Streamlining audit response and corrective action processes

[Hi_Its_Matt]

I am thinking about streamlining my process for responding to audit findings (internal and external) and my corrective / preventive action process. In my mind, they should be very similar: document the problem, contain and correct the immediate issue, determine the root cause, determine (based on risk) whether action is needed to prevent recurrence, and finally, if actions are needed, implement them and review their effectiveness.

So with that, my two-part question:
Do you all use a different process/form/system for responding to internal versus external audit findings? And second, is this process distinct from your “CAPA system?”

I have read several threads here where people advocate for keeping responses to audit findings out of the "CAPA system." However this seems to be driven more by the idea that the "CAPA system" is a very big hammer to wield for what are potentially small issues. My counter to that would be to modify the CAPA process to be more flexible and risk-based, rather than having it be so burdensome.


Extraneous details on how this all came up:
The company I work for recently received a non-conformance from our notified body stating that our corrective action process is not fully effective because we “have not defined a process for the correction, corrective action, preventive action, or effectiveness review of nonconformities identified during external audits.” (Ironic, isn’t it).

The evidence is we had a 2019 finding that was entered into our corrective action system, but the 2020 findings were not entered into the corrective action system, and we just used the form that the notified body provided to us. (This handling difference was caught in the 2021 audit, which generated the finding above.) The real cause of this is that the 2019 issue required real corrective action, while the 2020 findings required just correction. What caught the auditors eye is that we didn’t have documented evidence that we reviewed the effectiveness of the corrections we took to address the 2020 findings. The corrections were indeed implemented, and it was self-evident that they were effective, we just didn’t document that anywhere. I started in early 2021, so these were both before my time.

I DO agree with the auditor that our processes are not clear (i.e. not documented) on how to handle external audit findings (do we use our "audit finding response form" or our "corrective action form"). And so I am looking to document such process. The whole effort just has me wondering why we use separate forms and systems in the first place.

For what its worth, this is a small (<20 person) medical device design consulting company, so we are able to change things up to suit our needs quite easily, without the bureaucracy that may come at a larger organization.

 

[Tidge]

Internal Audits and CA/PA serve different functions. I'm not sure trying to combine them makes any sense.

 

[Philip B]

A nonconformity is a nonconformity irrespective of where it is derived from. We apply the same CaPA process to all nonconformities including those found during internal audits. We try to avoid raising trivial matters as nonconformities to avoid unnecessary CaPAs. Our CaPA process includes corrections as well as corrective actions.

 

[Kirby]

I'm thinking that there are many "good" answers here. There may be one approach that is technically correct and and would "work" in any system but system resources, environment, culture, industry practices (customer requirements), and other factors may favor a different approach that is more appropriate to the organization. I've seen systems where all CAPA was managed through a single process (audit findings, product, process, customer complaints, etc.), and I've seen systems where audit findings, and resultant CA, were managed as a separate process.

I think that as long as we have sufficient documentation (Procedures, Work Instructions, etc) that describes our approach, and that we conduct our process in accordance with that description, we are OK.

In our current system, (AS9100) audit issues are maintained as a separate process, it just makes sense for our team and facilitates clarity and effectiveness of action and review (for us). Note about the forms - Where the CB issues NCRs and they are managed in Oasis, we do not transcribe the text to our form, it's just redundant and doesn't make sense to us. Rather in our Audit file we have separate folders for Internal Audits and CB Audits. The CB report and copies of the Oasis forms (Finding, containment, correction, etc.) are retained in the CB file while Internal Audit findings are copied to our internal CAR form and retained with the internal audit report.

In a different organization it might make more sense to consolidate the process, especially where responsibility and authority is shared by multiple people / sites and consolidation may afford a better level of "user friendliness" - One path for all records.

I do think that the finding / observation (process conducted one way in one year and another way in the next year), on the surface, is valid. (Unless the supporting documentation was revised to change the process during the interval). Which approach is described in your documentation? If we do not have documentation that describes the process clearly, our documentation may be ineffective. If the documented description of the process is clear and correct, but we deviate from it, that's not good.

 

[QuinnM]

Hi Matt,
Our audit findings feed into our CAPA process. The CAPA process has a request phase to evaluate the issue. Basically the Quality Manager works with the requestor to ensure the request is valid and the data is correct. If the CAPA is valid, the issue is supported with data, then the CAPA is accepted and moved into investigation. This request phase also includes a risk assessment. If the risk assessment is low, then the CAPA may be closed, with corrections if applicable, in the request phase.
Quinn

 

[Kirby]

I just took a look at Extraneous details on how this all came up: "... What caught the auditors eye is that we didn’t have documented evidence that we reviewed the effectiveness of the corrections we took to address the 2020 findings."
I realize that the original post is more about a good approach for CA in audits and otherwise, but, one action that may help to ensure that effectiveness of CA is reviewed and documented would be to add this action as an item in the Management Review Agenda / Output form / record. This may be beneficial on a couple of levels. It makes sure that all interested parties present in MRM are aware of current (or "resolved") issues, and provides input regarding effectiveness. It also provides a record that effectiveness was evaluated as well as the criteria used to evaluate.

 

[RoxaneB]

I'm reading two separate - yet related - issues at play here.

1. The process for capturing corrections, corrective actions, and preventive actions.

2. The process for reviewing these activities for effectiveness (i.e., was the issue fixed/prevented?).

1. The process for capturing corrections, corrective actions, and preventive actions.

Similar to Kirby, I'm in favour of a "Lord of the Rings" approach - one system to rule them all. This is especially helpful for smaller organizations by keeping the focus on one tool and one source of truth, instead of multiple tools, multiple data sources. When there are multiple places to document information, you run the risk of:

• redundancies and repeat work (and who has time for that?!?!);
• "left hand/right hand syndrome" where one system does it one way while another does it a different way; and,
• "black holes" where information is not captured since no tool asks for it because we thought the other tool did it.

At the end of the day, a nonconformance is a nonconformance. What is important is what was done to fix it. The source (i.e., internal audit, external audit, customer complaint, Joe spotted it while he was on a smoke break) is helpful in an analysis later on (see #2) and may offer some context to the nonconformance, but it, the source, is not what requires your immediate attention.

The creation of one tool to capture all the details of a noncoformance can be very powerful in keeping all your information in one location and promotes the creation of one culture (i.e., corrective action is corrective action regardless of what triggered the need for said action) and one language (i.e., it doesn't matter if it was against ISO 9001, ISO 14001, or your organization's own business standards).

2. The process for reviewing these activities for effectiveness (ie., was the issue fixed/prevented?).

Once you have one system in place to capture the information and data, now you can truly start to analyze the process. When data is scattered about in multiple systems, looking for trends is time consuming, onerous, and - dare I say it - non-value added. By keeping it all together, NOW you have the ability to look for and share some stories.

• Are your external audit findings against one clause or one process? If so, time to look at them and your actions - in other words, your actions may be ineffective.
• Are your internal audit findings in the same areas or against the same processes as those from external audit findings?
• Is there a correlation between customer complaints and where you're seeing audit findings?
• Are you seeing multiple "corrections" occurring in the same process over and over? If so, it might be time for a corrective action, instead.

 

[Zero_yield]

We use the same system for both, and it works. Ultimately, it's all deviation management and corrective / preventative actions.

 

[Hi_Its_Matt]

Thanks everyone for the feedback. I'm happy to see you all mostly agree with a unified approach, as it suggests I'm not off in left field with some radical new idea.

@Tidge I didn't mean to imply that I was going to combine our audit process and CAPA process (meaning, their procedures), if that's how it sounded. Rather, as @RoxaneB so eloquently put it in her bullet #1, I meant just having one system and one tool for capturing our investigation of issues, actions to address them, and review the effectiveness of those actions, regardless of where they originate.

We are a small enough company where its the same few people handling most issues anyways, so why not have one system. So long as the system is risk-based, and flexible enough to allow less effort and documentation rigor for lower risk issues, while still requiring a higher, more appropriate amount of rigor for higher risk issues, then I don't see a lot of downsides to this approach.

Side note: I have seen companies who fail at this "risk based approach" and required detailed root cause analysis, short and long term action plans, multiple levels of approvals, etc, for even the smallest of issues. That was the type of system that causes people to run and hide when even the first syllable of "correction action" escapes from someone's mouth.

To answer @Kirby 's question:

Which approach is described in your documentation? If we do not have documentation that describes the process clearly, our documentation may be ineffective. If the documented description of the process is clear and correct, but we deviate from it, that's not good.

The situation was the former. Our documentation did not speak to handling the external findings. We have an "internal audit response form" that captures all the information you would expect (issue, investigation, correction, corrective action, etc). And we have a corrective action form that captures the same information for issues identified by other processes. However, there isn't anything in the audit or CAPA procedure that said to actually use the CAPA form. In 2019 we did, and in 2020 we didn't. Nothing significant changed procedurally between those years that would explain the difference in behavior.

As for this suggestion:

...one action that may help to ensure that effectiveness of CA is reviewed and documented would be to add this action as an item in the Management Review Agenda / Output form / record. This may be beneficial on a couple of levels. It makes sure that all interested parties present in MRM are aware of current (or "resolved") issues, and provides input regarding effectiveness. It also provides a record that effectiveness was evaluated as well as the criteria used to evaluate.

We actually already do this for corrective and preventive actions. And if the 2020 findings would have been captured in our CAPA process, I would be willing to bet that the actions and their effectiveness would have been discussed. But alas, they weren't captured in that particular system, and so got overlooked at the next management review meeting. This very process is what makes me think that a unified process for responding to issues makes sense. So that they all get discussed as part of management review.


Now... I just have to go update these procedures and forms in the timeframe I committed to.

 

[Kirby]

We took a hit in our last audit because we did not have CB audits in our MRM output record and there was no other evidence that we had reviewed the findings and opportunities. I tried to convince the auditor that the CB post-audit briefing that he conducted , including a sign-in sheet, at least spoke to the attending concerned individuals' being aware of the findings and opportunities. That didn't work. He wrote the NC and it gave it "Containment Required" status.

Then we modified the verbiage in our MRM Agenda and Output forms. Where it said something like " - Review audit results", (with a field for summary) we changed to "- Review audit results including external audits" - He didn't buy that either, his feeling was, since the finding was related specifically to CB audits, we needed to actually say "CB audits", so we changed to "- Review audit results including CB audits" and he accepted.

I guess that's why I gravitated to the MRM output based solution, as I've already mentioned earlier, it provides a record of review and also allows the team to actually conduct the review and offer input / actions / opportunities as part of the MRM.