9.1 Internal systems audits (ISO 19011)
While Layered Process Audits (LPA) check if the operator is following the written rules today, the Internal Systems Audit asks if the rules themselves are compliant, effective, and actively utilized. This is a comprehensive health check of your entire Quality Management System (QMS). Treating the internal audit as a superficial compliance exercise wastes engineering resources and obscures risk. The goal of an internal audit is to proactively identify structural gaps in your own foundation before they impact your customers.
The Auditor’s mindset: fact finder, not fault finder
Section titled “The Auditor’s mindset: fact finder, not fault finder”A professional audit is a structured sampling exercise designed to verify objective conformity to a defined engineering standard. The auditor’s authority comes from that written standard.
The Golden Rule of Independence:
An auditor cannot audit a process they currently manage; a conflict of interest compromises the result. Auditors should have a direct reporting line to Quality Leadership to maintain independence from Production.
The “Show Me” Rule:
Auditors rely on documented evidence rather than verbal assurances. Data is essential.
- Auditee: “We calibrate the torque drivers on the line every Monday.”
- Auditor: “Excellent. Show me the specific calibration log for the last three Mondays.”
- The Logic: When the log is missing or unsigned, the calibration cannot be verified, resulting in a non-conformance finding.
Risk-based scheduling (optimize your audits)
Section titled “Risk-based scheduling (optimize your audits)”Avoid auditing every department with the exact same frequency simply to fill out an annual schedule. Allocate auditing resources where the active risk resides.
The Scheduling Logic:
Whenever a specific process generates a major CAR (Corrective Action Request) or a severe Customer Complaint, increase its audit frequency. For processes involving “Special Processes” (e.g. Wave Soldering, Conformal Coating) where the physical output cannot be fully verified by non-destructive inspection, audit them more frequently. When a low-risk department has been stable with zero findings for an extended period, reduce their audit frequency to baseline compliance levels to optimize resources.
Classifying findings (the grading scale)
Section titled “Classifying findings (the grading scale)”Use predefined definitions to correctly categorize factory issues.
Major Non-Conformance (The Systemic Gap):
- Definition: A systemic breakdown of a critical quality requirement, or a direct risk of shipping non-conforming product to the customer.
- Example: No formal Control Plan exists for a newly launched product line, or product was shipped without a signed Engineering Deviation waiver when required.
- Action: Immediate investigation and Escalation to Executive Management Review.
Minor Non-Conformance (The Isolated Lapse):
- Definition: A single, isolated observed lapse in procedural discipline that does not actively threaten the integrity of the overall system or the final product.
- Example: One traveler document in a sample of ten is missing a secondary signature, or a calibration sticker fell off a storage bin.
- Action: Formally document and fix the specific gap within an agreed timeframe.
Opportunity for Improvement (OFI):
- Definition: The process is technically ISO compliant, but it is inefficient or carries unnecessary latent risk.
- Example: “The standard is met, but consider digitizing this handwritten log into the MES to prevent future transcription errors.”
- Action: Optional implementation by the process owner, recommended for continuous improvement.
Final Checkout: Internal systems audits (ISO 19011)
Section titled “Final Checkout: Internal systems audits (ISO 19011)”| Control Point | Engineering Requirement | Structural Risk Avoided |
|---|---|---|
| Auditor Independence | The Auditor must not belong to or report to the department being audited. | Conflict of Interest / Managerial Bias. |
| Audit Evidence | Findings must be based exclusively on Objective Evidence (Hard Records, Data Logs, Photos). | Subjective Disputes. |
| Audit Frequency | The schedule must be dynamically driven by live Risk data and Past Performance. | Inefficient use of engineering time. |
| The Closing Strategy | No surprises. All findings must be openly discussed with the Auditee before the final report is published. | Adversarial department relationships. |
| Targeted Follow-up | The Quality team must verify the physical effectiveness of the CAPA, not just confirm the paperwork. | Recurrent Findings month over month. |