Addressing Non-Conformances from an Internal Audit that are not product related

[gemsmom]

We had an outside company come in last year to perform our Internal Audit. They found 25 NC's which are all procedure related that have no effect on product. These NC's are mainly "you should have added this statement to adhere to the standard" or the need to add or clarify verbiage to procedures or the Quality Manual to meet the standard expectations. What process has been used to address these types of NC's? If we write a CAPA, how would we verify the effectiveness of adding a statement to a procedure to better align with the standard? Again, the findings were not apart of any procedures that had a direct impact on product. The NC's found have no risk to the performance of the device. We are currently in our recertification audit and received a major non-conformance for not formally addressing last year's 25 Internal Audit findings. We stated in this year's management review that we plan to close them out by Mid April.

Desperate for suggestions.....

 

[John Broomfield]

Implying that some nonconformities are okay could result in a permissive work environment* that allows employees to see and keep quiet about nonconformities.

Your system’s nonconforming processes may result in nonconforming services or products. So do not disparage the reporting of processes not conforming to their procedures or procedures not conforming to their processes.

All nonconformities need correction if not corrective action so apply your risk assessment criteria to decide which nonconformities deserve investment in the removal of their root causes from your system.

* The only bad nonconformity is the one you do not know about.

 

[RoxaneB]

If you have multiple NCs along the same lines, I question why they weren't lumped into one over-arching finding that would encompass the observed systemic issue.

My initial thought - without knowing all of the details - would be to offer one response and indicate the group of individual findings that the correction action will address.

It's also one thing to add a statement to "adhere to the standard", but it's something else to actually do it. Is your organization actually meeting the requirements? At a quick glance, I'd offer the answer is 'no' based on the additional finding of not formally addressing the previous internal audit findings. The finding may be that they were invalid and someone in senior leadership will likely need to sign off on that. But if they are valid, you may wish to re-consider how your organization documents their processes.

There may not be a direct impact on the product, but what about an indirect/supportive relationship? We still need those processes to ensure the right product gets out the door at the right time.

 

[Jim Wynne]

We had an outside company come in last year to perform our Internal Audit. They found 25 NC's which are all procedure related that have no effect on product. These NC's are mainly "you should have added this statement to adhere to the standard" or the need to add or clarify verbiage to procedures or the Quality Manual to meet the standard expectations. What process has been used to address these types of NC's? If we write a CAPA, how would we verify the effectiveness of adding a statement to a procedure to better align with the standard? Again, the findings were not apart of any procedures that had a direct impact on product. The NC's found have no risk to the performance of the device. We are currently in our recertification audit and received a major non-conformance for not formally addressing last year's 25 Internal Audit findings. We stated in this year's management review that we plan to close them out by Mid April.

Desperate for suggestions.....

There's enough here to suggest that your external source for auditing might not be competent. If you could give us an example or two of the nonconformity statements you're concerned about it will be easier to give you advice. Please give the complete verbatim statement(s).

 

[ScottK]

Sounds like your organization is in a tough position.
Should have done something on these - at least had an initial response and plan for each one - for your re-registration audit. Even if your company did not agree with the findings. If you're in the middle of your re-registration it's a bit late for that.
Right now - Stop thinking about "direct impact on the product". Product is only one piece of the pie when doing a quality system audit. It's a quality system... that's all the processes that go into your operation of making the product in accordance with the standard. If the findings were about accounting/finances - you have a point as that's not covered. But just about everything else in a manufacturing operation is.

Honestly, if I was auditing one of my suppliers and found that there were 25 open NC's, with no action, from a single audit done last year I would rate that as a major too. Without knowing what they are I can't really say if I'd also be skeptical that the organization would be able to close them in 2 months.

 

[Sidney Vianna]

There's enough here to suggest that your external source for auditing might not be competent.

In vehement agreement. The OP tries to make a case that none of the NC's point to a risk in product conformity, but how do we even know the outsourced internal auditor knows ANYTHING about the product realization process to adequately assess the risks? The tone of the NC's disclosed so far point to the typical situation where the "internal auditors" were focusing on........wait.........documentation; the easiest piece of a system to assess; the low hanging fruit, opportunity-rich for likes, dislikes and "suggestions". Auditors tend to gravitate to their comfort zones and avoid controversy. Comments such as "...you should have added this statement..." shows superficiality in assessment and poor reporting technique.

Unfortunately, many times, the results of a system audit, be it internal or external, depends much more on the caliber/competence/knowledge of the auditor than the system itself. And a semi-competent auditor might "mask" some serious flaws of a system and give the organization an erroneous "bill of health".

 

[Golfman25]

We had an outside company come in last year to perform our Internal Audit. They found 25 NC's which are all procedure related that have no effect on product. These NC's are mainly "you should have added this statement to adhere to the standard" or the need to add or clarify verbiage to procedures or the Quality Manual to meet the standard expectations. What process has been used to address these types of NC's? If we write a CAPA, how would we verify the effectiveness of adding a statement to a procedure to better align with the standard? Again, the findings were not apart of any procedures that had a direct impact on product. The NC's found have no risk to the performance of the device. We are currently in our recertification audit and received a major non-conformance for not formally addressing last year's 25 Internal Audit findings. We stated in this year's management review that we plan to close them out by Mid April.

Desperate for suggestions.....

Sounds like the just did a stage 1 type document review. Not really and effective internal audit. So it begs the question, what did you do with the results? Why or why not? I don't know if ISO 13485 requires a full 8D type process or not, but standard ISO would allow you just to make a correction and update your docs. as you saw fit.

 

[gemsmom]

There's enough here to suggest that your external source for auditing might not be competent. If you could give us an example or two of the nonconformity statements you're concerned about it will be easier to give you advice. Please give the complete verbatim statement(s).

NC#5
The organization does not define the period for which at least one copy of obsolete documents are retained.

NC#10
The QMS does not address UDI “7.5.8 Identification requirement”
—— this is not applicable as we are a contract manufacturer. Adding a statement to our Manual would satisfy this NC. Correct? What would be the verification of effectiveness? How can this be monitored?

 

[ScottK]

NC#5
The organization does not define the period for which at least one copy of obsolete documents are retained.

NC#10
The QMS does not address UDI “7.5.8 Identification requirement”
—— this is not applicable as we are a contract manufacturer. Adding a statement to our Manual would satisfy this NC. Correct? What would be the verification of effectiveness? How can this be monitored?

In NC 5 do they cite the requirement? I mean it's a typical practice to keep prior revisions archived but there are several ways to that. How do you keep your revision history?

NC 10. Contract manufacturer or not, you need to consider UDI. Your procedure or quality manual may state that as a contract manufacturer it is the customer's responsibility to provide UDI information for you to apply to the product.... or that the customer will apply UDI after your operation... I agree that as a CM you should not own the UDI, but you need to have a process for controlling what is provided by your customers for their needs. Even if it's just a blurb in your Quality Manual.

 

[Johnnymo62]

I worked for a medical device contract manufacturer years ago and we had to be able to trace from component part lots to individual device serial number we made, to the part delivered to the customer. The customers usually defined all marking and labeling requirements.

This traceability can reduce the number of units to recall, if it gets to that.