ISO 9001:2015 Clause 10.2 Nonconformity and corrective action

ISO 9001:2015 16 Minutes

10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:

  1. react to the nonconformity and, as applicable:
    • take action to control and correct it;
    • deal with the consequences;
  2. evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
    • reviewing and analysing the nonconformity;
    • determining the causes of the nonconformity;
    • determining if similar nonconformities exist, or could potentially occur;
  3. implement any action needed;
  4. review the effectiveness of any corrective action taken;
  5. update risks and opportunities determined during planning, if necessary;
  6. make changes to the quality management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.
10.2.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.

1) When a nonconformity occurs, the organization must react to the nonconformity by taking action to control and correct it; or deal with the consequences;

When a nonconformity occurs within an organization, it is essential to react promptly and effectively to address the issue and ensure that it does not recur. The specific actions taken may vary depending on the nature and severity of the nonconformity, but generally, the organization should follow these steps:

  1. Identify and Document the Nonconformity: The first step is to identify and document the nonconformity. This involves gathering information about what went wrong, where it occurred, when it occurred, and who was involved.
  2. Containment: Once the nonconformity is identified, the organization should take immediate action to contain it. This may involve isolating the affected area, products, or processes to prevent the nonconformity from spreading or causing further damage.
  3. Root Cause Analysis: To prevent similar nonconformities in the future, it’s crucial to determine the root causes of the issue. This involves investigating why the nonconformity occurred in the first place. Tools like the 5 Whys technique or Fishbone (Ishikawa) diagrams are often used for root cause analysis.
  4. Corrective Action: Corrective actions are measures taken to eliminate the root causes of the nonconformity and prevent its recurrence. These actions may include process changes, employee training, equipment maintenance, or any other appropriate steps to address the issue.
  5. Verification of Effectiveness: After implementing corrective actions, the organization should verify their effectiveness. This ensures that the nonconformity has been adequately addressed and that the corrective actions are working as intended.
  6. Preventive Action: In addition to corrective actions, preventive actions are taken to prevent similar nonconformities from occurring in the future. This involves proactively identifying and addressing potential sources of nonconformities to reduce the likelihood of their occurrence.
  7. Documentation and Record Keeping: Throughout the entire process, it is essential to maintain proper documentation and records of the nonconformity, the actions taken, and their outcomes. This documentation is crucial for audit purposes and continuous improvement.
  8. Communication: Effective communication is essential during the entire process. This includes informing relevant stakeholders about the nonconformity, the actions being taken, and the resolution.

So, to answer your question, when a nonconformity occurs, the organization must react by taking action to control and correct it (addressing the immediate issue) and dealing with the consequences (preventing future occurrences). Both corrective and preventive actions are necessary to ensure the organization’s quality, safety, and compliance standards are upheld.

2) When a complaint occurs, the organization must react by taking action to control and correct it; or deal with the consequences;

When a complaint occurs within an organization, the organization must react promptly and effectively to address the complaint and satisfy the customer or stakeholder who raised it. The appropriate reaction typically involves both options you mentioned:

  1. Taking Action to Control and Correct the Complaint:
    • Address the specific issues raised in the complaint by investigating and identifying the root causes.
    • Develop and implement corrective actions to resolve the complaint. These actions should be tailored to the nature of the complaint and should aim to eliminate the root causes.
    • Communicate with the customer or stakeholder who made the complaint, informing them of the actions being taken and providing an estimated timeline for resolution.
    • Ensure that any necessary adjustments are made to products, services, or processes to prevent similar complaints in the future.
    • Monitor and verify the effectiveness of corrective actions to ensure the issue has been adequately addressed.
  2. Dealing with the Consequences of the Complaint:
    • Address any immediate consequences of the complaint, such as providing compensation or refunds to the affected customer if applicable.
    • Evaluate the impact of the complaint on customer satisfaction, reputation, and other relevant factors.
    • If necessary, develop strategies to mitigate the consequences, such as communicating with other stakeholders, conducting public relations efforts, or implementing changes to prevent similar issues in the future.
    • Consider the long-term consequences of the complaint and take steps to improve the organization’s processes and customer service to prevent similar complaints from occurring in the future.

In summary, when a complaint occurs, the organization’s response should be multifaceted, encompassing both corrective actions to address the specific issue and measures to deal with the consequences, which may include repairing relationships with customers and preventing future complaints. Effective complaint management is essential for maintaining customer satisfaction and a positive reputation.

3) The organization must evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by reviewing and analysing the nonconformity; determining the causes of the nonconformity; determining if similar nonconformities exist, or could potentially occur

When a nonconformity occurs within an organization, it’s crucial to evaluate the need for action to eliminate the causes of the nonconformity to prevent its recurrence or occurrence elsewhere. This evaluation typically involves a systematic approach, and as you mentioned, it should include the following steps:

a) Reviewing and Analyzing the Nonconformity:

  • Begin by thoroughly reviewing and analyzing the nonconformity. This includes gathering all available information related to the nonconformity, such as incident reports, customer complaints, inspection data, and any other relevant documentation.
  • Examine the details of the nonconformity, including when and where it occurred, who was involved, and its specific impact on products, services, or processes.
  • This review helps in gaining a clear understanding of the nature and scope of the nonconformity.

b) Determining the Causes of the Nonconformity:

  • Conduct a root cause analysis to determine why the nonconformity occurred. This involves identifying the underlying factors and systemic issues that contributed to the nonconformity.
  • Utilize tools like the 5 Whys, Fishbone diagrams (Ishikawa), fault tree analysis, or failure mode and effects analysis (FMEA) to delve into the causes.
  • The goal is to pinpoint the specific weaknesses or failures in processes, procedures, training, or other elements that led to the nonconformity.

c) Determining if Similar Nonconformities Exist or Could Potentially Occur:

  • After identifying the root causes of the nonconformity, assess whether similar nonconformities exist in other parts of the organization or could potentially occur.
  • Review historical data, conduct risk assessments, and evaluate similar processes or products to identify potential areas of concern.
  • This proactive approach helps in preventing the recurrence of similar issues by addressing them before they become nonconformities.

Once these steps are completed, the organization can develop and implement corrective actions to address the specific causes of the nonconformity and preventive actions to minimize the risk of similar nonconformities occurring in the future. This systematic approach to evaluating and addressing nonconformities is a fundamental aspect of quality management systems and continuous improvement processes, such as those outlined in ISO 9001.

4) When the non conformance occurs, the organization must implement any action needed;

When a nonconformity occurs within an organization, it is essential for the organization to implement any necessary actions for several important reasons:

  1. Nonconformities often arise from issues related to product or service quality, safety, or reliability. Failing to address these issues can lead to dissatisfied customers, which can result in loss of business, damage to the organization’s reputation, and potential legal liabilities.
  2. Many organizations operate within regulated industries where compliance with specific standards, laws, or regulations is mandatory. Nonconformities can lead to compliance breaches, which can result in fines, legal actions, or even the suspension of operations. Implementing corrective and preventive actions is necessary to maintain compliance.
  3. Nonconformities can disrupt the normal flow of operations. Addressing these issues promptly can help prevent production delays, increased operational costs, and resource wastage. Implementing actions to correct and prevent nonconformities helps maintain operational efficiency.
  4. Identifying and addressing nonconformities is an essential part of the continuous improvement process. By understanding the root causes of nonconformities and taking action to eliminate them, organizations can enhance their processes, reduce errors, and increase overall efficiency and effectiveness.
  5. Nonconformities often signify risks within an organization. Failing to address these risks can lead to more significant issues down the line. Implementing corrective and preventive actions helps mitigate these risks, preventing potential crises and emergencies.
  6. Nonconformities can result in legal and liability issues, especially in cases where nonconformities lead to harm, injury, or damage. Implementing actions helps demonstrate the organization’s commitment to rectify its mistakes and can reduce the likelihood of legal action.
  7. Addressing nonconformities promptly and effectively can demonstrate to customers that the organization is responsive and committed to providing quality products or services. This can improve customer retention and loyalty.
  8. Nonconformities can harm an organization’s reputation, and a damaged reputation can be challenging to rebuild. Implementing actions to address nonconformities and prevent their recurrence is vital for protecting and managing the organization’s reputation.

In summary, implementing actions to address nonconformities is essential for maintaining customer satisfaction, compliance with regulations, operational efficiency, risk mitigation, and overall organizational health. It is a proactive approach that helps organizations avoid costly consequences and improve their processes over time.

5) The organization must review the effectiveness of any corrective action taken

Reviewing the effectiveness of corrective actions is a crucial step in the process of addressing nonconformities and ensuring that the underlying issues have been adequately resolved. This review is an integral part of a continuous improvement cycle and helps organizations verify that the corrective actions taken have achieved the desired results. Here’s why reviewing the effectiveness of corrective actions is important:

  1. Verification of Problem Resolution: Reviewing effectiveness confirms whether the initial problem or nonconformity has been fully resolved. It ensures that the identified root causes have been addressed and that the issue no longer exists.
  2. Preventing Recurrence: By assessing the effectiveness of corrective actions, organizations can determine whether there is a risk of the nonconformity recurring. This proactive approach helps prevent future occurrences of the same problem.
  3. Ensuring Compliance: In regulated industries, verifying the effectiveness of corrective actions is essential to demonstrate compliance with relevant standards and regulations. Regulatory authorities often require evidence that nonconformities have been adequately addressed.
  4. Customer Satisfaction: Effective corrective actions contribute to improved customer satisfaction. A review of effectiveness helps ensure that the organization’s efforts align with customer expectations, leading to higher levels of satisfaction.
  5. Resource Allocation: Organizations invest resources (time, money, personnel) in implementing corrective actions. Evaluating effectiveness allows organizations to assess whether these resources were well-spent and whether any adjustments are needed.
  6. Continuous Improvement: Reviewing corrective actions is part of the PDCA (Plan-Do-Check-Act) cycle, a fundamental principle of quality management systems. It fosters a culture of continuous improvement by providing feedback on what works and what needs further refinement.
  7. Data-Driven Decision Making: The review process typically involves collecting data and metrics to assess the outcomes of corrective actions. This data can inform future decisions, helping the organization make informed choices about process improvements.
  8. Documentation and Records: Maintaining records of corrective action reviews is essential for audit purposes and to demonstrate due diligence in addressing nonconformities.

To effectively review corrective actions, organizations should establish clear criteria for success, conduct follow-up audits or inspections, and engage relevant stakeholders to provide feedback. If the corrective actions are found to be ineffective or if the nonconformity recurs, the organization should revisit the root cause analysis and implement more robust actions.In conclusion, reviewing the effectiveness of corrective actions is a fundamental step in the process of addressing nonconformities, fostering continuous improvement, and ensuring the long-term health and success of an organization.

6) The organization must update risks and opportunities determined during planning, if necessary;

When a nonconformity occurs within an organization, it can indeed be an opportunity to update and refine the organization’s assessment of risks and opportunities. Here’s how the occurrence of a nonconformity can influence the evaluation of risks and opportunities:

  1. Identifying New Risks: The nonconformity itself can highlight previously unidentified risks. By analyzing the root causes of the nonconformity, the organization may uncover systemic weaknesses or vulnerabilities in its processes, which could lead to the identification of new risks that need to be addressed.
  2. Evaluating the Impact: Nonconformities often have consequences that impact various aspects of the organization, such as product quality, customer satisfaction, or regulatory compliance. Assessing the impact of the nonconformity can provide insights into the severity of certain risks or the potential for risks to materialize.
  3. Reviewing Controls: Nonconformities may reveal weaknesses in existing controls or risk mitigation strategies. Organizations can use these instances to reassess the effectiveness of their current risk management measures and update or strengthen controls as needed.
  4. Opportunities for Improvement: Nonconformities also present opportunities for improvement. By addressing the root causes and implementing corrective and preventive actions, organizations can enhance their processes, reduce errors, and seize opportunities to optimize operations or enhance product quality.
  5. Stakeholder Feedback: Nonconformities often trigger feedback from customers, regulators, or other stakeholders. This feedback can shed light on customer expectations, market trends, and emerging opportunities that the organization may need to consider.
  6. Compliance and Regulatory Implications: Depending on the nature of the nonconformity, there may be compliance or regulatory implications. These may include changes in regulations or standards that affect the organization’s risk profile or create new opportunities.

To effectively update risks and opportunities following a nonconformity, organizations should incorporate the following steps:

  1. Root Cause Analysis: Thoroughly investigate the nonconformity to identify the root causes. This analysis can reveal weaknesses in existing processes and controls, leading to updates in risk assessments.
  2. Risk Assessment: Review and reevaluate the organization’s risk assessment in light of the new information and insights gained from the nonconformity. Consider how the nonconformity impacts risk likelihood and severity.
  3. Opportunity Identification: Similarly, assess how the nonconformity and its resolution might create opportunities for improvement or optimization within the organization. These opportunities can be integrated into the organization’s strategic planning.
  4. Controls and Actions: Determine if adjustments are needed in risk mitigation measures or actions to seize opportunities. Update risk management plans and strategic initiatives accordingly.
  5. Communication: Ensure that relevant stakeholders are informed about the updated risks and opportunities and any corresponding changes in strategies or plans.

By treating nonconformities as learning opportunities, organizations can enhance their risk management practices and strategic planning, ultimately strengthening their ability to navigate challenges and leverage opportunities effectively.

7) When non conformity occurs, organization must make changes to the quality management system, if necessary

When a nonconformity occurs within an organization, it can indeed necessitate changes to the organization’s quality management system (QMS), if such changes are necessary to prevent the recurrence of the nonconformity or to improve the overall effectiveness of the QMS. Here’s why and how changes to the QMS may be required following a nonconformity:

Why Changes to the QMS May Be Necessary:

  1. Preventing Recurrence: The primary goal of addressing a nonconformity is to prevent its recurrence. If the nonconformity is a result of weaknesses in the QMS processes, procedures, or controls, changes to the QMS may be necessary to eliminate these weaknesses.
  2. Continuous Improvement: Nonconformities provide opportunities for learning and improvement. Organizations should view them as feedback mechanisms that can highlight areas where the QMS can be enhanced to prevent similar issues in the future.
  3. Alignment with Standards and Regulations: If the nonconformity resulted in non-compliance with quality standards or regulatory requirements, changes to the QMS may be required to ensure ongoing compliance.
  4. Customer Satisfaction: Nonconformities often impact customer satisfaction. Improving the QMS can lead to better product or service quality, which can in turn enhance customer satisfaction and loyalty.

How to Make Changes to the QMS:

  1. Root Cause Analysis: Begin by conducting a thorough root cause analysis to determine why the nonconformity occurred. Identify weaknesses or gaps in the QMS processes that contributed to the nonconformity.
  2. Corrective Actions: Develop and implement corrective actions to address the root causes of the nonconformity. These actions may include process changes, updated procedures, additional training, or other measures designed to prevent recurrence.
  3. Preventive Actions: In addition to corrective actions, implement preventive actions to minimize the risk of similar nonconformities occurring in the future. This involves proactively identifying and addressing potential sources of nonconformities.
  4. Risk Assessment: Reassess the organization’s risk assessment and management processes to incorporate any new insights gained from the nonconformity. Ensure that identified risks are effectively mitigated.
  5. Quality Policy and Objectives: Review and, if necessary, update the organization’s quality policy and objectives to reflect the changes made to the QMS. Ensure that these documents align with the organization’s commitment to quality.
  6. Documentation: Update relevant documentation, including quality manuals, procedures, work instructions, and process maps, to reflect the changes in the QMS.
  7. Training and Communication: Provide training to employees on the updated QMS processes and procedures. Communicate the changes effectively throughout the organization to ensure everyone is aware of the improvements.
  8. Monitoring and Measurement: Implement new monitoring and measurement processes to track the effectiveness of the changes made to the QMS. Regularly assess whether the changes are achieving the desired outcomes.
  9. Audit and Review: Include the changes in the QMS as part of the organization’s internal audit and management review processes. This ensures ongoing evaluation and improvement.
  10. Continuous Improvement: Establish a culture of continuous improvement within the organization. Encourage employees to report potential nonconformities and suggest improvements to the QMS.

By making necessary changes to the QMS following a nonconformity, organizations can strengthen their quality management processes, enhance product or service quality, and demonstrate a commitment to ongoing improvement. This contributes to the organization’s ability to consistently meet customer requirements and maintain compliance with quality standards.

8) Corrective actions shall be appropriate to the effects of the nonconformities encountered.

Corrective actions taken by an organization should be appropriate to the effects of the nonconformities encountered. This principle is a fundamental aspect of effective quality management and is outlined in various quality management system standards, including ISO 9001. Here’s why it’s important and what it entails:

Why Corrective Actions Should Be Appropriate to the Effects of Nonconformities:

  1. Proportional Response: The corrective actions should be proportionate to the significance and potential impact of the nonconformity. Minor nonconformities may require less extensive actions than major ones. Matching the response to the severity of the nonconformity ensures efficient resource allocation.
  2. Preventing Recurrence: The purpose of corrective actions is to eliminate the root causes of nonconformities and prevent their recurrence. Effective corrective actions directly address the factors that led to the nonconformity, ensuring that similar issues do not arise in the future.
  3. Minimizing Risk: Nonconformities can have varying degrees of risk associated with them. Corrective actions should aim to minimize or mitigate these risks. Inadequate corrective actions can expose the organization to continued risk.
  4. Cost-Efficiency: Implementing corrective actions can involve costs related to time, materials, and labor. Appropriateness ensures that these resources are used efficiently, avoiding unnecessary expenditures.
  5. Customer Satisfaction: Corrective actions that effectively address the effects of nonconformities contribute to improved product or service quality, which can enhance customer satisfaction. Inappropriately applied corrective actions may not fully satisfy customer expectations.

What Appropriate Corrective Actions Entail:

  1. Root Cause Analysis: Begin by conducting a thorough root cause analysis to identify the underlying factors that led to the nonconformity. This analysis informs the selection of appropriate corrective actions.
  2. Tailored Solutions: Develop corrective actions that are tailored to the specific nonconformity. This might involve process changes, training, equipment maintenance, or other measures that directly address the identified root causes.
  3. Effectiveness Assessment: Evaluate the anticipated effectiveness of the corrective actions in preventing recurrence. This assessment should be based on data, analysis, and expert judgment.
  4. Risk Assessment: Consider the potential risks associated with the nonconformity when determining the appropriateness of corrective actions. Actions should aim to reduce or eliminate these risks.
  5. Continuous Improvement: View corrective actions as an opportunity for continuous improvement. Beyond addressing the immediate nonconformity, assess whether the actions can lead to broader process enhancements.
  6. Documentation and Communication: Document the corrective actions taken and communicate them effectively within the organization. Ensure that relevant stakeholders are aware of the actions and their expected outcomes.
  7. Monitoring and Verification: Monitor the implementation of corrective actions and verify their effectiveness. Confirm that the nonconformity has been adequately addressed and that the actions have resulted in the desired improvements.

By ensuring that corrective actions are appropriate to the effects of nonconformities, organizations can effectively manage their quality, mitigate risks, and maintain compliance with quality management standards. This approach fosters a culture of quality and continuous improvement within the organization.

10) The organization shall retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken; and the results of any corrective action.

retaining documented information as evidence of the nature of nonconformities and any subsequent actions taken, as well as the results of corrective actions, is a critical practice for effective quality management and compliance with quality management standards,

Documented Information:

  1. Nonconformity Report (NCR) or Incident Report: ISO 9001 does not prescribe a specific format, but organizations must have a documented process for recording and reporting nonconformities when they are identified. This report should include details such as the nature of the nonconformity, its location, date, and the person who identified it.
  2. Corrective Action Plan: When a nonconformity is identified, organizations should document the plan for corrective action. This plan outlines the actions to be taken to address the nonconformity, including responsibilities, timelines, and resources required.
  3. Records of Corrective Actions: Maintain records of the actions taken to correct nonconformities. These records should include information about what actions were taken, who was responsible, when they were completed, and any supporting evidence or documentation.
  4. Root Cause Analysis: Organizations should document the results of the root cause analysis conducted to determine why the nonconformity occurred. This analysis helps in identifying the underlying causes that need to be addressed to prevent recurrence.
  5. Preventive Action Plan: If the organization identifies potential nonconformities or areas of concern during the corrective action process, a documented preventive action plan may be required. This plan outlines the actions to be taken to prevent similar issues in the future.

Records:

  1. Nonconformity Records: Maintain records of all identified nonconformities, including their descriptions, investigation details, and actions taken to address them. These records serve as historical data and evidence of the organization’s nonconformity management process.
  2. Corrective Action Records: Keep records of all corrective actions implemented, including documentation of the actions, their effectiveness, and any follow-up actions or verifications. These records demonstrate the organization’s commitment to resolving nonconformities.
  3. Preventive Action Records: If preventive actions are taken, maintain records of these actions, including the plan, actions taken, and their effectiveness. These records demonstrate proactive efforts to prevent nonconformities.
  4. Review and Verification Records: Records of reviews, verifications, and assessments conducted to evaluate the effectiveness of corrective and preventive actions should be kept. These records demonstrate that the organization has evaluated whether the actions have achieved the desired results.
  5. Management Review Records: Any discussions or decisions related to nonconformities and corrective actions during management reviews should be documented. This provides evidence of top management’s involvement and commitment to quality improvement.
  6. Training Records: Records of training provided to employees involved in the nonconformity and corrective action process should be maintained. This ensures that personnel are competent to carry out their responsibilities in this regard.

These documents and records collectively provide evidence of an organization’s commitment to addressing nonconformities, continuously improving its processes, and ensuring the effectiveness of its quality management system in accordance with ISO 9001:2015 Clause 10.2. It’s important for organizations to establish clear processes for creating, maintaining, and retaining these documents and records as part of their quality management system.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply