Non-addressed Minor Finding elevated to Major Finding

[Tyler C]

Fellow covers,

I was under the impression that if a minor nonconformance is found during an internal audit, and it is not addressed by the next internal audit, it is automatically elevated to a major nonconformance.

It is not in our internal procedure, nor is it in either ISO 9001:2008 or ISO 9001:2015 standards. I just cannot remember where I read this. Can anyone help me out on this? Is it just a 'best practice' type of thing?

If you want more info...
We are starting our next internal audit for our training process. During the last audit, a minor nonconformance was found against ISO 9001:2008, clause 6.2.2, a) "the organization shall determine the necessary competence for personnel performing work affecting conformity of product requirements." The finding was because we don't have the competencies determined for our trainers. The auditees accepted this finding and said they would correct it. Here we are, almost 1 year later, and it has not been corrected. A fellow internal auditor says they don't think it should be elevated because "it isn't that big of a deal", but I feel it should be elevated to ensure it gets addressed this time around. When asked where this requirement was, I could not find the answer. It is not often that I am stumped on something like this, so any help would be greatly appreciated!

 

[Ninja]

Going by logic...not by clauses...:

You don't know what is required to consider a trainer "able to train".
Leads to more than a few questions about your employees being trained...
I would not apply "not a big deal" to that scenario.

Your internal audit system found a scenario considered unacceptable.
All agreed that it was unacceptable.
All agreed on who/when/why to fix it.
It wasn't fixed.
That's a pretty big deal.
What if that was in your pricing system? In your accounts payable system?

Internal audits are to find what needs fixing.
CA coming out of your audits are to fix that stuff.
If it wasn't done, your IA/CA system isn't working very well and you aren't closing the circle....that's sorta a big deal, no?

HTH

 

[howste]

There is no requirement in ISO 9001 to classify nonconformities as major or minor, so you won't find it there. It is generally accepted practice for certification bodies to elevate NCs from minor to major if the same issue is found in consecutive audits. I know that the TS 16949 Rules document requires this, but it occurs in AS9100 and ISO 9001 audits too.

What ISO 9001 requires is that action is taken "without undue delay" for identified audit nonconformities:

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.

The organization shall... e. take appropriate correction and corrective actions without undue delay;

Whether or not you elevate the NC to major is up to you, but I would at a minimum reissue the original nonconformity and also issue a new nonconformity against the clause above for untimely/ineffective actions.

 

[Tyler C]

Thank you both for your input.

Ninja, I agree with you. I feel this is a huge issue that needs resolved, for the reasons you mentioned. Unfortunately, the rest of management and this particular internal auditor seem think we don't need to identify these competencies, but rather we can verify the training effectiveness through other methods. I did bring up the fact that everyone agreed it was a nonconformity last time, so one way or another, it needs to be addressed. I've come the hate the phrase, "We don't want to box ourselves in by putting it into ISO," but this is a common 'cop-out' in this organization.

Howste, I knew it wouldn't be in the standards because they don't specify between major and minor. I was starting to wonder if this came from our registrar. I will do some more research into TS 16949, so thank you for giving me another avenue to look into. Also, thanks for the ideas on other ways to handle it if we don't elevate it. I will leave the choice up to the audit team, as I am not actually on the team this time, but rather facilitating the process.

Thanks again!

 

[Randy]

Going by logic...not by clauses...:

Internal audits are to find what needs fixing.

HTH

No they are absolutely not! I have issued NC's for that exact reasoning written into audit programs and identified during audits I've done across half a dozen different standards.

ISO 9001:2008
8.2.2 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.

ISO 9001:2015
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.

Nowhere is it stated that internal audits are to find what needs fixing!!! That statement in and of itself eliminates objectivity and impartiality from the process (Another NC I'd write)

The elevation to major and all that is someones made up dribble unless the audit or corrective action procedures have clearly stated that (which was correctly observed is not a 9001 requirement in any version old or new).

The excuses for not correcting the competency of trainers CA are lame. The organization, management or Red Riding Hood (if she's the correct person) has the authority to state what competency is and whether or not the criteria has been met. Do it, document/record it and move on to more important dribble. This isn't rocket science or synthetic DNA manufacturing because I've audited both and this ain't it.

 

[Golfman25]

Arguing major v minor for internal audit is a waste of time. Your issue here is the lack of corrective action and how was the audit closed without corrective action. Write your non conformance against those and fix it all. Good luck.

 

[Tyler C]

Thanks Golfman25. I would like to get away from major/minor, but that is how it is written in our procedure, so for now, that is what I have to abide by.

 

[Tyler C]

No they are absolutely not! I have issued NC's for that exact reasoning written into audit programs and identified during audits I've done across half a dozen different standards.

ISO 9001:2008
8.2.2 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.

ISO 9001:2015
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.

Randy, I see your point, but I respectfully disagree. As you pointed out in the ISO 9001:2008 standard, it says, "The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and...".

From my perspective, if the organization determines that internal audits are to be used for the reasons listed in the standard, in addition to finding what needs fixed, then there is no NC here, because the organization determined this to be an use of the audits.

I would also like to point out that by the standard explicitly stating that internal audits are to be used to determine whether the QMS conforms, it is implicitly stating that internal audits are to be used to determine whether the QMS doesn't conform. That's actually the other side of 'whether' (whether, or not).

Internal Audits are a part of continual improvement, but to be able to improve, you first need to know what needs improving. In other words, what needs fixing.

Now, on the other side of this, I do agree that this can be abused which would be a nonconformance to "...ensure objectivity and impartiality..." As an internal auditor, I know what "needs to be fixed", and I could use the audit as a way of "getting at the manager" of the process. So, instead of showing them that they have an issue that needs fixing, I instead allow them to defend their stance on not needing to fix the non-issue. If they can defend it, then it's not an issue, but if they can't then all parties agree to fix it. Whether or not it actually gets fixed is another story.

 

[Coury Ferguson]

Fellow covers,

I was under the impression that if a minor nonconformance is found during an internal audit, and it is not addressed by the next internal audit, it is automatically elevated to a major nonconformance.

It is not in our internal procedure, nor is it in either ISO 9001:2008 or ISO 9001:2015 standards. I just cannot remember where I read this. Can anyone help me out on this? Is it just a 'best practice' type of thing?

If you want more info...
We are starting our next internal audit for our training process. During the last audit, a minor nonconformance was found against ISO 9001:2008, clause 6.2.2, a) "the organization shall determine the necessary competence for personnel performing work affecting conformity of product requirements." The finding was because we don't have the competencies determined for our trainers. The auditees accepted this finding and said they would correct it. Here we are, almost 1 year later, and it has not been corrected. A fellow internal auditor says they don't think it should be elevated because "it isn't that big of a deal", but I feel it should be elevated to ensure it gets addressed this time around. When asked where this requirement was, I could not find the answer. It is not often that I am stumped on something like this, so any help would be greatly appreciated!

Now back to your original post.

There is no requirement in ISO9001:2008/2015 that requires classification of defects (MAJ/MN). The step I would look at would be to elevate to the next layer in Management, and see if you get a response. If it stops there, then elevate it to the next level, until someone realizes there was something identified during the IA that needs to be addressed.

I have elevated, not just internally to the President/CEO and also to a Supplier's President/CEO to get an investigation going to determine RCCA.

In most organizations, the President/CEO have more important things to be concerned about, and usually will get the previous management level to respond, because him/her don't need something like this to take up more time from more important things like running an organization.

When I was performing 3rd Party Audits, if I saw this I would document a NC for an ineffective CA System, and depending on the reach/depth of non action, maybe even consider it a complete breakdown in the System.

Now from the 1st Party side, I would do exactly as I stated above.

Just my humble opinion here.

 

[Big Jim]

Thanks Golfman25. I would like to get away from major/minor, but that is how it is written in our procedure, so for now, that is what I have to abide by.

That's easy to get around. Re-write that part of the internal audit procedure. Just make sure that what you end up with is compatible with the standard.