Repeating Nonconformances: A recipe for ISO Disaster

Repeating nonconformances are a serious matter. A repeating nonconformance is one that is the same as a previous nonconformance issued by the certification body auditor, found in two consecutive audits. They cause major nonconformances, repeat visits, extra surveillance from your ISO auditor, and, worse still, they mean you still have a problem.

From the certification body's perspective, it is evidence that some part of your system is failing. They also hit you because your corrective action system did not work, which is a separate and new nonconformance on its own. It is also possible that your internal audit process is not effective, since your internal audit system did not catch the continued problem, and it is reasonable to assume that by a second audit the issue should have been known about and watched for. Expensive.

But when is repeating actually repeating? The first thing to decide is what factor about the finding is repeating. Ideally, you should get these definitions in writing: in the certification body's contract, or in FAQs or technical papers on its website. Basically, there are two possibilities: repeating nonconformances in the same process, and nonconformances that are raised against the same requirement of the standard. Be very clear with your auditor about what the issue is.

Certification bodies technically do not define your processes and although they may be able to determine that a breakdown has occurred in the same process, they don’t have to stick their nose out. They can simply complain about nonconformances against the same requirement of the standard.

Again, we need to look to their written definitions, papers, and FAQs. They “typically” define a major nonconformance as the complete breakdown of a process (or system) or the failure to address a requirement. Now they are formally relating a major nonconformance to the process, not the requirement (which is actually the correct definition). A repeating nonconformance that occurs against the same ISO requirement may NOT be in the same process, and thus it is NOT a major nonconformance.

For instance, a nonconformance may be raised because a QA procedure in the purchasing office is found to be out of date: they are using the wrong version. Then, on a subsequent visit, an engineering drawing is found on the shop floor at the wrong revision. Although both findings will be written against 4.2.3 d), to ensure that relevant versions of applicable documents are available at points of use, they are not related. It is not unreasonable to find that QA documentation is controlled by the QA manager on a SharePoint site and that the Engineering department is fully responsible for the control and distribution of engineering documents through a check-in/check-out document control program such as Agile. Different people, different software, different processes! There are two nonconformances, but against two separate processes. They happen to be against the same ISO requirement, but that doesn’t make it a major nonconformance by their own definition.

Obviously, certification bodies make their own rules and you have to choose your battles.

There is another important factor here. Some processes are more important than others. Manufacturing inspection is more important than records control (in most but not all circumstances). If there is a problem (let alone a repeating problem) in inspection, it needs to be fixed urgently. If there is a repeating nonconformance in inspection, then management needs to be thanking the auditor and properly investing in the solution. If it’s a problem with records control, then that solution might be delegated. Often this is how repeating nonconformances occur. It was a minor issue (perhaps a new form was not added to the records registry) and was delegated to someone without real power. Another nonconformance is found at the next audit against records control. Perhaps an established form used in the sales department was missed off the registry. Definitely repeating, the same process, and even the same requirement. But frankly, it has a very limited impact on quality and a very low risk of impacting customer satisfaction. While this is a major nonconformance according to everything we have been discussing, it is extremely low risk and really doesn’t warrant a re-visit even if they insist on the Major classification. Technically, management didn’t assign “adequate” resources to address the issue (which would still have been substantially less effort than for an issue associated with inspection). But it wasn’t adequate. Still, this low-risk situation is worth arguing with the certification body.

In practice, you need to make sure you address ANY finding thoroughly. Frankly, if you find yourself in this situation, there is an underlying question as to whether you are taking it seriously and addressing things properly (don’t argue valid findings, fix the situation). Any action you take still has to be proportional to the situation and also reflect the importance of the area where the problem was found, but make sure that findings are addressed completely. The truth is that this is for your own good (so you don’t have to deal with the hassle – but more importantly because nonconformances are an indicator of trouble). Also, alert your internal audit team. If they miss a repeating finding (or in fact any finding that the ISO auditor finds), then retrain them, give them more time, replace them, or look to (at least periodically) outsource your internal audits so that you “know” you are covered. But take SOME action. A repeating nonconformance is an indicator that your corrective action system is not working. Reinvigorate it with more training, communication, more resources, and careful review. Make sure it is good and make sure it is used to drive value. Again, take SOME action.

Cavendish Scott, Inc. has been working with ISO management systems for over 25 years. We conduct many hundreds of days of internal audits each year. We are highly professional, precise, and objective about findings and provide tons of support, training, and improvement ideas as we do. We find things before external ISO auditors, without fail. For help with your internal audit or simply to discuss how to address your ISO auditor’s findings just contact us.
