Non-conformance Register vs Corrective Action Register

[333Hannahh]

Hi All,

I know there are a few threads on this and I have gone through them but I'm still not 100% clear on the process. I have been tasked with project lead on achieving ISO 9001 certification for my organisation (health services but back office - don't deal with medical issues, we process claims and pay health service providers). I have no previous experience in ISO or Quality. We have our Stage 1 audit in November this year.

Our current process is as follows:
We have 9 completely separate processing units each headed up by a unit manager. On a day-to-day basis managers / staff keep an eye on the running of the unit and can raise a non-conformance at any point that it is required. They request a NCR (non-conformance register) unique number from me, then they complete a non-conformance report which includes the following headings:
- Issue description
- Actions taken to fix
- Corrective verification
- Root cause analysis (if required)
- Corrective actions (if required)

Once the form is completed it is submitted to me and I put a summary of the information provided onto a non-conformance register (excel sheet), listed by NCR unique reference number. I will then follow up with the unit to ensure that the non-conformance is closed and signed off within 30 days of it being raised.

My question is: we are about to start with our internal audits, which may find an opportunity for improvement, minor or major non-conformance. How do I deal with those and ensure I’m recording the correct information?
- Does a non-conformance report have to be completed for each one raised from internal audit?
- If not, can I assign an NCR number and just include the summary information on my register without having a backing report as the IA report will be sufficient?
- Do I need to have a separate corrective actions register, or can this all be included on the Non-conformance register?

Sorry for the essay and all the questions – I’m hoping it makes sense to someone out there!
Thanks
Hannah

 

[Jim Wynne]

A couple of observations: The report, as you describe it, is missing an important component--the requirement that was not fulfilled. The ISO definition of nonconformance is "non-fulfillment of a requirement." If there is no documented requirement, there is no nonconformity. Next, I strongly suggest that you eschew classification of nonconformities (major, minor, etc.) resulting from internal audits. It serves no purpose and will likely devolve into inescapable subjectivity. All audit nonconformities must be addressed.

If you follow the "normal" algorithm for these things, there will be an audit report that lists each nonconformity encountered, which should beget at least a corrective action effort, if not a separate NCR. So long as the CA is tied to the audit report, a separate NCR isn't necessary. As far as separate NC and CA registers are concerned, it's your choice.

 

[Mark Meer]

We have separate NCR & CAPA registers as the two have independent purposes, and there are cases where CAPA is issued independent from a specific non-conformity.

NCR
- What is the non-conformity (what requirement is not met, and what is the evidence)?
- What, if any, remedial action is taken?
- Is investigation/corrective action required? If so, CAPA issued.

CAPA
- What is the issue (or potential NC)?
- Details of investigation/root-cause analysis
- Proposed corrective or preventive action
- Followup (to assess effectiveness of action(s))

 

[contigo123]

Does your internal audit procedure say what to do? Our Internal Audit SOP says that identified non-conformances require a CA, and thus they go into our CAPA system. In general we separate out product related issues that need correction into NCMRs and then other stuff goes into CAPAs (including product related issues that escalate to needing CA/PA as well as quality system related issues)

 

[Big Jim]

Try to keep it as simple as possible. You don't need two systems unless you see a benefit from it and want to.

Keep in mind that not all nonconformances need corrective actions. Reference element 10.2b. After reacting to the nonconformance, taking action to control and correct it, and dealing with the consequences, you "evaluate the need for action to eliminate the cause(s) of the nonconformity . . . "

You may be doing more than you need to. You get to decide if corrective action is necessary or not. If not, it ends there.

My first suggestion is to add a line to your form stating something like "Corrective Action needed? Yes or No after the "take action to control and correct" and "deal with the consequences" and end it there if correction isn't needed.

Keep in mind though that if the nonconformance is an audit finding conventional wisdom (or the wisdom of the certification body) usually requires corrective action. The standard doesn't say so, but if you don't, expect a fuss from the auditor as that is how they are trained.

Only the actual audit nonconformances should be treated as nonconformances. Observations and Opportunities for Improvement are not nonconformances. It is inappropriate for auditors to "soft grade" nonconfirmances by calling them Observations or Opportunities for Improvement. Also you do not need to respond to them or report back to the auditor as to how you treated them. It is probably wise to address them, but it need not be formal nor does a record of how you address them need to be kept.

My second suggestion is to start using the same forms and logs to deal with audit nonconformances as you are using now. It would be a good idea to reference it to the audit in the opening line or somewhere near the top.

 

[John Broomfield]

I recommend separating your logs of:

A. Service/Material/Product nonconformities

from your:

B. Preventive/Corrective Action Requests

Log A. would include customer complaints.

Let us not completely forget preventive actions flowing from data analysis, planning and risk assessments.

 

[333Hannahh]

A couple of observations: The report, as you describe it, is missing an important component--the requirement that was not fulfilled. The ISO definition of nonconformance is "non-fulfillment of a requirement." If there is no documented requirement, there is no nonconformity. Next, I strongly suggest that you eschew classification of nonconformities (major, minor, etc.) resulting from internal audits. It serves no purpose and will likely devolve into inescapable subjectivity. All audit nonconformities must be addressed.

If you follow the "normal" algorithm for these things, there will be an audit report that lists each nonconformity encountered, which should beget at least a corrective action effort, if not a separate NCR. So long as the CA is tied to the audit report, a separate NCR isn't necessary. As far as separate NC and CA registers are concerned, it's your choice.

Thanks so much for all of your replies, they are very much appreciated. We are not long finished with our training and I've gone back through my notes and the 'non-fulfillment of a documented requirement' in relation to non-conformances was not something that was highlighted so thank you for mentioning that. To expand on that point - is the 'documented requirement' the information contained in our standard operating procedures and KPI's? For example, one of our KPIs is to pay 100% of valid claims submitted. If for whatever reason that doesn't happen then the non-conformance is raised because the documented requirement (KPI) to pay 100% of valid claims wasn't met. Do the 'documented requirements' normally come from the SOPs, or can they come from the KPIs and other documents as well?
I agree with you regarding the classification of nonconformities - I'll take that out - didn't realise that was allowed as the training from the certification body went on a bit about minor and major nonconformities so I thought we had to classify them as such.

 

[Thee Bouyyy]

is the 'documented requirement' the information contained in our standard operating procedures and KPI's? For example, one of our KPIs is to pay 100% of valid claims submitted. If for whatever reason that doesn't happen then the non-conformance is raised because the documented requirement (KPI) to pay 100% of valid claims wasn't met.

What we do in our organization in this scenario is that if any of the KPIs are not met for any given period, we record it in a separate sheet that includes the root cause and action plan. This is not being treated as a non-conformance.

Do the 'documented requirements' normally come from the SOPs, or can they come from the KPIs and other documents as well?

It could originate from any documentation pertaining to your company's business scope and licence.

P.S : I'm in a hurry right now. Please accept my apologies if I misinterpreted. I haven't read all of the threads and responses from other users.

 

[Randy]

Without all the "this and that" and explanations, theory, and interpretations the simple answer is NO, not everything might mandate a CAR! Just take the time to read 9001:2015 - 10.2.1, it clearly states you get to decide what's important and what's not. There's some good information above

 

[Cari Spears]

I have a log for nonconforming product - this is where we keep all of the documented information required in AS9100D 8.7.2. I do not put process nonconformances in this log - product rejections only.

Then I have a corrective action log. Sometimes nonconforming product results in a corrective action request - not always. I log all corrective actions in this log, regardless of how they were initiated - nonconforming product, customer complaint, internal audit findings, management review action items, etc.

You can do whatever makes sense for your organization.