
PRI Registrar Quarterly Training - Auditor Issues and NCR Responses

This training session discusses auditor issues related to client processes and provides guidance on NCR responses for correction and corrective action.

steffes

Presentation Transcript


  1. PRI Registrar Quarterly Training 17-Nov-2018

  2. Introduction
     • As many of you will have heard, PRI Registrar had its ANAB office audit in September.
     • The office audit resulted in 13 NCRs (1 major, 12 minors), many of which must be resolved through auditor training.
     • We will be reviewing the findings that relate to auditor issues today.

  3. Client Processes
     • One NCR we received dealt with the matching of client processes across the audit paperwork, but also implied something more fundamental.
     • We will discuss:
        • the requirement directly related to the finding
        • the deeper implication for how processes are defined
        • how this relates to PRI Registrar’s process

  4. Client Processes
     • The NCR was specifically written because there were several examples of client processes not matching across all of the audit documentation (audit plan, audit program, and QMS/EMS Matrix).
     • While there was a period in which PRI allowed auditors to be more lenient in regards to the matching of process names (equivalent, if not identical), that is no longer the case.
     • Process names must match exactly everywhere they appear in the audit documents.
     • This includes the audit program (the RF-117 for Aerospace audits, and the RMS processes for other programs).
     • Modifications are underway in RMS to unify the audit program across all programs, and to make managing the processes easier.

  5. Client Processes
     • In addition to the surface issue of process names being identical, there is the idea that everything listed on the audit plan, QMS/EMS Matrix, and audit program should be processes rather than activities.
     • In many cases, clients will not include some standard requirements as part of a fully defined process (usually requirements directly related to the management system).
     • This is not acceptable.
     • All standard requirements must be met within at least one of the processes defined in the interaction diagram.
     • A nonconformance shall be written to any client who fails to include all requirements in their defined processes.
     • The QMS/EMS Matrix must only list defined processes, and all standard clauses must be associated with at least one of these processes.
     • In addition, an NCR was issued to PRI regarding all standard clauses not being assessed during the certification cycle.
     • All clauses must be reviewed at least once during the surveillance audits, in addition to the full system audit (Stage 2 or Recertification).
     • Please be sure to take individual clauses into account when planning the process audits to ensure all requirements are met.

  6. Client Processes
     • In order to prevent this nonconformance from recurring, the following instructions are being implemented for audit documentation submitted to PRI Registrar:
     • Audit Plan (RF-12)
        • The audit plan must reference only the processes defined by the client on their interaction diagram, and shall not list activities as separate items on the plan.
           • E.g., if “heat treating” is part of a company’s “manufacturing” process, then heat treating may not be listed as its own entry on the audit plan.
        • If the auditor wishes to provide a more detailed audit plan that describes activities within a process, they may do so, as long as the process is clearly indicated on the plan.
        • An example follows on the next slide.
     • Audit Program (RF-117 or RMS)
        • Processes listed in the program must exactly match the processes defined by the client in their interaction diagram.
        • Any scope activities that are added to the audit program for tracking purposes (see Auditor Advisory #109) must be clearly identified as activities and not processes.
        • A modification to RMS is in process that will make the organization and maintenance of the audit program easier.
     • QMS/EMS Matrix (RF-129 or IAQG Form 2)
        • Processes listed in the program must exactly match the processes defined by the client in their interaction diagram.
        • No miscellaneous “pseudo-processes” may be listed (e.g., “QMS requirements”, or “Non-PEAR processes”).

  7. Client Processes
     This is a very good example of providing a more detailed audit plan, while clearly identifying activities as part of the client’s defined processes.

  8. NCR Responses
     • Another NCR that PRI Registrar received was that auditors were accepting weak NCR responses; specifically, two examples were found of auditors allowing clients to perform no correction, or submit a correction that was the same as the corrective action.
     • As such, we will review:
        • the difference between correction and corrective action
        • PRI Registrar’s expectations regarding correction and corrective action responses

  9. NCR Responses
     • Definitions
        • Correction: action to eliminate a detected nonconformity
        • Corrective Action: action to eliminate the cause of a nonconformity and to prevent recurrence
     • Expectations
        • All NCR responses require both (separate) correction and corrective action.
        • Correction is always required, even if that just involves investigation into the extent of the issue.

  10. Non-Applicable Clauses
     • Another two ANAB NCRs resulted from issues regarding clients’ non-applicable clauses:
     • The client had not identified N/A’s for each site in a multisite, and the auditor marked clauses in OASIS as N/A that had not been justified by the client.
        • If, while auditing, the auditor discovers a standard requirement that they cannot audit because it simply does not apply to the organization, and the client has not identified it as N/A or does not have a justification, a nonconformance shall be written.
     • Clauses were identified as N/A, but had weak or nonexistent justifications.
        • Any standard requirement identified as N/A must have a justification that includes at least a minimal level of detail as to why the N/A is justified.

  11. Scopes
     • Several NCRs were related to inaccurate or misleading scopes of certification.
     • A full scope training presentation (for both auditors and clients) is being developed, but for now:
        • The scope statement must describe what the auditor is able to audit now, not what the client is planning on doing in the future.
           • E.g., if the company is not yet manufacturing, but plans to do so in the future, then unless they can present an accurate mock-up of their manufacturing process that meets requirements, then “manufacturing” cannot appear in their scope.
        • The scope must accurately reflect the activities for which they are being certified.
           • E.g., if a company’s scope lists a process or activity that cannot be validated during the audit, the auditor shall contact the PRI Registrar office to discuss revising the scope statement.
        • For non-single sites, the sub-scope for each site must clearly reflect the differences (or lack of difference) between the sites.
     NOTE: For the purposes of a scope statement, kitting does not qualify as manufacture unless kitting changes the actual material properties (e.g., metallurgical) of the product.

  12. OASIS Functionality
     • Finally, several NCRs were written due to inaccurate data entered into the OASIS database.
        • One NCR was written against the inaccurate data itself.
        • Multiple NCRs were written (at least partially) based on other issues that were not truly problems, but looked like problems due to inaccurate data in OASIS.
     • Prior to submitting audit packages in OASIS, be sure to review your work for accuracy. In particular:
        • Ensure that N/A’s that are marked in Form 5 have corresponding justifications, and that the N/A’s in the QMS Matrix match.
        • Be sure that you are marking all relevant clauses that you audit, even if the requirement is met in a seemingly unrelated process.
        • Consider creating the PEARs before creating the QMS Matrix – this will make importing PEAR data into the Matrix easier.
        • Always remember to import the relevant site location on each form (including NCRs).
        • Make sure that processes audited at each site are properly marked on the QMS Matrix.
