Do I need to answer Audit Observations?

John Broomfield

Staff member
Super Moderator
#21
We know from the recommendations of ISO 19011 that Audit Findings (statements of fact from the audit) replaced Observations a long time ago.

Audit Findings either indicate:

  • Conformity - perhaps worthy of praise
  • Nonconformity - perhaps worthy of corrective action
That leaves the gray area of Opportunties for Improvement.

OFIs are not audit findings. They are more like recommendations but auditors may use them to offer advice or, unintentionally, to conceal system weaknesses by making the system depend to some extent on the CB.

When a management system fails to identify a future significant risk or opportunity that is a system weakness that needs corrective action not an OFI.

Continued issue of "Observations" instead of OFIs indicates that the CB is out of date with its use of terminology recommended by ISO 19011.

I understand why the auditor felt compelled to reduce the level of embarrassment but this should have resulted in fortitude and a re-audit instead of a bundle of nonconformities and recommendations dressed up as observations and the wrong conclusion: recommended continued certification.

The lack of fortitude may indicate fundamental incompetence or it may indicate a deeper problem with the CB itself. Indeed, the independent review of the report should have refuted this conclusion.

John
 
Elsmar Forum Sponsor
#22
John:

Your post brings up an interesting point about the chosen CB - what was their technical reviewer thinking when they saw 17, OFIs? 17? If I was doing the technical review, I'd be wondering what the h*ck the auditor was smoking - and that's before reviewing the actual content of the report(s) to see how they were worded and if they were soft graded...
 

Big Jim

Super Moderator
#23
We know from the recommendations of ISO 19011 that Audit Findings (statements of fact from the audit) replaced Observations a long time ago.

Audit Findings either indicate:

  • Conformity - perhaps worthy of praise
  • Nonconformity - perhaps worthy of corrective action
That leaves the gray area of Opportunties for Improvement.

OFIs are not audit findings. They are more like recommendations but auditors may use them to offer advice or, unintentionally, to conceal system weaknesses by making the system depend to some extent on the CB.

When a management system fails to identify a future significant risk or opportunity that is a system weakness that needs corrective action not an OFI.

Continued issue of "Observations" instead of OFIs indicates that the CB is out of date with its use of terminology recommended by ISO 19011.

I understand why the auditor felt compelled to reduce the level of embarrassment but this should have resulted in fortitude and a re-audit instead of a bundle of nonconformities and recommendations dressed up as observations and the wrong conclusion: recommended continued certification.

The lack of fortitude may indicate fundamental incompetence or it may indicate a deeper problem with the CB itself. Indeed, the independent review of the report should have refuted this conclusion.

John
Perhaps just a small detail, but don't "findings" include the entirety of the audit report? Both positive and negative?
 

John Broomfield

Staff member
Super Moderator
#24
Jim,

Yes, but instead of saying positive and negative I said conformity and nonconformity.

After all, nonconformities can add value if they are well-crafted.

We all need to do our bit to remove the fear of nonconformities.

John
 
R

Reg Morrison

#25
The lack of fortitude may indicate fundamental incompetence or it may indicate a deeper problem with the CB itself. Indeed, the independent review of the report should have refuted this conclusion.
John:

Your post brings up an interesting point about the chosen CB - what was their technical reviewer thinking when they saw 17, OFIs? 17? If I was doing the technical review, I'd be wondering what the h*ck the auditor was smoking - and that's before reviewing the actual content of the report(s) to see how they were worded and if they were soft graded...
According to ISO 17021:2011, 9.3.3, (independent) technical reviews of surveillance audit reports is only required if a situation potentially leading to decertification exists (i.e., a major NC is reported). By softgrading the findings, the auditor actually suppresses the triggering of a report review.

If the registrar in this case had any seriousness, based on the feedback from the OP to them, would ensure that this auditor gets witnessed and all of his reports get thoroughly reviewed.

Certainly, registrars can do more than the minimum required by 17021, but I doubt any registrar out there will have each and every surveillance audit report independently reviewed, if not required.
 
K

kanwal

#27
My take is a little different.

First - Observations need to be justified with reference to the audit criteria, as NCs are required to be. Since both are audit findings.

Second - The observations need to be accepted in a manner similar to NCs before they reach the audit report.

Having accepted them in the first instance, not following through needs to be justified before it can be closed.

This is based on the provisions of ISO 19011:2011 - see definition of audit findings in clause 3.4 and specifically NOTE 2 as the starting point.
 
#28
My take is a little different.

First - Observations need to be justified with reference to the audit criteria, as NCs are required to be. Since both are audit findings.

Second - The observations need to be accepted in a manner similar to NCs before they reach the audit report.

Having accepted them in the first instance, not following through needs to be justified before it can be closed.

This is based on the provisions of ISO 19011:2011 - see definition of audit findings in clause 3.4 and specifically NOTE 2 as the starting point.
This is a matter of "grading" where it's almost impossible to suggest such a course of action. Nowhere has the content of these observations been discussed. How they can be treated as NCs when we don't even know what the subject is, how it was found etc. etc. These are often no more important that a comment like "You should eat more fruit". Are you suggesting that I run off and immediately change my diet? Is there any factual basis for this comment?

No, observations - or worse, NCs - graded as OFIs are a waste of time and should be filed in the small, round filing bin...
 

Big Jim

Super Moderator
#29
This is a matter of "grading" where it's almost impossible to suggest such a course of action. Nowhere has the content of these observations been discussed. How they can be treated as NCs when we don't even know what the subject is, how it was found etc. etc. These are often no more important that a comment like "You should eat more fruit". Are you suggesting that I run off and immediately change my diet? Is there any factual basis for this comment?

No, observations - or worse, NCs - graded as OFIs are a waste of time and should be filed in the small, round filing bin...
That's a bit strong. Wisdom would indicate that it would be foolish not to consider them. If it was worth the effort of the auditor to bring them to your attention, it would be a mistake not to at least consider if there is value there for your organization.

I certainly agree that there is no requirement to do so. Organizations are not prohibited from doing stupid things.
 

Jim Wynne

Staff member
Admin
#30
Just as there is no such thing as being a little bit pregnant, a nonconformity either exists or it doesn't. If actual objective evidence is used to support a finding of nonconformity, there should be no room for wiggling. If an auditor identifies a nonconformity and an auditee can make a rational case for conformance, the auditor needs to reconsider. If there is still disagreement after discussion, the auditee can use the appeal process.

As far as "observations" are concerned, all objective evidence is based on "observation." Nonetheless, auditees need to listen carefully to everything an auditor says regarding what's been seen, whether anything is documented as a result or not. In the present case, the idea of there being 17 "observations" seems absurd on its face. I'm reminded of what my father used to say about people who talk too much: Anyone who talks that much must be telling some lies. If there are that many documented observations, you can bet that some of them should have been classified as NCs, and the auditee should treat them as such, if only internally.
 
Thread starter Similar threads Forum Replies Date
Anerol C Need to answer a Car due the CAR answering process and implentation is not workin Nonconformance and Corrective Action 1
H Countermeasure Answer on Decision Making - Need help Nonconformance and Corrective Action 16
N I need your opinion about budget answer Document Control Systems, Procedures, Forms and Templates 6
P UDI-PI requirements on reusable surgical device, do we need serialisation? ISO 13485:2016 - Medical Device Quality Management Systems 0
J Need Help with FPY Data in Assembly Process Manufacturing and Related Processes 7
W 17025 and NIST handbook relationship (need advice) ISO 17025 related Discussions 8
lanley liao Does all of the suppliers need to integrated into the supplier list qualified of the company? Oil and Gas Industry Standards and Regulations 2
K Need procedure for D&D inputs? ISO 13485:2016 - Medical Device Quality Management Systems 4
S Need help on "Country of Origin" Medical Device and FDA Regulations and Standards News 0
Ed Panek Immediate need for 80601-2-56 Consulting expert. PM me for details Career and Occupation Discussions 0
Tagin You're Gonna Need a Bigger Root Cause Coffee Break and Water Cooler Discussions 12
M PSA Suppliers - CSR matrix and need the quality manual of PSA APQP and PPAP 2
M Need Help With Information Security Asset Risk Register IEC 27001 - Information Security Management Systems (ISMS) 2
K "World Class Product" based QM. I need advice. Quality Management System (QMS) Manuals 14
I Do I need to sign off my annual audit calendar? Internal Auditing 2
P Do we need to retrospectively use the "MD" symbol (indicating device is a medical device) on labels, e.g. finished devices within expiration date? EU Medical Device Regulations 2
M Do I need separation in my circuit with a medical charger? IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
V Certified Auditor - Need of additional certification specific to industry ( GMPs) ASQ vs ECA vs others Professional Certifications and Degrees 1
D Low risk IVD study in the UK, do I need MHRA approval? UK Medical Device Regulations 1
A Medical Device Contract Manufacturer - Does the CM need to register with FDA? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
J Records Control - Does each individual record need to be numbered? Records and Data - Quality, Legal and Other Evidence 2
N Is there a need for clinical test of Class IIa products (for MDR)? EU Medical Device Regulations 2
J Do Software Subcontractors need to be ISO13485 compliant in the EU? EU Medical Device Regulations 3
K Do I need a "State of the art" plan? CE Marking (Conformité Européene) / CB Scheme 1
S Need advice for schooling Quality Manager and Management Related Issues 5
R What information do i need to get from the device manufacturer 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 0
S Need guidance on project ISO 13485:2016 - Medical Device Quality Management Systems 2
H Need MSA 4th ed. compliant attribute MSA template General Measurement Device and Calibration Topics 4
J Need Change Control Yes/No Decision Tree Template ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
C Does an accessory need an IFU if it use is discussed in the Parent device IFU? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 5
B Countries with no need for FSC (Free sales certificate) Other Medical Device Regulations World-Wide 0
R The term "Benefit Risk Ratio" in EU MDR, do I need to present benefit risk analysis as a RATIO Risk Management Principles and Generic Guidelines 4
A Brexit When does the UK responsible person need to be in place? UK Medical Device Regulations 10
R Do we need issue ECN (Engineering Change Notice) towards updated Material Specification? Design and Development of Products and Processes 2
N IPC-A-630 - Is this free or do i really need to pay for it? Manufacturing and Related Processes 4
C ISO/ IEC 17021 Resource requirement (need help) Document Control Systems, Procedures, Forms and Templates 5
P Need a programmer for QVI's VMS software for optical inspection machine Inspection, Prints (Drawings), Testing, Sampling and Related Topics 0
silentmonkey How to decide what characteristics need to be verified during incoming inspection? ISO 13485:2016 - Medical Device Quality Management Systems 5
D Change Approval Requirements - Does every change need formal customer approval? Design and Development of Products and Processes 17
T Do I need a qualified compiler for class B software? IEC 62304 - Medical Device Software Life Cycle Processes 3
E 13485:2016, Sections 4.1.6, 7.5.6 and 7.6 - Validation of Software - Need some Advice please ISO 13485:2016 - Medical Device Quality Management Systems 3
C ISO 13485 :2016 - CAPA - Does every CAPA need to be checked by regulations? ISO 13485:2016 - Medical Device Quality Management Systems 9
L Proof of Concept Studies - Do we need to comply with SAE reporting? Medical Device and FDA Regulations and Standards News 3
gunnyshore Adding a new facility - do I need to submit an amendment to the MDL or MDEL, or both? Canada Medical Device Regulations 3
N FDA UDI - Label vs. Labeling - Does the insert need to include UDI? Other US Medical Device Regulations 1
SocalSurfer AS9100 new certificate, but need QMS software, help Quality Assurance and Compliance Software Tools and Solutions 2
A Demonstration of Equivalence - Need for comparing biological characteristics for an SamD EU Medical Device Regulations 1
G Need to change KPI we called NC parts (maximum 3%.) to FTQ (first time quality) IATF 16949 - Automotive Quality Systems Standard 4
W Need for current design or process control FMEA and Control Plans 2
L Turkish Requirements - Does the Software need to be translated? CE Marking (Conformité Européene) / CB Scheme 2

Similar threads

Top Bottom