The idea of “softgrading” ISO 9001 and AS9100 nonconformities (NCs) is a known problem. This is when your registrar finds a significant problem in your quality management system, one which should by every right be categorized as a major nonconformity, but the auditor writes it up as a minor just to make sure they don’t lose your business. A variant on this is the more common practice of auditors downgrading even minor nonconformities by writing them up as “opportunities for improvement” instead. It’s a pernicious problem, and it’s existed since the earliest days of third-party certification body (CB) auditing. Both ANAB and IAQG have struggled to address this.
But while softgrading is a problem — it can lead to companies that are releasing defective product on the public nevertheless obtaining and maintaining, often for many years, their ISO 9001 certifications — the opposite is also true. This is what I call “hardgrading” nonconformities: the artificial inflation of a minor nonconformity into a major, or the writing of a minor nonconformity where there is no issue at all. We also see the escalation of OFIs (opportunities for improvement) into full blown nonconformities. Hardgrading happens under two circumstances: the first is when you have a “bully” auditor who is just inclined to beat up his clients because … well, because he’s a dick. We’ve all seen them, but they tend not to last too long, since they get poor survey results and eventually wash out.
Typically, however, hardgrading NCs comes about when an auditor is undergoing that on-site witness audit by ANAB. During any other audit, the particular auditor would either audit rather normally, or might engage in softgrading; when ANAB’s witness auditors show up, however, they stiffen up and go absolutely batnuts on writing major nonconformities. It’s all for show: they have to prove to ANAB that they are serious people, doing serious work, and being serious means (for some reason) brutalizing your client to show you’re “tough.”
Everyone knows about the problem, too. Auditors openly discuss it. Over at that loathsome Elsmar site (“people defaming people”), CB auditors boldly post their stories, under their own names and with the names of their employer CBs, of how they write major nonconformities that they’d never do otherwise, but because ANAB was looking over their shoulder. You’d think ANAB might glance at these websites, since the information they allege to be seeking is published right in the open, but that’s not part of the procedure, I guess.
Year of Living Dangerously
Recently, a company approached me with a particularly nasty situation. Historically, they’ve been certified by NQA for many years, and have had normal audit results, sometimes with no nonconformities at all. Last year that jumped to 1 major and a handful of minors when the CB switched auditors; fair enough. Then, NQA switched auditors again, and this time announced that ANAB would be witnessing.
Now take a deep breath and wait for it….
Under the new auditor , with ANAB witnessing, the company received a total of 23 nonconformities, with 17 of those classified as majors. Seventeen major nonconformities. It defies belief how a company could be certified for years and suddenly “spike” in just one year, when no changes occurred to the company, its staff, its management or its QMS. Either the past decade of auditing was a sham, or the auditor was off his chain while showing off to ANAB. Or, what’s more likely, both.
Consider the ramifications, too: this client now faces the loss of major customers who demand AS9100 certification. And if it loses that certification, it will have been for reasons which are utterly invented and the result of a known bad practice in the industry.
I analyzed the findings for the client, as part of Oxebridge’s Audit Defense Services, in order to prepare for some sort of response plan. Of the 17 “major nonconformities,” a full ten of them were clearly hardgraded. These are easy to spot, too, since they typically relied on only one or two pieces of evidence, and a major nonconformity typically can’t be issued on the basis of only one or two data points. In other cases, they were examples of “double ticketing” — where an auditor writes one NC under one clause, and then double-dips by writing the same issue up a second time under another clause. In one case the auditor triple-ticketed, writing the same nonconformity three times, under three separate clauses. Astounding!
Two of the majors were invalid outright, in that they had no objective evidence at all. ISO 17021 requires that any nonconformity, whether minor or major, be supported by objective evidence; without it, the client can’t go back and do containment, nor take corrective action.
Three more of the majors didn’t make any sense, and couldn’t be understood; they had evidence, but the evidence was related to clauses different than the one cited by the auditor as a problem. These, too, are impossible to address, since we can’t fix the problem if we don’t understand the problem. The CB has ignored our request to have them clarified.
In yet another case, the auditor wrote a major nonconformity against ITAR, but didn’t bother to cite the ITAR rule that was violated; sure enough, we threw it over the fence to Oxebridge’s ITAR expert, and it appears the auditor had no actual understanding of ITAR. Whenever auditors write up findings for things outside of the standard itself — such as law or regulations — they need to be very, very careful, since it’s a fair bet that they are not (a) lawyer or (b) regulatory body authorities. If they were, they wouldn’t be working for a registrar.
In fairness, two of the findings were legitimately graded as majors; one pointed to some evidence that potentially nonconforming product may have shipped — always an automatic major under AS9100, and rightfully so — and in the other case an entire clause of the standard had not been properly addressed. But that’s only two out of 17; that means over 88% of the nonconformities written by this auditor — right in front of ANAB — were bogus.
Of the minor nonconformities, these were rife with problems, too. One was valid, three were utterly invalid (no objective evidence) and the remaining three were unclear.
This means of the total findings — majors and minors — only four 4 out of 23 were written per the requirements of ISO 17021, the very standard ANAB was witnessing the CB against.
What Does the Fox Say?
We have no idea what ANAB did after the audit; its interactions with the CB are secret and not revealed in front of the client. So far it does not appear that ANAB cited the CB or auditor for any wrongdoing, since the CB has doubled-down and is demanding the client process all the NCRs as originally written. They just ignored the study we provided. It’s likely going to escalate to a full blown complaint, and it’s not at all clear how the CB thinks it can emerge unscathed in this case. The evidence against them is overwhelming.
Of course, ANAB could easily identify hardgrading if it wanted to: it need merely compare the audit reports of an auditor when he or she is not being witnessed, to those when he or she is being witnessed. What ANAB would see is that when they are in the room, the number of major nonconformities increases, and when they are not, they disappear. ANAB currently takes an informal view that the hardgrading isn’t a problem, since it means ANAB is doing its job by getting auditors to be “tough” on clients; they ignore the fact that these auditors are only being tough when ANAB is in the room, and that often this “toughness” is the result of artificially-inflated nonconformities. They ignore the fact that the CB’s go “soft” again as soon as ANAB leaves. The clients are left dizzy.
Hardgraded? Here’s Your Fix
The solution? I’m proposing something radical to this latest company, and it may help you as well. Most companies think they can just fire their registrar and start over. You can’t. ANAB and the IAF have put controls in place to address this, which were aimed at prohibiting companies from “registrar shopping” to avoid nonconformities. That’s a good thing.
Typically, when faced with hardgraded nonconformities that threaten your company, you have two choices: accept them and allow the certificate to lapse, risking your business, while you try to fix the issues whether or not they are bogus. This is expensive, but would only result in a temporary loss of your certificate.
The second option is to fight back, use the official tools available to you (corrective action responses, appeals and complaints) to have the bogus findings either downgraded to minors or thrown out wholesale. The problem is that the CB will insist — partly out of spite — that if you complain, they will still have to suspend your certificate while the complaint is being processed. This is their way of coercing you into not filing the complaint. They can write to ANAB and get permission to put the cert on hold while the complaint is being processed — there are no rules prohibiting that — but they won’t. Never.
There’s a third option, though, that few would think of; fortunately I have, and in extreme cases it works. The ISO 9001:2015 standard has been generally received by the world as an absolute disaster, and with it the AS9100 Rev D standard, and many purchasing agents and supplier quality engineers know this. Furthermore, when such a solid case for CB incompetence can be made, with documented evidence, this creates the basis for a logical argument that the certification scheme is flawed. If loss of your certification will result in loss of your customers, then you need to change the cards on the table, and have the customers “lose” the certification requirement.
You do this by sending an official request for waiver to your customer’s topmost buying authority, explaining how the new standard is deeply flawed, as is the certification scheme. you argue, with as much logic and evidence as possible, that the CB audit was invalid, but that the IAF rules prohibit you from switching registrasr, and so you will voluntarily allow your certification to lapse for a short period, until such time as you can change registrars while complying with accreditation rules; typically this would be a year or two.
In this same letter, you speak frankly and honestly about the findings the CB discovered, and explain (briefly but accurately — don’t bombard them with too many words) why the findings were invalid. With full transparency, you explain that for the findings that were valid, you intend on correcting them. Give a timeline for when you expect to have the valid findings corrected. You’re not exactly throwing yourself on your sword, you’re throwing the CB on your sword. But be humble about it.
You end this by requesting a 2 year waiver on ISO 9001 (or AS9100, etc.) and permission to continue to serve the customer during this time. You promise that you will obtain certification again, with a new registrar, after that period, and would acquiesce to any decision to revoke your approved supplier status after that period, if you failed to do so. After that, you fire up the QMS again, being sure it’s super clean, with a new registrar; or, if you’re a glutton for punishment, the same registrar. You’ll be treated as a new client, and have to pay a little extra, but you can start fresh.
Until the CBs stop allowing their auditors to act like caffeinated freaks whenever ANAB is in the room, and until ANAB takes as strong a position on hardgrading as it does on softgrading (hint: just read the ISO 17021-1 rules, guys), then you’re stuck with this problem. At least you may have a solution now.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.