ISO 9001 Corrective Action (Nonconformity and Corrective Action)
Things go wrong within any organization and a formal corrective action process provides a systematic way to capture, assess, and correct issues when they arise. The requirements defined by ISO 9001:2015 (clause 10.2) allow for correction of the immediate problem (containment & correction) and then provide a method for discovering the actual cause of the issue (root cause investigation) and implementing changes to ensure the problem doesn’t happen again (corrective action). The process then asks us to revisit the solution at some point in the future to verify that the solution worked and didn’t create some new unforeseen issues (effectiveness verification). The data and outputs of the process are fed back into the organization’s planning and improvement processes (risk management and performance evaluation).
Nonconformities may include: Customer complaints, nonconforming outputs, audit findings, returned product or rejected services (customer complaints), employee suggestions, initiatives from management review, supplier issues, out-of-spec products, services, or processes. Anything that fails to perform as expected or meet specifications is open to corrective action.
Containment and Control
The first action taken when a nonconformity is identified should be to assess the issue and contain the problem. This means identifying and segregating any nonconforming outputs and stopping the processes that are producing the nonconformities. Once containment is complete, corrections must be implemented to address the immediate source of the nonconformity before activities can be resumed. Controls should be established to ensure the process operates correctly while longer-term corrective actions are established and implemented.
Companies often fail to identify true root causes to nonconformities which results in attacking symptoms and allowing an opportunity for the actual problem to recur. Using a good root cause investigation process and tools is paramount to effective corrective action. Understand and become proficient in the use of tools such as 5-Why or fishbone (Ishikawa) diagrams to help identify true root causes. Also, be sure to keep the investigation team focused on actually fixing the problem rather than completing the corrective action form.
Focus on the big picture during investigations and consider how this problem may manifest in other areas of the company. Are there other similar opportunities for failure and nonconformities? Consider tracking and analyzing trend data where available and applicable. Risk assessments data should also provide an input to corrective action.
Nonconformities can often have more than one root cause, so be thorough during investigations and subsequent implementation of the corrective action activities. You may need to address more than one source of the issue. Also remember to attack the process, not the people associated with the process.
When developing actions to address the root cause(s) make sure the fix is verifiable. There should be a clear measurable or observable way to verify the change worked as planned and didn’t cause any unwanted issues or consequences (see Effectiveness Verification section below).
Consider the full cost to implement the corrective action and verify its effectiveness. For some projects, the cost can be significant and may require capital investment and management approval. Be sure to account for personnel, equipment, facilities, materials, external resources, validation expenses, etc.
Not all issues may warrant formal corrective actions. Per ISO “Corrective actions shall be appropriate to the effect of the nonconformities encountered”. Smaller issues where the failure mode is evident and the fix is relatively easy can be addressed on the spot with little or no documentation. Resource limitations may prohibit an organization from executing formal corrective action on every single issue. Some organizations find value in capturing and tracking minor issues that don’t warrant a formal corrective action in some type of “issues log”. This log may capture quick fixes to minor issues and allows for periodic review and analysis to identify repetitive issues or trends that may warrant more formal corrective actions.
Companies should utilize a risk-based approach to determine those nonconformities for which resources and effort should be allocated. The approach method, criteria, decisions, and results should be documented and executed in a consistent manner. A good practice would be to initiate a corrective action for certain types of nonconformities such as audit findings, customer complaints, safety issues, etc., and at a minimum evaluate these issues to determine the need for a formal investigation. Initiating a corrective action doesn’t necessarily require a full investigation and corrective action, but when an investigation is not completed, the reason and justification for no investigation should be captured in the corrective action records.
While not all investigations require corrective actions be sure to document why corrective actions are not taken following investigations.
As you determine the need for and type of correction action(s) to implement, consider what, if any, changes need to happen to the overall management system or organization. Any changes to the management system should be implemented following the requirements and processes defined in your Change Management procedure.
When root causes investigations indicate that product, service, or process failures resulted from or were attributed to human error, fool-proofing and human error prevention techniques and solutions should be considered and applied as applicable and practical. See our past article “ISO 9001 Operational Planning and Control” for additional information on these techniques.
At some point after the corrective action has been implemented, ISO requires that some type of verification effort be completed to ensure that the corrective actions effectively addressed the nonconformity. This verification should also confirm that no unforeseen or unintended consequences resulted from the corrective action. When this effectiveness check is completed is entirely up to you, but sufficient time should be allowed for the changes to take root and produce results. In some cases this might be a few days. Other changes may take months to demonstrate effectiveness. Some type of process to track and document these verification activities should be implemented and used. Be sure to include explanations and justifications for verification activities that take significant time to complete or continue to be pushed out.
Risks and Opportunities
ISO 9001 requires that risks and opportunities be reviewed and updated, as applicable, based on nonconformities and associated corrective actions. We will cover risk management in a future article but for now, just know that your corrective action process will need to link to and drive updates to risk assessments. Often this can be addressed at the business level during Management Review and/or Strategic Planning activities. If the risk is associated with a product or service, especially one that puts customers as risk, you should immediately review and update product risk assessments (FMEA, hazard analysis, etc.) which we touched on in ISO 9001 Design Outputs.
ISO 9001 corrective action has been a long-term staple of the management system standard and is a core process within many other standards. Your process must include requirements for identifying nonconformities, correcting the immediate issue, investigating the issue to determine the root cause, and defining and implementing corrective actions to prevent future and similar issues from recurring. Don’t forget to follow-up and demonstrate that corrective actions were effective and didn’t cause other issues. Best-in-class systems will analyze corrective action data to identify trends and take proactive steps to prevent issues before they occur. Develop and implement a corrective action system that best suits your organization while satisfying the ISO 9001 corrective action requirements.