NCR MANAGEMENT REVISED 03 MAR2020 Copyright Performance Review
- Slides: 40
NCR MANAGEMENT REVISED 03 -MAR-2020 Copyright© Performance Review Institute 1
TABLE OF CONTENTS • Introduction • Writing an NCR • NCR Deadlines • Clarification of Terms • Client Responses • NCR System Functionality • NCRs in RMS • NCRs in OASIS • Conclusion Copyright© Performance Review Institute 2
INTRODUCTION • Nonconformances (NCRs) are a complicated reality in auditing, and different certification bodies / registrars manage the process of NCR resolution differently. • This presentation represents PRI Registrar’s process for managing NCRs. Copyright© Performance Review Institute 3
WRITING AN NCR Copyright© Performance Review Institute 4
WRITING AN NCR • When to write an NCR: • Any time a client has not conformed with • any of the requirements of the applicable standard. • any of their own documented processes. • Non-conformance of a standard requirement or client process should never be written as an OFI. • OFIs should be avoided in most cases, as they tend to walk a fine line between soft-grading NCRs and outright consulting. • When writing an NCR, there should be no reference to any actual or potential legal wrong-doing by the client. • PRI Registrar offers management system audits, not legal compliance audits. We do not have the knowledge or resources to back up any allegations of legal violations. • If you do write an NCR related to a potential legal violation, then it should be worded in terms of a management system issue. • For combined and integrated audits, where a nonconformity has been determined in a common process, a single NCR shall be issued referencing the requirements for the applicable AQMS standard(s). NCRs issued on common processes shall be referenced in both reports. Copyright© Performance Review Institute 5
WRITING AN NCR • Zero NCR Audits • We realize that this is a delicate subject, but it’s one we need to address. • Writing NCRs is not the goal of an audit. The idea is to audit for conformity, not nonconformity. • The goal of an audit is to provide value by identifying areas that do not meet the intent of the requirements and are in need of improvement. • Zero NCR audits do happen; an audit is a sample, and you may not see anything that needs to be written as an NCR. And that’s fine. • However, no client is perfect. And all clients are definitely not perfect all the time. Copyright© Performance Review Institute 6
WRITING AN NCR • PRI Registrar has no interest in setting NCR quotas – you find what you find, and our intent isn’t to tell you how many NCRs you need to write. • But data has shown what might be considered normal percentages of audits with zero NCRs. • If you are finding (on average!) that you have more than the expected proportion of zero NCR audits, then you should consider whether you need to go deeper during your audits, or reconsider your threshold for writing NCRs. • Again, we emphasize that the expectation is not that you must write NCRs at every audit. The numbers we provide are percentages from historical PRI Registrar audits, and we find the numbers to be appropriate as a benchmark. Copyright© Performance Review Institute 7
WRITING AN NCR • Average levels of audits with and without NCRs: AQMS QMS/EMS Audits With At Least One NCR Initial Recert Surveillance 79. 22% 76. 61% 67. 97% 46. 91% 57. 43% 55. 56% 20. 78% 23. 39% 32. 03% 53. 09% 42. 57% 44. 44% Audits With No NCRs Initial Recert Surveillance • It is worth noting that, for Aerospace audits, the IAQG is able to track trends in NCRs being written, and does monitor these trends as part of their oversight of the Aerospace program. This may influence the selection of auditors for witness. Copyright© Performance Review Institute 8
NCR DEADLINES Copyright© Performance Review Institute 9
NCR DEADLINES • The issue date of an NCR is the day of the audit’s closing meeting. • In the case of a multisite with multiple closing meetings, the issue date will be the day of the closing meeting that covers the site where the NCR was written. • It is the responsibility of the lead auditor to provide accurate NCR timelines to the client during the closing meeting. • It is also the responsibility of the lead auditor to ensure that the client is meeting their response deadlines. • If a client is failing to meet their deadlines, then the lead auditor is to contact the client and copy the assigned Account Specialist. • If a client has failed to meet their deadlines, then the lead auditor is to inform the assigned Account Specialist. Copyright© Performance Review Institute 10
NCR DEADLINES • The deadlines for NCRs vary based on a variety of factors. • The following slides will break down the timelines by audit type and standard. • An interactive NCR Due Date worksheet is available for QMS/EMS/OHS and Aerospace standards on the Auditor Help page, accessible through RMS at this link • Or via RMS -> Help -> Auditor Reference Materials • Auditors are encouraged to provide a copy of this worksheet to clients, or to copy the information into the audit report. Copyright© Performance Review Institute 11
NCR DEADLINES Stage 2 audits † Containment Acceptance Correction (w/ Containment) Correction (w/o Containment) Correction Acceptance Correction Verification Root Cause Acceptance Corrective Action Plan Corrective Action Acceptance Corrective Action Verification Who QMS/EMS/OHS Aerospace Client Auditor Client Auditor N/a N/a 30 days 40 days 6 months 7 days 14 days * 7 days 20 days 30 days 60 days 20 days 30 days 6 months * Days from the client response, not days from the end of the audit † There are no real consequences to missing deadlines for a Stage 2, except the 6 -month verification of correction and corrective action, at which point the audit must be closed with no registration. The client may restart with a new Stage 1/Stage 2. Copyright© Performance Review Institute 12
NCR DEADLINES Recertification audits Containment Acceptance Correction (w/ Containment) Correction (w/o Containment) Correction Acceptance Correction Verification Root Cause Acceptance Corrective Action Plan Corrective Action Acceptance Corrective Action Verification Who QMS/EMS/OHS Aerospace Client Auditor Client Auditor N/a N/a 30 days 40 days Expiration ** 7 days 14 days * 7 days 20 days 30 days 60 days 20 days 30 days Expiration ** * Days from the client response, not days from the end of the audit ** If NCRs are not closed prior to expiration, client has 6 months to complete them before the audit must be closed with no registration Copyright© Performance Review Institute 13
NCR DEADLINES Surveillance & Special audits Containment Acceptance Correction (w/ Containment) Correction (w/o Containment) Correction Acceptance Correction Verification Root Cause Acceptance Corrective Action Plan Corrective Action Acceptance Corrective Action Verification * *** Who QMS/EMS/OHS Aerospace Client Auditor Client Auditor N/a N/a 30 days 40 days 60 days or N/a*** 7 days 14 days * 7 days 20 days 30 days 60 days or N/a*** Days from the client response, not days from the end of the audit NCRs do not need to be closed prior to audit closure; NCRs may be accepted during the current audit and closed at next audit. NCRs must at least be accepted. If NCRs are being left in accepted status, the status must not change until the next audit. For Aerospace audits, accepted audits will be left in the “Open” status. Copyright© Performance Review Institute 14
CLARIFICATION OF TERMS Copyright© Performance Review Institute 15
CLARIFICATION OF TERMS • There are certain terms that regularly cause confusion. • These terms may be used differently by different certification bodies. • The following slides will define how PRI Registrar uses these terms. Copyright© Performance Review Institute 16
CLARIFICATION OF TERMS • Verification: • There are two parts to verifying an NCR: • Verification of implementation • Verification of effectiveness • Verification of implementation is required in order to close an NCR. • This will usually be done prior to the closure of the current audit, but may be done at the following audit if the NCR is allowed to be accepted, based on the standard and audit type. • Verification of effectiveness is required at the following audit, regardless of whether the NCR has already been closed. Copyright© Performance Review Institute 17
CLARIFICATION OF TERMS • Accepted NCR: • NCR where the auditor has accepted the client’s plan for corrective action and will verify implementation of the plan at the following audit. • Accepting NCRs is allowed but discouraged for all QMS/EMS/OHS audits and Aerospace surveillance audits. • Accepted majors at surveillances will trigger a registration decision of the audit. • Requires additional on-site time for verification at the next audit. • Additional time for verification is not considered audit time. • This time is not subject to the 8 -hour days requirement, and may be used to extend the audit day. • This activity must appear on the audit plan, as non-audit time. Copyright© Performance Review Institute 18
CLARIFICATION OF TERMS • Closed NCR: • NCR where the auditor has verified that the client’s corrective action has been implemented. • May require additional time at the next audit for review of effectiveness. • If the NCR was written against a process that is scheduled to be assessed at the next regular audit, the review may be included as part of the audit of that process. • If the review of the NCR will be complicated and/or time-consuming, such that it would detract from the quality of the audit, additional time should be requested. • If the NCR was written against a process that is not scheduled to be assessed at the next regular audit, then additional time must be requested, and the review must appear on the audit plan. Copyright© Performance Review Institute 19
CLARIFICATION OF TERMS • Return to conformance: • Also known informally as “the 60 -day rule”. • It is an Aerospace standard requirement (AS 9104/1: 2012 8. 4 d) that a certified organization must return to conformance within 60 days. • It is a PRI Registrar expectation that the same will apply to QMS/EMS/OHS organizations. • A return to conformance refers to the implementation of an accepted correction, not closure of the NCR. • Objective evidence of the implementation is required. • For Aerospace organizations, failure to meet this requirement must result in suspension. • If the client fails to return to conformity, then the lead auditor is to inform the assigned Account Specialist so that suspension may be initiated. Copyright© Performance Review Institute 20
CLIENT RESPONSES Copyright© Performance Review Institute 21
CLIENT RESPONSES • The following slides are meant to serve as a reminder of some of the key issues to consider when reviewing NCR responses. • For more detail, we have made available to clients an NCR response guide available at this link. • This guide is heavily based on the ANAB NCR guide for certification bodies, and so closely reflects what accreditation bodies are looking for in NCR responses. Copyright© Performance Review Institute 22
CLIENT RESPONSES • Containment: • Aerospace only. • Containment should address the fallout of an NCR that has immediate impact on shipped product. • The response should always include reference to alerting any and all affected customers. • If containment is required, then correction is due at the same time. • Acceptance and rejection of containment shall be documented in the NCR Discussion tab in OASIS. Copyright© Performance Review Institute 23
CLIENT RESPONSES • Correction: • Addresses the specific issue raised by the NCR. • There should always be a correction, even if only a review to determine whether the issue is an anomaly or systemic. • A correction response should always be different than the corrective action. • Objective evidence is required for correction. Copyright© Performance Review Institute 24
CLIENT RESPONSES • Root Cause: • The most basic cause of the nonconformance. • If the client response is a restatement of the NCR, then reject it. • If the client response is a rationalization of the issue, then reject it. • If you feel the need to document that the client response is “weak”, then reject it. Copyright© Performance Review Institute 25
CLIENT RESPONSES • Corrective Action: • The actions taken to prevent the issue from happening in the future. • The corrective action should be different from the correction. • All aspects of the root cause must be addressed. Copyright© Performance Review Institute 26
NCR SYSTEM FUNCTIONALITY Copyright© Performance Review Institute 27
NCR SYSTEM FUNCTIONALITY • The following slides will review how NCRs are to be handled in RMS or OASIS. • Remember that in all cases, NCRs are to be managed inside the applicable system. • NCRs are not to be managed by email or phone call. Copyright© Performance Review Institute 28
NCRs IN RMS Copyright© Performance Review Institute 29
NCRs IN RMS • NCRs are to be entered into RMS and submitted to the client prior to the closing meeting if at all possible. • If it is not possible, due to lack of internet access or time restrictions, then the NCRs are to be left with the client in another form (such as the RF-22 NCR Summary Report) and entered in RMS as soon as possible after the end of the audit. • Under no circumstances shall the NCRs be entered more than two days after the end of the audit, unless a new NCR needs to be written based on new information or client actions. Copyright© Performance Review Institute 30
NCRs IN RMS When accepting or rejecting client responses, these are the available statuses: • Correction: • Accept: • The response is acceptable, has been implemented, and all necessary objective evidence has been submitted. • Reject for Evidence: • The response is acceptable, but objective evidence must still be submitted. • Reject: • The response is not acceptable, and the client must try again. Copyright© Performance Review Institute 31
NCRs IN RMS • Root Cause: • Accept: • The response is acceptable. • Reject: • The response is not acceptable, and the client must try again. Copyright© Performance Review Institute 32
NCRs IN RMS • Corrective Action: • Close: • The response is acceptable, has been implemented, and all objective evidence has been submitted. • Reject for Evidence: • The response is acceptable, but objective evidence of implementation must still be submitted prior to the audit closing. • Accept: • The response is acceptable, and objective evidence of implementation will not be available until the next regularly scheduled audit. • Reject: • The response is not acceptable, and the client must try again. Copyright© Performance Review Institute 33
NCRs IN OASIS Copyright© Performance Review Institute 34
NCRs IN OASIS • When entering an NCR into OASIS, remember to import the relevant site information. • If the NCR applies to more than one site, then import all affected sites. However, do not import information for any site that is not affected. • When managing the NCRs, PRI Registrar encourages auditors to use the NCR Discussion tab. • When containment is required, the auditor shall use the discussion tab to document the review, acceptance and/or rejection of the client’s containment response. • OASIS has no functionality to document the containment timelines separately from the overall NCR submission, so the use of the discussion tab must serve as our evidence that the timelines are being met. Copyright© Performance Review Institute 35
NCRs IN OASIS Copyright© Performance Review Institute 36
NCRs IN OASIS • For surveillance audits, if an NCR is being left in the accepted status (to be closed at the next regular audit), then the NCR in OASIS is to be left open. • This signals to the office that NCR requires verification at the next audit, and that a modification must be created to allow a verification statement to be entered. • You are encouraged to add a statement to the verification field indicating that the NCR is accepted but not closed, and that verification for closure will be conducted at the next audit. This removes any doubt. • It is possible to submit an audit to CB Admin Review without closing all NCRs. Copyright© Performance Review Institute 37
NCRs IN OASIS • When verifying an NCR for closure at the next audit, you will need to search for the previous audit in OASIS as a modification, rather than as you would normally search for an audit. • If there was a different auditor at the previous audit, contact the Account Specialist to gain access to the modification • Once the verification statements have been entered, the modification will be submitted as you usually submit an audit. Copyright© Performance Review Institute 38
CONCLUSION Copyright© Performance Review Institute 39
CONCLUSION • NCRs are the most important tool that an auditor and a CB have to ensure that companies remain in conformance with the requirements of their respective standards. • In order to maintain the ongoing validity and value of management system auditing, we must all ensure that NCRs are written and managed appropriately. • If you have any questions about the topics discussed in this training, please contact Samantha Brock or Pete Kucan. Copyright© Performance Review Institute 40