Nonconformity
- What is nonconformity and how is it defined in ISO 9001:2015?
- How do companies address and prevent nonconformities?
- What are some common questions companies have about nonconformities?
A nonconformity is the failure of an organization to meet any of the requirements of its quality management system. These requirements can come from organization policies, an international standard (such as ISO 9001), customers, suppliers, laws, or industry regulations. ISO 9001 directs organizations to use corrective action and preventive action to eliminate nonconformities both reactively and proactively.
It is critically important that everyone involved in the planning, implementation, execution, and evaluation of a quality management system understands the concept of nonconformity and its relationship to corrective and preventive action. Remember, the purpose of your quality management system is to ensure that you meet the needs and expectations of your interested parties, because they ultimately decide your organization’s fate. Failure to take corrective and preventive action in response to deviations from requirements therefore defeats the purpose of having that quality management system, threatens your relationship with and reputation among your organization’s stakeholders, and is detrimental to your organization’s success.
Nonconformity’s role in the ISO 9001:2015 standard
Clause 10.2 of ISO 9001:2015, titled “Nonconformity and corrective action,” replaces clause 8.5.2 of the previous standard. This substantially updated clause establishes the practices and procedures an organization must follow when dealing with nonconformities. Clause 10.2’s foundation is the idea that correcting nonconformities after they occur is not sufficient. Organizations must not only deal with the consequences of nonconformities but also proactively take measures to prevent the recurrence of the nonconformity and other, similar nonconformities.
ISO 9001:2015 still mandates that organizations control nonconformities and their effects through corrective and preventive action, though the standard no longer mentions preventive action by name. The standard also retains its requirement to evaluate the results of all corrective actions.
New to ISO 9001:2015 are mandates to modify the quality management system to prevent nonconformities when necessary and to retain documented information about nonconformities and the measures taken to address them. ISO 9001 eliminates the requirement for a documented corrective action procedure, though we recommend creating one regardless.
The new modifications that affect how an organization must manage nonconformity are not limited to clause 10.2. In addition to the new requirements listed above, ISO 9001:2015 clause 6.1: Actions to Address Risks and Opportunities makes a subtle but powerful addition: a broad and rigorous approach to quality management called “risk-based thinking”. In addition to taking action to prevent negative outcomes, this quality management philosophy encourages organizations to seek out and seize upon positive opportunities for benefit and improvement and to balance the potential risks and benefits of any action or decision. The implication of this approach for your organization’s procedures for addressing nonconformity is that some potential nonconformities may not invalidate the actions that could cause them if the potential benefits of those actions are greater than the potential harm caused by the nonconformity.
Clause 6.1: Actions to Address Risks and Opportunities most explicitly defines ISO 9001’s risk-based thinking principles, but its tenets influence the wording and intent of the entire standard, especially .
Nonconformities in an Audit
Be aware of the difference between major and minor nonconformities. Though ISO 9001 does not grade or categorize nonconformities – something either conforms or it does not – certification auditors usually do distinguish between major and minor nonconformities, and this distinction will affect your organization’s certification status.
Minor nonconformities are not serious enough to prevent the violated requirements from fulfilling their purpose. Minor nonconformities are generally isolated to individual instances and are often due to the oversight of a single employee or small group of employees. Minor nonconformities will not disqualify your organization from certification as long as you correct them quickly.
A major nonconformity, on the other hand, is serious enough to make the intended results of its associated requirements unachievable. Major nonconformities have potentially catastrophic consequences for your organization and are grounds for denying or revoking certification if discovered during a registrar audit.
You can prevent major nonconformities from affecting audits by making sure they do not exist in the first place, and the best way to do so is aggressive and sincere implementation of your quality management system. If your quality management system only exists on paper and your organization neglects to enforce its requirements, major nonconformities will proliferate, and certification auditors will notice. More importantly, major nonconformities can cause serious harm to your organization, so you should be prepared to devote more resources to identifying, preventing, and correcting them.
How to address, correct, and prevent nonconformities
- Conduct thorough and well-planned internal audits; they are the primary means of detecting both existing and potential nonconformities.
- Rely on a comprehensive internal audit checklist, a set of questions evaluating the level of conformance with individual requirements.
- Write up audit findings in a high-quality audit report and support audit findings with solid evidence.
- Use a gap analysis audit when preparing to update a QMS for ISO 9001:2015 compliance to identify gaps or overlooked ISO 9001:2015 requirements.
- Issue thorough and thoughtful nonconformance reports. An organization cannot realistically expect to fix and prevent nonconformities without understanding them. A good nonconformance report builds such an understanding by highlighting:
  - which requirement was violated by the nonconformity
  - the consequences of the nonconformity
  - measures to be taken to prevent the nonconformity from occurring again
  - the corrective action the organization will take to address the nonconformity and prevent it from recurring
- Develop a corrective and preventive action (CAPA) plan. Once the team responsible for dealing with QMS violations fully understands the problem, it must design and enact a CAPA plan to prevent the nonconformity from recurring in the future and to make sure similar nonconformities never crop up.
Common questions about nonconformities
Does failure to meet an objective constitute a nonconformity?
Certification auditors generally do not consider the failure to meet a quality objective to be a nonconformity. Quality objectives are goals, not requirements. Unmet objectives are useful tools in and of themselves, because they expose shortcomings and thereby assist your organization in pursuing its continual improvement.
However, note that auditors who find in subsequent audits that objectives remain unmet due to inaction will often count these failures as nonconformities.
Your organization, on the other hand, should view unmet objectives as nonconformities. An unmet quality objective indicates failure somewhere in your organization. Failure to meet an objective indicates that something is amiss in your quality management plan, and you must take prompt action to fix the problem.
What are the most common nonconformities?
Failure to fully update quality management systems is the most common source of nonconformities reported in certification audits. If the nonconformity is present in multiple parts of your organization or occurring repeatedly, the auditor will consider the oversight a major nonconformity and deny or revoke your ISO 9001 certification. More importantly, undiscovered and unaddressed nonconformities will hurt your organization sooner or later, so using internal audits to find and deal with them is a necessity.
Ensuring effective internal auditing practices, conducting gap detection audits for 2015 compliance, and successfully implementing corrective and preventive action in response to any threats or impediments to conformance will secure your ISO 9001:2015 certification. Taking these measures will also help you ensure the quality of your products and services and protect your organization’s reputation by preventing nonconformities and their damaging effects.