Clause 10.2 Non-Conformance & Corrective Action (secrets)

Broadly speaking, the intended outcomes of ISO 9001:2015 are to consistently meet the needs and expectations of your customers and interested parties. The intended outcomes for your particular management system will depend upon your particular organisational context. Everything that you do as an organisation should, in some way, be focused on meeting the intended outcomes of your management system. At a point where you fail to do this, you might choose to describe it as a non-conformance. Non-conformances are the catalysts for corrective actions. Your corrective action process is your systematic approach to fixing failures in achieving your intended outcomes.

Management System Requirements

I mentioned in an earlier chapter that there are 136 ‘shalls’ in the ISO 9001:2015 management system standard. More precisely, 132 of those ‘shalls’ are linked to actual requirements that you must meet successfully for you to gain certification to the management system. Add your organisation’s own requirements to that list and you have a great many things to get right. When we discussed the requirements for internal audit at clause 9.2, the standard described two reasons for performing internal audits:

  1. To identify if the system conforms to your organisation’s own requirements
  2. To identify if the system conforms to the requirements of ISO 9001:2015

An internal audit is a systematic way of gathering objective evidence to identify if you are meeting these requirements, or not as the case may be. If you fail to meet a requirement, then you will potentially raise a non-conformance. Non-conformances can come from a variety of places including but not limited to:

  • Process error
  • Task error
  • Procedure error
  • Communication error
  • Design error
  • Customer complaints
  • Breach of regulation
  • Hazard identification
  • Environmental impacts
  • Training
  • Delivery failures

The list is pretty much endless in that errors can occur at any point of the product or process life cycle. Corrective actions are the means by which you systematically try to fix these errors so that they cause the least amount of damage and (if possible) will not happen again. The actions for dealing with non-conformances as described by clause 10.2.1(a)-(f) are a really good guide if you are completely new to the concept. In fact, when teaching students in class I often recommend that they break the detail of the steps into a series of PowerPoint slides, and use them for their internal corrective actions training.

Analyse The Non-Conformances

The requirements begin at clause 10.2.2:

  1. React to the non-conformance as applicable; the risk-based approach is relevant here. High-risk non-conformances should be dealt with swiftly in order to reduce the negative effect on the customer, safe working environments or environmental impact. Low-risk non-conformances can be allocated more time to complete. ISO 9001:2015 describes two actions for dealing with non-conformances:
     • Action to control and correct it
     • Deal with the consequences

Hopefully, the consequences will not be too serious because you have taken action to control and correct in a timely manner. Not all non-conformances are created equal, and you may decide to ignore some of them because the consequences cause minimal negative impact. Once you have identified those non-conformances that must be dealt with, ISO 9001:2015 provides guidance for how you should deal with them.

  1. Review and analyse the non-conformance; this is the fact-gathering and data collection part of the process. You will be gathering data from interviews and observations so that you can identify:
  • What is the error? Is it a machine, process, procedure, communication or training error etc.?
  • When did the error occur? Is it a new error or a recurring one? When was the error first reported?
  • Where is the error located? Is it local to a machine or a system-generated error that can have an effect on global operations?
  • What are the consequences of the error? Are there serious negative consequences associated with the error? Is there a danger of an accident or negative environmental impact?

Who is going to perform this investigative process? It calls for an objective approach and so it’s best that it is assigned to the process owner. However, if there is specific technical knowledge required that only the process owner can supply, then he or she may have to assist in the investigation. This is a fact-finding exercise and can be assigned to anyone who has been appropriately trained in the investigative process.

Root-Cause Analysis

b(2) Determine the cause; all corrective actions must begin with root-cause analysis. Very often, the causes of non-conformances do not exist in a vacuum. There are sometimes many factors that are the cause of non-conformances. Only by performing a systematic investigation will you reveal those connections. You can employ well-known management tools for investigation and problem solving such as the Ishikawa fishbone technique or the 5 why’s etc. If these tools are unfamiliar to you, then a quick Google search and watching some YouTube videos will soon educate you. I should mention that using these techniques is a collaborative exercise. After the fact-finding exercise is complete, you should work in collaboration while performing a root-cause analysis. There is a very informative YouTube video named The Jefferson Memorial.

The 5 Why’s

So, you’re walking across the shop floor and you turn a corner and witness an operative standing on the forks of an FLV which are raised to their full height. The operative has done this so that a box can be reached from a high shelf. I have actually witnessed this situation.

  1. Why was this happening? Because the motorised ladder unit was broken.
  2. Why was it broken? Because of a lack of maintenance.
  3. Why was it not maintained? Due to a lack of communication.
  4. Why was it not communicated? Due to a lack of training on the process.
  5. Why was the operative not trained? Due to a lack of resources.

A great many non-conformances can be traced back to a failure of communication, education and training. What would happen in the same situation where the motorised ladder was functioning correctly and the operative had been recently trained? In a situation where an employee is simply not following the process and the training provided, then another process is enacted: the HR process of reprimands and warnings etc.

If you are from a health and safety background then you will know about reducing risk to an acceptable level. Sometimes, risk cannot be removed completely, but if you can reduce the risk levels so that their consequences will not cause a negative impact, then your corrective actions can be considered complete. I provided more details on the 4T’s of risk, tolerate, terminate, treat and transfer in the article for clause 6.1 Actions to Address Risks and Opportunities.

b(3) Determine if similar non-conformances exist or could occur; is this a one-off event? Could this problem reveal a product or service defect? For example, you discover that a component is overheating above its accepted design parameters and may cause danger of fire. Thousands of the products have been sold and distributed, which will now have to be recalled. Or, you provide a specialist service for the provision of medical-grade polymers. You discover that one of your ingredient suppliers made a change to their product recently but failed to inform you. Again, this caused a large-scale product recall. These are obvious examples; you might have to probe deeper to identify if the problem (error) could exist in the same way at another location.

  1. Implement required actions; so you have identified the cause of the problem and now you’re thinking about the appropriate action to deal with it. As I mentioned earlier, this is best achieved by collaboration. I say this because quite often it’s hard to see the woods for the trees. Working independently, one can often develop a tunnel vision and only see the solution to a problem from a single perspective. Working within a group, group members might suggest solutions that might simply not have occurred to you. Once you have decided what action to implement, you can decide time frames, roles, responsibilities and authorities and what resources will be required.

  2. Review the effectiveness of the action; in my experience as an auditor, I’ve found this is an area of weakness when dealing with non-conformances. The only way that you can evaluate the effectiveness of your corrective actions is to review and monitor them over a specified time period. You can’t simply implement the correction and then walk away from it. The monitoring and review requirement has to be built into the corrective action. This would include requirements for roles, responsibilities and authorities, observation parameters and time frames. The monitoring and review reports must be fed back into the management system so that organisational knowledge can be updated and communicated. If the original non-conformance was raised by a 1st, 2nd or 3rd party auditor, then your monitoring and review report should be sent to them if you are required to do so. There may be a requirement for updated education, training and communication with regard to process, procedure or task changes that have been implemented.

    The review evidence should seek to confirm that the corrective actions have actually been designed and implemented and that they are correctly related to the original non-conformance. The evidence should also confirm that the corrective actions have been monitored and reviewed for effectiveness over a specified period of time.

  3. Update risks and opportunities; the review might also seek to identify if the risks and opportunities that were identified in clause 6.1 failed to identify the risk associated with the current non-conformance. If there was a failure, then the document that describes risks and opportunities will have to be revised and updated. Your PESTLE analysis back at clause 4.1 is not a one-off process, it is dynamic in nature and must be reviewed and updated frequently. The same concept applies to your capture of risks and opportunities.

    Risk is not static; it can change according to many circumstances, both internal and external. Your corrective action process is a major component of your risk management strategy. Any risk management strategy aims to reduce overall risk down to a minimum. Where risk can’t be eliminated it will be minimised down to acceptable limits. For further information on risk management strategies, see ISO 31000:2018.

Changes To The Management System

  4. Make changes to your management system; corrective actions are one of the drivers toward continual improvement. As I’ve mentioned many times previously, the skeleton that supports all modern management systems is the concept of continual improvement. Corrective actions must become permanent and those changes need to be entered into the management system documentation. Updates and changes to the management system might include but are not limited to:

  • Changes to processes, procedures and tasks.
  • New requirements for training.
  • Updates to communications.
  • Reviews of legal requirements.
  • Contractual reviews.
  • Updates to user instructions.
  • Changes to warranties.
  • Changes in working environments.
  • Changes to insurance requirements.
  • Changes to monitoring, measurement, analysis and evaluation requirements.
  • Updating of roles, responsibilities and authorities.
  • New resource requirements.
  • Updating of the change management process.

A short review of that list emphasises the continuing complexities and requirements of implementing and maintaining a management system. All management systems are living, breathing entities that require care and maintenance in order for them to remain effective. Depending on your organisational context and the complexities of your business activities, the responsibility for management system maintenance should be shared. Personally, I think it’s too much of a task for a single person to perform in most situations.

Risk-Based Approach

The management system makes a final instruction that corrective actions should be appropriate to the effects of the non-conformances. As mentioned earlier, not all non-conformances are created equal and a risk-based approach is important here. High-risk non-conformances will require a faster response and maybe more resources than low-risk non-conformances. Of course, what might be considered a low-risk non-conformance could result in serious, unplanned and unexpected consequences. The best advice here is to adopt a risk-based approach, deal with the high-risk non-conformances first and work backwards from there.

Documented Information Requirements

The authors of ISO 9001:2015 are quite aware of how important the corrective actions process is and how it contributes to the continual improvement of the management system. ISO 9001:2015 is quite specific in its requirements for documented information for this clause. You are required to retain records as evidence of:

  1. The nature of non-conformances; accurate details of the non-conformances that describe when, where and how the non-conformances occurred. These details need to be factual and objective. Try to make the descriptions very short and to the point. Superfluous writing can tend to cause misinterpretation. Where the non-conformance is against an ISO 9001:2015 management system requirement, you can use the acronym RED as a way to describe a non-conformance:

R (requirement); state the requirement of the standard: ISO 9001:2015 Clause 8.3.6.d) requires documented information on ‘the actions taken to prevent adverse impacts’ to be retained.

E (evidence); state the objective evidence gathered: When interviewed, the design manager stated that designers did not need to keep this, and none were found by the auditor.

D (deficiency); state the deficiency between the requirement and the evidence: Nonconformity, as documented information on ‘the actions taken to prevent adverse impacts’ is not retained.

  2. The records of actions taken; are the details of both corrections and corrective actions. They describe your initial actions (corrections) such as isolating a leaking valve and also your corrective actions such as the root-cause analysis and permanent changes.

  3. Records of the results; might include changes to the management system, changes to training and communications, descriptions of the effectiveness and implementation of the corrective actions. Results might also describe how the corrective actions might have affected and caused a change to other systems and processes.

As you have probably gathered by reading this far, I’m a great believer in education, communication and training when it comes to implementing and maintaining management systems. If you are asking employees to understand the importance of continual improvement and the corrective actions process, then it’s important to provide training around these concepts. As I mentioned earlier, simply rewrite the steps from A to F of clause 10.2.1 across some PowerPoint slides and provide that as a basic understanding of the corrective actions process.

ISO 14001:2015

The requirements remain the same as for ISO 9001:2015

ISO 45001:2018

The requirements remain the same as for ISO 9001:2015 except for parts:

(b) Evaluate, with the participation of workers (see 5.4) and the involvement of other relevant interested parties, the need for corrective action; in relation to clause 5.4 consultation and participation of workers – your workers who might be directly affected by hazards and non-conformities are the best people to decide the need for, and the design of, corrective actions. One can easily see how clause 10.2 and clause 5.4 are related. Both clauses are essentially requiring you to consult with workers (or their representatives) about hazard control, non-conformances and corrective actions.

(e) Assess OH&S risks that relate to new or changed hazards, prior to taking action; I talked about the effects of change at clause 6.3. Change can potentially introduce new, unplanned hazards into a working environment. It’s for this reason that changes must be planned so that potential hazards can have safety controls designed before the change occurs. An obvious example would be the introduction of a new piece of machinery that might be replacing an older machine. Does the new machine require new risk assessments, operating procedures or safe maintenance routines etc?

For auditors:

  • Check for the existence of a non-conformity process
  • Check roles and responsibilities for the non-conformity process
  • Check the documentation for non-conformances and investigate a sample through to closure
  • Check records of management review for inclusion of non-conformances and how any have resulted in continual improvement
  • Check that the management system is being updated as a result of the non-conformance process

ISO 14001:2015

As for ISO 9001:2015

ISO 45001:2018

As for ISO 9001:2015 but also:

  • Check that consultation and participation of workers has occurred in relation to the non-conformance process.
  • Check that the results of corrective actions, changes in hazard control and updates to the management system have been communicated to workers or their representatives.

Questions that I’ll answer in future articles:

  • What are examples of nonconformity?
  • What is the NCR procedure?
  • How do you write a nonconformity?
  • What is a corrective action example?
  • How do you find nonconformity?
  • What are the causes of nonconformities?

References: 

  • www.iso.org
  • ISO 9000:2015
  • ISO 9002:2015
  • ISO 14001:2015
  • ISO 45001:2018


(c) All content is copyrighted to ISO Training UK – All rights reserved 2022.

Author Bio

Paul Ingram has over 15 years of experience working in quality, health and safety and environmental management. Specialising as a trainer, he has provided training to thousands of delegates for small and multi-national businesses across the globe. A specialist in management system training and able to design and deliver courses for ISO 9001, 45001 & 14001. This includes implementation, Introduction, Internal Auditor, Lead Auditor, Remote Auditing, Management Brief and many more. For more information about booking a course visit: ISO Training & Consultancy
