During the assessment of a certification dossier (initial certification), RvA noted the following: though generally the nonconformities are rated and resolved appropriately, for one of the nonconformities the following is noted. Minor nonconformity X reads “The Management Review does not demonstrably include inputs “the effectiveness of actions taken to address risks and opportunities” and “opportunities for improvement” (ref. 9.3.2 e and f). The nonconformity was classified as minor, because the topics related to these sub elements could be shown to have been managed within the QA dept.
The client had taken the following (paraphrased) corrective action: The management review template was changed to include these topics (demonstrated); and new method will be implemented next year. This had resulted in closing the minor nonconformity and issuing the ISO 9001 certificate (effective implementation to be verified at the first surveillance).
The CAB had used the definitions in line with ISO/IEC 17021-1 (3.12 and) 3.13 to the letter. However, this means that the CAB has certified a client, while they have demonstrated that a nonconforming situation had not yet been demonstrably closed, i.e. it had demonstrated that the client does not comply with all requirements.
In our opinion, this is a clear and straightforward example of where the current definition of nonconformity does not function properly. Under the requirements of ISO/IEC 17021:2011, the CAB should have raised a major nonconformity, because, in line with cl. 9.1.15 b1, the “nonconformity represented 1) failure to fulfil one or more requirements of the management system standard” and the CAB was required to verify effective implementation of corrective actions prior to closure.
It is our opinion that in this type of cases “non-fulfillment of the requirement of the standard”, even though it is not demonstrable (or even if it is just not clear whether) this nonconformity affects the capability of the management system to achieve the intended results, should be raised as major nonconformities.
This topic may be as applicable to many other nonconformities, e.g.
“The organization did not define the audit criteria and scope for each internal audit” (9.2.2.b);
“The organization did not retain documented information that identifies the authority deciding the action in respect of the nonconformity”(8.7.2.d);
“It is not demonstrable that, in determining the extent of post-delivery activities that are required, the organization has considered customer feedback or customer requirements (cl. 8.5.5 d and e).
“It is not demonstrable that the organization has taken into consideration, the effectiveness of the controls applied by the external provider” (8.4.2.c.2);
Etc.
We ask if this item can be raised as a broader concern with the aim of ensuring that if a nonconformity is raised which represents “a failure to fulfill one or more requirements of the standard”, then the consequence is that such a nonconformity shall be closed only after effective implementation of corrective action has been demonstrated. This is to ensure that the CAB’s statement of conformity is not supported with an audit that has demonstrated a failure to fulfill a requirement of the standard.
March 2018
In the soul of the standard, writers concern two type nonconformities (see 3.11, 3.12 and 3.13 of ISO/IEC 17021-1:2015). One can be closed conditionally (without reviewing corrective action evidences for effective implementation), the other one can not (reviewing corrective action evidences for effective implementation is MUST).
Actually, it depends on the nature or context or content of the NC. According to new High Level Structure approach, the intended results can be changed from one organization to other one. Even the organisations are almost at the same size and in the same business sector. Their intended results may vary depending on what they want or expect from the implementation of ISO 9001 or any MS standard.
To support this comment, we should take into consideration Clause 9.5.2 b) and c) of ISO/IEC 17021-1:2015 given below.
3.11
nonconformity
non-fulfilment of a requirement
3.12
major nonconformity
nonconformity (3.11) that affects the capability of the management system to achieve the intended results
Note 1 to entry: Nonconformities could be classified as major in the following circumstances:
- if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
- a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.
3.13
minor nonconformity
nonconformity (3.11) that does not affect the capability of the management system to achieve the intended results
9.5.2 Actions prior to making a decision
The certification body shall have a process to conduct an effective review prior to making a decision for granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification, including, that:
- b) for any major nonconformities, it has reviewed, accepted and verified the correction and corrective actions; (actually the decision is not conditional)
- c) for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action. (actually the decision is conditional, effective implementation of correction or corrective action will be verified during the next audit e.g. first surveillance)