How to Appeal a Non-conformance

A MAJOR problem with every Management System Standard published by ISO (e.g., ISO 9001:2015, ISO 14001:2015) and, by extension, AS 9100:2016, is the proliferation of ambiguous/nebulous/vague requirements that promote subjective interpretation and inconsistent application.

Consequently, when encountering these ambiguous/nebulous/vague requirements, some auditors will adopt their own subjective, and therefore arguable, interpretation of the “intent” behind the requirement. This often happens because it's beyond the comprehension of an experienced Quality Professional, and well-trained auditor, that the standard would have ignored (or left out) several “key” concepts essential to requirements for the effective implementation of a basic Quality Management System (QMS). Struggling to make sense of this, many auditors will attempt to “fill in the gaps”… “imagining” requirements that don't actually exist.

When auditors issue nonconformities to organizations for not meeting (their interpretation of) the “intent”, rather than the “actual” (verbatim) requirement, they’ve violated ISO 17021-1:2015, “Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements”. This document contains some important requirements that the registrars/Certification Bodies (CBs) must comply with.

When encountering an auditor who is intent upon issuing a nonconformity for your organization violating (their interpretation of) the “intent” of a requirement, rather than the actual requirement, be aware that the registrar (and auditor) must comply with the following requirements of ISO 17021-1:2015:

9.4.5.3 A finding of nonconformity shall be recorded against a specific requirement, and shall contain a clear statement of the nonconformity, identifying in detail the objective evidence on which the nonconformity is based. Nonconformities shall be discussed with the client to ensure that the evidence is accurate and that the nonconformities are understood. The auditor however shall refrain from suggesting the cause of the nonconformities or their solution.

9.4.5.4 The audit team leader shall attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings, and unresolved points shall be recorded.

9.4.8.2 The audit team leader shall ensure that the audit report is prepared and shall be responsible for its content. The audit report shall provide an accurate, concise and clear record of the audit to enable an informed certification decision to be made and shall include or refer to the following:
k) audit findings (see 9.4.5), reference to evidence and conclusions, consistent with the requirements of the type of audit;

Unfortunately, some AS 9100 CBs may actually be promoting the issuance of invalid nonconformities. While I have no first-hand knowledge of this, I've “heard” that at least two major CBs are charging a fee for each NC issued… a portion of which is then paid to the auditor for follow-up and closure of those NCs. In effect, these CBs have issued a “bounty” to incentivize auditors to issue invalid or questionable NCs. Going a step further, another major CB has established a “quota” for each auditor to issue at least 1 nonconformity per audit day. The source of this is “likely” AS9104/3:2007, "Requirements for Aerospace Auditor Competency and Training Courses", sec. 8.2.1a. The section reads:

8.2 Auditor Performance Criteria and Parameters
8.2.1 Performance monitoring shall address, at a minimum, the following mandatory criteria:
a. nonconformities per audit day;
b. upheld complaints;
c. upheld client nonconformity appeals; and
d. oversight/witness findings.

While AS9104/3 obviously doesn't mandate auditors to issue 1 nonconformity per audit day, the CB in question appears to have mistakenly interpreted the requirement that way.

Preparing for an Appeal

Every accredited CB is required to have an appeals process (as specified in ISO 17021-1:2015, section 9.7, “Appeals”). However, they’re not required to post their appeals process on their web site or make it easy to find. You may need to phone or e-mail your CB to appeal an invalid nonconformity.

ISO 17021-1:2015 states:

9.7.4 The appeals-handling process shall include at least the following elements and methods:
a) an outline of the process for receiving, validating and investigating the appeal, and for deciding what actions need to be taken in response to it, taking into account the results of previous similar appeals;
b) tracking and recording appeals, including actions undertaken to resolve them;
c) ensuring that any appropriate correction and corrective action are taken.

During the Audit

Prior to the end of the audit, inform the auditor of any and all nonconformities that you disagree with (Ref. ISO 17021-1, sec. 9.4.5.4). In many cases, these issues can be resolved (and were often due to a misunderstanding on the part of the auditor).

If the auditor is steadfast in maintaining that an invalid nonconformity remains valid due to their “subjective” interpretation, then inform the auditor of your intent to appeal the nonconformance and why. This alone may prompt the auditor to withdraw any nonconformities that they're not confident in defending under scrutiny from the CB. This is especially true where the auditor has already had multiple appeals issued from clients against nonconformities that they've issued.

Clearly, the best and easiest way to win an appeal is to have the invalid nonconformity withdrawn by the auditor prior to the report being issued.

However, if the auditor insists upon issuing the invalid nonconformity, prior to issuance of the audit report, it will be most beneficial for you to ensure that, pursuant to ISO 17021-1, sec. 9.4.5.4, the disputed nonconformities are “recorded” in the audit report as “unresolved points”.

I've seen a couple of auditors “dare” the client to appeal a nonconformity… claiming that if that happens, then the Accreditation Body (AB) will accompany the next auditor during their next audit - and there will be no “leniency”. In one case, I witnessed a client “call” the auditor's bluff and appeal the nonconformity. The nonconformity was overturned by the CB and the auditor was “counseled” regarding their “threatening” behavior toward clients. The auditor quickly changed their approach.

Submitting an "Appeal"

After the audit, issue a written “Appeal” to the CB with any objective evidence supporting your position.

Using ISO 9001:2015 & AS9100:2016 as examples, most invalid nonconformities involve requirements that do not require any associated records or other documentation. So, there may not be any objective evidence supporting either position (Remember that ISO 17021-1, sec. 9.4.5.3 states: “A finding of nonconformity shall be recorded against a specific requirement, and shall contain a clear statement of the nonconformity, identifying in detail the objective evidence on which the nonconformity is based.”). So, in these situations, the only “objective evidence” would be interviews recorded in the audit report.

Begin your “appeal” by identifying the audit report number, the date on which the audit report was issued, and the specific Nonconformity number(s). Then state:

“Contrary to ISO 17021-1:2015, section 9.4.8.2k, the nonconformity was not ‘consistent with the requirements of’ ISO 9001:2015, sec. x.x.”

The below example depicts how an appeal might be issued against an invalid ISO 9001:2015 or AS9100:2016 nonconformity relating to section 6.1.2:

Nonconformity:
6.1.2 The organization failed to demonstrate how it plans:
a. actions to address these risks and opportunities;
b. how to:
1. integrate and implement the actions into its quality management system processes (see 4.4);
2. evaluate the effectiveness of these actions.

Objective evidence:
The organization has not retained documentation (e.g., risk matrices, FMEAs), or any other evidence of how it plans actions to address risks and opportunities.

Customer Response:
Contrary to ISO 17021-1:2015, section 9.4.8.2k, the above nonconformity was not “consistent with the requirements of” ISO 9001:2015, sec. 6.1.2. This section does not require that planned “actions to address… risks and opportunities” be documented. This is supported by the “US TC 176 - TG22 - Interpretations” which states: “ISO 9001:2015 does not require an organization to provide documented information as evidence of determining risk or opportunities. Annex A.4 of ISO 9001:2015 states: …the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.”

Evidence of our compliance is contained throughout our quality management system (e.g., documented procedures/Work Instructions, Drawings, Training), every aspect of which was designed to address risks and opportunities, and in our management review meeting minutes (attached), where we evaluate “the effectiveness of actions taken to address risks and opportunities” (as per ISO 9001, sec. 9.3.2e). This objective evidence demonstrates that, while planning is undocumented, it is taking place, satisfying the requirements of ISO 9001:2015.

Be aware that the “US TC 176 - TG22 - Interpretations” referenced above contains NON-binding opinions rather than official, binding interpretations. So while it can be referenced to support your interpretation, it can also be ignored by the CB. Now let's look at an example of a nonconformity where an Auditor neglected to notice that “US TC 176 - TG22 - Interpretations” is NON-binding.

Nonconformity:
9.2.1 The organization failed to conduct process-based audits in accordance with ISO 19011.

Objective evidence:
Contrary to ISO 19011, Internal Audit Reports indicate that “clause-based” internal audits are performed rather than “process-based” internal audits.

Customer Response:
Contrary to ISO 17021-1:2015, section 9.4.8.2k, the above nonconformity was not “consistent with the requirements of” ISO 9001:2015, sec. 6.1.2. This section does not require that internal audits be “process-based”. The auditor likely obtained this interpretation from the “US TC 176 - TG22 - Interpretations”.

While requests for “official” ISO 9001:2015 Interpretations from US TC 176 - TG22 are submitted using a form titled “Interpretation Request Form”, the TAG 176 – SC2 - TG22 “Standard Operating Procedure” titled “US Guidance for handling requests for interpretation of the requirements of ISO 9001” clearly states in bold text: “Since the US TAG to ISO TC176 (TAG) does not provide explanations of ISO 9001, responses provided under this procedure are opinions and are not to be offered as an official interpretation.”

Consequently, the “US TC 176 - TG22 - Interpretations” contains “non-binding” opinions rather than binding official interpretations of the standard.

Further evidence that ISO 19011 is not an applicable requirement is contained in “ANNEX B – OTHER INTERNATIONAL STANDARDS ON QUALITY MANAGEMENT AND QUALITY MANAGEMENT SYSTEMS DEVELOPED BY ISO/TC 176 (INFORMATIVE)”. The last sentence of the first paragraph in this annex states: “Guidance or requirements contained in the documents listed in this annex do not add to, or modify, the requirements of this International Standard.” The last standard listed in that section is ISO 19011.

Evidence of our compliance is contained throughout our internal audit reports (several examples attached). Each internal audit contains “information on whether the quality management system is effectively implemented and maintained”. This is demonstrated through the internal audit reports indicating whether each area assessed is in compliance with the requirements of our quality management system; satisfying the requirements of ISO 9001:2015.

And another example depicts how an appeal might be issued against an invalid ISO 9001:2015 or AS9100:2016 nonconformity relating to section 10.2.1:

Nonconformity:
10.2.1b2
The organization failed to determine “the causes of the nonconformity”.

Objective evidence:
Reviewed five CARs and found there was no root cause documented in any of them.

Customer Response:
Contrary to ISO 17021-1:2015, section 9.4.8.2k, the above nonconformity was not “consistent with the requirements of” ISO 9001:2015, sec. 10.2.1. This section does not require “the causes of the nonconformity” (i.e., root cause) to be documented. This is confirmed in the “ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015”.

ISO 9001:2015, sec. 10.2.2 requires the organization to: …retain documented information as evidence of:
a. the nature of the nonconformities and any subsequent actions taken;
b. the results of any corrective action.

Compliance with those requirements was verified by the auditor. Copies of CARs reviewed by the auditor are attached as objective evidence.

Ultimately, the success of your appeal will depend heavily on how compelling your argument and supporting objective evidence are in comparison to that provided in the audit report. The auditor who issued the nonconformity is rarely contacted or involved in the appeal process.

While this article was written with the assumption that an invalid nonconformity was issued, considering that many ISO 9001 Quality Managers receive little or no training in quality or ISO 9001, it is quite possible that the auditor may have been correct in their interpretation. If this was the case, then learn from the experience.

However, if your appeal is deemed valid by the CB, it's generally a good idea to inform the CB that you do NOT want that auditor to participate in future audits at your site. While many auditors are contractors, working for multiple Certification Bodies, all CBs have “Technical Reviewers” who “review” the audit reports prior to issuance. Each CB has its own “culture”; where invalid nonconformities are either tolerated or not. If the CB continues to utilize auditors who issue invalid nonconformities, then seek out a different registrar.

Non-Responsiveness of the Registrar

Most registrars will respond in a timely fashion. However, some do not. If you're an AS9100 registered company, then after submitting your appeal, also notify the “Aerospace Director” (or equivalent) directly. If the registrar is non-responsive, then log in to the IAQG OASIS database and generate a “Feedback” directed toward the CB (Certification Body). If there is still no response (and prior to the 60-day deadline for resolving the nonconformity), then log in to the IAQG OASIS database and generate a detailed “Feedback” directed toward the AB (Accreditation Body). Ensure that the “Feedback” includes a complete timeline with events, dates, and identities of those who were contacted. Sharing this information with the AB ensures that the Accreditation Body is aware of the full details concerning how the registrar handled your appeal.