GUIDE FOR MANAGEMENT SYSTEM AUDITORS EXPRESSING … · TABLE GIVING TIPICAL EXAMPLES OF B-TYPE...

Rev. 4 of November 2012 1/24

GUIDE FOR MANAGEMENT SYSTEM AUDITORS

EXPRESSING FINDINGS IN AUDIT REPORTS

ACCEPTANCE OF AN ORGANISATION’S PROPOSALS

TABLE OF CONTENTS

1 PURPOSE AND FIELD OF APPLICATION

2 DEFINITIONS

3. EXPRESSING B-TYPE FINDINGS

4. EXPRESSING C-TYPE FINDINGS “RECOMMENDATION

5. TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (ISO 9001:2008)


7. TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (SA 8000:2008)

8. TABLE GIVING TIPICAL EXAMPLES OF B-TYPE FINDINGS (OHSAS 18001)

9. EXPRESSING “MA” AND “MI” FINDINGS FOR THE EN9100 SCHEME

10. ACCEPTANCE OF AN ORGANISATION’S PROPOSALS

GUIDE FOR MANAGEMENT SYSTEM AUDITORS – EXPRESSING F INDINGS IN AUDIT REPORTS – ACCEPTANCE OF AN ORGANISATION’S PROPOSALS

___________________________________________________________________________________________________________


1 PURPOSE AND FIELD OF APPLICATION

This document is a practical guide for expressing “B-type findings” (Minor Non Conformities) in audit reports during certification, periodic, extra, supplementary, renewal and complete review audits performed at an organisation's facilities. It is also a guide to examine and accept replies from organisations in response to findings formulated during an audit, in terms of analysis of causes, treatment of finding and proposed corrective action. This guide does not describe how to express findings emerging during document reviews neither does it apply to preliminary audits as these set out to make observations and not findings.

This document has been drawn up in order to allow RINA auditors (both internal and non-exclusive) in the operating network to express these findings in a more uniform way.

Even though the document focuses on “B-type findings”, it also contains information on how to express “C-type findings (recommendations)”.

This guide applies to the filling in of audit reports on management systems.

2 DEFINITIONS

2.1 A-TYPE FINDINGS (MAJOR NON CONFORMITIES):

The “General Rules for the Certification of Management Systems” define “Major Non-Conformity” as:

1. total lack of consideration of one or more requirements of the reference standard;

2. non-compliance with one or more requirements of these Rules;

3. situations that could lead to the delivery of non-conforming products or products which do not comply with applicable legislation;

4. situations that could cause serious shortcomings in the management system or reduce its capacity to ensure the control of processes or products/services.

2.2 B-TYPE FINDINGS (MINOR NON CONFORMITY):

“Minor Non Conformity ” is defined as:

1. a situation that could reduce the customer’s capacity of delivering a conforming product;

2. a situation that could cause serious shortcomings in the management system or reduce its capacity to ensure the control of processes or products/services.


___________________________________________________________________________________________________________


2.3 C-TYPE FINDINGS (RECOMMENDATIONS)

“Recommendation” is defined as:

1. a suggestion made in order to improve the system and which is not directly pertinent to the requirements of the reference standard.

Unlike A and B findings, organisations are not obliged to implement C-type recommendations.

2.4 CORRECTION

“Correction” is defined as an action aimed at eliminating a major or minor non-conformity.

2.5 CORRECTIVE ACTION

“Corrective action” is defined as an action aimed at eliminating the causes of the major or minor non-conformity.

3. EXPRESSING B-TYPE FINDINGS (Minor Non Conformity )

“B-type findings” must be issued in the event of shortcomings reflecting a system finding (non-structural) rather than an isolated situation of an occasional nature that is therefore due to oversights (human error) concerning specific requirements of the applicable reference standard or documentation. In order to define the type of finding, auditors must examine the gravity of the event and, if necessary, extend their inspection to other samples considered to be representative. Considering the fact that audits by Certification Bodies are usually performed on the basis of elements taken “at random”, findings should be expressed by identifying a system shortcoming concerning a specific point of the standard rather than focussing on the sample itself.

The latter, in fact, could be misinterpreted by the organisation under audit as a mere formal aspect which can be solved by means of specific and isolated action, for example, on the audited document (such as inserting a missing signature, etc.), and therefore not ensuring that the necessary analysis of the reasons is made and action taken on the system as a whole. Findings must therefore be precise and detailed, refer to objective evidence and therefore indicate specific cases and/or documents on the findings form. Only information that can be checked must be considered as objective evidence. In order to integrate the two requirements, findings must be expressed in such a way as to highlight the type of system shortcoming with reference to the standard and indicate the analysed sample as an example in order to give the organisation a better understanding of the finding. Attention must therefore be focussed on the type of finding rather than on the sample in order to make it easier for the organisation to propose effective corrective action rather than handling of an individual non-conformity, as shown in the following example.


___________________________________________________________________________________________________________


Scenario : the audit revealed a drawing and an instruction without the required signatures of approval…

Expression of finding : there is no evidence that all technical documents are controlled for approval (e.g.: dwg. ... / Rev. ... and instruction ... / Rev. ...)

Scenario : examination of internal audit management documents revealed that Procedure XYZ does not define the relative management responsibilities…

Expression of finding : Procedure XYZ does not define the responsibilities for internal audit management

The description of the finding must mention the procedure connected with the finding in order to give the organisation a better understanding of the reasons why the finding was considered as “type B”.

4. EXPRESSING C-TYPE FINDINGS (Recommendation)

Special attention must be paid when making recommendations. By definition, recommendations are suggestions for improving the system and do not affect its conformity with the reference standard. As is also indicated in the audit report, the organisation is not obliged to implement recommendations.

Recommendations should be limited to real system improvement opportunities and they must be expressed so as to ensure they are not interpreted as Minor Non Conformities (B- type) or Major Non Conformities (A-type). Care must be taken not to use the verb “define” as this gives the idea that the organisation has not totally defined the issue of the recommendation and that the situation is more serious than it actually is; verbs expressing the concept of improvement, such as “detail”, “specify” and “describe”, should be used instead.

Some examples of incorrectly expressed recommendations are shown below.

Example 1 We recommend following the procedure systematically

Remark The procedure must always be followed and it is therefore incorrect to recommend following it systematically.

Example 2

We recommend filling in registration forms correctly.

Remark Forms must always be filled in correctly and it is therefore incorrect to recommend filling them in correctly.


___________________________________________________________________________________________________________


Example 3 We recommend systematically indicating all the data established by the procedure in the document.

Remark

If the procedure requires the data to be indicated, it must always be shown. It is therefore incorrect to recommend indicating them systematically

Example 4

We recommend completing the controlled issue of all the instructions.

Remark

System documents must be controlled and it is therefore incorrect to recommend their controlled issue.

Example 5

Make the definition of the quality objectives described in the annual improvement plan more pragmatic.

Remark

This recommendation is not very clear and may conceal a more serious problem. Quality objectives must be measurable and suitable for making evaluations

Please note that all the above observations deal with requirements of the standard which organisations are obliged to satisfy. By indicating these situations as suggestions, the auditor indicates that they are not obligatory and that the organisation may decide not to implement them if it so wishes.


___________________________________________________________________________________________________________



REF. ISO 9001 Scenario Expression of Finding

1 4.2 A procedure does not define the methods for performing an activity established in the reference standard.

The procedure does not define the methods for (performing; planning; recording; ...........) .......................

2 4.2 Instruction n° ..., Rev. …, does not show which parts have been modified.

The modified parts of updated documents are not always highlighted (e.g.: dwg. ... / rev. ..., instruction ... / rev. ..., etc.).

3 4.2 Technical instruction n° .../ rev. ... does not contain the required signatures of approval.

There is no evidence that all technical documents are controlled for approval (e.g.: instruction ... / rev. ...).

4 4.2 Standard … used for fire resistance tests on electrical cables is not present in the test room during testing.

The standards used for functional testing are not always available during testing (e.g.: Standard …).

5 4.2 The material test certificates are difficult to read as they are faded.

The methods used to store quality records do not always ensure they remain legible throughout the required storage period (e.g.: material test certificates).

6 4.2 The worksite reports for the Castelvetrano job are filled in occasionally and are not in line with the reference procedure.

Worksite reports are not always filled in as required by the reference procedure (e.g.: Castelvetrano job).

7 4.2 The IT data Back Ups have been stored in the same room with the company’s Server

The procedure used for the IT data Back Up stroring do not assure an adequate protection of the same data from possible damages.

8 5.3 The Technical Manager and Sales Manager show they are unaware of the objectives established by the organisation following the adoption of a Quality System.

The quality policy is not sufficiently implemented and supported at all levels (e.g.: in the … and … departments).


___________________________________________________________________________________________________________



9 6.2 Procedure P 8 requires internal auditors to be “Qualified” but the criteria for this qualification have not been established.

The qualification criteria for internal quality auditors have not been defined.

10 6.2 The training activities for project management staff have not been performed as established in Procedure 6.

Staff training activities are not always performed as established in Procedure P 6 (e.g.: Project Management staff).

11 5.4 Some quality objectives are too generic and cannot be measured.

Measurable quality objectives are not always defined (e.g.: system improvement objectives defined in the review dated 12/2009).

12 7.1 In the Production department, product XX was being manufactured without a Quality Plan being issued as required by the procedure.

The Quality Plan established in proc. .... / rev. … for new products is not systematically issued (e.g.: product XX ...... , .........).

13 7.2 For product HH, ordered by phone, there is no evidence that the order has been reviewed as required by the procedure.

Evidence of contract reviews is not always available for telephone orders (e.g.: Order ...)

14 7.2 The review record of the modification to an order for a complex product is not available.

Order modifications are not always subject to the required review (e.g.: order modification ...).

15 7.2 Contract JJJJ/A was reviewed after production commenced.

Contracts are not always reviewed before production activities commence (e.g.: contract JJJJ/A, ...).

16 8.2 The B.E.T. test on a product lot was not recorded in the laboratory register even though the chemical analysis sheet requires analyses to be performed on all lots of this product.

There is no evidence that all the chemical analyses indicated in the chemical analysis sheet are performed (e.g.: the B.E.T. test indicated in the chemical analysis sheet attached to lot 398 of 24/05/2004).

17 5.5 The process control documents are approved by

The specific responsibilities defined in document .... do not always reflect the


___________________________________________________________________________________________________________



the Production Manager instead of the Methods Manager as established in procedure XYZ

real situation of the organisation (e.g.: responsibility for .... by the ... Manager).

18 7.3 A design planning document has not been drawn up for the design activity of job XXZZ.

Design activities are not always systematically planned (e.g.: Job XXZZ).

19 7.3 The Design Plan of Job ZZXX does not indicate the completion dates of the various phases.

Design Plans are not always updated as they should be (e.g.: Job ZZXX ).

20 7.3 The design review records for Job HXHX cannot be traced.

Design review records are not always available (e.g.: Job HXHX).

21 7.3 There are 2 versions of the xxzz Design Plan in the technical department with the same date, signature and revision number, but with different updates; the obsolete copy is not identified.

Design Plans are not always managed in a controlled way (e.g.: the technical department has two copies of Design Plan zzxx with different contents but the same date, signature and revision number; the obsolete edition is not identified).

22 7.4 Some incoming components were not checked before entering the production cycle, as they should have been according to procedure P10.

Not all incoming components are checked before entering the production cycle as required by procedure P10 (e.g.: hydraulic cylinders Order XXX).

23 8.2 The “Procurement” department was not audited three months before the date of our audit as required by the Audit Plan.

Audits are not always performed according to the Audit Plan (e.g.: the Procurement Department has not been audited yet).

24 8.2 The applicable Technical Department procedures are not indicated on the Audit Report as required by Procedure P8.

Audit reports do not always mention the documents applied (e.g.: Technical Department audit).

25 5.6 Management Review report of ........... does not mention audit results.

There is no evidence that the Management Review of ........... analysed all the required elements (e.g.: audits).


___________________________________________________________________________________________________________



26 7.4 It is not clear how the suppliers, defined by procedure P6 as “long-standing”, have been assessed and accepted.

The assessment criteria used for some suppliers (e.g.: long-standing suppliers as defined in procedure P6) are not sufficiently well-defined.

27 7.4 The qualification questionnaire for supplier … established by procedure P6 is not available and the planned assessment audit has not been conducted.

Supplier qualification documents are not always sufficient to allow an objective assessment to be made as required by procedure P6 (e.g.: qualification of supplier …).

28 7.4 Orders 256/99 and 308/99 do not contain the signature of approval required by procedure P6.

There is no evidence of systematic order approval (e.g.: orders 256/99 and 308/99).

29 8.3 The method used to identify non-conforming materials is not indicated in the system documentation.

Procedure P13 does not define the methods used to identify NC materials.

30 8.3 Materials identified as non-conforming for which the required non-conformity registration form has not been filled in have been found.

The NC report relative to materials identified as NC is not always available (e.g.: materials ...).

31 7.5 There is no evidence of the registration of administration of Ciproxin to Mr S.G. in the Clinical Diary.

There is not always clear evidence of the administration of treatment (e.g.: prescription of Ciproxin to Mr S.G. in the Clinical Diary).

32 7.5 The customer has not been informed of damage to the dials on some pressure gauges it supplied for assembly on the system being manufactured.

Reports to customers concerning customer-supplied products are not always formalised (e.g.: Pressure gauges for job XXXX).

33 7.5 Components AA, BB, CC of job GGJJ/99 have not been marked for traceability as established in procedure P8.

The traceability marking for components established in procedure P8 does not seem to be applied (e.g.: components AA, BB, CC job GGJJ/99).

34 7.5 Machining tolerances for component FF have not been

Machining tolerances do not seem to have been defined for all work pieces.


___________________________________________________________________________________________________________



defined. (e.g.: Component FF).

35 7.5 One (or more) welders in the boiler department does (do) not possess the required qualification.

Not all welders seem to possess the required qualification (e.g.: Boiler department).

36 7.5 Though the warehoused packs for components WWW have been produced according to procedure P15, they are deteriorated due to significant absorption of humidity. The accompanying internal documentation is also damaged.

The methods of storing, checking and taking action in MAG are not always sufficient to ensure the packs and their contents remain in good condition (e.g.: packs for ... ).

37 7.5 Components in the ………. department are not marked with the required control tags showing inspection and test and status but another identification system is used which differs from the requirements of Procedure P12.

The method established in Procedure P12 to identify inspection and test status is not always applied or different methods are used (e.g.: ……components in the finishing / testing department).

38 7.5 DHH crates are stored in piles that are higher than the two metre maximum established in procedure P15.4 and some of them are deformed.

The method used to store crates differs from that established in Procedure P15.4 and does not always ensure they remain in good condition (e.g.: DHH crates).

39 7.5 The technical service staff is not provided with all the equipment required by Instruction IS 5.

The equipment given to the technical service staff does not always correspond to the requirements of Instruction IS 5.

40 7.6 An instrument was calibrated against samples that do not refer to international or national samples.

When calibrating measuring instruments, reference to international or national samples is not always guaranteed (e.g.: pressure gauge n° 15b).


___________________________________________________________________________________________________________



41 7.6 Linear measuring instruments (gauges and micrometers) are not calibrated every 6 months as indicated in procedure P11

The calibration frequency of measuring instruments is not always respected (e.g.: linear measuring instruments).

42 8.5 Action on RAC nos. 15 and 18 has not been defined (or the deadline within which...).

The required action is not always defined in corrective action requests.


___________________________________________________________________________________________________________



Ref. ISO 14001 Scenario Expression of Finding

1 4.4.3 No reply has been received to an environmental request from district XVDC, prot. 3450/05 of 04/04/2005.

The EMS does not always assure responses to environmental communications (e.g.: communication prot. 3450/05 of 04/04/2005).

2 4.5.1 Among other things, the monitoring plan established in procedure xyz involves daily inspections of waste storage areas, while the relative registration form shows that these are not always performed.

The daily inspections of waste storage areas, as established in procedure xyz, are not always performed.

3 4.3.3. Objective n° 7 of the environmental programme requires Sox concentrations at emission points E3 and E4 to remain under 80% of the maximum limit established in authorisation XVC.

Not all the environmental objectives pursue continual improvement (e.g.: objective n° 7 – maintenance of environmental performance).

4 4.5.1 The calibration record of pHmeter T1 located in laboratory 3 is not available.

There is no evidence that all the equipment used for monitoring has been calibrated (e.g.: pHmeter T1 in lab. 3)

5 4.5.5 The “Bottling” department was not audited three months before the date of our audit as required by the Audit Plan.

Audits are not always performed according to the Audit Plan (e.g.: the Bottling Department has not been audited yet).

6 4.5.5 The applicable Technical Department procedures are not indicated on the Audit Report, as required by Procedure P 8.

Audit reports do not always mention the documents applied (e.g.: Technical Department audit).

7 4.3.3 Some objectives in the 2005 environmental programme are too generic and cannot be measured.

Measurable objectives are not always defined (e.g.: system improvement objectives defined in the review dated 12/2004).

8 4.5.5 Procedure P 8 requires The qualification criteria for internal


___________________________________________________________________________________________________________


Ref. ISO 14001 Scenario Expression of Finding

internal environmental system auditors to be “Qualified”, but the qualification criteria have not been established.

environmental system quality auditors have not been defined.

9 4.6 Environmental performance data is not mentioned in the management review of 01/2005.

Environmental performance data is not always indicated in the management review report (e.g.: review of 01/2005).

10 4.5.2 The periodic assessment of legislative conformity recorded on Form 13.09 does not include the results of the conformity assessment.

There is no evidence of the results of the periodic legislative conformity assessment.

11 4.5.3 Action on NC nos. 4/05 and 8/05 has not been defined (or the deadline within which...).

The required action is not always defined in corrective action requests.

12 4.4.5 The instruction for the internal management of newly produced waste is not present in the vfr department of the production sector.

The internal waste management instruction is not always available in the relative departments (e.g.: vfr department – production)


___________________________________________________________________________________________________________


7. TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (SA 8000:2008)

Ref. SA 8000 Scenario Expression of Finding

1 5.1 While checking the job announcements on the company website, one was found for an expert computer programmer showing an age limit of 30.

Job announcements do not always respect the requirements of the standard (e.g.: Expert Computer Programmer - Maximum age 30).

2 9.5 The 2005 staff training programme omits certain information. The relative implementation times are missing, as are the employees of a branch office.

Staff training is not always suitably planned (e.g.: in the 2005 training plan, not all the people involved are identified, neither are implementation times).

3 9.11 Revision 0 of instruction IL03, relative to the methods for sending reports or claims, does not correctly mention the certification body and the accreditation organisation.

The instruction for sending reports or claims concerning socially and ethically incorrect behaviour (il03 – rev.0) does not correctly mention the certification body and the accreditation organisation.

4 9.5 The 2006 internal audit plan (PVI 06 Revision C) does not include site n°4.

The internal audit plan (pvi 06 – rev.c) is not sufficiently consistent with the company organisational structure (e.g.: site n°4 not included).

5 9.8 The system documentation, revision 2 of procedure P5, does not indicate the supplier assessment criterion.

In procedure p5 - rev. 2, the supply assessment criterion adopted is not sufficiently justified.

6 9.10 The organisation has not implemented any control activities for secondary NCs issued during 2nd-party audits.

Insufficient evidence is given of the action taken as a result of supplier assessments (e.g.: follow-ups relative to secondary non-conformities issued during second-party audits)

7 3 The risks for pregnant workers are not indicated in the 30th January 2005 update of the DVR.

The risk assessment document is not sufficiently detailed (e.g.: risks for pregnant women - dvr of 30/01/2005)


___________________________________________________________________________________________________________


Ref. SA 8000 Scenario Expression of Finding

8 3 Records concerning the periodic evacuation drill planned for May 2005 in company document GE05 – rev. 00 are not available.

The documentation indicating the performance of periodic emergency drills is not systematically available (e.g.: periodic evacuation drill planned for May 2005, doc. GE05 - rev. 00)

8. TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (OHSAS 18001: 2007)

Ref.

OHSAS 18001 Scenario

Expression of Finding

1 4.3.3 The result of the assessment of the risk derived from manual handling of cargoes highlighted the need of taking some improvement actions, which were not managed as a System improvement objective.

The objectives defined for the period in question are not always consistent with the risk assessment result (e.g. risk derived from manual handling of cargoes)

2 4.5.2 The Organization’s procedure required a check of the compliance with the legal prescriptions on a monthly basis whereas records were written only every three months.

There is no evidence of the check of compliance with legal prescriptions in accordance with the intervals defined in the procedure

3 4.4.2 In the X-ray department it was not possible to have the evidence of the specific training given to workers in relation to the safety cards of the products used.

The personnel using dangerous products subjected to safety cards are not always trained about the relevant risks (e.g. radiology operators)

4 4.4.7 The company has no instrument that allows for the real-time identification of those persons who did not take part in at least one emergency simulation, for example because they were absent due

The Management System does not provide sufficient control on the participation of all personnel to scheduled emergency simulations.


___________________________________________________________________________________________________________


to illness or change of shift.

5 4.4.7 In the X-ray department one of the interviewed operators showed low knowledge of the emergency procedures in force.

Emergency evacuation procedures described in System documentation are not always known by the personnel (e.g. radiology operator)

6 4.3.1 In the area dedicated to charging of lift truck batteries there were no vertical signs relating to explosion risks, identified in the risk assessment document.

ATEX explosion risk areas are not always properly identified (e.g. missing signs in the lift truck loading area)

7 4.4.6 At the workshop the periodical maintenance card relevant to only lathe XXX was not filled in.

Evidence of periodic maintenance operations carried out at the machines/equipment present in the workshop is not always provided (e.g. lathe XXX)

8 4.5.5 The safety function is not inserted in the annual audit programme.

Not all system processes are included in the annual audit programme (e.g. safety function)

9 4.4.6 A survey at the warehouse showed that maximum load indications relating to the racks in some cases are not well visible to the personnel; the control system should ensure their prompt positioning or change of position.

Checks carried out on equipment and working areas are not always effective (e.g. missing capacity indication for the racks present in warehouses)

10 4.6 Although the Organization has analyzed in detail all the accidents occurred, it does not record this data in the management review minutes.

The management review document does not deal with all the input elements foreseen by the standard (e.g. accident analysis)

11 4.5.3 Near-miss accidents are reported to the System Manager by e-mail messages instead of observing the modalities defined in the reference procedure.

Near-miss accidents are not always properly reported and recorded.

12 4.5.5 Although the Organization has identified some

Internal auditing activities are not always planned and carried out by the


___________________________________________________________________________________________________________


processes/risks as significant, it dedicated the same amount of time to all processes/risks during internal audits.

Organization on the basis of risk assessment results

9. EXPRESSING “MA” and “mi” FINDINGS FOR THE EN9100 SCHEME

The EN 9101 standard classifies findings as follows:

1) MA = major nonconformity

2) mi = minor nonconformity

3) OFI = opportunity for improvement (recommendations)

For the EN9100 certification scheme, expressing findings defined as nonconformities must be made on a specific form, an extract of which is shown below, together with the relevant instructions for filling it in.

Section 1 - Details of nonconformity:

(1)

REQUIREMENT/CLAUSE

NO.(S): (2)

CLASSIFICATION

(MA/MI): (3)

STATEMENT OF NONCONFORMITY:

(4)

OBJECTIVE EVIDENCE:

(5)

DUE DATE:

AUDITOR AUDITEE REPRESENTATIVE ACKNOWLEDGEMENT

NAME: Signature: Name: Signature:


___________________________________________________________________________________________________________


(1) Identify the processes, area and/or division subject to audit using the same terminology defined by the organisation;

(2) Identify the requirement of the 9100/9110/9120 standard to which the finding is to be expressed;

(3) Decide the type of finding based on what is stated in the previous paragraphs;

(4) Give a detailed description of the finding identified, ensuring both the auditor and the auditee are clear as to the nature of the finding;


___________________________________________________________________________________________________________


(5) Provide objective evidence in order to outline the deficiencies found related to the specific requirement of the reference standard.

2 scenarios of “MA” nonconformities and 2 of “mi” nonconformities are illustrated below.

SCENARIO 1 (“MA” NONCONFORMITY)

Records related to reviews of the design for the new landing system reveal that, although several problems have emerged and some risks have been identified, the relative actions have not been defined. In this specific case, the delay in launching the client programme is due to a mandatory airworthiness requirement not taken into account (projects UH838 and IU124) leading to reliability problems of the product to be delivered. Moreover, further analyses showed that the records of the design reviews were unavailable (product 7654, 8764, 4897) or that they were filled in on the same occasion, after the pilot product lot (product 2334, 2520, 3811, 4587).


DESIGN PROCESS

REQUIREMENT/CLAUSE

NO.(S): 7.3.4

CLASSIFICATION

(MA/MI): MA


THE DESIGN REVIEWS, NOT MADE SYSTEMATICALLY, DO NOT ENSURE THAT ALL THE INPUT ELEMENTS

RELATED TO PRODUCT REQUIREMENTS HAVE BEEN DETERMINED, WITH PARTICULAR REFERENCE TO THE

APPLICABLE MANDATORY REQUIREMENTS

OBJECTIVE EVIDENCE:

FOR THE PROJECTS UH838 AND IU124, THE MANDATORY AIRWORTHINESS REQUIREMENTS HAVE NOT

BEEN TAKEN INTO ACCOUNT AND FOR THE PROJECTS 7654, 8764 AND 4897 THE DESIGN REVIEWS

HAVE NOT BEEN PERFORMED.

DUE DATE:




___________________________________________________________________________________________________________


SCENARIO 2 (“MA” NONCONFORMITY)

An auditor is carrying out a certification audit according to the EN9110 standard of an organisation which undertakes aircraft engine maintenance. During the audit of the maintenance process, the auditor checks assembly of the Turbofan Rolls Royce engine number (BK-123-40), focusing on configuration management. On analysing in-depth the configuration management document for that engine, the auditor notes that 2 valves (XC-2012834 and BH41FT) have been installed even though not indicated in the list of main and auxiliary components. The engine and related aircraft have been delivered to the client.


MAINTENANCE PROCESS

REQUIREMENT/CLAUSE

NO.(S): 7.5.1

CLASSIFICATION

(MA/MI): MA


THE MAINTENANCE PROCESS HAS NOT BEEN CARRIED OUT AND COMPLETED IN COMPLIANCE WITH

WHAT WAS PLANNED, WITH PARTICULAR REFERENCE TO THE TECHNICAL REQUIREMENTS CONTAINED

IN THE CONFIGURATION DOCUMENTATION.

OBJECTIVE EVIDENCE:

2 VALVES (XC-2012834 AND BH41FT) HAVE BEEN INSTALLED IN THE TURBOFAN ROLLS ROYCE ENGINE

NUMBER (BK-123-40), DELIVERED TO THE CLIENT, WHICH WERE NOT FORESEEN IN THE DOCUMENTS

WHICH DEFINE THE ENGINE CONFIGURATION.

DUE DATE:




___________________________________________________________________________________________________________


SCENARIO 3 (“MI” NONCONFORMITY)

During the audit of the product development process, the auditor dwells on the methods used by the organisation to manage risk. In particular, the organisation uses FMEA. The auditor checks 4 examples of FMEA and in particular, two design FMEA of two new components just put into production and two process FMEA of two new production lines involving the following production phases: Receipt of goods, mechanical machining, assembly, galvanisation, storage and delivery to the client. These phases are, in any case, defined in the production flow-chart.

Analysing the FMEA, in three cases the auditor finds no problem but as regards the process FMEA related to the product code EA-32, the auditor finds that the assembly phase has not been taken into account. From an analysis of the production waste and of complaints from the client, it cannot be inferred that product nonconformities may be attributed to the assembly phase. Moreover, this phase has been checked on FMEA relative to other products whose characteristics are, in any case, different from the EA-32 product.


PRODUCT DEVELOPMENT PROCESS

REQUIREMENT/CLAUSE

NO.(S): 7.1.2 C)

CLASSIFICATION

(MA/MI): MI


THE RISK MANAGEMENT PROCESS DOES NOT INCLUDE, SYSTEMATICALLY, ASSESSMENT OF THE

PRODUCTION PHASES FORESEEN THROUGHOUT PRODUCTION OF THE PRODUCT.

OBJECTIVE EVIDENCE:

THE PROCESS FMEA RELATED TO THE PRODUCT CODE EA-32 DOES NOT TAKE INTO ACCOUNT RISK

ANALYSIS FOR THE ASSEMBLY PHASE.

DUE DATE:




___________________________________________________________________________________________________________


SCENARIO 4 (“MI” NONCONFORMITY)

During the procurement process audit, the auditor dwells on the organisation’s supplier register and on the criteria used to monitor supplier performance. In particular, the organisation assesses suppliers using indicators such as: % of waste, cost of supplier NC, OTD (on time delivery). The organisation decides to assess performance monthly. Analysing the performance of 10 suppliers, the auditor notes that, in the case of two suppliers, performance has not been assessed in the last six months. Going into more depth, out of a total of 34 suppliers on the list, performance has not been assessed for 3 suppliers (ABC Srl, CFD Spa, SPD Sas) in the last 6 months. Analysing the previous performance of the 3 suppliers, the auditor finds that, for two suppliers, no nonconformities were detected the year before and the two suppliers had an OTD of more than 95%. For one supplier, on the other hand, a NC had been found the previous year and 100 parts had been returned and immediately replaced with conforming parts by the supplier.


PROCUREMENT PROCESS

REQUIREMENT/CLAUSE

NO.(S): 7.4.1 B)

CLASSIFICATION

(MA/MI): MI


SUPPLIER PERFORMANCE IS NOT REVIEWED SYSTEMATICALLY OR AT THE REQUIRED INTERVALS

OBJECTIVE EVIDENCE:

FOR THE 3 SUPPLIERS ABC, CFD AND SPD PERFORMANCE HAS NOT BEEN EVALUATED IN THE LAST SIX

MONTHS EVEN THOUGH THE ORGANISATION HAS ESTABLISHED A MONTHLY REVIEW

DUE DATE:




___________________________________________________________________________________________________________


10. ACCEPTANCE OF AN ORGANISATION’S PROPOSALS

10.1 ANALYSIS OF CAUSES

In order to identify suitable corrective action, it is essential to perform a complete analysis to find the real cause which led to the finding.

The organisation must find the root cause of the nonconformity identified.

This analysis must be consistent with the finding highlighted and must clearly identify the fundamental cause of the finding.

The root cause must not be a simple repetition of the finding.

The definition of a suitable root cause must not allow the possibility of asking other “whys”; if this happens, the real root cause has not been determined.

The audit team leader must not approve analyses of the causes which are superficial and inconsistent with the finding which has been highlighted.

10.2 CORRECTION (CORRECTION/LIMITATION ACTIONS)

The organisation must define in the treatment, the immediate limitation action as well as the correction to eliminate/limit the nonconformity and to control any nonconforming products found.

This action must be consistent with the non conformity found.

If the organisation is able to implement the correction immediately, the correction is to be reported as action already taken (in the past).

If the correction cannot be made immediately, the organisation must submit it as a planned action.

The audit team leader must check whether the correction proposed by the organisation:

is such as to eliminate/effectively limit the finding,

is applicable.

10.3 CORRECTIVE ACTION

The organisation must define the corrective action which ensures the nonconformity will not recur.

The corrective action must be consistent with the nonconformity and with the analysis of the causes.

The audit team leader must check that the corrective action proposed by the organisation:

- is consistent with the analysis of the causes and implementable,

- that planning has been defined and a maximum period of time has been established for its implementation, in accordance with the reference certification rules,


___________________________________________________________________________________________________________


- that the people responsible for implementing the action have been established and that it has been approved by a representative of the organisation.

9.4 EXAMPLE

The present chapter gives an example of declaration of analysis of the causes, correction (correction/limitation actions) and corrective action.

Nonconformity

No systematic corrective action is taken against suppliers who do not meet the contractual requirements foreseen (i.e. for the supplier WELD-IT whose last 5 supplies have been nonconforming and late in delivery compared to the contractual delivery times stipulated, there is no evidence of action taken or planned to solve the problem).

Correction (correction/limitation actions) The Weld-it supplier has been temporarily suspended until further analysis of the causes, leading to non compliance with the contractual requirements, is made. The Weld-it material already delivered and stored in the warehouse has been immediately segregated and will be rechecked. The finished products with Weld-it components, ready for delivery, have been identified and segregated in order to be checked. A check will be made immediately to see whether this situation is common to other suppliers and if so, the same limitation actions may be implemented also in their case.

Analysis of causes Supplier performance has not been reviewed in the last 3 months. Data have been collected but neither analysed nor used. The information relevant to the problems found in connection with the supplies received has not been shared with the people concerned. This has occurred because the procedures in question do not define the procedure to be followed to assess supplier performance.

Corrective action The procedure will be modified to better define the method of collection, analysis and use of data related to suppliers. The responsibilities and authority of the people concerned will be clearly defined. The channels of information which enable information related to problems with suppliers to be shared immediately will be clearly defined. The performance of all the suppliers of the last 3 months will be analysed and subsequently every month. Actions will be planned in all cases where the contractual requirements are not complied with. All the people involved in supplier performance assessment will be trained.

GUIDE FOR MANAGEMENT SYSTEM AUDITORS EXPRESSING … · TABLE GIVING TIPICAL EXAMPLES OF B-TYPE...

Documents

Transcript of GUIDE FOR MANAGEMENT SYSTEM AUDITORS EXPRESSING … · TABLE GIVING TIPICAL EXAMPLES OF B-TYPE...