Replying to Non-Compliances

Posted on by Chris Brooks

Foreword

The value of compliance monitoring lies less in the number of audits completed, or in the number of non-compliances raised, and much more in the standard of the responses to those non-compliances.  Therein lies the most common deficiency in compliance monitoring systems:  lack of rigour in responding to non-compliances.  In my experience, there are three main reasons for a lack of rigour:

  1. Poorly-written guidance (or, the complete absence of it) for responding to non-compliances;
  2. Poor, or non-existent, training for auditees;
  3. Poor adherence to published CMS standards.

Whatever the reason, lack of rigour in responding to non-compliances increases the probability that the same non-compliances will happen again.  This is no insignificant issue; as organisations become busier and more complex, the negative effect of non-compliances becomes progressively greater and maintaining compliance becomes more difficult.  The cost might only be financial but, each non-compliance has a degree of risk associated with it and the end effect might be severe.

This article is intended, albeit briefly, to address (a) above.  Poor adherence to standards will be the subject of a future article.  Also the subject of further articles will be discussion of root cause analysis and of preventive actions.  Training (Item (b)) is offered tailored to the circumstances of the client.

Definitions

We should start by defining the five basic terms employed when considering responses to non-compliances:

Non-Compliance. Sometimes known as a ‘non-conformance’ or a ‘finding’, a non-compliance is a difference between what should be done (as specified in regulations, manuals or procedures) and what actually is done.  A non-compliance should – always – be accompanied by a precise reference to the item / sub-item of the regulation in question.

Corrective Action. A ‘corrective action’ is the action taken to address the immediate effect of the non-compliance.  It is to be reported by the manager of the area under audit.  Supporting evidence is to be uploaded to the audit record.  Effort should be made to avoid actions such as ‘I have reminded…’.

Root Cause. The ‘root cause’ is the underlying reason for a non-compliance.  Whether your CMS is software-driven or is in hard copy only, a standard system for classifying root causes should be employed and a short justification of that classification recorded.  This is especially useful when seeking to identify systemic deficiencies (e.g.  in organisation).  Albeit designed for non-operational purposes, the BOEING MEDA (Maintenance Error Detection Aid) is ideal for our needs.

Preventive Action. Action taken to address the root cause; to ‘preventing’ the non-compliance from recurring.  Where the corrective and preventive actions are considered to be one and the same, that fact should be stated and justified (this should be the exception to the rule).

Supporting Evidence. Documents, plans, emails, manual revisions, photographs, entries in planners etc.  This is the proof that what is stated in the response has been completed.  The response to a non-compliance should not be accepted without firm evidence of closure.

Note:    In essence, non-compliance / corrective action and root cause / preventive action should be treated as matched pairs. 

Notes on an Effective Response

Taking, in turn, the four components of a response:

Corrective Action. The corrective action should, directly, address the non-compliance.  In the case of a non-compliance that poses an immediate threat to safety, the remedy might be limited to suspension or substantial – and immediate – alteration of the procedure in question.  Any alteration to a procedure must be documented in a controlled manner, briefed to the appropriate personnel (with proof of the same) and advised to the corresponding national aviation authority.  If the alteration would amount to a major change to a controlled manual, prior  permission should be gained from the authority before being enacted.

Root Cause. Some systems allow for the documentation of more than one root cause.  In most cases, however, it should suffice to document only one (the main) root cause and to address it directly using the preventive action.  The root cause should be determined by the manager of the area in question.  I have seen many examples of the auditor being expected to write the root cause as part of the audit report; this should be avoided.  All managers should be able to identify weaknesses in their areas of responsibility and design actions intended to prevent recurrence of a non-compliance.  This is one of the fundamental skills required of a manager; not of an auditor.  Furthermore, to become routinely involved in the identification of root causes and the design of preventive actions compromises the independence of the CMS function.  Outside of the scope of an audit, common sense should apply and it is perfectly acceptable to give advice on options for compliance; however, those are OPTIONS and neither proposals nor instructions.

Preventive Action. By definition, a preventive action should address – directly – the root cause.  One way of looking at the matter is to regard a root cause as a question and the preventive action as the answer.  If the latter does not answer the former, it makes no sense.  Be wary of bad habits in the design of preventive actions.  One of the most common I have seen is a statement such as ‘I have issued an e.mail to remind A Smith of the procedure to be followed’.  This is – very rarely – adequate.  If an individual has failed to follow a procedure, yet the procedure (e.g.  a maintenance procedure) has been published, the root cause is not a bad memory.  Procedures are required to be followed and should be consulted, not remembered.  The effectiveness of training and communication should be questioned first; not memory.  This is not  a matter of mere quality control; failure to follow maintenance procedures lies at the heart of a number of accidents. 

Yet another common error is partial use of the future tense.  It is never acceptable to state something along the lines of ‘The Ops Manual will be revised at the next opportunity’.  There should, always, be a calendar backstop.  An open-ended statement such as the above gives no guarantee regarding timing.  A non-compliance cannot be closed on the promise of an action; it may be closed only once action is proven to have been completed.  Again, common sense does have to prevail.  When a non-compliance is sufficiently minor that timing of the preventive action is relatively unimportant, it might be acceptable to state that a manual – if that is the action in question – has been marked for change at the next review.  In such cases, be specific and provide evidence of said marking (e.g.  a .pdf ‘sticky note’ on the working draft of the next revision).

Supporting Evidence. Examples of supporting evidence might include, but are not necessarily limited to:

  • Manual revisions;
  • Memos or bulletins;
  • Training records;
  • Maintenance records;
  • Project plans;
  • Digital photographs of workplace changes.

A non-compliance should be closed only when adequate supporting evidence has been provided.

SMART Principles

The acid test that must – always – be applied to corrective and to preventive actions is that they satisfy the ‘SMART Principles’.  Application of the principles should, in simple terms, be explained in the CMS manual:

  • S              Specific
  • M            Measurable
  • A             Achievable
  • R              Realistic
  • T              Time-Limited

It is for the auditee to prove to the auditor that what is proposed meets the above.  Dependent entirely upon the severity of the non-compliance, and in consideration of whether or not it is a repeat of an earlier non-compliance, it might be acceptable for the auditee to submit a ‘corrective action plan’ (see below).  This should be the case in exceptional circumstances only.  Without discipline in responding to non-compliances within the original due date (i.e.  without a formal extension), the CMS would considerably be reduced in effectiveness.  The CMS is part of the overall system for management of an organisation; it is NEVER to be considered something to which managers turn their attention only when they are not too busy with other matters.

Corrective Action Plan

A corrective action plan (CAP) is a response to a non-compliance that may not be completed within the due date assigned to a finding.  A CAP would state what is to be done and the target date.  If necessary, a CAP might comprise a number of steps and target dates.  A CAP is a matter of last resort.  It is always preferable, for the sake of efficiency, to close a non-compliance – based upon an acceptable response – within the due date assigned.  A CAP always requires more oversight than a non-compliance closed fully within the original due date.  For that reason, I disagree that a CAP should be submitted within a specified timescale (e.g.  two weeks) then followed up by the original due date.  Such a practice only succeeds in loading the CMS with additional work and is never a guarantee that the final response would be any better.

Footnote:

Should further information be required, including a .pdf version of this article, please contact the Author.