ITT-SYS03-ALL-01 RINA Rev. 8 · 2019-05-31 · RINA MANAGEMENT SYSTEM AUDIT PERFORMANCE TECHNIQUES ITT-SYS03-ALL-01 Rev. 8 Page 2/33 1 INTRODUCTION The purpose of this document is

RINA

MANAGEMENT SYSTEM AUDIT PERFORMANCE TECHNIQUES

ITT-SYS03-ALL-01

Rev. 8

Page 1/33

TABLE OF CONTENTS

1 INTRODUCTION .................................................................................................................................................... 2

2 PLANNING THE AUDIT .......................................................................................................................................... 2

3 OPENING MEETING .............................................................................................................................................. 2

3.1 Conducting the opening meeting.............................................................................................................. 2

3.2 Expected outcome of accredited certification .......................................................................................... 4

4 CONDUCTING THE AUDIT TO THE COMPANY PROCESSES / ACTIVITIES ............................................................... 4

5 COMPILING STAGE 1 AND STAGE 2 – SURVEILLANCE – RECERTIFICATION AUDIT REPORTS................................ 6

5.1 General information on audit reports ....................................................................................................... 6

5.2 Stage 1 audit report .................................................................................................................................. 7

5.3 Stage 2 – Surveillance – Recertification audit reports .............................................................................. 11

6 EXPRESSING FINDINGS IN AUDIT REPORTS .......................................................................................................... 17

6.1 DEFINITIONS .............................................................................................................................................. 17

6.2 EXPRESSING A FINDING ............................................................................................................................ 18

6.3 EXPRESSING "MA" and "mi" FINDINGS FOR THE EN9100 SCHEME .......................................................... 28

7 ACCEPTANCE OF AN ORGANISATION'S PROPOSALS ............................................................................................ 31

7.1 ANALYSIS OF CAUSES ................................................................................................................................ 31

7.2 CORRECTION (CORRECTION/LIMITATION ACTIONS) ................................................................................. 31

7.3 CORRECTIVE ACTION ................................................................................................................................. 31

8 EFFECTIVENESS OF CORRECTIONS AND CORRECTIVE ACTIONS ........................................................................... 32

9 AUDIT TEAM MEETING ......................................................................................................................................... 32

10 CLOSING MEETING ............................................................................................................................................... 33

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 2/33

1 INTRODUCTION

The purpose of this document is to contribute to the harmonisation of the general handling of audits, providing some suggestions about auditing techniques, taking into account optimisation of audit times and some auditor conduct-related aspects, in addition to the provisions of the certification instructions (IS-CRT-SYS-....).

This document also provides information for the preparation of audit reports for management system certification.

This document also takes into account the requirements of the ISO 17021:2015 standard, “Requirements for bodies providing audit and certification of management systems”.

2 PLANNING THE AUDIT

The ISO 17021 standard envisages that the initial certification audit is to be carried out in 2 stages (1st stage and 2nd stage).

“Stage 1” is of primary importance for getting to know the client’s organisation, checking the purpose of the certification and planning the “stage 2”.

A satisfactory initial preparation of the audit is essential, partly so as to gain awareness beforehand the overall state of the company conformity. In detail, rather than aspects of documental, procedural and organisational conformity, in an evaluation of company processes, it is necessary to re-examine the order of priority of the audit stages and consequently adapt and/or optimise the audit times.

Identification of the company processes is an important aspect. Inputs, outputs, responsibilities and resources and improvement targets should be defined for each process.

The auditors would also have to gather information, and be aware of the main laws and chief regulations applicable to the product/service included in the scope of certification.

Optimisation of the audit must commence with satisfactory planning of the visit, seeing to the time/man balance, minimizing downtime and/or duplications, without reducing the audit times to the detriment of the quality of the service provided. For example, if 3 man/days are envisaged, it is advisable to use a team of 2 auditors who operate for 1.5 days, rather than 3 auditors for just 1 day. In fact, with a team of 3 individuals, the audit times to be reserved to the opening and closing meetings, and anything else carried out in a collective form, are multiplied by three. These duplications are to the detriment of a genuine evaluation.

It is also appropriate that, especially during the first certification and recertification audits, and each time it is possible, the audit team is made up of at least two auditors, also to demonstrate to the company the maximum importance which RINA assigns to the event.

When assigning the tasks to the members of the audit team, it is necessary to be sure that the auditor qualified in the technical area relevant to the organisation activities is assigned the part of the audit relating to the production of the production/service.

It is also essential that, with regard to surveillance and recertification audits, the auditor is provided with a copy of the previous audit reports, from which information on the conformity of the company QMS can be gathered.

The auditor shall have to take steps to request the Program Reviewer to examine these documents, which must always be consulted even if, ultimately, at the certified organisation.

3 OPENING MEETING

3.1 CONDUCTING THE OPENING MEETING

The purpose of the opening meeting, which is organised with the client’s management and, where appropriate, with those responsible for the functions or processes to be audited, is to provide a short explanation on how the audit activities will be undertaken; the degree of detail shall be consistent with the familiarity of the client with the audit process.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 3/33

An organisation which is submitted to a third party audit for the first time (first certification) may need greater details on how the audit is carried out.

It is possible to write the names of the participants to the opening meeting in the appropriate space of the audit report.

The 17021:2015 standard envisages that, during the opening meeting, the following elements have to be dealt with:

a) introduction of the participants, including an outline of their roles; b) confirmation of the scope of the certification; c) confirmation of the audit plan (including type and scope of audits, objectives and criteria), any changes and

other relevant arrangements with the client, such as the date and the time for the closing meeting, interim meetings between the audit team and the client’s management;

d) confirmation of formal communication channels between the audit team and the client; e) confirmation that the resources and facilities needed by the audit team are available; f) confirmation of matters relating to confidentially; g) confirmation of relevant work safety, emergency and security procedures for the audit team; h) confirmation of the availability, roles and identities of any guides and observers; i) the method of reporting, including any grading of audit findings; j) information about the conditions under which the audit may be prematurely terminated; k) confirmation that the audit team leader and audit team representing the certification body is responsible for

the audit and shall be in control of executing the audit plan including audit activities and audit trials; l) confirmation of the status of findings of the previous review or audit, if applicable; m) methods and procedures to be used to conduct the audit based on sampling; n) confirmation of the language to be used during the audit; o) confirmation that, during the audit, the client will be kept informed of audit progress and any concerns; p) opportunity for the client to ask questions.

Furthermore:

The number of workers declared at the time of presentation of the Questionnaire has to be confirmed.

When a consultant is present, authorisation of his/her presence must be confirmed, but it must be recalled that the purpose of the audit is to ascertain the compliant application of the Management System to the entire organisation and the intervention of the consultant should be limited to the role of observer.

If any representatives of the Accreditation Body and/or RINA’s observers are present, they shall not influence or interfere with the audit process.

It is necessary to provide an indication of the presentation of RINA’s activities (maximum 5 minutes) during first certification audits and of the progress of these activities during periodic audits.

The Audit Plan, if necessary, must be amended (also manually), so as to: - make it more consistent with the company situation; - adapt it to the amendment requirements of the Organisation; - ensure that the checking of the production of the product/service is assigned to the auditor qualified in the technical area relevant to the organisation’s activities.

The representatives of the organisation shall have to be informed that during the audit, any situations may be found which may be classified as Major Non Conformities (Type “A” findings), Minor Non Conformities (Type ”B” findings), or improvement recommendations (Type C findings), explaining the difference, and that these will be illustrated in the audit report. Furthermore, adequate premises with an internet connection will have to be requested for the audit team meeting, so that it can prepare the audit report.

It will have to be explained that, in the event of an audit which envisages the execution of stage 2 immediately after stage 1 is completed, in the presence of any findings deemed critical, the stage 2 audit will have to be rescheduled and postponed to another date.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 4/33

On conclusion of the opening meeting, if not already proposed by company management, and if the location is not already known to the audit team, it is necessary to request a rapid visit to the factory/workshop/production premises, if applicable. This contributes to providing a message of practicability, always appreciated by the company, and at the same time makes it possible to be able to carry out a very effective initial evaluation, running through the entire production flow in a logical sequence. (In this connection, note that an extremely disorderly workplace may suggest a lack of control; vice versa, a very orderly one could reveal a “mask” prepared specifically for the audit. What is more, a glance at an archive could reveal interesting aspects for subsequent investigations).

3.2 EXPECTED OUTCOME OF ACCREDITED CERTIFICATION

It is necessary to remind the client that:

its clients and interested parties in general expect an organisation with a management system certified under accreditation to have a better performance than others, in terms of product quality or respect for the environment, even if we know that certification of a management system does not necessarily guarantee that 100% of products are compliant or that the system can prevent environmental accidents.

Therefore, an organisation which has invested resources to obtain accredited certification of its management system must, in any case, pursue these objectives to improve and obtain maximum return for its investments.

Even if these concepts have been highlighted by ISO and IAF through their communications related to ISO 9001 and ISO 14001, these concepts can be extended also to other management systems.

4 CONDUCTING THE AUDIT TO THE COMPANY PROCESSES / ACTIVITIES

The greatest amount of time possible must be dedicated to these activities, out of that available for the entire audit. This is the most important stage of the audit, during which the auditors must gather together the information which permits a calm and objective evaluation of the compliance of the organisation’s Management System.

Before auditing the various processes/activities of the organisation, it is advisable that the Audit Team reserves the necessary amount of time (usually a maximum of 0.5 hour) so as to get familiar with the documental structure of the Organisation, so as not to appear completely unaware before company management of that which the Organisation itself has set up, possibly with the aid of the head of the Company Management System. This makes it possible to avoid that the audit is carried out on a “freewheeling basis” later on and to loose time in disputes and explanations. The ISO 17021 standard envisages that these activities are carried out during the “Stage 1”.

At the start of the audit, it is necessary to present oneself to the interlocutors, greeting them and asking which are the tools used for governing the specific process/activity. One should avoid asking for a long description of the process/activity and running the risk of giving the impression to be unprepared with regard to the matter to be evaluated. (Care must be taken to provide proof, in any situation, of knowledge of the context being evaluated). By checking the tools used, it is possible to evaluate one’s involvement in the choice of these instruments.

The audits to the individual functions of the company organisation must be supported by the evaluation of the ability of the processes to obtain pre-established objectives, by means of analysing the flow of the activities relating to these processes and therefore it may be necessary to guide the audit following the route of an order and/or product line (e.g.: from supply to post-sales assistance) and - synchronising the methods for collating the registrations of the objective evidence of each activity in this sense, by all the members of the audit team - obtain consistent results. It is therefore extremely useful to ask the company for information about the stage of completion of the contracts/job orders (int./ext.) underway, so as to be able to choose the most complete path, in relation to the requisites of the Management System to be evaluated. (Following an investigation route not consistent with the lines of the evaluation must be avoided.)

At the beginning, a certain amount of time should be reserved so as to check (even rapidly) the process/activity control methods (documented information) and the notes previously written on the observation sheet.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 5/33

It should be necessary to verify how the certified organization uses RINA’s certification logo and the Accreditation Body’s logo, making sure they are correctly used according to the established rules.

During the audit, the Audit Team should: - ensure that the organisation has a method for identifying and reviewing all the applicable law s and regulations; - ensure that these laws and regulations are used as input for the processes; - ensure that the organisation is able to demonstrate compliance with the applicable laws and regulations.

The questions posed should be open in type (what – how – why – where – who – when) and always based on objective evidences. The compliance of the activities with the matters described in documental form must be evaluated, carrying out a retroactive investigation, with the aid of check-lists and the notes previously written on the observations sheet. (An interview consisting of yes/no – closed – answers or an investigation carried out with somewhat unclear and biased questions, without understanding what objectives have been set, will not lead very far).

The main input/output aspects, the related objective evidence and its evaluation shousl be recorded on the observation sheet and/or on any specific checklist relevant to any scheme and/or technical area, which, together with the audit report constitute the audit documentation. With regard to the notes, the downtime due to the search for the objective evidence requested, by the company contact person, can be used.

The evaluation should be carried out on the basis of the objective evidences provided. The seriousness of a check should be evaluated with regard to the association of the deficiencies, consequent to the types of investigations, such as: - whether the governance (control) document of the process/activity exists; - whether the governance document is compliant; - whether the governance document is correctly applied; - whether the registrations envisaged are available. Actually, in the various situations, it should always be necessary to consider the seriousness of the checks, recording any lack of documents in the presence of activities carried out effectively and vice versa. Furthermore, an evaluation should also consider any risks of non-conformities associated with the level of awareness (knowledge plus motivation) of the company contact person. (Purely technical compliance may conceal serious risks of non-conformities, if not associated with an adequate level of awareness of the personnel concerned). Until it is assessed as a non-conformity, any registered information remains simply an observation. Non-conformities must be supported by easy-to-trace objective evidences, otherwise they can only be classified as observations).

A disagreement may occur between the auditor and the organisation audited in the event that a process, or an activity is not supported by documented information. In this event, the auditor should request information to the persons who are involved in the activity/process and observe the methods for executing the activity/process so as to assess the effective need for a documented procedure/instruction.

Representative samples, adequate to the company’s size and complexity, will have to be used, and the evaluation will have to take place using a systemic and non-point approach (by quality control, where each deficiency leads to a non-conformity) increasing, if necessary, the number of samples to be checked. (It is important to determine with certainty whether the situation detected is due to an effective lack in the system or to an oversight or the non-accurate application of a procedure/instruction. Registration of the first non-conformities should not be hurried, and neither should it be deemed that by means of this act the task of the auditor has been fulfilled, without having a complete view of the state of the Organisation’s compliance).

In the event that a company with a Management System which has already been certified, due to the lack of contracts/job orders, presents a situation which essentially stops production activities, although temporarily, the audit inspection may be performed, if representative samples for the simulated execution of the

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 6/33

processes/activities being evaluated are available. This situation must be noted on the last sheet of the audit inspection report and must be reviewed at the time of notification and/or execution of the subsequent audit inspection, possibly taking into consideration a suspension proposal in the event this situation persists.

At times, the facts - as seen by the auditor - may be challenged. In such cases, it is necessary to discuss with the contact individuals and try to understand the problem and smooth out any discrepancies. In this connection, it must be recalled in the evaluation that any non-compliant situations may arise in relation to either the requisites of the standard or the company requisites (documented information). Furthermore, faced with a finding, it is always advisable to ask oneself first “which paragraph (requirement) of the standard has been disregarded”, also so as to correctly assign any non-conformity.

5 COMPILING STAGE 1 AND STAGE 2 – SURVEILLANCE – RECERTIFICATION AUDIT REPORTS

The following paragraphs are a practical guide for preparing "stage 1" and "stage 2", surveillance and recertification audit reports on Management Systems, as required by UNI EN ISO/IEC 17021:2015.

5.1 GENERAL INFORMATION ON AUDIT REPORTS

The audit report is a fundamental aspect of the audit activity.

The purpose of the audit report is to provide objective evidence of the verifications performed on an organisation's application of the Management system, as indicated in paragraph 9 of UNI CEI EN ISO/IEC 17021:2015, to transmit the audit conclusions to the client and to provide sufficient elements and information to the person who must decide on whether an organisation may be certified in order to enable them to make the decision.

The UNI CEI EN ISO/IEC 17021:2015 standard transposes many of the indications contained in the ISO 19011 standard relevant to the drawing up of the audit report, thus transforming them into "requirements".

The ISO/IEC TS 17022:2012 standard provides elements to draw up the third party audit report and even if it's a "guide", and therefore not mandatory, it has been taken into account for the drafting of our audit reports.

The audit report must, in any case, constitute added value to the audit activities and must therefore be usable by organisations subject to audit to improve their management system. The audit report (stage 1 and stage 2) is expected to include, as objective evidence of the verifications performed for each process, a description of what was examined by the auditing team and the relative results (ISO/IEC 17021:2015 — 9.4.5 and 9.4.8).

For this purpose, the contents of the audit report should be identified while performing the "on-site" audit.

The UNI CEI EN ISO/IEC 17021:2015 standard foresees, moreover, that the report may supply opportunities for Management System improvement.

Indications are given below on how to compile reports in order to meet the requirements of the reference standards and indicate the points verified and the audit results but which can, above all, give added value to audit activities and can thus be more useful to the organisations under audit as regards improving their Quality Management Systems.

All the fields of the audit report must be filled in; if necessary specify that they are not applicable.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 7/33

5.2 STAGE 1 AUDIT REPORT

a – The audit report automatically displays the organization’s data (name, address, all sites to be shown on the certificate, activities, IAF sector,...), which was entered by the secretariat staff but which should be checked. If any data is missing or incomplete, it will be necessary to contact the secretariat staff of the competent RINA office.

For some standards (e.g. ISO 9001 and related standards) it is necessary to specify the requirements that the Organization declared it cannot apply and specify the reason for the acceptance of non applicability of the same (e.g. The audit team verified and accepted non application of the requirements as per p. 8.3 of the ISO 9001:2015 standard, because the company only manufactures products according to the customer’s design and has no specific technical structure).

Check the actual duration of the on-site audit expressed in man/days.

b – COMPANY REPRESENTATIVES - POSITION Enter the name and position of each interviewed person. In this field it is also necessary to specify the persons who took part in the initial and closing meetings.

a

b

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 8/33

c – ORGANIZATION’S MANAGEMENT SYSTEM DOCUMENTED INFORMATION UNDER EXAMINATION

It is necessary to record at least the documented information that, according to the reference standard, must be maintained and any documented information that is deemed to be meaningful for the audit.

d – ANY OBSERVATIONS

Write a summary of any observations raised during the stage 1 audit specifying if the observation is "critical", meaning that it may be an ostacle to certification if not solved before the stage 2 audit.

e – SPECIFIC INFORMATION RELATED TO THE SCHEME (OPTIONAL)

Enter any additional information foreseen by the specific scheme requirements.

Applicabilities of the field (e):

ISO50001 The audit team must record the following information about:

- confirmation of the specific ISO 50001 information described in the IQ, in particular: o number of EnMS effective personnel, o number of energy sources, o number of significant energy uses and o annual energy consumption,

in order to confirm the Stage 2 audit duration.

c

d

e

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 9/33

ISO 9001:2015

It is necessary to record a judgement about the key elements of the ISO 9001:2015 rule (context, interested parties, risk analisys)

ISO 14001:2015

It is necessary to record a judgement about the key elements of the ISO 14001:2015 rule (context, interested parties, risk analisys)

ISO 37001:2016

Insert detailed information relevant to: the scope of the anti-bribery management system Details regarding activities at risk; Mapping of subjects involved in risky activities Corporate reports Specific legaI references; Specific information on training conducted

f

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 10/33

f – Most of the fields foresee close-ended questions to which the audit team shall reply, With regards to the field "In the audit team’s judgement, was suitable information collected about the management system scope...", it is necessary to record the information collected on the Observation Sheets.

Fill in the space INFORMATION AND ADDITIONAL REMARKS with additional information such as: production with several shifts, possible justification of the decision that not all shifts will be audited (for those schemes that foresee this possibility in the related specific requirements, like for example ISO9001 and ISO14001), presence of observators, membership of the organization to national or international groups, etc...

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 11/33

5.3 STAGE 2 – SURVEILLANCE – RECERTIFICATION AUDIT REPORTS

a - The audit report automatically displays the organization’s data (name, address, all sites to be shown on the certificate, activities, IAF sector,...), which was entered by the secretariat staff but which should be checked. If any data is missing or incomplete, it will be necessary to contact the secretariat staff of the competent RINA office. For some standards (e.g. ISO 9001 and related standards) it is necessary to specify the requirements that the Organization declared it cannot apply and specify the reason for the acceptance of non applicability of the same (e.g. The audit team verified and accepted non application of the requirements as per p. 8.3 of the ISO 9001:2015 standard, because the company only manufactures products according to the customer’s design and has no specific technical structure). Check the actual duration of the on-site audit expressed in man/days. If applicable, specify the reasons for any extension (scope, site, ...).

b – COMPANY REPRESENTATIVES - POSITION Enter the name and position of each interviewed person. In this field it is also necessary to specify the persons who took part in the initial and closing meetings.

a

b

b

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 12/33

c – ORGANIZATION’S REFERENCE DOCUMENTS

It is necessary to record at least the documented information that, according to the reference standard, must be maintained and any documented information that is deemed to be meaningful for the audit.

d – CHANGES WITH RESPECT TO PREVIOUS AUDIT

It is necessary to state whether the data is unchanged or, if any changes occurred, if they are compliant or non compliant and a comment in the notes (e.g. Organizational structure modified as per organization chart revised on...).

e – It is necessary to state whether the Organization has taken charge of the findings (A, B or C type) written in the previous audit report and to enter a comment if the Organization has not taken charge of or partially taken charge of the same.

c

d

e

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 13/33

f – PERMANENT SITES CHECKED DURING THIS AUDIT

The system automatically enters the HO address if it is a single site. This field must contain all audited permanent sites, among those that appear on the certificate. The data entered in this field is also written on form "summary of activities/sites", which summarizes what has been audited in the three-year period.

g – TEMPORARY SITES CHECKED DURING THIS AUDIT

It is necessary to write any outsourced activities that are not carried out at a permanent site (e.g. service provision centers, operative yards,...). The data entered in this field is also written on form "summary of activities/sites", which summarizes what has been audited in the three-year period.

h – ONLY FOR ISO9001, ITALY, IAF SECTOR 28

In the presence of IAF sector 28 – ISO 9001 – Italy, a specific field is displayed which must contain the data relating to the yards where the survey was performed. The data entered in this field is also written on form "summary of activities/sites", which summarizes what has been audited in the three-year period.

f

l

i

h

g

f

h

g

l

i

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 14/33

i – DESCRIPTION OF OTHER OUTSOURCED ACTIVITIES AUDITED BY SURVEY

It is necessary to write the audited activities that are not carried out in a specific site, complete with address (e.g. check of waste or goods transport activities, ...). The data entered in this field is also written on form "summary of activities/sites", which summarizes what has been audited in the three-year period.

l – ANY ACTIVITIES AUDITED ON THE BASIS OF DOCUMENTS

It is necessary to write all collected documental evidences as a support to the activities specified in the scope. The data entered in this field is also written on form "summary of activities/sites", which summarizes what has been audited in the three-year period.

m – AUDIT RESULTS

It is necessary to record any A, B or C findings raised during the audit.

n – IDENTIFICATION OF AUDIT RESULTS

It is necessary to specify that application of the MS was checked for all processes/activities/aspects and impacts (hereinafter referred to as “processes”) present in the audit plan and defined by the organization.

For each process it is necessary to enter a brief comment on the audited items, with objective evidences like, for example, the description of what was audited both at the company’s premises and during any external surveys, examined documents, references to the various record documents, etc.

m

n

o

p

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 15/33

It is very important to enter the explanation of the reasons that led to the issue of a non conformity. This is obtained by describing the the situation that caused the non conformity to be raised and by explaining how it can be a hindrance to the application of the management system. An overall brief judgement on the MS must also be written.

o – MANAGEMENT OF CLAIMS

This field must be filled-in in the presence of any claims received from the Organization and claims received by the CB, according to the contents of Data Base C&C; it is necessary to write the reference number of the claim and the claim management modalities adopted by the Organization. Before the audit, non-exclusive auditors check the presence of any claims by contacting PR.

p - SPECIFIC INFORMATION RELATED TO THE SCHEME (OPTIONAL)

Record additional information as foreseen by the specific scheme requirements.

Applicabilities of the field (p):

ISO50001 The audit team must record the following information about:

- check that energy performance improvement has been demonstrated (during all type of audits);

- confirmation of the specific ISO 50001 information described in the IQ, in particular (during recertification):

number of EnMS effective personnel,

number of energy sources,

number of significant energy uses and

annual energy consumption,

in order to confirm the recertification audit duration.

EMAS The audit team must record the following information about Environmental Statement (ES).

“According to the Audit Team, the Environmental statement is, on whole, proposable/not proposa for the issurance/validation of the certification.

Optional sentence (only if applicable): The EMAS validation proposal of the Environmental Statement is dependent on taking into account any observations made during the audit.

The Organisaton has to send to the Competent Body the pertinent documentation for registration and Environmetal Statement, within 60 days from the date of validation.”

ISO3834 The audit team must record the following information: - name of welding coordinator(s) and a comment on his/her competency - welding processes applied, classified according to EN ISO 4063:2011 correlated to material groups used, classified according to CEN ISO/TR 15608:2012 - standards according to which welders, operators and welding procedures have been qualified

ISO 37001:2016

Insert detailed information relevant to: the scope of the anti-bribery management system Details regarding activities at risk; Mapping of subjects involved in risky activities Corporate reports Specific legaI references; Specific information on training conducted

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 16/33

q – it is necessary to confirm the observance of the audit plan or highlight and justify any differences in order to update the three-year audit program (PVP) accordingly

r – it is necessary to summarize the evidences on the basis of which the system was deeemed to be compliant with the applicable standard and effective, and to enter a brief judgement on the managment review and internal audits

s – it is necessary to check that the use of the logo and the advertisement of the management system, including any sentences written on the packaging of a product or inside the accompanying information, are compliant with the requirements of the relevant rules

t – fill in all existing fields; remind the Organization of the possibility to use the Member Area also to propose corrective actions

u - INFORMATION AND ADDITIONAL REMARKS

Fill in this space with additional information such as: production with several shifts, presence of observators, membership of the organization to national or international groups, any justifications foreseen by additional requirements of specific

q

r

s

t

u

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 17/33

schemes (e.g. possible justification of the decision that not all shifts will be audited for the ISO9001 and ISO14001 schemes),...

v – RESERVATIONS AND OBSERVATIONS

Space reserved to the Organization to enter various comments (e.g. diverging opinions or unresolved aspects during the audit, any reservations about the audit team behaviour,...).

6 EXPRESSING FINDINGS IN AUDIT REPORTS

6.1 DEFINITIONS

6.1.1 The "General Rules for the Certification of Management Systems" contains the following definitions:

Major non-conformities (A-type findings) are:

failure to fulfill one or more requirements of the management system standard;

non-compliance with one or more requirements of these Rules;

a situation that could lead to the delivery of non-conforming products or products which do not comply with applicable legislation;

situations that could cause serious shortcomings in the management system or reduce its capacity to ensure the control of processes or products/services.

Minor non-conformities (B-type findings) are:

a situation that could reduce the customer's capacity of delivering a conforming product;

situations that could cause minor shortcomings in the management system or not reduce its capacity to ensure the control of processes or products/services.

Recommendations (C-type findings) are: suggestions for improving the management system that do not directly concern the requirements of the reference standard.

v

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 18/33

Unlike A and B findings, the Organization is not obliged to treat C-type findings.

6.1.1.1 The "ISO 50003 - Energy management systems — Requirements for bodies providing audit and certification of energy management systems” contains the following definition:

EnMS Major non-conformity: EnMS non-conformity that affects the capability of the management system to achieve the intended results.

Note to entry: Classifying nonconformities as major could be as follows: • audit evidence that energy performance improvement was not achieved; • a significant doubt that effective process control is in place; • a number of minor nonconformities associated with the same requirements or issue could

demonstrate a systematic failure and thus constitute a major nonconformity. NOTE: in case of multi-site organisations, when nonconformities are found at any individual site, even though the organization’s internal auditing, the Audit Team must carry out an investigation in order to determine whether the other sites may have been affected and must require the organization to review the nonconformities to determine if corrections or corrective action needs to be applied to the other sites. Records of the review and justifications shall be maintained.

6.1.2 CORRECTION

"Correction" is defined as an action aimed at eliminating a major or minor non-conformity (ISO 9000:2015).

6.1.3 CORRECTIVE ACTION

"Corrective action" is defined as an action aimed at eliminating the causes of the major or minor non-conformity (ISO 9000:2015).

6.2 EXPRESSING A FINDING

The following paragraphs provide information about how to express findings in audit reports during certification, surveillance, extra, supplementary and recertification audits performed at an organisation's facilities.

It is also a guide to examine and accept replies from organisations in response to findings formulated during an audit, in terms of analysis of causes, correction of findings and proposed corrective actions.

This guide does not describe how to express findings emerging during document reviews neither does it apply to preliminary audits as these set out to raise only observations and no findings.

Even though the document focuses on "B-type findings" (minor non-conformities), it also contains information on how to express "C-type findings (recommendations)"; “A-type findings” (major non-conformities) are not usually hard to be written, except for the need to clearly highlight the deficiency (e.g. unfulfilled requirement of the standard, exceeded authorization limits, misapplied legal requirement, ...) for which no relating examples are provided.

6.2.1 EXPRESSING “B” TYPE FINDING (MINOR NON-CONFORMITIES)

"B-type findings" must be issued in the event of shortcomings reflecting a system finding (non-structural) rather than an isolated situation of an occasional nature that is therefore due to oversights (human error) concerning specific requirements of the applicable reference standard or documentation.

In order to define the type of finding, auditors must examine the gravity of the event and, if necessary, extend their inspection to other samples considered to be representative.

Considering the fact that audits by Certification Bodies are usually performed on the basis of elements taken "at random", findings should be expressed by identifying a system shortcoming concerning a specific point of the standard rather than focussing on the sample itself.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 19/33

The latter, in fact, could be misinterpreted by the organisation under audit as a mere formal aspect which can be solved by means of specific and isolated action, for example, on the audited document (such as inserting a missing signature, etc.), and therefore not ensuring that the necessary analysis of the reasons is made and action taken on the system as a whole.

Findings must therefore be precise and detailed, refer to objective evidence and therefore indicate specific cases and/or documents on the findings form. Only information that can be checked must be considered as objective evidence.

In order to integrate the two requirements, findings must be expressed in such a way as to highlight the type of system shortcoming with reference to the standard and indicate the analysed sample as an example in order to give the organisation a better understanding of the finding.

Attention must therefore be focused on the type of finding rather than on the sample in order to make it easier for the organisation to propose effective corrective action rather than handling of an individual non-conformity, as shown in the following example.

Scenario:

the audit revealed a drawing and an instruction without the required signatures of approval...

Expression of finding:

there is no evidence that all technical documents are controlled for approval (e.g.: dwg. ... / Rev. ... and instruction ... / Rev. ...)

Scenario:

examination of internal audit management documents revealed that Procedure XYZ does not define the relative management responsibilities...

Expression of finding:

Procedure XYZ does not define the responsibilities for internal audit management

The description of the finding must mention the disregarded procedure in order to give the organisation a better understanding of the reasons why the finding was considered as "type B".

TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (ISO 9001)

Ref.:2008 Ref.:2015 Scenario Expression of Finding

1 4.2 7.5 A procedure does not define the

methods for performing an activity

established in the reference standard.

The procedure does not define the methods for

(performing; planning; recording;......) of........

2 4.2 7.5 Instruction no...., Rev. ..., does not

show which parts have been modified.

The modified parts of updated documents are not

always highlighted

(e.g.: dwg. ... / rev. ..., instruction ... /

rev. ..., etc.).

3 4.2 7.5 Technical instruction n° .../rev. ... does

not contain the required signatures of

approval.

There is no evidence that all technical documents

are controlled for approval (e.g.: instruction ... /

rev. ...).

4 4.2 7.5 Standard ... used for fire

resistance tests on electrical cables is not

present in the test room during testing.

The standards used for functional

testing are not always available during testing

(e.g.: Standard ...).

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 20/33


5 4.2 7.5 The material test certificates are difficult

to read as they are faded.

The methods used to store quality

records do not always ensure they

remain legible throughout the required storage

period (e.g.: material test

certificates).

6 4.2 7.5 The worksite reports for the

Castelvetrano job are filled in

occasionally and are not in line withthe

reference procedure.

Worksite reports are not always filled in as

required by the reference procedure (e.g.:

Castelvetrano job).

7 4.2 7.5 The IT data Back Ups have been stored in

the same room with the company's

Server

The procedure used for IT data Back Up storage

do not assure an adequate protection of the

same data from possible damages.

8 5.3 5.2 The Technical Manager and Sales

Manager show they are unaware of the

objectives established by the

organisation following the adoption of a

Quality System.

The quality policy is not sufficiently implemented and supported at all levels (e.g.: in the ... and ...departments).

9 6.2 7.2 Procedure P 8 requires internal auditors

to be "Qualified" but the criteria for this

qualification have not been established.

The qualification criteria for internal quality

auditors have not been defined.

10 6.2 7.2 The training activities for project

management staff have not been

performed as established in Procedure 6.

Staff training activities are not always performed

as established in Procedure P 6 (e.g.: Project

Management staff).

11 5.4 6.2 Some quality objectives are too generic

and cannot be measured.

Measurable quality objectives are not always

defined (e.g.: system improvement objectives

defined in the review dated 12/2009).

12 7.1 8.1 In the Production department, product

XX was being manufactured without a

Quality Plan being issued as ... required

by the procedure.

The Quality Plan established in proc.

.... / rev. ... for new products is not

systematically issued (e.g.: product XX...., ).

13 7.2 8.2 For product HH, ordered by phone, there

is no evidence that the order has been

reviewed as required by the procedure.

Evidence of contract reviews is not always

available for telephone orders (e.g.: Order ...)

14 7.2 8.2 The review record of the modification to

an order for a complex product is not

available.

Order modifications are not always subject to the

required review (e.g.: order modification ...).

15 7.2 8.2 Contract JJJJ/A was reviewed after

production commenced.

Contracts are not always reviewed

before production activities commence (e.g.:

contract JJJJ/A, ...).

16 8.2 9.1 The B.E.T. test on a product lot was not

recorded in the laboratory register even

though the chemical analysis sheet

requires analyses to be performed on all

lots of this product.

There is no evidence that all the chemical

analyses indicated in the chemical analysis sheet

are performed (e.g.: the B.E.T. test indicated in the

chemical analysis sheet attached to lot 398 of

24/05/2004).

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 21/33


17 5.5 5.3 The process control documents are

approved by the Production Manager

instead of the Methods Manager as

established in procedure XYZ

The specific responsibilities defined in document

.... do not always reflect the real situation of the

organisation (e.g.: responsibility for....by

the...Manager).

18 7.3 8.3 A design planning document has not

been drawn up for the design activity of

job XXZZ.

Design activities are not always systematically

planned (e.g.: Job XXZZ).

19 7.3 8.3 The Design Plan of Job ZZXX does not

indicate the completion dates of the

various phases.

Design Plans are not always updated as they

should be (e.g.: Job ZZXX ).

20 7.3 8.3 The design review records for Job HXHX

cannot be traced.

Design review records are not always available

(e.g.: Job HXHX).

21 7.3 8.3 There are 2 versions of the xxzz Design

Plan in the technical department with the

same date, signature and revision

number, but with different updates; the

obsolete copy is not identified.

Design Plans are not always managed in a

controlled way (e.g.: the technical department

has two copies of Design Plan zzxx with different

contents but the same date, signature and

revision number; the obsolete edition is not

identified).

22 7.4 8.4 Some incoming components were not

checked before entering the production

cycle, as they should have been

according to procedure P10.

Not all incoming components are checked before

entering the production cycle as required by

procedure P10 (e.g.: hydraulic cylinders Order

XXX).

23 8.2 9.2 The "Procurement" department was not

audited three months before the date of

our audit as required by the Audit Plan.

Audits are not always performed according to the

Audit Plan (e.g.: the Procurement Department has

not been audited yet).

24 8.2 9.2 The applicable Technical Department

procedures are not indicated on the

Audit Report as required by Procedure

P8.

Audit reports do not always mention the

documents applied (e.g.: Technical Department

audit).

25 5.6 9.3 Management Review report of .....does

not mention audit results

There is no evidence that the Management Review

of analysed all the required elements (e.g.: audits).

26 7.4 8.4 It is not clear how the suppliers, defined

by procedure P6 as "long-standing", have

been assessed and accepted.

The assessment criteria used for some suppliers

(e.g.: long-standing suppliers as defined in

procedure P6) are not sufficiently well-defined.

27 7.4 8.4 The qualification questionnaire for

supplier ... established by procedure P6 is

not available and the planned assessment

audit has not been conducted.

Supplier qualification documents are not always

sufficient to allow an objective assessment to be

made as required by procedure P6 (e.g.:

qualification of supplier ...).

28 7.4 8.4 Orders 256/99 and 308/99 do not

contain the signature of approval

required by procedure P6.

There is no evidence of systematic order approval

(e.g.: orders 256/99 and 308/99).

29 8.3 8.7 The method used to identify non-

conforming materials is not indicated in

the system documentation.

Procedure P13 does not define the methods used

to identify NC materials.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 22/33


30 8.3 8.7 Materials identified as non-conforming

for which the required non-conformity

registration form has not been filled in

have been found.

The NC report relative to materials identified as

NC is not always available (e.g.: materials ...).

31 7.5 8.5 There is no evidence of the registration

of administration of Ciproxin to Mr S.G.

in the Clinical Diary.

There is not always clear evidence of the

administration of treatment (e.g.: prescription of

Ciproxin to Mr S.G. in the Clinical Diary).

32 7.5 8.5 The customer has not been informed of

damage to the dials on some pressure

gauges it supplied for assembly on the

system being manufactured.

Reports to customers concerning customer-

supplied products are not always formalised (e.g.:

Pressure gauges for job XXXX).

33 7.5 8.5 Components AA, BB, CC of job GGJJ/99

have not been marked for traceability as

established in procedure P8.

The traceability marking for components

established in procedure P8 does not seem to be

applied (e.g.: components AA, BB, CC job GGJJ/99).

34 7.5 8.5 Machining tolerances for component FF

have not been defined.

Machining tolerances do not seem to have been

defined for all work pieces (e.g.: Component FF).

35 7.5 8.5 One (or more) welders in the boiler

department does (do) not possess the

required qualification.

Not all welders seem to possess the required

qualification (e.g.: Boiler department).

36 7.5 8.5 Though the warehoused packs for

components WWW have been produced

according to procedure P15, they are

deteriorated due to significant

absorption of humidity. The

accompanying internal documentation is

also damaged.

The methods of storing, checking and taking

action in MAG are not always sufficient to ensure

the packs and their contents remain in good

condition (e.g.: packs for ... ).

37 7.5 8.5 Components in the department are not

marked with the required control tags

showing inspection and test and status

but another identification system is used

which differs from the requirements of

Procedure P12.

The method established in Procedure P12 to

identify inspection and test status is not always

applied or different methods are used (e.g.:

components in the finishing / testing

department).

38 7.5 8.5 DHH crates are stored in piles that are

higher than the two metre maximum

established in procedure P15.4 and some

of them are deformed.

The method used to store crates differs from that

established in Procedure P15.4 and does not

always ensure they remain in good condition (e.g.:

DHH crates).

39 7.5 8.5 The technical service staff is not provided

with all the equipment required by

Instruction IS 5.

The equipment given to the technical service staff

does not always correspond to the requirements

of Instruction IS 5.

40 7.6 7.1.5 An instrument was calibrated against

samples that do not refer to international

or national samples.

When calibrating measuring instruments,

reference to international or national samples is

not always guaranteed (e.g.: pressure gauge n°

15b).

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 23/33


41 7.6 7.1.5 Linear measuring instruments (gauges

and micrometers) are not calibrated

every 6 months as indicated in procedure

P11

The calibration frequency of measuring

instruments is not always respected (e.g.: linear

measuring instruments).

42 8.5 10 Action on RAC nos. 15 and 18 has not

been defined (or the deadline within

which...).

The required action is not always defined in

corrective action requests.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 24/33

TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (ISO 14001)


1 4.4.3 7.4.3 No reply has been received to an

environmental request from district

XVDC, prot. 3450/05 of 04/04/2005.

The EMS does not always assure responses to

environmental communications (e.g.:

communication prot. 3450/05 of 04/04/2005).

2 4.5.1 9.1 Among other things, the monitoring

plan established in procedure xyz

involves daily inspections of waste

storage areas, while the relative

registration form shows that these are

not always performed.

The daily inspections of waste storage areas, as

established in procedure xyz, are not always

performed.

3 4.3.3. 6.2 Objective n°7 of the environmental programme requires Sox concentrations at emission points E3 and E4 to remain under 80% of the maximum limit established in authorisation XVC. Not all the environmental objectives pursue

continual improvement (e.g.: objective n° 7 —

maintenance of environmental performance).

4 4.5.1 9.1 The calibration record of pHmeter T1

located in laboratory 3 is not available.

There is no evidence that all the equipmentused for monitoring has been calibrated (e.g.: pHmeter T1 in lab. 3)

5 4.5.5 9.2 The "Bottling" department was not

audited three months before the date

of our audit as required by the Audit

Plan.

Audits are not always performed according to the

Audit Plan (e.g.: the Bottling Department has not

been audited yet).

6 4.5.5 9.2 The applicableTechnical Department procedures are not indicated on the Audit Report, as required by Procedure P 8. Audit reports do not always mention the

documents applied (e.g.: Technical Department

audit).

7 4.3.3 6.2 Some objectives in the 2005

environmental programme are too

generic and cannot be measured.

Measurable objectives are not always defined

(e.g.: system improvement objectives defined in

the review dated 12/2004).

8 4.5.5

9.2 Procedure P 8 requires internal

environmental system auditors to be

"Qualified", but the qualification

criteria have not been established.

The qualification criteria for internal

environmental system quality auditors have not

been defined.

9 4.6 9.3 Environmental performance data is not

mentioned in the management review

of 01/2005.

Environmental performance data is not always

indicated in the management review report (e.g.:

review of 01/2005).

10 4.5.2 9.1.2 The periodic assessment of legislative

conformity recorded on Form 13.09

does not include the results of the

conformity assessment.

There is no evidence of the results of the periodic

legislative conformity assessment.

11 4.5.3 10.2 Action on NC nos. 4/05 and 8/05 has

not been defined (or the deadline

within which...).

The required action is not always defined in

corrective action requests.

12 4.4.5 7.5.3 The instruction for the internal

management of newly produced waste

is not present in the vfr department of

the production sector.

The internal waste management instruction is not

always available in the relative departments (e.g.:

vfr department — production)

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 25/33

TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (SA 8000:2008)

Ref. SA 8000 Scenario Expression of Finding

1 5.1 While checking the job announcements

on the company website, one was found

for an expert computer programmer

showing an age limit of 30.

Job announcements do not always respect the

requirements of the standard (e.g.: Expert Computer

Programmer - Maximum age 30).

2 9.5 The 2005 staff training programme omits

certain information. The relative

implementation times are missing, as are

the employees of a branch office.

Staff training is not always suitably planned (e.g.: in

the 2005 training plan, not all the people involved

are identified, neither are implementation times).

3 9.11 Revision 0 of instruction IL03, relative to

the methods for sending reports or

claims, does not correctly mention the

certification body and the accreditation

organisation.

The instruction for sending reports or claims

concerning socially and ethically incorrect behaviour

(il03 — rev.0) does not correctly mention the

certification body and the accreditation

organisation.

4 9.5 The 2006 internal audit plan (PVI 06

Revision C) does not include site n°4.

The internal audit plan (pvi 06 — rev.c) is not

sufficiently consistent with the company

organisational structure (e.g.: site n°4 not

included).

5 9.8 The system documentation, revision 2 of

procedure P5, does not indicate the

supplier assessment criterion.

In procedure p5 - rev. 2, the supply assessment

criterion adopted is not sufficiently justified.

6 9.10 The organisation has not implemented

any control activities for secondary NCs

issued during 2nd-party audits.

Insufficient evidence is given of the action taken as

a result of supplier assessments (e.g.: follow-ups

relative to secondary non-conformities issued

during second-party audits)

7 3 The risks for pregnant workers are not

indicated in the 30th January 2005

update of the DVR.

The risk assessment document is not sufficiently

detailed (e.g.: risks for pregnant women - dvr of

30/01/2005)

8 3 Records concerning the periodic

evacuation drill planned for May 2005 in

company document GE05 — rev. 00 are

not available.

The documentation indicating the performance of

periodic emergency drills is not systematically

available (e.g.: periodic evacuation drill planned for

May 2005, doc. GE05 - rev. 00)

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 26/33

TABLE GIVING TYPICAL EXAMPLES OF B-TYPE FINDINGS (OHSAS 18001:2007)

Ref. OHSAS 18001 Scenario Expression of Finding

1 4.3.3 The result of the assessment of the risk

derived from manual handling of cargoes

highlighted the need of taking some

improvement actions, which were not

managed as a System improvement

objective.

The objectives defined for the period in question are

not always consistent with the risk assessment

result (e.g. risk derived from manual handling of

cargoes)

2 4.5.2 The Organization's procedure required a

check of the compliance with the legal

prescriptions on a monthly basis whereas

records were written only every three

months.

There is no evidence of the check of compliance

with legal prescriptions in accordance with the

intervals defined in the procedure

3 4.4.2 In the X-ray department it was not

possible to have the evidence of the

specific training given to workers in

relation to the safety cards of the

products used.

The personnel using dangerous products subjected

to safety cards are not always trained about the

relevant risks (e.g. radiology operators)

4 4.4.7 The company has no instrument that

allows for the real-time identification of

those persons who did not take part in

at least one emergency simulation, for

example because they were absent due

to illness or change of shift.

The Management System does not provide sufficient

control on the participation of all personnel to

scheduled emergency simulations.

5 4.4.7 In the X-ray department one of the

interviewed operators showed low

knowledge of the emergency procedures

in force.

Emergency evacuation procedures described in

System documentation are not always known by the

personnel (e.g. radiology operator)

6 4.3.1 In the area dedicated to charging of lift

truck batteries there were no vertical

signs relating to explosion risks,

identified in the risk assessment

document.

ATEX explosion risk areas are not always properly

identified (e.g. missing signs in the lift truck loading

area)

7 4.4.6 At the workshop the periodical

maintenance card relevant to only lathe

XXX was not filled in.

Evidence of periodic maintenance operations carried

out at the machines/ equipment present in the

workshop is not always provided (e.g. lathe XXX)

8 4.5.5 The safety function is not inserted in the

annual audit programme.

Not all system processes are included in the annual

audit programme (e.g. safety function)

9 4.4.6 A survey at the warehouse showed that

maximum load indications relating to the

racks in some cases are not well visible to

the personnel; the control system should

ensure their prompt positioning or

change of position.

Checks carried out on equipment and working areas

are not always effective (e.g. missing capacity

indication for the racks present in warehouses)

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 27/33

Ref. OHSAS 18001 Scenario Expression of Finding

10 4.6 Although the Organization has analyzed in

detail all the accidents occurred, it does not

record this data in the management

review minutes.

The management review document does not deal

with all the input elements foreseen by the standard

(e.g. accident analysis)

11 4.5.3 Near-miss accidents are reported to the

System Manager by e-mail messages

instead of observing the modalities

defined in the reference procedure.

Near-miss accidents are not always properly

reported and recorded.

12 4.5.5 Although the Organization has identified

some processes/risks as significant, it

dedicated the same amount of time to all

processes/risks during internal audits.

Internal auditing activities are not always planned

and carried out by the Organization on the basis of

risk assessment results

6.2.2 EXPRESSING “C”-TYPE FINDINGS (RECOMMENDATION)

Special attention must be paid when making recommendations.

By definition, recommendations are suggestions for improving the system and do not affect its conformity with the reference standard. As is also indicated in the audit report, the organisation is not obliged to implement recommendations.

Recommendations should be limited to real system improvement opportunities and they must be expressed so as to ensure they are not interpreted as Minor Non Conformities (B-type) or Major Non Conformities (A-type).

Care must be taken not to use the verb "define" as this gives the idea that the organisation has not totally defined the issue of the recommendation and that the situation is more serious than it actually is; verbs expressing the concept of improvement, such as "detail", "specify' and "describe", should be used instead.

Some examples of incorrectly expressed recommendations are shown below.

Example 1

We recommend following the procedure systematically

Remark

The procedure must always be followed and it is therefore incorrect to recommend following it systematically.

Example 2

We recommend filling in registration forms correctly.

Remark

Forms must always be filled in correctly and it is therefore incorrect to recommend filling them in correctly.

Example 3

We recommend systematically indicating all the data established by the procedure in the document.

Remark

If the procedure requires the data to be indicated, it must always be shown. It is therefore incorrect to recommend indicating them systematically

Example 4

We recommend completing the controlled issue of all the instructions.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 28/33

Remark

System documents must be controlled and it is therefore incorrect to recommend their controlled issue.

Please note that all the above observations deal with requirements of the standard which organisations are obliged to satisfy. By indicating these situations as suggestions, the auditor indicates that they are not obligatory and that the organisation may decide not to implement them if it so wishes.

6.3 EXPRESSING "MA" AND "MI" FINDINGS FOR THE EN9100 SCHEME

The EN 9101 standard classifies findings as follows:

MA = major nonconformity

mi = minor nonconformity

OH = opportunity for improvement (recommendations)

For the EN9100 certification scheme, expressing findings defined as nonconformities must be made on a specific form, an extract of which is shown below, together with the relevant instructions for filling it in.

SECTION 1 - DETAILS OF NONCONFORMITY:

Process/Area/Department: (1)

Requirement/Clause No.(s): (2) Classification (ma/mi): (3)

Statement of Nonconformity: (4)

Objective Evidence:

(5)

Due Date:

Auditor Auditee Representative Acknowledgement

Name: Signature: Name: Signature:

(1) Identify the processes, area and/or division subject to audit using the same terminology defined by the organisation;

(2) Identify the requirement of the 9100/9110/9120 standard to which the finding is to be expressed;

(3) Decide the type of finding based on what is stated in the previous paragraphs;

(4) Give a detailed description of the finding identified, ensuring both the auditor and the auditee are clear as to the nature of the finding;

(5) Provide objective evidence in order to outline the deficiencies found related to the specific requirement of the reference standard.

Two scenarios of "MA" nonconformities and 2 of "mi" nonconformities are illustrated below.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 29/33

SCENARIO 1 ("MA" NONCONFORMITY)

Records related to reviews of the design for the new landing system reveal that, although several problems have emerged and some risks have been identified, the relative actions have not been defined. In this specific case, the delay in launching the client programme is due to a mandatory airworthiness requirement not taken into account (projects UH838 and IU124) leading to reliability problems of the product to be delivered. Moreover, further analyses showed that the records of the design reviews were unavailable (product 7654, 8764, 4897) or that they were filled in on the same occasion, after the pilot product lot (product 2334, 2520, 3811, 4587).


Process/Area/Department: Design Process

Requirement/Clause No.(s): 7.3.4 Classification (ma/mi): MA

Statement of Nonconformity:

The design reviews, not made systematically, do not ensure that all the input elements related to

product requirements have been determined, with particular reference to the applicable mandatory

requirements

Objective Evidence:

For projects UH838 and IU124, the mandatory airworthiness requirements have not been taken into

account and for the projects 7654, 8764 and 4897 the design reviews have not been performed.

Due Date:



SCENARIO 2 ("MA" NONCONFORMITY)

An auditor is carrying out a certification audit according to the EN9110 standard of an organisation which undertakes aircraft engine maintenance. During the audit of the maintenance process, the auditor checks assembl y of the Turbofan Rolls Royce engine number (BK-123-40), focusing on configuration management. On analysing in-depth the configuration management document for that engine, the auditor notes that 2 valves (XC-2012834 and BH41FT) have been installed even though not indicated in the list of main and auxiliary components. The engine and related aircraft have been delivered to the client.


Process/Area/Department: Maintenance Process

Requirement/Clause No.(s): 7.5.1 Classification (ma/mi): MA

Statement of Nonconformity:

The maintenance process is not carried out and completed in compliance with what was planned, with particular reference to the technical requirements contained in the configuration documents.

Objective Evidence:

Due Date:



RINA


ITT-SYS03-ALL-01

Rev. 8

Page 30/33

SCENARIO 3 ("MI" NONCONFORMITY)

During the audit of the product development process, the auditor dwells on the methods used by the organisation to manage risk. In particular, the organisation uses FMEA. The auditor checks 4 examples of FMEA and in particular, two design FMEA of two new components just put into production and two process FMEA of two new production lines involving the following production phases: Receipt of goods, mechanical machining, assembly, galvanisation, storage and delivery to the client. These phases are, in any case, defined in the production flow-chart. Analysing the FMEA, in three cases the auditor finds no problem but as regards the process FMEA related to the product code EA-32, the auditor finds that the assembly phase has not been taken into account. From an analysis of the production waste and of complaints from the client, it cannot be inferred that product nonconformities may be attributed to the assembly phase. Moreover, this phase has been checked on FMEA relative to other products whose characteristics are, in any case, different from the EA-32 product.


Process/Area/Department: Product development process

Requirement/Clause No.(s): 7.1.2 c) Classification (ma/mi): mi

Statement of Nonconformity: The risk management process does not include, systematically, assessment of the production phases foreseen throughout production of the product.

Objective Evidence: The process FMEA related to the product code EA-32 does not take into account risk analysis for the assembly phase.

Due Date:



SCENARIO 4 ("Ml" NONCONFORMITY)

During the procurement process audit, the auditor dwells on the organisation's supplier register and on the criteria used to monitor supplier performance. In particular, the organisation assesses suppliers using indicators such as: % of waste, cost of supplier NC, OTD (on time delivery). The organisation decides to assess performance monthly. Analysing the performance of 10 suppliers, the auditor notes that, in the case of two suppliers, performance has not been assessed in the last six months. Going into more depth, out of a total of 34 suppliers on the list, performance has not been assessed for 3 suppliers (ABC Srl, CFD Spa, SPD Sas) in the last 6 months. Analysing the previous performance of the 3 suppliers, the auditor finds that, for two suppliers, no nonconformities were detected the year before and the two suppliers had an OTD of more than 95%. For one supplier, on the other hand, a NC had been found the previous year and 100 parts had been returned and immediately replaced with conforming parts by the supplier.


Process/Area/Department: Procurement process

Requirement/Clause No.(s): 7.4.1 b) Classification (ma/mi): mi

Statement of Nonconformity: Supplier performance is not reviewed systematically or at the required intervals

Objective Evidence:

For the 3 suppliers ABC, CFD and SPD performance has not been evaluated in the last six months even though the organisation has established a monthly review

Due Date:



RINA


ITT-SYS03-ALL-01

Rev. 8

Page 31/33

7 ACCEPTANCE OF AN ORGANISATION'S PROPOSALS

7.1 ANALYSIS OF CAUSES

In order to identify suitable corrective action, it is essential to perform a complete analysis to find the real cause which led to the finding.

The organisation must find the root cause of the nonconformity identified.

This analysis must be consistent with the finding highlighted and must clearly identify the fundamental cause of the finding.

The root cause must not be a simple repetition of the finding.

The definition of a suitable root cause must not allow the possibility of asking other "whys"; if this happens, the real root cause has not been determined.

The audit team leader must not approve analyses of the causes which are superficial and inconsistent with the finding which has been highlighted.

7.2 CORRECTION (CORRECTION/LIMITATION ACTIONS)

The organisation must define in the treatment, the immediate limitation action as well as the correction to eliminate/limit the nonconformity and to control any nonconforming products found.

This action must be consistent with the non conformity found.

If the organisation is able to implement the correction immediately, the correction is to be reported as action already taken (in the past).

If the correction cannot be made immediately, the organisation must submit it as a planned action.

The audit team leader must check whether the correction proposed by the organisation: is such as to eliminate/effectively limit the finding, is applicable.

7.3 CORRECTIVE ACTION

The organisation must define the corrective action which ensures the nonconformity will not recur.

The corrective action must be consistent with the nonconformity and with the analysis of the causes.

The audit team leader must check that the corrective action proposed by the organisation: - is consistent with the analysis of the causes and implementable,

- that planning has been defined and a maximum period of time has been established for its implementation, in accordance with the reference certification rules,

- that the people responsible for implementing the action have been established and that it has been approved by a representative of the organisation.

7.3.1 EXAMPLE

This chapter gives an example of declaration of analysis of the causes, correction (correction/limitation actions) and corrective action.

Nonconformity

No systematic corrective action is taken against suppliers who do not meet the contractual requirements foreseen (i.e. for the supplier WELD-IT whose last 5 supplies have been nonconforming and late in delivery compared to the contractual delivery times stipulated, there is no evidence of action taken or planned to solve the problem).

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 32/33

Correction (correction/limitation actions)

The Weld-it supplier has been temporarily suspended until further analysis of the causes, leading to non compliance with the contractual requirements, is made. The Weld-it material already delivered and stored in the warehouse has been immediately segregated and will be rechecked.

The finished products with Weld-it components, ready for delivery, have been identified and segregated in order to be checked.

A check will be made immediately to see whether this situation is common to other suppliers and if so, the same limitation actions may be implemented also in their case.

Analysis of causes

Supplier performance has not been reviewed in the last 3 months. Data have been collected but neither analysed nor used. The information relevant to the problems found in connection with the supplies received has not been shared with the people concerned. This has occurred because the procedures in question do not define the procedure to be followed to assess supplier performance.

Corrective action

The procedure will be modified to better define the method of collection, analysis and use of data related to suppliers. The responsibilities and authority of the people concerned will be clearly defined. The channels of information which enable information related to problems with suppliers to be shared immediately will be clearly defined.

The performance of all the suppliers of the last 3 months will be analysed and subsequently every month. Actions will be planned in all cases where the contractual requirements are not complied with.

All the people involved in supplier performance assessment will be trained.

8 EFFECTIVENESS OF CORRECTIONS AND CORRECTIVE ACTIONS

When checking the effectiveness of the corrections and corrective actions relating to the findings raised during the previous audit, it is necessary to not only record the checking of their adoption, but it is also necessary to record the evidence that their effectiveness has been checked to prove they are applied and to write a comment on the effectiveness of these actions.

9 AUDIT TEAM MEETING

An appropriate amount of time must be dedicated to this meeting.

At the beginning, a certain amount of time should be dedicated by all auditors to re-organise their notes, obtain the evaluations and register the findings and recommendations in written form.

The team leader runs through the paragraphs of the standard and every auditor submit his/her findings for general discussion.

The team leader remains responsible for the final drafting of the findings and their classification and the preparation of the final report.

It is advisable that for audits lasting more than one day, at the end of each day, the audit team sets aside time for a meeting in which they will discuss the findings raised during the day and record them so that they can be included in the audit report.

The audit report, for example, shall include the justification of any reduction of the audit times with respect to the prescribed times, clarifications on the product/service provided and on the methods for the creation of the same, relationships, partnerships, alliances with other companies already certified, belonging to national or international groups, clarifications on the classification of non-conformities or recommendations, opinions on the consultant.

Furthermore, information must also be included in the audit report relating to the strong or weak points of the system which is deemed by the Audit Team to be useful to the audit team who will carry out the next surveillance audit and to the DM.

RINA


ITT-SYS03-ALL-01

Rev. 8

Page 33/33

10 CLOSING MEETING

A formal closing meeting, where attendance shall be recorded, shall be held with the client’s management and, where appropriate, those responsible for the functions or processes audited. The purpose of the closing meeting, usually conducted by the audit team leader, is to present the audit conclusions, including the recommendation regarding certification. Any non-conformities shall be presented in such a manner that they are understood and the timeframe for responding shall be agreed.

It should be recalled that the Organisation’s management must be thanked for their hospitality and above all also for the cooperation shown by the personnel during the audit and by the openness demonstrated towards the Audit Team when presenting objective evidences.

All the persons taking part in the closing meeting must be recorded in the appropriate space of the audit report, by writing their names and specifying their attendance to the meeting.

The 17021:2015 standard envisages that all the following elements have to be discussed during the closing meeting (the degree of detail shall be consistent with the familiarity of the client with the audit process):

a) advising the client that the audit evidence obtained was based on a sample of the information; thereby introducing an element of uncertainty;

b) the method and timeframe of reporting, including any grading of audit findings;

c) the certification body’s process for handling non-conformities including any consequences relating to the status of the client’s certification;

d) the timeframe for the client to present a plan for correction and corrective action for any non-conformity identified during the audit;

e) the certification body’s post-audit activities;

f) information about the complaint and appeal handling processes.

The client shall be given opportunity for questions.

The findings must be presented professionally without omitting the objective evidence which has led to the determination of the same and always referring to the paragraph of the standard that has been disregarded.

In case of surveillance or recertification audits, it would be appropriate to compare the results of the current audit with the results of the previous ones.

In the presence of any diverging opinions regarding the audit findings or conclusions, it is recommended to avoid sharp discussions and listen to the reasons of those representing the Organisation’s management, and do all that is possible to settle them. Should this state of disagreement persist, the representatives of the Organisation must be requested to fill in the specifically dedicated section on the last page of the audit report and they must be ensured that they will receive a reply from RINA’s Management as soon as possible.

Documents

ITT-SYS03-ALL-01 RINA Rev. 8 · 2019-05-31 · RINA MANAGEMENT SYSTEM AUDIT PERFORMANCE TECHNIQUES ITT-SYS03-ALL-01 Rev. 8 Page 2/33 1 INTRODUCTION The purpose of this document is