====== How to Appeal a Nonconformance ====== {{keywords>How to Appeal a Nonconformance}} A MAJOR problem with both ISO 9001:2015 and AS 9100:2016 is the proliferation of ambiguous/nebulous/vague requirements that promote subjective interpretation and inconsistent application. Consequently, when encountering these ambiguous/nebulous/vague requirements, some auditors will adopt their own subjective, and therefore arguable, interpretation of the “intent” behind the requirement. This often happens because it's beyond the comprehension of an experienced Quality Professional that the standard would have ignored (or left out) several "key" concepts (requirements) necessary for the effective implementation of a basic Quality Management System (QMS). Struggling to make sense of this, //some// auditors will attempt to "fill in the gaps"... "imagining" requirements that don't actually exist. ===== Auditors Violating THEIR requirements ===== {{ :articles:youre_doing_it_wrong.jpg?direct&300|}} When auditors issue nonconformities to organizations for not meeting (their interpretation of) the “intent”, rather than the "actual" (verbatim) requirement, they’ve violated //[[https://www.iso.org/standard/61651.html|ISO 17021-1:2015, “Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements"]]//. This document contains some important requirements that the Certification Bodies (CBs) must comply with. When encountering an auditor who is intent upon issuing a nonconformity for your organization violating (their interpretation of) the “intent” of a requirement – rather than the actual requirement, be aware that the registrar (and auditor) must comply with the following requirements of ISO 17021-1:2015:
9.4.5.3 A finding of nonconformity shall be recorded against __a specific requirement__, and shall contain a clear statement of the nonconformity, identifying in detail __the objective evidence on which the nonconformity is based__. Nonconformities shall be discussed with the client __to ensure that the evidence is accurate and that the nonconformities are understood__. The auditor however shall refrain from suggesting the cause of the nonconformities or their solution. 9.4.5.4 The audit team leader shall attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings, and __unresolved points shall be recorded__. 9.4.8.2 The audit team leader shall ensure that the audit report is prepared and shall be responsible for its content. The audit report shall provide an accurate, concise and clear record of the audit to enable an informed certification decision to be made and shall include or refer to the following: \\ k) audit findings (see 9.4.5), reference to evidence and conclusions, __consistent with the requirements__ of the type of audit;
Unfortunately, //some// AS 9100 CBs may actually be promoting the issuance of invalid nonconformities. While I have no first-hand knowledge of this, I've "heard" that at least two major CBs are charging a fee for each NC issued... a portion of which is then paid to the auditor for follow-up and closure of those NCs. In effect, these CBs have issued a "bounty" to incentivize auditors to issue invalid or questionable NCs. Going a step further, another major CB has established a "quota" for each auditor to issue at least 1 nonconformity per audit day. The source of this is “likely” [[https://www.sae.org/standards/content/as9104/3/|AS9104/3:2007, "Requirements for Aerospace Auditor Competency and Training Courses"]], sec. 8.2.1a. The section reads:
8.2 Auditor Performance Criteria and Parameters \\ 8.2.1 Performance monitoring shall address, at a minimum, the following mandatory criteria: \\ **a. nonconformities per audit day;** \\ a. upheld complaints; \\ b. upheld client nonconformity appeals; and \\ c. oversight/witness findings.
While AS9104/3 obviously doesn't mandate auditors to issue 1 nonconformity per audit day, the CB in question appears to have //mistakenly// interpreted the requirement that way. You can also "appeal" the [[articles:classifying_nonconformities|classification of a nonconformity]]. For example, you can appeal for the reclassification of a "Major" nonconformity to a "Minor" nonconformity. ===== Preparing for a Complaint or Appeal ===== Accredited CBs are required by ISO 17021-1:2015, sec. 9.7 (Appeals) and 9.8 (Complaints) to “//have a documented process to receive, evaluate and make decisions on//” appeals and complaints. The “appeal” process allows clients to challenge invalid nonconformities. ISO 17021-1:2015 states:
9.7.4 The appeals-handling process shall include at least the following elements and methods: \\ a) an outline of the process for receiving, validating and investigating the appeal, and for deciding what actions need to be taken in response to it, taking into account the results of previous similar appeals; \\ b) tracking and recording appeals, including actions undertaken to resolve them; \\ c) ensuring that any appropriate correction and corrective action are taken.
If you don't have a copy of this procedure, then phone or e-mail your CB to get a copy, or link to their "Complaints & Appeals" procedure. If you've been unable to obtain a copy through normal channels, during the "Opening Meeting" for each audit performed by a CB, the auditor should ask whether there are any questions concerning the audit. Ask the auditor to provide you a copy of the CB's "Complaints & Appeals" procedure. While CBs are not required to post their appeals process on their website, many do. Below are a few ANAB accredited CBs along with hyperlinks to their “Appeals” processes: ^ Certification Body ^ Complaint & Appeal Process ^ | [[https://asrworldwide.com|American Systems Registrar (ASR)]] | [[https://asrworldwide.com/complaint-process-2]] | | [[https://www.eaglecertificationgroup.com|EAGLE Certification Group]] | [[https://www.eaglecertificationgroup.com/wp-content/uploads/2023/02/Doc-9-V18.pdf]] | | [[https://www.intertek.com/certification/| Intertek]] | [[https://www.intertek.com/business-assurance/policy-statement/| Complaints & Appeals Process]] & [[https://www.intertek.com/form/products-retail-certification-body-complaints-appeals-process/|Online Complaints & Appeals Form]] | | [[https://www.mcnacert.com/team|Management Certification of North America (MCNA)]] | [[https://www.mcnacert.com/team]] † | | [[https://www.nqa.com|NQA-USA]] | [[https://www.nqa.com/en-us/clients/regulations]] ††† | | [[https://orioncertification.com|Orion Registrar, Inc.]] | [[https://orioncertification.com/about-us/appeals-complaints/]] †† | | [[https://www.pjr.com|Perry Johnson Registrars, Inc.]] | [[https://www.pjr.com/registration-document-download]] †††† | | [[https://platinumregistration.com|Platinum Registration]] | [[https://platinumregistration.com/clients#DisputesandAppeals]] † | | [[https://qsr.com|Quality Systems Registrars]] | [[https://qsr.com/contact/feedback/]] | † Link from this page. \\ †† Requires the client to have a password to access their “Appeals & Complaints” form. \\ ††† Click on “[[https://www.nqa.com/getmedia/d0a72b3d-b189-47e0-9e21-ceb025e8d903/2023-NQA_Registration_Regulations_A4.pdf|Regulations Relating to Registration]]”. At the time of this writing, their “Complaints” & “Appeal” process was described on page 4, § 37 – 50. \\ †††† After reading the “[[https://www.pjr.com/downloads/PRO-10.pdf|Dispute Procedure (PRO-10)]]”, the client must contact PJR to obtain their "F-217 Dispute Resolution Request Form”. However, the procedure is well-defined. ===== Diverging Opinions ===== Every certified company should be aware of the following requirements that ISO 17021-1 imposes on the CBs & their auditors:
ISO 17021-1:2015, sec. 9.4.5.4 \\ //The audit team leader shall attempt to resolve any __diverging opinions__ between the audit team and the client concerning __audit evidence or findings, and unresolved points shall be recorded__.// \\ AND \\ ISO 17021-1:2015, sec. 9.4.7.3 \\ The client shall be given opportunity for questions. And diverging opinions regarding the audit findings or conclusions between the audit team and the client shall be discussed and resolved where possible. Any __diverging opinions__ that are not resolved __shall be recorded__ and referred to the certification body.
Prior to the end of the audit, inform the auditor of __any__ and __all__ nonconformities that you disagree with. In many cases, invalid nonconformities are due to a CB auditor: {{ :articles:arguing-7218071.png?direct&300|Source: https://pixabay.com/vectors/arguing-conflict-debate-different-7218071/}} * misunderstanding “how” the company complies with a requirement (e.g., a worker either misunderstood the question or didn’t provide a sufficient answer); * having a strong bias toward one specific way in which a requirement must be met (when other approaches comply with the standard as well); or * having a limited or incorrect interpretation of the standard (this is largely due to the many ambiguous/vague requirements contained in the standard). Ultimately, both auditors and auditees are //people//... who make mistakes. This can be exacerbated when the auditor and/or auditee use unfamiliar jargon/slang or do not share a common native language. The best way to avoid an invalid nonconformity is to always have the auditor show you the specific requirement in the standard AND explain their interpretation. If the auditor is steadfast in maintaining that an invalid nonconformity remains valid due to their "subjective" interpretation, then inform the auditor of your intent to appeal the nonconformance and why. This alone may prompt the auditor to withdraw any nonconformities that they're not confident in defending under scrutiny from the CB. This is especially true where the auditor has already had multiple appeals issued from clients against nonconformities that they've issued. **⇒ ⇒ ⇒ IMPORTANT ⇐ ⇐ ⇐** IF “diverging opinions” over the validity of a nonconformity cannot be resolved during the audit, then you should ask the auditor to record this in the audit report. If the auditor refuses to do this, then immediately following the audit, contact the CB and issue a complaint stating: \\ \\ //During our audit which took place on [date(s)], there were diverging opinions regarding nonconformity number [number] that were not resolved. While we requested that the auditor record these diverging opinions (in accordance with ISO 17021-1:2015, sec. 9.4.5.4 and sec. 9.4.7.3) in the audit report, the auditor failed to do so. \\ \\ Please record this as a complaint against [auditor's name] for failing to comply with ISO 17021-1:2015, sec. 9.4.5.4 and sec. 9.4.7.3.// \\ Upon completing the complaint, submit it in writing (e.g., via e-mail) to the CB (preferably within a day or two following the audit). The above is important because this is the first step in preparing your appeal. I've seen a couple of auditors "dare" the client to appeal a nonconformity... claiming that if that happens, then the Accreditation Body (AB) will accompany the next auditor during their next audit - and there will be no "leniency". In one case, I witnessed a client "call" the auditor's bluff and appealed the nonconformity. The nonconformity was overturned by the CB and the auditor was "counseled" regarding his "threatening" behavior toward clients. The auditor quickly changed his approach. Where an auditor demonstrates an unacceptable lack of professionalism and/or a consistent bias toward invalid or extremist interpretations, you should issue a complaint AND the CB should allow you to “refuse” scheduling that auditor for future audit activities. ===== Preparing & Submitting an "Appeal" ===== After the audit, issue a written "Appeal" to the CB with any objective evidence supporting your position. This should be prepared as soon as possible following the audit (e.g., within a week). Using ISO 9001:2015 & AS9100:2016 as examples, most invalid nonconformities involve requirements that __do not__ require any associated records or other documentation. So, there may not be any objective evidence supporting either position (Remember that ISO 17021-1, sec. 9.4.5.3 states: "//A finding of nonconformity shall be recorded against a specific requirement, and shall contain a clear statement of the nonconformity, __identifying in detail the objective evidence on which the nonconformity is based__.//"). So, in these situations, the only "objective evidence" would be interviews recorded in the audit report. Begin your "appeal" by identifying the audit report number, the date on which the audit report was issued, and the specific Nonconformity number(s). Then state:
"Contrary to ISO 17021-1:2015, section 9.4.8.2k", the nonconformity was __not__ "consistent with the requirements of" ISO 9001:2015, sec. x.x."
The below example depicts how an appeal might be issued against an invalid ISO 9001:2015 or AS9100:2016 nonconformity relating to section 6.1.2: **Nonconformity:** \\ 6.1.2 \\ The organization failed to demonstrate how it plans: \\ a. actions to address these risks and opportunities; \\ b. how to: \\ 1. integrate and implement the actions into its quality management system processes (see 4.4); \\ 2. evaluate the effectiveness of these actions. \\ \\ **Objective evidence:** \\ The organization has not retained documentation (e.g., risk matrices, FMEAs), or any other evidence of how it plans actions to address risks and opportunities. \\ \\ **Customer Response:** \\ Contrary to ISO 17021-1:2015, section 9.4.8.2k, the above nonconformity was __not__ “consistent with the requirements of” ISO 9001:2015, sec. 6.1.2. This section does __not__ require that planned "actions to address... risks and opportunities" be documented. This is supported by the "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" which states: "//ISO 9001:2015 does __not__ require an organization to provide documented information as evidence of determining risk or opportunities. Annex A.4 of ISO 9001:2015 states: ...the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.//" Evidence of our compliance is contained throughout our quality management system (e.g., documented procedures/Work Instructions, Drawings, Training), every aspect of which was designed to address risks and opportunities. And in our management review meeting minutes (attached), where we evaluate "the effectiveness of actions taken to address risks and opportunities" (as per ISO 9001, sec. 9.3.2e). This objective evidence demonstrates that, while "//actions to address these risks and opportunities//" are not documented in risk matrices, FMEAs, etc., we do "integrate and implement the actions" into our quality management system processes through our Quality Manual, Procedures, Work Instructions, Work Travelers/Routers, training, etc.; satisfying the requirements of ISO 9001:2015. Be aware that the "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" referenced above contains __NON-binding__ opinions rather than official, binding interpretations. So while it can be referenced to support your interpretation, it can also be ignored by the CB. Now let's look at an example of a nonconformity where an Auditor neglected to notice that "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" is NON-binding. **Nonconformity:** \\ 9.2.1 \\ The organization failed to conduct perform process-based audits in accordance with ISO 19011. \\ \\ **Objective evidence:** \\ Contrary to ISO 19011, Internal Audit Reports indicate that "clause-based" internal audits are performed rather than "process-based" internal audits. \\ **Customer Response:** \\ Contrary to ISO 17021-1:2015, section 9.4.8.2k, the above nonconformity was __not__ “consistent with the requirements of” ISO 9001:2015, sec. 6.1.2. This section does __not__ require that internal audits be "process-based". The auditor likely obtained this interpretation from the "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]". While requests for “official” ISO 9001:2015 Interpretations from US TC 176 - TG22 are submitted using a form titled “Interpretation Request Form”, the TAG 176 – SC2 - TG22 “Standard Operating Procedure” titled “US Guidance for handling requests for interpretation of the requirements of ISO 9001” clearly states in bold text: “//Since the US TAG to ISO TC176 (TAG) does not provide explanations of ISO 9001, responses provided under this procedure are opinions and are not to be offered as an official interpretation//.” Consequently, the "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" contains "non-binding" opinions rather than binding official interpretations of the standard. Further evidence that ISO 19011 is not an applicable requirement is contained in ISO 9001:2015, "ANNEX B – OTHER INTERNATIONAL STANDARDS ON QUALITY MANAGEMENT AND QUALITY MANAGEMENT SYSTEMS DEVELOPED BY ISO/TC 176 (INFORMATIVE)". The last sentence of the first paragraph in this annex states: "//Guidance or requirements contained in the documents listed in this annex do not add to, or modify, the requirements of this International Standard.//" The last standard listed in that section is ISO 19011. In addition, ISO 19011, "Guidelines for auditing management systems" is a guidance document containing NO requirements. Evidence of our compliance with ISO 9001:2015, sec. 9.2.1 is contained throughout our internal audit reports (several examples attached). Each internal audit contains "information on whether the quality management system is __effectively__ implemented and maintained". This is demonstrated through the internal audit reports indicating whether each area assessed is in compliance with the requirements of our quality management system; satisfying the requirements of ISO 9001:2015. And another example depicts how an appeal might be issued against an invalid ISO 9001:2015 or AS9100:2016 nonconformity relating to section 10.2.1: **Nonconformity:** \\ 10.2.1b2 \\ The organization failed to determine "the causes of the nonconformity". \\ **Objective evidence:** \\ Reviewed five CAR’s and found there was no root cause documented in any of them. **Customer Response:** \\ Contrary to ISO 17021-1:2015, section 9.4.8.2k, the above nonconformity was __not__ “consistent with the requirements of” ISO 9001:2015, sec. 10.2.1. This section does __not__ require "the causes of the nonconformity" (i.e., root cause) to be documented. This is confirmed in the "ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015". ISO 9001:2015, sec. 10.2.2 requires the organization to: ...retain documented information as evidence of: \\ a. the nature of the nonconformities and any subsequent actions taken; \\ b. the results of any corrective action. Compliance with those requirements was verified by the auditor. Copies of CARs reviewed by the auditor are attached as objective evidence. Ultimately, the success of your appeal will depend heavily on how compelling your argument and supporting objective evidence is in comparison to that provided in the audit report. Depending on the CB, it is possible that the auditor who issued the nonconformity may not be contacted or involved in the appeal process. While this article was written with the assumption that an invalid nonconformity was issued, considering that many ISO 9001 Quality Managers receive little or no training in quality or ISO 9001, it is quite possible that the auditor may have been correct in their interpretation. If this was the case, then learn from the experience. However, if your appeal is deemed valid by the CB, it's generally a good idea to inform the CB that you do NOT want that auditor to participate in future audits at your site. While many auditors are contractors, working for multiple Certification Bodies, all CBs have "Technical Reviewers" who "review" the audit reports prior to issuance. Each CB has its own "culture"; where invalid nonconformities are either tolerated or not. If the CB continues to utilize auditors who issue invalid nonconformities, then seek out a different registrar. ===== Non-Responsiveness of the CB ===== Most CBs will respond in a timely fashion. However, some do not. If you're an AS9100 certified company, then after submitting your appeal, also notify the "Aerospace Director" or equivalent) directly. If the CB is non-responsive, then login to the IAQG OASIS database and generate a "Feedback" directed toward the CB. If there is still no response (and prior to the 60-day deadline for resolving the nonconformity), then login to the IAQG OASIS database and generate a detailed "Feedback" directed toward the AB (Accreditation Body). Ensure that the "Feedback" includes a complete timeline with events, dates, and identities of those who were contacted. Sharing this information with the AB ensures that the Accreditation Body is aware of the full details concerning how the CB handled your appeal. {{page>wiki:pathforward}}