Audit findings: How to write nonconformities


This article covers some useful examples of how to write clear, objective nonconformities during an internal audit or supplier audit.  

Auditing expert Peter Sebelius walks through real-world audit scenarios, demonstrating how to reference requirements correctly and avoid common pitfalls—such as making assumptions or drawing subjective conclusions.  

The video above is a sneak peek of Peter’s online course on ISO 13485 Internal Auditing, where you can find even more practical tips and hands-on training for conducting effective audits.

What is a nonconformity?

It is very important that audits are objective, which means that the audit evidence must be evaluated objectively against the audit criteria to determine if the auditee conforms to the requirements (conformity) or does not conform (nonconformity). 

So, simply put: a conformity is the fulfilment of a requirement, whereas a nonconformity is the nonfulfilment of a requirement.

The difference between conformity and compliance

If the audit criteria for the audit are selected from statutory and regulatory requirements, the audit findings should be referred to as compliance or non-compliance.  

When referring to standards, the auditee is either conforming or nonconforming. However, the Medical Device Regulation and the In-Vitro Diagnostic Medical Device Regulation are examples of statutory and regulatory requirements, and in these cases the terms compliance or non-compliance should be used.

What to keep in mind when collecting audit evidence and compiling audit findings

The auditor should always maintain objectivity and refrain from jumping to conclusions. If there is no objective evidence that the auditee is not conforming to the audit criteria, a nonconformity should not be written.


The auditor’s job is to collect sufficient audit evidence to be able to determine if the auditee is conforming or not. The auditor should not have any personal opinions on how the auditee runs its organisation, nor should he or she guess or assume anything. 

One sure way of ensuring that the auditor does not become subjective is to follow the method for writing nonconformities that is described in the examples below.

Nonconformity examples: Writing nonconformities to 5.2 in ISO 13485

The 5.2 requirement states:

Top management shall ensure that customer requirements and applicable regulatory requirements are determined and met.

The auditing scenario

During the audit, let’s say that the auditor learns that the auditee is developing software that will process personal data for EU customers. The management representative confirms that they have not considered the General Data Protection Regulation (GDPR for short), which applies in this case. This means that the applicable regulatory requirements have not been determined.

How to write the nonconformity

When writing the nonconformity, use the following steps:  

  1. use the requirement text,
  2. remove any unnecessary text, including the section number, and
  3. negate the sentence.  

Applying these steps to the situation above will result in the following nonconformity: 

Top management has not ensured that customer requirements and applicable regulatory requirements are determined and met.

The only information that the auditor has at this time is that the auditee has not considered the GDPR. So, anything else in the requirement should be removed.  

What about ensuring GDPR requirements have been met? Could, or even should, the nonconformity include this requirement too? At this time, there is no evidence to show that the auditee did not meet GDPR requirements. It is, of course, unlikely, but the auditee might, for example, have implemented more rigorous data protection procedures that meet or exceed GDPR requirements without having determined that the GDPR applies.

Thus, the only thing that should be kept in the description of the nonconformity is that the auditee has not ensured that the applicable regulatory requirements have been determined.  

This goes back to not jumping to conclusions. The final description of the nonconformity is:  

Top management has not ensured that applicable regulatory requirements are determined.

No more, no less than that.

Nonconformity examples: Writing nonconformities to 5.3 in ISO 13485

Section 5.3 is also about management responsibility and includes items a) through e), but this example will focus on d), which reads:

Top management shall ensure that the quality policy:… d) is communicated and understood within the organization;

The auditing scenario

During the audit, the auditor asks a few people in the organisation what the quality policy means to them, and they say that they don’t understand it.  

When the quality policy is shown to them, staff member C says that it is only applicable to the quality department. So, the auditor can conclude that the quality policy is not understood within the organisation.

How to write the nonconformity

Again, the section number will be removed and the sentence negated by replacing shall with has not. At this time, the auditor does not know if management has communicated the quality policy or not so “communicated and” should be removed. This results in the following nonconformity:  

Top management has not ensured that the quality policy is understood within the organization.

The important thing is to not expand the nonconformity to comprise more aspects than there is evidence for. Remember, just because the staff doesn’t understand, it doesn’t mean it wasn’t communicated.

Nonconformity examples: Writing nonconformities to 4.2.5 in ISO 13485

The next example is from section 4.2.5 and relates to records. The requirement reads:

4.2.5 … Records shall remain legible, readily identifiable and retrievable.

The auditing scenario

During the audit, the auditor notices that the thermally printed cleaning record from dishwasher EQ002 from the 4th of May 2019 has faded and that the last three rows cannot be read.

How to write the nonconformity

As always, start with the requirement, remove the section number and any irrelevant words, and add “have not”. This results in the nonconformity:

Records have not remained legible.

Writing conformities

If the auditor is required to document conformities as well, the same approach can be applied, usually with the addition of some evidence. If we assume that the situation above with the faded cleaning record had been copied to a paper where the text remained legible, the conformity could read: 

When examining the cleaning record for the EQ002 dishwasher from the 4th of May 2019, records were found to remain legible, identifiable, and retrievable.

Basically, the conformity is made up of the conformity description together with audit evidence.

Final words on writing nonconformities

Sticking to this way of writing nonconformities is key to getting it right. When a different approach to writing nonconformities is applied, it is likely that the nonconformity can be seen as subjective.  

For more nonconformity examples like these, and hands-on training on how to practically conduct an audit, take a look at the ISO 13485 Internal Auditor Training course.

Would you like to know more about internal auditing?

Develop the necessary skills to conduct 1st and 2nd party audits according to ISO 13485 in Peter Sebelius’ online Internal Auditor Training course.

In this course, auditors and anyone on the receiving end of an audit will get a walkthrough of the audit process, from opening meeting to preparing the audit report. The second part of the course teaches course participants to interpret the requirements of the ISO 13485 standard.


Peter Sebelius

Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.

He has vast ‘hands on’ experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.
