Addressing Non-Conformances from an Internal Audit that are not product related

#1
We had an outside company come in last year to perform our Internal Audit. They found 25 NC's which are all procedure related that have no effect on product. These NC's are mainly "you should have added this statement to adhere to the standard" or the need to add or clarify verbiage to procedures or the Quality Manual to meet the standard expectations. What process has been used to address these types of NC's? If we write a CAPA, how would we verify the effectiveness of adding a statement to a procedure to better align with the standard? Again, the findings were not apart of any procedures that had a direct impact on product. The NC's found have no risk to the performance of the device. We are currently in our recertification audit and received a major non-conformance for not formally addressing last year's 25 Internal Audit findings. We stated in this year's management review that we plan to close them out by Mid April.

Desperate for suggestions.....
 
Elsmar Forum Sponsor

John Broomfield

Staff member
Super Moderator
#2
Implying that some nonconformities are okay could result in a permissive work environment* that allows employees to see and keep quiet about nonconformities.

Your system’s nonconforming processes may result in nonconforming services or products. So do not disparage the reporting of processes not conforming to their procedures or procedures not conforming to their processes.

All nonconformities need correction if not corrective action so apply your risk assessment criteria to decide which nonconformities deserve investment in the removal of their root causes from your system.

* The only bad nonconformity is the one you do not know about.
 

RoxaneB

Super Moderator
Super Moderator
#3
If you have multiple NCs along the same lines, I question why they weren't lumped into one over-arching finding that would encompass the observed systemic issue.

My initial thought - without knowing all of the details - would be to offer one response and indicate the group of individual findings that the correction action will address.

It's also one thing to add a statement to "adhere to the standard", but it's something else to actually do it. Is your organization actually meeting the requirements? At a quick glance, I'd offer the answer is 'no' based on the additional finding of not formally addressing the previous internal audit findings. The finding may be that they were invalid and someone in senior leadership will likely need to sign off on that. But if they are valid, you may wish to re-consider how your organization documents their processes.

There may not be a direct impact on the product, but what about an indirect/supportive relationship? We still need those processes to ensure the right product gets out the door at the right time.
 

Jim Wynne

Staff member
Admin
#4
We had an outside company come in last year to perform our Internal Audit. They found 25 NC's which are all procedure related that have no effect on product. These NC's are mainly "you should have added this statement to adhere to the standard" or the need to add or clarify verbiage to procedures or the Quality Manual to meet the standard expectations. What process has been used to address these types of NC's? If we write a CAPA, how would we verify the effectiveness of adding a statement to a procedure to better align with the standard? Again, the findings were not apart of any procedures that had a direct impact on product. The NC's found have no risk to the performance of the device. We are currently in our recertification audit and received a major non-conformance for not formally addressing last year's 25 Internal Audit findings. We stated in this year's management review that we plan to close them out by Mid April.

Desperate for suggestions.....
There's enough here to suggest that your external source for auditing might not be competent. If you could give us an example or two of the nonconformity statements you're concerned about it will be easier to give you advice. Please give the complete verbatim statement(s).
 

ScottK

Not out of the crisis
Staff member
Super Moderator
#5
Sounds like your organization is in a tough position.
Should have done something on these - at least had an initial response and plan for each one - for your re-registration audit. Even if your company did not agree with the findings. If you're in the middle of your re-registration it's a bit late for that.
Right now - Stop thinking about "direct impact on the product". Product is only one piece of the pie when doing a quality system audit. It's a quality system... that's all the processes that go into your operation of making the product in accordance with the standard. If the findings were about accounting/finances - you have a point as that's not covered. But just about everything else in a manufacturing operation is.

Honestly, if I was auditing one of my suppliers and found that there were 25 open NC's, with no action, from a single audit done last year I would rate that as a major too. Without knowing what they are I can't really say if I'd also be skeptical that the organization would be able to close them in 2 months.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#6
There's enough here to suggest that your external source for auditing might not be competent.
In vehement agreement. The OP tries to make a case that none of the NC's point to a risk in product conformity, but how do we even know the outsourced internal auditor knows ANYTHING about the product realization process to adequately assess the risks? The tone of the NC's disclosed so far point to the typical situation where the "internal auditors" were focusing on........wait.........documentation; the easiest piece of a system to assess; the low hanging fruit, opportunity-rich for likes, dislikes and "suggestions". Auditors tend to gravitate to their comfort zones and avoid controversy. Comments such as "...you should have added this statement..." shows superficiality in assessment and poor reporting technique.

Unfortunately, many times, the results of a system audit, be it internal or external, depends much more on the caliber/competence/knowledge of the auditor than the system itself. And a semi-competent auditor might "mask" some serious flaws of a system and give the organization an erroneous "bill of health".
 

Golfman25

Trusted Information Resource
#7
We had an outside company come in last year to perform our Internal Audit. They found 25 NC's which are all procedure related that have no effect on product. These NC's are mainly "you should have added this statement to adhere to the standard" or the need to add or clarify verbiage to procedures or the Quality Manual to meet the standard expectations. What process has been used to address these types of NC's? If we write a CAPA, how would we verify the effectiveness of adding a statement to a procedure to better align with the standard? Again, the findings were not apart of any procedures that had a direct impact on product. The NC's found have no risk to the performance of the device. We are currently in our recertification audit and received a major non-conformance for not formally addressing last year's 25 Internal Audit findings. We stated in this year's management review that we plan to close them out by Mid April.

Desperate for suggestions.....
Sounds like the just did a stage 1 type document review. Not really and effective internal audit. So it begs the question, what did you do with the results? Why or why not? I don't know if ISO 13485 requires a full 8D type process or not, but standard ISO would allow you just to make a correction and update your docs. as you saw fit.
 
#8
There's enough here to suggest that your external source for auditing might not be competent. If you could give us an example or two of the nonconformity statements you're concerned about it will be easier to give you advice. Please give the complete verbatim statement(s).
NC#5
The organization does not define the period for which at least one copy of obsolete documents are retained.

NC#10
The QMS does not address UDI “7.5.8 Identification requirement”
—— this is not applicable as we are a contract manufacturer. Adding a statement to our Manual would satisfy this NC. Correct? What would be the verification of effectiveness? How can this be monitored?
 

ScottK

Not out of the crisis
Staff member
Super Moderator
#9
NC#5
The organization does not define the period for which at least one copy of obsolete documents are retained.

NC#10
The QMS does not address UDI “7.5.8 Identification requirement”
—— this is not applicable as we are a contract manufacturer. Adding a statement to our Manual would satisfy this NC. Correct? What would be the verification of effectiveness? How can this be monitored?
In NC 5 do they cite the requirement? I mean it's a typical practice to keep prior revisions archived but there are several ways to that. How do you keep your revision history?

NC 10. Contract manufacturer or not, you need to consider UDI. Your procedure or quality manual may state that as a contract manufacturer it is the customer's responsibility to provide UDI information for you to apply to the product.... or that the customer will apply UDI after your operation... I agree that as a CM you should not own the UDI, but you need to have a process for controlling what is provided by your customers for their needs. Even if it's just a blurb in your Quality Manual.
 

Johnnymo62

Haste Makes Waste
#10
I worked for a medical device contract manufacturer years ago and we had to be able to trace from component part lots to individual device serial number we made, to the part delivered to the customer. The customers usually defined all marking and labeling requirements.

This traceability can reduce the number of units to recall, if it gets to that.
 
Thread starter Similar threads Forum Replies Date
Q Addressing poor commitment in people Misc. Quality Assurance and Business Systems Related Topics 23
R Addressing training requirements - 21 CFR Part 820.25 (1) & (2) Other US Medical Device Regulations 4
H Addressing of Undesirable side-effects, harms, risks and side-effects in clinical evaluation report (CER) EU Medical Device Regulations 12
P Interesting Discussion Addressing Human Factors in Corrective Action AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 23
JoshuaFroud Addressing wet ink signatures when more than one site is involved 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 8
J IATF 16949 Cl. 7.5.1.1 d - Customer Requirements - How are people addressing? IATF 16949 - Automotive Quality Systems Standard 10
Q Risk (closeout and options for the addressing) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
Q ISO9001:2015 Cl. 6.1 - What evidences of risk addressing is needed? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
A Addressing every clause in ISO 17025 ISO 17025 related Discussions 1
Sam Lazzara Experiences with Notified Bodies addressing EN ISO 14971:2012 Annex Zs ISO 14971 - Medical Device Risk Management 5
D CAPA Follow-up - Format for Addressing the Assessment ISO 13485:2016 - Medical Device Quality Management Systems 4
J Suggestions for addressing Printed Paper Documents Document Control Systems, Procedures, Forms and Templates 3
J AS9100 Rev C Internal Audit Procedure/Plan - Addressing 8.2.2 - Customer Requirements AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 4
F Document Control - Addressing control of content stored on web sites Document Control Systems, Procedures, Forms and Templates 9
B Addressing Lots that were measured with Out of Tolerance Gage Pins Nonconformance and Corrective Action 5
Sidney Vianna Public Comments Requested on ISO Standard Addressing Six Sigma - ISO 13053 Other ISO and International Standards and European Regulations 9
R Addressing Inspection in PFMEA (Process FMEA) FMEA and Control Plans 2
S ISO 9001:2008 Addressing the "Notes" in my quality Manual ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
T Addressing ISO 9001 Section 7 in the Quality Manual when Design is Excluded Design and Development of Products and Processes 6
K Compliance of Control Plans to Annex A - Addressing Error Proofing FMEA and Control Plans 13
R Addressing Training in ISO 9001:2000 Process Documents Training - Internal, External, Online and Distance Learning 21
S Philip Crosby's Cost of Quality - James Harrington's Book Addressing COQ Book, Video, Blog and Web Site Reviews and Recommendations 18
R Customer Focus - Level 1 Procedure - Addressing ISO 9001 Clause 5.2 Document Control Systems, Procedures, Forms and Templates 3
M Design Input - 820.30(c) - Addressing incomplete, ambiguous... requirements Design and Development of Products and Processes 1
D Using non-conforming components even though the final assembly is conforming? Manufacturing and Related Processes 5
N Competent Authority notification for non-EU manufacturer EU Medical Device Regulations 4
M CE marking for NON-EU EU Medical Device Regulations 0
E Non-GMP examples in Pharmaceutical industry Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 2
blile Increasing PFMEA occurrence ranking after non-conformance FMEA and Control Plans 4
S Non-Conformance and Deviations ISO 13485:2016 - Medical Device Quality Management Systems 4
B Risk Assessment Checklist for Non product Software IEC 62304 - Medical Device Software Life Cycle Processes 1
T Ideas for developing a Supplier Quality Management System, non automotive ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
N Audit non-compliance - API Spec Q1 9th Ed 5.6.1.2 b Oil and Gas Industry Standards and Regulations 10
R Applicability of new non-harmonized standards (MDD/MDR) EU Medical Device Regulations 8
M Scope of Combined ISO 9001 and IATF 16949 QMS - Non-automotive customers ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
J Guidance on manufacturing non-surgical face masks US Food and Drug Administration (FDA) 3
D Do non-IATF customers need to be included in audit scope? IATF 16949 - Automotive Quality Systems Standard 23
C If it doesn't prevent a non-conformance, is it a preventive action? IATF 16949 - Automotive Quality Systems Standard 13
T Non conformance product identification and traceability 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
I Non-Conformance vs OFI -- your best descriptions ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 61
G Question about Non-conformances during New Product Introduction Nonconformance and Corrective Action 14
B Bioburden monitoring for surgical instrument provided non-sterile EU Medical Device Regulations 3
Y Packaging validation for non-sterile Medical Equipment Other Medical Device Related Standards 1
S Can we provide training plan as corrective action for IATF 16949 Non conformity? IATF 16949 - Automotive Quality Systems Standard 9
J Medical System with non-medical device and FCC US Food and Drug Administration (FDA) 5
L PMA and Non-PMA parts in same finished goods area? Federal Aviation Administration (FAA) Standards and Requirements 1
W Non-Conformance from recent Audit carried out on Purchasing AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 11
D Do purchasing controls apply to non-medical parts? ISO 13485:2016 - Medical Device Quality Management Systems 5
S Service record requirements for Non-Serviceable Medical Devices CE Marking (Conformité Européene) / CB Scheme 1
S Industry Labelling Standards - non medical Manufacturing and Related Processes 0
Similar threads


















































Top Bottom