ISO9001:2015 6.3 - Planning of Changes - OFI from auditor

[skb76]

All

thanks all for the opinions..

YES, i understood OFI no need to be closed! and yet as i mentioned before i need to 'do something' as my experience audit with them..

so, once again i came out with this table (not completed yet); and main source cite from somewhere..
any comment and guidance!..

thanks in advance..

 

[Coury Ferguson]

An OFI if it is solid could lead in the near future to a nonconformity. Review your process, see if it meets the intent of the standard. If it does, no need to answer the OFI with action. Sit down with your management staff, and discuss this and see if it is in the best interest of the organization.

Just my opinion.

 

[Kronos147]

...the auditor SOMEHOW needs 'us' to WORKING ON something even its OFI...

Ok, how does the organization review the effectiveness of actions taken to address risks and opportunities? Maybe note it there, mention "we have this OFI" and then "we decided it was not for us" or "we turned this puppy into an improvement, and it made us feel all warm and fuzzy."

Don’t run your organization to keep your auditor happy.

Yes! Well said, John. It's your organization, not the auditors. I like to remind an auditor that there are other registrars out there.

The only thing an auditor can do is then find a way to revisit the OFI as non-conformance. I would see that as petty, and would most likely appeal. I would think the registrar would want to know they assessor seems to have an agenda.

If it is an OFI, then it is optional.

Definition of opportunity
1 : a favorable juncture of circumstances
2 : a good chance for advancement or progress

 

[John Broomfield]

Our auditor may have wished for more time to investigate a possible system weakness or nonconformity. If so that should have been disclosed both to the auditee organization for its further investigation and to the audit client (the CB) for inclusion in the next audit.

I can understand how this may be specified as one of the permitted uses of an OFI but I’ve yet to see this confirmed by a CB.

 

[tony s]

so, once again i came out with this table (not completed yet); and main source cite from somewhere..
any comment and guidance!..

To be honest with yourself, do you find value in the table you created? Will it bring improvement? Why do you need to create a table representing a) to d) of clause 6.3? There is no requirement in the standard that your organization have to retain documented information to demonstrate conformity with 6.3. There are a lot of ways that a change (e.g. transfer of production line to a new site, installation of new inventory system, outsourcing critical process instead of doing it by yourselves, paper-based to electronic-based documentation, etc.) can be planned and controlled.

 

[Randy]

So now it's double work or double speak.....Isn't all that nothing more than "Risks and Opportunities" wearing a different dress?

One of the toughest tasks I face as an auditor is getting past all the fluff, smoke & mirrors, and assorted stuff people do for looks that add not much more then "gee whiz".

 

[Steven Severt]

You are not required to respond / close an OFI

This is true, but auditors often ask about them during surveillance audits and they are often legitimate things that should be improved. It's generally good to log them and address them somewhere. I don't log OFIs from internal or external audits in our corrective action system, but I keep a rolling QMS FMEA with risk assessment so that these items can be entered and assessed, and action taken if necessary.

 

[tony s]

When an auditor raises an OFI, the intent should always be for improvement and not just change. There are times that auditors find the approach of the auditee different from what he/she knows or have experienced and just because he/she finds the approach a bit far from the "norm" they have to raise an OFI.

Since there's no ISO 9000 standard meaning of an OFI, some will interpret this as a situation that could lead to nonconformity. That's why auditors expect their auditees to take actions on OFIs. However, ISO 19011:2018 in section 6.4.10 has a different take on OFIs as specified in this statement "If specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding."

 

[Kronos147]

This is true, but auditors often ask about them during surveillance audits and they are often legitimate things that should be improved.

It should be emphasized that recommendations are not binding."

FWIW, I offer verbal OFI's in some instances (when I am auditing). I am clear they are non-binding. Occasionally I put them in reports too, but less frequent after I saw another auditor pick up the ball and run with one of mine ( grrrr ).

Either way, I have such a lousy memory that my client's have said (yeah, you said that last year, but with our consideration of corporate...) or whatever other reason, they didn't act upon it. I chuckle at my consistency and move on. It was not of value to them, the people that run the system every day, even know I thought the one day I year I come by it was a possibility. So, whatever, THEY (YOU!) know best about your system. (No the auditor, no matter how good Randy and I are, er, I mean they are, does not know best about your system.)

 

[Tagin]

All
----
so, once again i came out with this table (not completed yet); and main source cite from somewhere..
any comment and guidance!.

I think something like that can be useful. It is a simple high-level way to demonstrate that you have thought about the controls that are in-place to prevent unplanned/unauthorized changes.

I don't think this is a 7.4 doc, though. This is essentially a 6.3 doc that says: "Here's how we control QMS changes. The specific controls are in our separate QMS process docs, and we use them in the following way to control changes."

You could maybe even just have two columns: Change Proposed and Controls. The latter would list the QMS documents that control those particular changes, as long as those QMS documents already include authorities and responsibilities. (For example, a process change, might include references to your document management process doc, your tools management process doc, calibrated equipment process doc, risk register process doc, etc. depending on what is needed for the change.)

I think of it like the high-level process-interaction diagram. The diagram is not intended to fully document the processes in any detail, it is only to show that you have thought about (again, "planned") the interactions and organized them into a cohesive diagram.