest online for free and read interesting articles, new and archived (many deal with RCCA and auditing).

Trying to do this alone right now is next to impossible under a tight schedule with no one to teach and mentor you.

If the company tries to do this without spending any money and supporting you , well..... Indeed is a good job search website, you should make use of it. It sounds to me like a seasoned QA professional would have their hands full with the mess you are in.

 

[classical_quality]

Wow, thank you everyone for your responses! It's lovely to be back on an active forum board after so many years. It has already been a great resource in researching processes operating at both ISO9001 and AS9100 levels... That is a can of worms for another post.

since you have so many issues and a limited time frame to respond, I would find a consultant

I think you should get a consultant in to help you get those audit findings taken care of, and teach you at the same time.

I agree with the input re: consulting. But based on some soft monthly numbers and layoffs last week, it might not be in the cards. Before we go down that road, I have one trick up my sleeve. One of the original members of the QMS team that got us ISO 9001 certified is still with the company. He is in QC now, but has 9001 training so our GM has okayed for him and I to have a working session tomorrow. We'll review and improve my corrective action plans. He has already provided some great help in properly interpreting the phrasing of nonconformances; I may have studied linguistics but boy is technical language a whole other ball game.
Of course, our CB replied and confirmed what Golfman25 said about CB's - since I come from an education background, feedback has been an essential part of rejection, but I understand why that is not the case with auditing. Obviously I'm still learning how the industry works.
Our CB has also offered to review my responses before I formally submit them into their web portal, so that should help even more.

Is your management team committed to resolving these issues (i.e., willing to spend some $$ and dedicate resources to get things on track)?

I'm able to meet 1 on 1 with my GM and managers as needed, but the convincing of spending money let alone the time they should have been committing to this is a bit of an uphill battle. Let's say that there's been progress since we had such grim CB audit results at least.

Since you have been registered and passed previous audits, it sounds like things have slipped rather than didn't exist

Golfman25 is also very accurate in this assessment. I am slightly reassured by this, but it only makes a very difficult situation into a pretty difficult situation at my skill level.

You may consider having the company pay for your membership in the ASQ

Yes, this is very much in my personal goals for this year. I was reviewing the certifications I could get, and it looks like I'd be able to become a CQIA this summer. Something I'd like to have ready by March is a 'personal development plan' to propose to my GM. I can see myself staying here at least 5 years (pending appropriate investment and participation by everybody), and I think there is much the company should be doing in order to ensure my (and thereby its own) success.

 

[normzone]

So you're serving a sentence of one to life, eligible for parole at five years.

Or you've signed up with the paramilitary group for a term of duty - this is like one of those "choose your own adventure" stories.

If you choose to become confrontational with your external auditor, turn to page seventy five.

But if all the nonconformances documented are valid, and you choose to court your external auditor's approval, turn to page one hundred.

 

[pziemlewicz]

My suggestion would be to start with some Root Cause Analysis and/or Problem Solving Training: both to help in audit replies, but also to ensure you're getting solid solutions for the current state of affairs. BSI and ASQ both offer good courses.

I'm unsure of the scope of your open corrective actions, but suspect some should be assigned to other functional areas. You might facilitate meetings with the managers involved (purchasing, engineering, production) to come up with a workable solutions. as well as keep them working at the pace the auditor expects.

As mentioned previously, the auditor can't consult. Submitting to them early may keep you from having formal rejection records in the system, however you may still not get the feedback needed to do a good one. I'd be happy to read one and provide some direction if you want to DM.

 

[Kronos147]

Great advice so far.

I have not seen you reference OASIS. Is the assessor not posting feedback for plan rejection on OASIS?

For each finding, as a containment, consider re-familiarizing yourself with the requirement and make sure the finding is verifiable (meaning you can see the same issue the assessor did).

I would be willing to bet that half of the findings have a root cause that has to do with lack of a formalized "change control" process, or that the training is not effective for having people take over positions. Was a lack of resources that prevented the company from making sure you were properly trained (time, money, or a training plan)?

Good luck!

 

[classical_quality]

Hi everyone, just wanted to check in from the trenches!
A lot of issues with the 9 nonconformances come from habits falling out of practice after too many changes to processes, or from documentation not being clear about what is actually being done on the ground that meets requirements.
For example, we have a major NCR for not assessing and managing risk when selecting providers for products - but upon further investigation, our purchaser does assess risk for availability, pricing, and customer requests etc; it is tied into the part ID in the system when first entered, and is maintained each time it is called out on a purchasing request form. This wasn't explained well by the purchaser to the CB auditor, and also isn't described in our purchasing procedure.
Unfortunately these problems aren't exactly easy to solve, because across the board I see a lack of understanding from all roles about what's expected when it comes to AS9100 certification - but for the most part people's attitudes are positive towards learning and improving.

The biggest frustration has been the simple fact that I am new to the job, let alone the company and industry, making me that much slower at doing anything than an experienced quality management role would be.
I really value all the feedback that's been given by you all. It's going to be a hard grind, but by this week's end I will have finally produced some much better corrective actions to submit to our CB auditor, hopefully they find them agreeable. I would have used you all for help, but unfortunately I just don't have enough hours in the day to handle this on top of all the other things you can imagine are kind of falling apart after not being taken care of for a year or two, or ever. In good news, 160 unreviewed records has been cut down to 58 - hooray!

And just to confirm, yes, in my 'green lack of wisdom' I did not realize everyone uses IAQG OASIS too, I wasn't sure if I should have that much detail when summarizing so many other things. I cannot grumble enough about how useless the help section of that website is! But thankfully I'm tech-literate enough to have figured it out on my own.

I hope in another month I'll be able to check back in and confirm my head is still above water. I have an AS9100 Auditing course in two weeks, and right after the CB auditor will be visiting for the effectiveness review. I look forward to reading more from all of you in the forums once things get to an even keel over here.

Thanks everybody!