The Most Common NCRs In ISO 9001 Over Its 30 Plus Year History
As ISO 9001 passes the thirty year mark, it is interesting to note that for as much as it has evolved over the years, many of the items that are cited as nonconformances in 2019 are the same items that were being cited in the late 1980s. Perhaps these items are simply universally misunderstood, difficult, or unreasonable? I think it’s simply a case of awareness and (to a point) commitment to meeting the requirement as specified. To that end, I’d like to explore the three most common areas for infractions in an ISO 9001 audit.
Let’s start by acknowledging a key point. ISO 9001 is an open and interpretive document, particularly in its 5th edition (2015) format. The standard has never been more open to interpretation than it is now. This is exemplified in the abundance of guidance materials that the ISO itself saw fit to publish (Annex A, ISO/TS 9002, etc.) as the general public began to digest ISO 9001:2015 and raise reasonable questions on intent. What these concerns fail to fully appreciate is the freedom an organization has to interpret the standard as they see fit, and to challenge auditor protestations expectation that an organization can (and should) know what is best for itself to control its own processes and ensure their effective implementation. Bearing this in mind, let’s begin our exploration of the common areas where trouble comes up on audit day.
The Management Review Meeting process (ISO 9001:2015 clause 9.3)
Management review is a simple but powerful tool in the world of ISO 9001. For innumerable companies it is used as a protocol for meeting not just the management review requirement, but many of the other requirements in ISO 9001 where “analysis” and “evaluation” are required: things like supplier reevaluation, risk action review, employee competency assessment, customer satisfaction results review, and more. The primary issues that come up time and time again in this area fall into two key areas: 1) missing a required discussion topic, and 2) insufficient evidence of management review outputs. Addressing the first item is a relatively simple matter. The organization simply needs to get its arms around how it wishes to control the pace and content of the meeting. Standardized agenda forms and PowerPoint presentations are both common, but neither is mandatory. In addition, it is important to note that not every topic has to be discussed at once. Many organizations find it helpful to take the meeting in “small bites” to ensure meaningful discussion of the topic at hand. In terms of showing outputs from the meeting, remember the verbiage that is used in ISO 9001 itself. It states that management reviews shall lead to “decisions and actions.” These meetings are supposed to be productive, and not simply a review of information. The meeting minutes should reflect an analysis of the data and record what the actual decisions, actions (and conclusions) were from the meeting.
The Internal Audit process (ISO 9001:2015 clause 9.2)
Internal audits remain a flashpoint for many organizations who express frustration at performing an assessment when they feel ill equipped to do so (and often have minimal comfort with the requirements of a standard that, as previously mentioned, is so open to interpretation to begin with). The most often cited issue usually involves a lack of evidence that all areas were included in the audit process. Organizations would do well to remember that protocols for recording internal audits are varied and none of them are mandatory. An organization may choose to use a checklist, a process audit document, procedural printouts, or blank paper to record the events of the audit. What matters is whether or not the events of the audit are captured (who was interviewed, what samples were reviewed, etc.). Additionally, it’s important to remember that ISO 9001:2015 is intended to be a process-based standard, hence the internal audits should be rooted in the organization’s processes as well. As with management review, an organization can choose to take the internal audit in small intervals rather than attempting to do it all in one condensed timeframe. Finally, remember that in terms of ensuring your auditors are competent, you’re required to decide for yourself what that means. Using your own team members to perform the audit is just as acceptable as using a consultant, provided the internal audit is effective.
Measurement Resources (ISO 9001:2015 clause 7.1.5)
We end our analysis of common NCs with perhaps the most frustrating of them all. For many organizations measurement resources include things like calipers, micrometers, depth gages, ring gages, pin gages, and other similar dimensional measurement tools. However, it should be noted that many other types of measurement resources exist. Things like multimeters, temperature gages, pH meters, colorimeters, weight scales, and even tape measures are considered measurement resources as well. The most common issues that come up in this area fall to calibration/verification and respective labeling. It is required that any measurement resource used for product/process approval be calibrated or verified in such a manner that it is traceable to national standards (such as NIST). Organizations can choose to utilize a laboratory for all calibrations or they can choose to perform some of the calibrations themselves (often this is done with things like gage blocks, master references, etc.). Regardless of the intended process, organizations need to remember that ISO 9001 requires studious records that show the required traceability. Labeling is yet another focal point and can be understood in a rather simple way. All measurement devices have to be labeled, period. If it is subject to calibration/verification, the labeling must ensure traceability to the calibration/verification record. If the device is considered “reference only” (which is permitted in appropriate circumstances), it still must be labeled to ensure that the “Reference Only” status is known.
In setting out to achieve or maintain ISO 9001 certification, organizations would do well to remember it is an interpretative document and be prepared to explain their interpretation to the external auditor. Just remember, you don’t have to do what everyone else is doing. You do have to be prepared to show how what you’re doing is effective at meeting the requirements of ISO 9001.