
Auditing preventive action

Even before they’ve started to go about the business of evaluating the processes for preventive actions, it’s often quite difficult for auditors to differentiate them from corrective actions. Here, the ISO 9001 Auditing Practices Group gives some tips for approaching this often complex area.

ISO 9000 clause 3.6.4 defines preventive action as ‘action to eliminate the cause of a potential nonconformity or other undesirable potential situation’. This can be considered as an action taken to prevent nonconformity from happening. However, if there is no nonconformity to start with, and if the preventive action is effective, the status quo will be maintained. This raises the difficulty of auditing a process for which the desired output is to maintain the status quo. There is often confusion about the differences between the terms correction, corrective action and preventive action (refer to ISO 9000 for their formal definitions), and also in relation to an organization's activities in respect of each of them.

Auditing an organization’s correction and corrective action processes is relatively straightforward, because the results and effectiveness of these processes are usually well defined (ie if the organization has already identified a nonconformity, it is relatively simple for an auditor to evaluate the process the organization used, or is planning to use, to correct it, and whether or not this will be effective in avoiding re-occurrence of the nonconformity). However, auditing preventive action processes is usually more complex.

Spot the difference

ISO 9001 requires the organization to have a documented procedure for preventive action. However, it is worth noting that the combination of corrective action and preventive action documented procedures into a single QMS document is acceptable, but is not recommended. If these are combined, then it is important for the auditor to verify that the organization understands clearly the difference between the intent of corrective and preventive actions.

The standard requires this documented procedure to include various important points:

1. How the organization determines potential nonconformities and their causes. Typical examples might include:

  • trend analysis for process and product characteristics (output from the data analysis process)
  • alarms to provide early warning of approaching ‘out-of-control’ operating conditions
  • monitoring of customer perception, by both formal and informal feedback systems
  • ongoing failure mode and effect analysis for processes and products (this is a requirement of TS 16949, for the automotive industry, for example)
  • evaluation of nonconformities that have occurred in similar circumstances, but for other products, processes, or other parts of the organization, or even in other organizations
  • planning activities for both predictable situations (e.g. due to expansion, maintenance, or personnel changes – see also ISO 9001, Clause 5.4.2b)) and for unpredictable situations (e.g. naturally occurring problems such as hurricanes, earthquakes, floods etc.)

2. An evaluation of the need for preventive action. Methods used in the evaluation could include risk analysis approaches or failure mode and effect analysis (neither of these specific approaches or methodologies is a requirement of ISO 9001).

3. How the organization determines what action is required, and how it is implemented. An auditor should look for evidence that:

  • the organization has analyzed the causes of potential nonconformities (use of cause and effect diagrams and other quality tools may be appropriate for this)
  • the required actions are deployed in all relevant parts of the organization, and in a timely manner
  • there are clear definitions of the responsibilities for the identification, evaluation, implementation and review of preventive actions

4. Records of the results of the actions taken

  • what records are kept?
  • are they appropriate, and are they a true reflection of the results?
  • are they being controlled in accordance with ISO 9001 clause 4.2.4?

5. A review of the preventive actions taken

  • were the actions effective (ie was nonconformity prevented from occurring, and were there any additional benefits)?
  • is there a need to continue with the preventive actions the way they are?
  • should they be changed, or is it necessary to plan new actions?

There is often significant ‘philosophical’ discussion between the auditor and the organization about where corrective action ends, and where preventive action begins. For example, if a nonconformity is detected in process A, are actions taken to avoid future nonconformities in processes B, C and D preventive actions, or simply within the scope of the corrective actions taken for process A? The auditor should avoid being side-tracked by these discussions, and concentrate on whether or not the actions were effective. The labeling of the actions taken is of secondary importance.

This article is an edited version of 'Documenting non-conformances' from the website of the ISO 9001 Auditing Practices Group, and is reproduced courtesy of ISO and the IAF. These papers were developed on current best practice and therefore have not been formally endorsed as International Accreditation Forum (IAF) guidance or ISO TC176 interpretations.

The ISO 9001 Auditing Practices Group is an informal group of QMS experts, auditors and practitioners drawn from the ISO Technical Committee 176 Quality Management and Quality Assurance (ISO/TC 176) and the IAF. It has developed a number of guidance papers and presentations that contain explanations about the auditing of QMSs. These reflect the process-based approach that is essential for auditing the requirements of ISO 9001.

 

 

©2005 IRCA. All rights reserved. www.irca.org