Responding to NADCAP nonconformance - Control of External Documents


Hi All,

we need to respond to a nonconformace "NADCAP"
control of External Documents.
my boss didn't take the time to read the nadcap checklist for the requirements, he thought that the checklist were optional (tool to assist) rather than actual requirements.
"inadequate knowledge"
what is the good way to answer without getting him fired.

Mark Meer

Trusted Information Resource
Re: Responding to Audit Findings - Procedures not being followed to the letter

...we need to respond to a nonconformace "NADCAP"
control of External Documents.
my boss didn't take the time to read the nadcap checklist for the requirements, he thought that the checklist were optional (tool to assist) rather than actual requirements.
"inadequate knowledge"
what is the good way to answer without getting him fired.

I am not familiar with NADCAP. (This is ISO 13485 sub-forum).

However, a few points:

1. Firing is generally not a good corrective action to a non-conformance. It is a business decision, however, so if higher-management thinks that such a lapse is a fireable offence, that is their prerogative. But it should not be the corrective action.

2. The investigation should seek to go deeper than simply "It's his fault". Why did he have "inadequate knowledge"? Why did he think something that was a requirement was optional? There may be a deficiency in your training/qualification processes...

3. You may also want to consider why this was not previously identified. Was it going on for sometime? Where are the requirements specified? Is checking up on these requirement encompassed by your internal audit program?

In seeking answers to the above, you may be able to tighten training (and re-train your boss), and update internal audit program to ensure these checklists are encompassed.



One possible way to address this is to highlight that the checklists were not part of the organization's compliance calendar. In my experience with Nadcap, they want to see a three legged 5-why as to the deep dive into the corrective action. So: Why did it happen? Why did you fail to detect it? and then Why did the system allow it to happen? You don't have to necessarily go 5 deep on each, but they at least would like to see that you took a serious effort and understanding the root cause of the nonconformance.

I used to fight with the staff engineer during the nonconformance closure part of the audit until I realized that they really just want you to add another layer of controls in place to ensure that the problem cannot happen again. So adding the checklists to a compliance calendar, having an "audit checklist" that is completed 30-60 days out from when they come, or something to that effect might work.


Yes. i am rewriting the internal auditing procedure to include the nadcap checklist.
please see below - waiting to hear back

3.1. Internal quality audits are conducted to ensure ongoing compliance with requirements of the QMS standards, company’s policies and procedures. This is accomplished by auditing against all important processes and areas, and by applying all applicable sections of the standard. Audit requirements include those of ISO 9001, ISO 9100, Nadcap, the company’s quality system documentation, as well as requirements of customers or regulatory authorities, as applicable.
3.2. Audits are conducted by process, and each process must be audited at least once annually.
3.3. The applicable ISO 9001, ISO 9100 and Nadcap requirements pertaining to each process are encompassed in the Internal Audit Report “checklist”. These are the minimum clauses which must be audited for each process; an auditor may audit any clause of the applicable standard, and writing findings against them, depending on how the audit unfolds. (You will have to create this table yourself; see the sample table included with the kit documentation.)
3.4. Additional processes of other activities or facilities, outside of the process model, may also be scheduled. For example, this may include safety audits, configuration management audits, etc. In such cases, unique audit forms may be developed for such non-process related audits.
3.5. The Quality Manager plans audits according to need, management decision, or customer requirements, and assigns a Lead Auditor for each, as well as any supporting auditor team members. Scheduling is recorded in the Internal Audit Schedule portion of the Internal Audit Log.
3.6. Auditors are independent of the area being audited. Employees selected as internal auditors will have attended at a minimum a 4 hour internal auditor training program and at least 8 hours of shadow auditing with a previously qualified internal auditor.
3.7. Using the Internal Audit Report as a basic checklist, the Lead Auditor will plan the scheduled audit with the appropriate departments and with any other audit team members. The audit team will determine additional checklist items or requirements to verify, and add these to the checklist portion of the Internal Audit Report.
3.8. Auditors will then conduct the audit by following the steps defined on the Internal Audit Report. These are:
3.8.1. Step One: Audit Planning – definition of the scope of the audit, dates of audit, auditors, applicable clauses of affected standards, and documents to review.
3.8.2. Step Two: Document Review – a comparison of the quality system documentation against the requirements of the applicable standard.
3.8.3. Step Three: Auditing – comparison of actual practice vs. the requirements of both the company QMS documentation and the applicable standards.
3.8.4. Step Four: Verifying Effectiveness of the Process – general questions aimed at verifying that the process being audited is effective and not prone to generating nonconformities.
3.8.5. Step Five: Summarize Findings – a detailed list of the negative findings to be entered into the [CAR Form Name] system.
3.8.6. Step Six: Review of Report – a review by the Lead Auditor of all findings and evidence to ensure the audit report is complete, clear, objective, and provides traceable objective evidence.
3.9. Auditing shall be performed by obtaining objective evidence to support each requirement, or indicate where nonconformances are found. All findings are recorded on the Internal Audit Report. The internal auditor submits [CAR Form Name]s as necessary to address the nonconformances recorded on the report.
3.10. When recording nonconformities, each negative finding must include three elements:
3.10.1. Indication of the Requirement – the document or clause of the applicable standard which is thought to have been violated.
3.10.2. Objective Evidence – traceable indication of the evidence found which supports the claim of a nonconformity (e.g.: documents, products examined, interview results). In all cases, objective evidence must be recorded in sufficient detail to ensure a third party can find the exact evidence at a later date.
3.10.3. Details of the Disconnect – a brief statement on why the objective evidence shows a nonconformity against the requirement.
3.11. The nonconformities shall be rated as either “Major” or “Minor” per the requirements of customers and some regulatory bodies. See definitions of Major and Minor Nonconformities in section 3 above. ( delete if not desired. This is not a requirement for internal audits, although some customers or government agencies may require it of your internal program; if deleted, you should also delete the definitions for “major” and “minor” in section 3.)
3.12. Findings shall be rated by Type, whether Corrective, Preventive or Opportunity for Improvement (OFI) for when [CAR Form Name]s are filed.
3.13. Once [CAR Form Name]s are filed, the responsible managers or parties shall ensure timely corrective action is taken to remedy any nonconformances found. During the [CAR Form Name] effectiveness review, the results of actions taken to address audit findings are evaluated.
3.14. The Quality Manager shall update the audit schedule within the Internal Audit Log to reflect to closure of the audit, and enter a summary of audit findings. Based on the results of the audits, and previous audits, the [who?] will then schedule the next audit of the particular process. Processes for which internal audits discover a high number of findings, or critical findings of any number, should be audited more frequently until the process is proven effective again.
3.15. The completed Internal Audit Report is then published on the company’s server and/or sent to the appropriate managers of the areas audited, in order to report the findings and results. In this way, and in conjunction with the submission of [CAR Form Name]s, all necessary managers are notified of the audit results and may make informed decisions for their departments based on those results.
3.16. The results of internal audits are also gathered and summarized on the Audit Trend Analysis Chart, generated by the Internal Audit Log, for review by top management during management review and by all employees, through a general posting of the chart.
3.17. In all cases, auditees are expected to cooperate fully with the audit team.
Top Bottom