Ravindiran Gurusamy, IRCA Certificated Associate Auditor, offers an overview of nonconformance and the corrective action process for management system standards.
Management system standards (MSS) will prevent nonconformities using the process approach, the plan, do, check, act (PDCA) cycle and by utilising risk-based thinking. The process-based approach, which could be said to be more ‘reactive’, enables an understanding and consistency in meeting the requirements, the consideration of processes in terms of added value, and the achievement of effective process performance and improvement of a process based on objective evidence. The risk-based approach can focus not only on risk in the process, but also on opportunities. The risk-based approach allows for preventive action to be carried out to eliminate the potential nonconformities before establishing the process and control measures, and an increased focus on converting the risks into opportunities. The risk-based approach is fundamentally preventive, but the effectiveness will depend on the correctness, completeness, consistency in identifying risk, and actions to address the risk. In this context, the ISO 9001:2015-specified risk-based approach enables the organisation ‘to minimise the negative effects and make maximum use of opportunities as they arise’.
Out of the three approaches, the risk-based approach enables an organisation to determine the factors which could cause its processes and the quality management system (QMS) to deviate from their planned results. It allows the organisation to set up preventive controls, minimising any negative impacts and maximising the use of opportunities as they arise.
Sources of nonconformances
Nonconformances can be identified through:
- any type of audit – first-party, second-party or third-party audits,
- relevant monitoring and measurements; or
- feedback and complaints provided by either customers or relevant stakeholders, both internal and external.
|ISO 9001:2015 clause||Clause description||Nonconformity identified by||Action initiation by|
|8.5||Production and service provision||Quality professionals and process owners||Process owners|
|8.7||Control of nonconforming products||Quality professionals and process owners||Process owners|
|9.1||Monitoring, measurement analysis and evaluation||Quality professionals and process owners||Process owners|
|9.1.2||Customer satisfaction||Customers||Process owners|
|9.2||Internal audit||Internal auditors||Process owners|
|9.2||Second-party audit||Second-party and/or client auditors||Audit client|
|9.2||Third-party audit||Conformance Assessing Bodies’ auditors||Audit client|
Recording an audit nonconformance
- Auditors should note evidence that is relevant to the audit criteria.
- By definition, a nonconformance can only be raised in the event of a requirement not being fulfilled.
- Evaluation of the audit findings may give evidence for a nonconformity.
- The nonconformity statement should be simple, clear and easily understandable.
- The nonconformity should be supported with documented objective evidence.
- The output (of the product or service) should be evaluated against the requirement (in the process or final).
- If it does not meet the requirement (eg, documented information, product requirements, quality management requirements, customer requirements, quality requirements etc), it is declared as a nonconformance output.
- The nonconformance should ensure that the nonconforming item(s) are identified, controlled and prevented from being unintentionally used.
- If the requirements of the customers or other relevant interested parties (internal or external) were not met, then they should also be recorded as a nonconformance.
All nonconformances should be analysed systematically. Clause 10.2 in ISO 9001:2015, states: ‘Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The validity of the information received from external sources will have its own limitations. For example, in the majority of organisations, functions like design, operations, quality assurance and marketing are handled by different teams. Customers will often share feedback with the marketing team only, and when the information is passed on to different teams, it may become distorted. This will affect the organisation’s ability to find the root cause, potential causes and establish corrective actions. The team involved in the analysis of the reported problem must be representative of the different functions relevant to the problem or nonconformance. The problem-solving team should use its resources to obtain the correct information, from the correct sources, at the correct time about the external nonconformances.
ISO 9001:2015 (Clause 10.2): Nonconformity and corrective action
All nonconformances should be analysed systematically. Clause 10.2 in ISO 9001:2015, states: “Corrective actions shall be appropriate to the effects of the nonconformities encountered.” A similar requirement is mandated in other MSS, with additional controls as applicable, including: clause 10.2 in ISO 14001:2015 and ISO 45001:2018, clause 10.1 in ISO 27001:2013, clause 10.1 in ISO 50001:2018, clause 10.1.1 in ISO 21001:2018 and clause 10.2.1 in AS9100D:2016, etc.
The keyword in ISO 9001:2015 is ‘appropriate’, which implies some degree of freedom of choice for the organisation.
Appropriate usage of any one of the problem-solving tools, such as the Pareto Chart, the 5 Whys, Fishbone Diagram, Scatter Diagram and Failure Modes and Effects Analysis, can help identify the source or cause of the nonconformity, and actions can be implemented systematically to prevent the recurrence of the nonconformance.
Closing the nonconformance
The auditee should follow the hierarchy outlined below in identifying the correction, root cause and corrective actions.
- The correction should be the immediate action, to eliminate the detected nonconformity.
- The containment action limits the problem’s extent and establishes normal operations until the causes are defined and permanent corrective actions are implemented.
- Corrective actions are the actions taken on the identified potential causes to avoid the recurrences and to prevent the occurrences elsewhere within the organisation.
- Potential causes are the factors that, if not addressed, may cause the recurrence of the nonconformance.
ISO 9001:2015 Clause 10.2 only requires the organisation to determine the causes. It is good practice to carry out a root cause analysis, along with proper verification and validation against the Standard Operating Procedures (SOPs). Verification and validation against the SOP ascertain the cause which has contributed to the identified nonconformity. During the initial analysis stage, the team may come across many causes/ideas for the encountered problem or nonconformance. The causes were categorised in a Fishbone Diagram under Man, Machine, Material, Method, Measurement and Environment. Obviously, it is good practice to verify and validate each cause against the requirements specified in the organisation’s SOP, Work Instruction Sheets (WIS) or data entered in the records to shortlist the most probable causes for the problem. It is from the most probable causes that the root cause(s) can be identified.
After completing all the identified actions for root causes and potential causes, effectiveness monitoring can be undertaken for a period of six months or as per the rule of thumb for many organisational procedures. It is generally recognised that if the non-conformance has not recurred within six months because of any one of the variables, then it will not recur. The monitoring period can also be changed depending on the nature of the products and services.