Comparison of the Top Nonconformances Across 5 Standards
This chart is a comparison of the areas where Major and Minor nonconformances have been written over the last few years during Certification Body audits across 5 of the main standards – ISO 9001, ISO 14001, ISO 45001, AS9100, and IATF 16949®.
When Do Nonconformities Occur?
Nonconformities can occur when:
- A system does not conform with the intended requirement (procedures, system manual may not exist or are inadequate).
- Implementation does not correspond to the intended requirement or quality system.
- Implementation of the system is not effective.
Top 5 Nonconformities For All 5 Standards
Overall, analysis of the findings by SAI Global indicates a trend across industries and standards with the same requirements. Clauses that are at the top of the list of findings among all 5 standards are:
- 10.2 Nonconformity and Corrective Action
- 8.1 Operational Planning and Control
- 9.2 Internal Audits
- 9.3 Management Review
- 7.2 Competence
Certification Body, SAI Global shares its third-party audit insights as to why these common nonconformities occur. When preparing for certification or recertification it’s a good idea to review these areas to be sure your management system is effective and conforms to the intended requirements of the standards.
Keep in mind that a minor nonconformance finding is not a barrier to certification or successful audits, but it depends on an organization’s response and effective plan of corrective action to avoid failing initial certification or suspension of an existing certification. The average number of minor nonconformities in an audit is 4-6. However, major nonconformance findings might prevent your organization from achieving an initial certification or act as a barrier to re-certification.
In this article (the first of a 5-part series), the focus is also on ISO 9001 nonconformities and what actions organizations can take to prevent potential findings during future audits. ISO 9001 applies the framework developed by ISO to improve alignment among the other international standards for management systems. The other standards – ISO 14001, ISO 45001, IATF 16949® and AS9100, will be covered in more detail in future articles and newsletters.
10.2 Nonconformity and Corrective Action
- Failure to take required actions
- Corrective actions are not tracked to completion and/or are overdue with no status updates
- Corrective actions are closed with no evidence of evaluation of effectiveness of actions taken
- No or poor root cause analysis resulting in recurrence of the problem
- No escalation process
- Response timing
- Criteria for determining effectiveness
- Root cause analysis
- Escalation process
- Determine effectiveness and efficiency of all processes
8.1 Operational Planning and Control
- Processes are not organized into a logical flow (process approach)
- Requirements for processes to operate effectively and efficiently have not been defined
- Sequence and interaction of processes are not well known or understood
- Process controls do not include items identified as high risk
- Quality plans and process control documents do not include all product/process acceptance criteria
- Planning activities are not complete and do not cover all operations to determine effectiveness and efficiency of processes
- Nor formal management of change process or change process not consistently followed
- Outsourced processes controls/requirements are not completely defined
- Implementation of plans identified from risks assessment
- Establish operating criteria – monitoring and measurement
9.2 Internal Audits
- Audits not performed as scheduled or not conducted at all.
- The internal audit process is not audited
- Objective, scope and criteria are not clearly defined for each audit
- In determination of audit frequency, audit scheduling doesn’t consider – risk, past findings and current performance
- Competency of internal auditors
- Audits are not following a process-based approach
- Audits do not include customer specific requirements or contract adherence
- Audit use “canned” checklists with little to no evidence of audit planning
- Communicate the purpose of internal audits throughout the organization
- Review/revise audit management activities
- Audit scheduling process
- Maintain auditor competency
9.3 Management Review
- Management review not occurring at all or as scheduled
- Required top management not present at meetings
- No evidence all required topics were discussed
- Incomplete or no evidence of follow up on action items from previous meetings
- No action items generated when not meeting objectives
- No evidence of assessment of effectiveness of actions taken to address identified risks
- Establish and maintain frequency and methodology
- Records of competency are not retained or complete
- No defined process to determine training needs in order to develop training plans to address competency gaps
- Refresher training not occurring per schedule
- No training tracking system for follow up of employees to miss required training
- Ensure roles, responsibilities and accountabilities are defined and communicated
- Maintain competency evaluation records/training plans
Other Common Nonconformances
Other common areas where findings can occur, especially in the context of ISO 9001:
4.1 Understanding the Organization and its Context
- Risk identification is incomplete or very high level
- Risk identification does not include internal and external risks
- Risk assessment if not maintained
- Risk assessment does not include “lessons learned” from previous experience
- Risk identification is not conducted for each process
- Think broadly when identifying risks and opportunities
- Use past experience from your industry
- Revisit often to validate assumptions
- Risk assessment by top management and process owners
- Equipment not properly maintained to ensure ability to meet agreed contracts
- Information systems do not support operations
- Inadequate or insufficient resources to support operations
- Equipment not capable of providing the intended or needed result on a consistent basis or needed volumes to meet customer commitments
7.1.5 Monitoring and Measurement Resources
- Equipment not calibrated per schedule
- Equipment not in the calibration system
- No assessment conducted for out of tolerance results
- Calibration records are incomplete
- Inadequate measurement traceability
7.5.3 Control of Documented Information
- Records are not retained for required time
- Records to be maintained are not defined
- Records are not dispositioned as scheduled
- Documented information is not available at the point of use or to personnel needing to use it
- Documented information from external sources is not controlled
- Accessibility of required information
- Documentation matched to competency requirements
8.5.1 Control of Production and Service Provision
- Control conditions have not been adequately defined
- Standardized work instructions do not reflect current process activity, are incomplete or do not exist
- Specifications/tolerances for acceptable performance have not been achieved yet product passed to next operation
- Standardized work instructions/quality plans are not consistently followed
In summary, internal and external audits usually reveal at least one minor nonconformity…and that’s not necessarily a bad thing. Audits serve as a framework for helping organizations identify and fix QMS issues before they result in serious quality concerns. On the other hand, a major nonconformance could indicate systemic patterns of failure, but is an opportunity for improvement. Effective corrective action is critical and ISO 9001 Section 10.2 states that organizations must:
- Correct nonconformities
- Eliminate the root cause
- Implement corrective action
- Verify results
- Update the risk register
- Implement permanent system change, and
- Document corrective action results
This is the first of a 5-part series. In the coming weeks, ISO 14001, ISO 45001, AS9100 and IATF 16969® nonconformance areas will be covered in more detail.
If you’re not sure your system is up-to-speed, simpleQuE offers certification readiness audits that are performed prior to a surveillance or initial Certification Body (CB) audit to be sure that your quality management system and team are ready. In addition, 2nd party internal audits can be conducted by our experts to be sure your system is maintained to these standards. Contact us for information about our services and on-site customized training classes for Root Cause Analysis and Problem Solving, Process Ownership, Internal Auditor and more.
We Can Help: IATF 16949® Experts a Click Away
If you’re searching for an IATF 16949:2016 consultant, our team at simpleQuE is well-positioned to support your IATF 16949® and MAQMSR consulting (Minimum Automotive Quality Management System Requirements), certification, maintenance, training and internal auditing needs. Our consultants are qualified, certified, and are experts on the automotive standards, customer-specific requirements, and AIAG or VDA core tools. In addition, many are current or former 3rd party auditors who bring valuable insight because of the knowledge gained from auditing for certification bodies.
SimpleQuE also offers a full line-up of IATF 16949® training courses which includes AIAG and VDA Core Tools, Root Cause Analysis and Problem Solving, Requirements and Implementation. With IATF® also putting a major focus on internal auditor competency, it is essential to have IATF 16949® Internal Auditor Training. Our IATF 16949® auditor training utilizes the process audit approach. Contact Our IATF® consultants to learn more about the customized services offered to match your certification and training needs.
Obtaining and maintaining IATF 16949®, and meeting all of the related Customer Specific Requirements (CSRs), is difficult, which is why we’ve created free IATF 16949® tools, checklists and resources for your use.
SimpleQuE is not associated with the IATF®, IAOB, ANAB®, IAQG®, and is not a certification body. SimpleQuE is an independent consulting, training, and second-party auditing service provider that assists a company on a path for the company to obtain and maintain certification through accredited certification bodies.
Learn More About The simpleQuE Advantage