by Larry Whittington
Auditors must get tough when evaluating corrective actions. If a corrective action fixes only its resultant problem and doesn’t remove its cause, don’t accept it. If you accept a weak solution, you’ll end up writing the same or a similar nonconformity in a future audit.
The problem: Nonconformity
Do you seem to be reporting some of the same nonconformities from audit to audit? Isn’t that frustrating? Why isn’t the auditee fixing the problems that you keep citing? Well, it may be partly your own fault. Accepting weak corrective actions will lead to repeat nonconformities.
Why are organizations having such a hard time taking effective corrective action? It may be that they don’t understand how to perform root cause analysis. Or, they may view a corrective action request as an annoyance to be quickly dismissed so they can get back to their “real” work.
A common mistake in completing a corrective action is for the auditee to claim that the cause of a nonconformity was human error. As a result, the organization attempts to correct the behavior of the person it blames for the problem instead of eliminating the real root cause.
If an organization says that a nonconformity you’ve cited was due to human error, you should ask its management team why it’s so prone to error. The answer may be that it’s overly complex, poorly documented, is conducted by inadequately trained employees, or that their job descriptions are unclear.
To reduce the use of this excuse, your organization may want to institute a policy that citing “human error” is an unacceptable root cause for a nonconformity. Force auditees to investigate what is causing the mistakes and then determine how the process can be made less prone to error.
The auditor’s role
Unfortunately, auditors often compound this issue by attempting to conduct a follow-up audit too soon. It’s possible that you might be able to verify that a problem was contained and fixed soon after it was cited, but it’s more likely that you won’t be able to reliably evaluate the effectiveness of its corrective action so soon. Enough time must elapse to ensure that the events or transactions that triggered the nonconformity have repeated themselves after the corrective action was performed and implemented. Only then can you see if the nonconformity is repeating itself or not. The evidence must clearly show the nonconformity is not recurring to prove the action was effective in removing the cause(s).
As the auditor, you must clearly describe the detected nonconformity in your audit report to aid in its containment and correction, and for the corrective action process. You may have to explain the corrective action procedure and related forms.
Remind the auditee that a corrective action may not be required for all reported nonconformities. It depends on the effect of the nonconformity. If it’s a problem that is easily detected, low risk, and costly to prevent, the right business decision may be to record the investigation and explain your justification for not taking a corrective action.
Corrective action request
When writing the request for corrective action, explain the problem. What is the evidence that a specified requirement was not met? The evidence could be documents, observations, records, or statements. The specified requirement could a legal, internal, customer, industry, or standard requirement.
Although you may be tempted, don’t include or even imply a possible cause in the problem statement. If you do, you will be interfering with the organization’s analysis and cause it to overlook the real root cause. Don’t mention the person by name who is involved in the problem; keep the focus on the process.
To relate a sense of importance and urgency, you may want to include an explanation of why the situation is of such concern. Identify the potential consequences if the situation isn’t addressed quickly and properly. You need to issue a well-written corrective action request, verify that it’s assigned to the appropriate process owner, and that he or she has an agreed-to completion date.
Corrective action process
According to ISO 9001:2008, clause 8.5.2, the corrective action process must:
- Review the detected nonconformity.
- Determine the cause(s) of the nonconformity.
- Evaluate the need to prevent its recurrence.
- Determine the necessary corrective action.
- Take action appropriate to the effects of the nonconformity.
- Record the results of the action taken.
- Review the effectiveness of the action taken.
Clause 8.5.2 of ISO 9001 states that “Corrective actions shall be appropriate to the effects of the nonconformities encountered.” Organizations should establish criteria for what they consider “appropriate” action. There may be minor problems that need to be fixed that don’t require formal corrective action. New problems could be referred to a manager for review. If it’s the first occurrence, it could be merely fixed and tracked. If there are multiple occurrences, a corrective action should be initiated.
Correction vs. corrective action
One reason for weak corrective actions may be confusion over correction vs. corrective action. Correction is the action to eliminate a detected nonconformity. Corrective action is an action to eliminate the cause of a detected nonconformity to prevent its recurrence. Therefore, correction fixes the problem; corrective action removes the cause.
To illustrate the difference between correction and corrective action, consider this example. An auditor writes a nonconformity report because a required employee training record can’t be located. It could be that the training was never given and therefore a record doesn’t exist, or the training was provided but the record is missing.
The “correction” would be to find the missing record and file it, or to provide the necessary training and record it. The “corrective action” would be to find out why the record was missing and then modify the training process to remove the cause and prevent missing training records in the future.
Requirements for correction
ISO 9001:2008 states in clause 8.2.2, Internal audit: “Ensure any necessary corrections and corrective actions are taken to eliminate detected nonconformities and their causes.” Therefore, the standard calls for separate activities: correction to remove the nonconformity and corrective action to remove its causes, but only to the extent necessary.
Clause 8.2.3, which addresses process monitoring and measurement states, “When planned results are not achieved, correction and corrective action shall be taken, as appropriate.” Again, the standard recognizes that the activities are different and only performed as appropriate.
Organizations also confuse the terms “containment” and “remedial action.” Containment isolates the nonconforming product or service from its normal flow and prevents its delivery to the customer. Containment is part of controlling a nonconforming product or service.
Remedial action is the correction activity to eliminate a nonconforming product. In the case of services, the correction may require that additional services be provided to overcome the nonconforming service and ensure satisfaction.
The different types of correction include:
- Rework the nonconforming product to make it conform to requirements.
- Repair it to be acceptable for its intended use, although it doesn’t meet requirements.
- Regrade it to conform to a different set of requirements.
- Reprocess it by sending it back through the transformation process.
Corrective vs. preventive action
Another point of confusion is the difference between corrective action and preventive action. Corrective action is the action to eliminate the causes of a detected nonconformity to prevent its recurrence. It is a type of problem management.
Preventive action is the action to eliminate the causes of a potential nonconformity to prevent its occurrence. It can be considered a form of risk management.
After an audit, a corrective action is taken on a nonconformity because the finding is a detected problem. Preventive action can be taken on a reported observation because the finding could be a future problem.
When the ANSI-ASQ National Accreditation Board (ANAB) was receiving inadequate responses to nonconformities it issued during audits of certification bodies (CBs), it gave guidance to its auditors on how to better evaluate corrective action responses.
According to ANAB’s guidance, nonconformity responses should be reviewed in three parts: correction, root cause analysis, and corrective action. In reviewing the three parts, auditors first look for a plan and then evidence that the plan is being implemented. In some cases, the CB may take action and not provide a plan. This is acceptable as long as the following guidance is met.
To be fully accepted, the response must include the following components:
- The extent of the nonconformity has been determined and contained.
- The nonconformity has been corrected and the response is written in the past tense, e.g., the missing record was found (not “will be” found). The CB has examined the system to see if there are other examples that need correction and addressed the extent of the problem in its response. The response should include the evidence ANAB found and any other evidence the CB may have found.
- If correction cannot be immediate, a plan to correct the nonconformity may be appropriate. If this is the case, include identification of the responsible parties for the actions and a schedule (with dates) for implementation.
- If applicable, all parties involved have been informed of the problem (identify internally affected parties, auditors, and customers, etc.)
- Evidence that the correction was implemented or evidence that the plan is being implemented
To be fully accepted, the response must follow the following guidance:
- The root cause refrains from simply repeating the finding or the direct cause.
- The root cause is a brief expression of fact that attempts to neither explain the situation away nor rationalize the condition.
- A well-considered direct cause has been determined, along with a careful analysis to determine the true root cause. “Someone didn’t follow a process” would be a direct cause; determining why someone didn’t follow a process would lead to the root cause.
- The root cause statement must focus on a single issue. If more than one cause is identified—for instance, training and inadequate work instructions—then two corrective action plans must be submitted.
- The root cause statement addresses a fundamental issue without any obvious “why” questions remaining. If a “why” question can reasonably be asked about the root cause analysis, this indicates that the analysis didn’t go far enough.
To be fully accepted, the response must include the following components:
- The corrective action or corrective action plan addresses the root cause(s) determined in the root cause analysis.
- The plan must include the actions to address the root cause(s), identify the responsible parties for the actions, and include a schedule (with dates) for implementation.
- To accept the evidence of implementation, enough evidence is provided to show that the plan is being implemented as outlined in the response (and on schedule). Complete evidence in full isn’t required to close the nonconformity; some evidence may be reviewed during a future assessment when verifying the corrective actions.
In summary, solving a problem reported in an audit includes these steps:
- Contain problem
- Correct problem
- Action required?
- Determine causes
- Identify solutions
- Implement action
- Evaluate effectiveness
- Make changes
- Prevent problem
As auditors, we need to be tough on accepting corrective actions. Reject the ones that are only containment actions or corrections. Ensure that auditees have determined the root causes and taken corrective action to remove them. Verify that their actions were effective and the nonconformity isn’t repeating itself.
About the author
Larry Whittington is president of Whittington & Associates, a training, consulting, and auditing company founded in 1993 and located in Woodstock, Georgia. He is a RABQSA-certified lead auditor and IRCA principal auditor, as well as an ASQ Certified Quality Auditor and Software Quality Engineer. Whittington has developed requirements, implementation, documentation, and auditing courses used by multiple training firms and has taught hundreds of classes to thousands of students. Contact him at firstname.lastname@example.org.
Tags: corrective actions, nonconformity, root cause.