ISO 9001 Nonconformity and Corrective Action: A Practical Guide

Nonconformities are inevitable.

Products fail inspections. Services do not meet customer requirements. Procedures are ignored. Documents are used at the wrong revision. Suppliers deliver the wrong materials.

Even well-managed organisations will occasionally get something wrong.

The important question is not whether a nonconformity occurs. It is whether the organisation identifies it, controls the consequences, understands why it happened and takes appropriate action to stop it from happening again.

This is the purpose of nonconformity and corrective action within ISO 9001.

Unfortunately, many organisations make the process much more complicated than it needs to be.

A form is opened, somebody is blamed, the immediate problem is fixed and the report remains in a register for several months waiting for closure.

That is not an effective corrective-action process.

This guide explains what an ISO 9001 nonconformity is, the difference between correction and corrective action, how to investigate root causes and how to close findings using objective evidence.

Revision update: ISO 9001:2015 remains the current published edition. A revised edition is expected in September 2026. Organisations should continue using the current requirements until the new edition and applicable transition arrangements are officially published.

What is a nonconformity in ISO 9001?

A nonconformity is the non-fulfilment of a requirement.

The definition of what a nonconformity is, comes from the ISO 9000 standard (same family of standards as the ISO 9001).

In plain English, something was required to happen, but it did not happen as required.

A requirement might come from:

  • A customer contract.
  • A drawing or specification.
  • A product standard.
  • A legal or regulatory obligation.
  • An approved procedure.
  • A work instruction.
  • An inspection or test plan.
  • A supplier agreement.
  • The organisation’s Quality Management System.
  • ISO 9001 itself.

A nonconformity should therefore be based on evidence—not someone’s personal opinion.

The basic test is:

What was the requirement, and what evidence demonstrates that it was not met?

If neither of those points can be established, the issue may be a concern, observation or improvement opportunity rather than a confirmed nonconformity.

Examples of ISO 9001 nonconformities

Nonconformities can affect products, services, processes or the QMS itself.

Examples include:

  • A product fails its final inspection.
  • Work is completed using an obsolete drawing.
  • A service is delivered later than the agreed deadline.
  • A required inspection is missed.
  • An employee performs specialist work without demonstrated competence.
  • A measuring instrument is used after its calibration has expired.
  • An unapproved supplier provides a critical component.
  • A customer complaint is not investigated.
  • A design change is implemented without review or approval.
  • Internal audits are not completed according to the programme.
  • Corrective actions remain overdue without justification.
  • Management reviews do not consider required performance information.
  • Records cannot demonstrate that a required activity was completed.
  • A procedure describes controls that are not followed in practice.

The seriousness of each issue depends on its extent, consequences and risk.

One missing signature does not automatically have the same significance as releasing an unsafe or defective product.

What does ISO 9001 require?

Clause 10.2 of ISO 9001 addresses nonconformity and corrective action.

When a nonconformity occurs, the organisation needs to react to it and, where applicable:

  • Control the nonconformity.
  • Correct it.
  • Deal with its consequences.
  • Evaluate whether action is needed to eliminate its cause.
  • Determine whether similar problems exist or could occur elsewhere.
  • Implement the necessary action.
  • Review whether the corrective action was effective.
  • Update risks and opportunities where necessary.
  • Make appropriate changes to the QMS.

The organisation must retain documented information showing:

  • The nature of the nonconformity.
  • The actions subsequently taken.
  • The results of corrective action.

The action should be appropriate to the effect of the problem.

This is important because ISO 9001 does not require the same level of investigation for every small mistake.

What is the difference between a nonconformity and an NCR?

A nonconformity is the actual failure to meet a requirement.

An NCR is a Nonconformity Report or Non-Conformance Report used to record and manage that failure.

For example:

  • Concrete that does not achieve the specified strength is the nonconformity.
  • The document used to describe, investigate and close that problem is the NCR.

The term NCR is widely used in construction, manufacturing and engineering.

Other organisations may use terms such as:

  • Nonconformance report.
  • Nonconformity record.
  • Deviation report.
  • Defect report.
  • Quality incident.
  • Corrective Action Request.
  • CAR.
  • CAPA record.
  • Issue report.

The name of the form matters less than whether the process controls the problem effectively.

For a construction-specific explanation, see our guide to NCRs in construction projects, including common site examples and the typical stages of an NCR.

Correction, containment and corrective action

These terms are often confused, but they describe different activities.

What is containment?

Containment is the immediate action taken to control the extent of a problem and prevent further consequences.

Examples include:

  • Stopping production.
  • Suspending an activity.
  • Segregating affected materials.
  • Quarantining a batch.
  • Blocking a product from delivery.
  • Informing affected teams.
  • Identifying other potentially affected outputs.
  • Protecting completed work from further damage.

Containment gives the organisation time to understand the problem.

It does not necessarily correct the nonconformity or prevent recurrence.

What is a correction?

A correction eliminates a detected nonconformity.

Examples include:

  • Repairing defective work.
  • Replacing an incorrect component.
  • Reissuing a document at the correct revision.
  • Repeating an inspection.
  • Correcting information in a report.
  • Providing a delayed service.
  • Reworking a product.
  • Refunding the customer.

A correction deals with the immediate problem.

Imagine that a production line is supposed to manufacture red boxes, but one box is produced in blue.

Painting that box red is a correction.

That particular box may now meet the requirement, but nothing has been done to prevent the next box from also being produced in blue.

What is corrective action?

Corrective action is taken to eliminate the cause of a nonconformity and prevent recurrence.

Using the same example, corrective action might involve:

  • Correcting an incorrect equipment setting.
  • Changing the material-selection system.
  • Updating the work instruction.
  • Improving colour identification.
  • Introducing an automated verification step.
  • Addressing an ineffective training or approval process.

The correction fixes the affected output.

The corrective action addresses why the failure occurred.

Correction versus corrective action

CorrectionCorrective action
Deals with the detected problemDeals with the cause
Usually immediateNormally follows investigation
Makes the affected output acceptable where possibleReduces the likelihood of recurrence
May involve repair, replacement or reworkMay involve changing a process or control
Focuses on what went wrongFocuses on why it went wrong
Does not necessarily require root-cause analysisShould relate to the identified cause

Both may be required, but not every situation needs both.

Does every nonconformity need corrective action?

No.

The organisation must evaluate whether corrective action is necessary.

An isolated, low-risk error may only require correction when:

  • The cause is obvious.
  • The event is genuinely unusual.
  • The existing system is otherwise effective.
  • The likelihood of recurrence is very low.
  • The potential consequences are limited.
  • There is no evidence of a wider or repeated problem.

A more detailed investigation is likely to be justified when:

  • The problem is serious.
  • A customer is affected.
  • The issue creates a legal, safety or regulatory risk.
  • The same failure has happened before.
  • Several products, services or locations may be affected.
  • The existing control system failed.
  • The cause is unknown.
  • The potential cost of recurrence is significant.
  • An external auditor has identified a systemic weakness.

The decision should be based on risk and evidence.

Requiring a lengthy root-cause analysis for every minor administrative error can make the process slow and bureaucratic. However, dismissing repeated “small” issues can allow a significant pattern to develop unnoticed.

Sources of nonconformities

Nonconformities may be identified through:

  • Inspections and tests.
  • Internal audits.
  • Certification audits.
  • Customer audits.
  • Customer complaints.
  • Supplier failures.
  • Product returns.
  • Warranty claims.
  • Process monitoring.
  • Performance data.
  • Employee reports.
  • Management reviews.
  • Regulatory inspections.
  • Site observations.
  • Document reviews.
  • Lessons-learned activities.

The organisation should make it easy for employees to report problems.

If people believe that reporting a nonconformity will automatically lead to blame or punishment, the problems will still exist—but the management system may not know about them.

A practical nonconformity and corrective-action process

A practical process can be divided into ten stages.

Step 1: Identify the nonconformity

Record what happened as soon as reasonably possible.

The description should explain:

  • What was found.
  • Where it was found.
  • When it occurred or was discovered.
  • Which product, service or process was affected.
  • Who identified it.
  • The extent of the known issue.
  • Any immediate consequences.

Keep the description factual.

Avoid blame, assumptions and emotional language.

Poor description:

The production team failed to follow the procedure again.

Better description:

During final inspection of Batch 26-071, four of the 20 units sampled contained Component B rather than Component A specified by Drawing 1452, Revision 4.

The second version provides information that can be investigated.

Step 2: Identify the requirement that was not met

A nonconformity should state the applicable requirement.

Possible references include:

  • A contract clause.
  • Drawing number and revision.
  • Specification section.
  • Procedure and paragraph.
  • Work instruction.
  • Inspection criterion.
  • Legal requirement.
  • ISO 9001 clause.

Avoid vague statements such as:

The work was not completed properly.

Be specific:

Procedure QP-08, Section 5.3 requires final inspection to be completed and approved before dispatch. Order 7841 was dispatched on 8 July without a completed final-inspection record.

The requirement and evidence make the nonconformity clear.

Step 3: Take immediate containment action

Prevent the problem from getting worse.

Depending on the situation, containment may include:

  • Stopping the affected activity.
  • Isolating products or materials.
  • Checking stock, work in progress and delivered outputs.
  • Informing the customer.
  • Suspending a supplier.
  • Restricting access to an obsolete document.
  • Introducing temporary inspection.
  • Protecting affected work.
  • Recording potentially affected serial or batch numbers.

Containment should be proportionate to the risk.

If the issue could affect safety, regulatory compliance or customers, action may need to be taken before the full cause is known.

Step 4: Assess the extent and consequences

Do not assume that the first detected example is the only one.

Ask:

  • When could the problem have started?
  • Which products, services, projects or customers could be affected?
  • Does the same condition exist elsewhere?
  • Have similar complaints or failures been recorded?
  • Did the problem affect delivered outputs?
  • Are legal, safety or contractual requirements involved?
  • Does anyone need to be informed?
  • Are additional inspections required?

This extent review is frequently missed.

An organisation may repair one defective product while hundreds of similar products remain in storage or have already reached customers.

Step 5: Decide what will happen to the nonconforming output

The organisation must decide how the affected output will be controlled.

Possible dispositions include:

  • Rework.
  • Repair.
  • Replacement.
  • Regrading.
  • Rejection.
  • Scrap.
  • Return to supplier.
  • Use as-is under an approved concession.
  • Suspension or withdrawal of a service.
  • Re-performance of the activity.

Any acceptance under concession should be authorised by someone with the appropriate authority.

Where design, safety, legal or customer requirements are affected, technical or customer approval may also be necessary.

The reason for the decision should be recorded.

Step 6: Apply and verify the correction

Complete the approved correction and retain appropriate evidence.

Evidence might include:

  • Photographs.
  • Inspection records.
  • Test results.
  • Revised documents.
  • Delivery records.
  • Customer approval.
  • Designer approval.
  • Rework records.
  • Completed checklists.
  • Updated system entries.

The corrected output should normally be verified again against the original acceptance requirements.

Do not close the NCR merely because somebody has written “completed” in the action field.

Step 7: Investigate the root cause

The root cause is the underlying reason the problem occurred.

Finding the root cause is often the most difficult part of the process.

Weak root causes include:

  • Human error.
  • Operator mistake.
  • Carelessness.
  • Lack of attention.
  • Procedure not followed.
  • Poor communication.
  • Training issue.

These statements may describe what happened, but they rarely explain why the system allowed it to happen.

For example, if an employee used an obsolete drawing, the cause may not simply be “the employee selected the wrong drawing.”

Further questions might show that:

  • Obsolete drawings remained accessible.
  • File names did not show revision status.
  • The document system did not notify users about changes.
  • Printed drawings were not controlled.
  • Responsibilities for removing superseded information were unclear.
  • Programme pressure encouraged work to continue without verification.

A useful root cause identifies a condition that management can address.

Root-cause analysis methods

The investigation method should be proportionate to the complexity of the problem.

The 5 Whys

Ask why the problem occurred and continue questioning each answer until the underlying system weakness becomes clear.

Example:

Problem: A customer received the wrong component.

Why?
The incorrect component was selected during packing.

Why?
The two components were stored beside each other and looked similar.

Why?
The storage locations were identified only by product codes.

Why?
The risk of selecting similar components had not been considered.

Why?
The warehouse process had never been reviewed after the new product range was introduced.

The root cause is more useful than simply stating that the warehouse employee made a mistake.

Possible corrective actions might include changing storage arrangements, improving visual identification and reviewing risks when new product ranges are introduced.

The 5 Whys does not need to stop at exactly five questions. Some problems require fewer; complex problems may require more.

Fishbone analysis

A fishbone or Ishikawa diagram helps a team consider possible causes under categories such as:

  • People.
  • Methods.
  • Machines.
  • Materials.
  • Measurement.
  • Environment.
  • Management.

This method is useful when several interacting factors may have contributed.

Process mapping

Map the process as it actually happened and compare it with the intended process.

This can reveal:

  • Missing controls.
  • Unclear handovers.
  • Duplicate activities.
  • Uncontrolled changes.
  • Approval gaps.
  • Delays.
  • Informal workarounds.

Data and trend analysis

Review information such as:

  • Defect locations.
  • Product types.
  • Suppliers.
  • Teams.
  • Shifts.
  • Equipment.
  • Dates.
  • Weather or environmental conditions.
  • Complaint categories.
  • Project stages.

Patterns in the data may reveal causes that are not obvious from one event.

Cause-and-effect verification

A possible cause should be supported by evidence.

Ask:

If this really is the cause, does it explain the evidence and the extent of the problem?

Do not select a cause simply because it is convenient or easy to address.

Contributing causes versus root causes

Problems often have more than one cause.

For example, defective work might involve:

  • An unclear drawing.
  • Insufficient supervision.
  • Inadequate competence.
  • Programme pressure.
  • A missed inspection.
  • Poor communication between teams.

It may be unrealistic to identify one single cause when several system weaknesses combined to create the failure.

Record relevant contributing causes and address those that materially affect the risk of recurrence.

Step 8: Establish corrective action

Corrective action should respond directly to the identified cause.

If the cause is inadequate document access, corrective action might improve document distribution and revision control.

If the cause is unclear acceptance criteria, corrective action might revise the specification, inspection plan or work instruction.

If the cause is ineffective training, the action should address the competence gap and evaluate whether the person can perform the work—not merely record attendance at another presentation.

Possible corrective actions include:

  • Redesigning a process.
  • Introducing an approval step.
  • Changing physical storage arrangements.
  • Improving identification or traceability.
  • Updating a procedure or work instruction.
  • Changing supplier controls.
  • Revising inspection frequency.
  • Modifying equipment.
  • Improving software validation.
  • Clarifying responsibilities.
  • Providing and evaluating competence development.
  • Introducing automated error prevention.
  • Extending the action to other departments or locations.

The strongest corrective actions change the system so that the problem becomes less likely or more difficult to repeat.

Is retraining a suitable corrective action?

Sometimes.

Training may be appropriate when the investigation demonstrates that:

  • The required competence was not defined.
  • The employee had not received necessary instruction.
  • Existing training was ineffective.
  • The process or requirement had changed.
  • The organisation had not evaluated competence.

Retraining is not automatically suitable when:

  • The procedure is unclear.
  • The correct information is unavailable.
  • The system encourages mistakes.
  • Responsibilities conflict.
  • Workload makes the process impractical.
  • Equipment cannot perform reliably.
  • Management knowingly accepts shortcuts.

Writing “staff retrained” on every NCR normally indicates that root-cause analysis is not going far enough.

Step 9: Implement the action

Assign each action:

  • An owner.
  • A target date.
  • Required resources.
  • Expected evidence.
  • An effectiveness-review method.
  • An effectiveness-review date.

Keep the actions realistic and proportionate.

An action should not remain open indefinitely because it depends on an undefined system improvement.

Where permanent action takes time, temporary controls may need to remain in place.

Step 10: Verify effectiveness and close the NCR

Implementation and effectiveness are not the same.

A revised procedure proves that a document was changed.

A training record proves that somebody attended training.

Neither proves that the original problem has been prevented from recurring.

Effectiveness may be verified by:

  • Inspecting later products or services.
  • Sampling subsequent records.
  • Repeating part of an audit.
  • Reviewing complaints or defect data.
  • Observing the changed process.
  • Interviewing affected employees.
  • Checking other departments or locations.
  • Confirming that performance has improved.
  • Ensuring that the problem has not recurred during a suitable period.

The verification period should reflect the frequency and risk of the activity.

If a process occurs every day, effectiveness may be evaluated relatively quickly. If it occurs once every six months, immediate closure may not be justified.

For a detailed construction process, see our guide explaining how to close an NCR in construction, including evidence, approvals and final sign-off.

What information should an NCR form contain?

A practical NCR form may include:

  • NCR reference number.
  • Date raised.
  • Origin or source.
  • Project, department or process.
  • Product, service or activity affected.
  • Description of the nonconformity.
  • Requirement not met.
  • Objective evidence.
  • Immediate containment.
  • Extent and consequence assessment.
  • Disposition.
  • Correction.
  • Verification of correction.
  • Root cause.
  • Corrective action.
  • Responsible person.
  • Target completion date.
  • Evidence of implementation.
  • Effectiveness review.
  • Closure approval.
  • Closure date.

The form should support the process rather than make it unnecessarily difficult.

A simple problem may not require several pages of investigation. A serious or systemic failure may require supporting evidence, technical reviews and separate root-cause records.

Example of a completed corrective-action process

Consider a company that manufactures metal enclosures.

During final inspection, several enclosure doors are found not to close correctly.

Nonconformity

Five of the 30 enclosures in Batch 214 failed the specified door-alignment tolerance during final inspection.

Requirement

Manufacturing Drawing ME-104, Revision 6 requires the door alignment to remain within the stated tolerance.

Containment

  • The batch is quarantined.
  • Dispatch is suspended.
  • Work in progress is identified.
  • Recently delivered batches are reviewed.
  • The customer is informed where necessary.

Correction

The affected doors are adjusted and inspected again.

Extent review

Inspection of other batches finds the same condition on products manufactured using Assembly Fixture 2.

Root cause

The fixture gradually moved out of alignment because its maintenance check did not include dimensional verification of the locating points.

Corrective action

  • Repair and revalidate Assembly Fixture 2.
  • Add dimensional verification to the preventive-maintenance plan.
  • Review equivalent fixtures for the same weakness.
  • Brief maintenance and production personnel on the revised control.
  • Monitor door-alignment results for the next ten batches.

Effectiveness review

The next ten batches meet the alignment requirement, and the equivalent fixtures have been checked without identifying the same condition.

The NCR can now be closed using objective evidence.

Example of an audit nonconformity

Not all nonconformities affect a physical product.

An internal audit might find:

Procedure QP-07 requires approved suppliers to be re-evaluated every 12 months. Four of the ten critical suppliers sampled had not been re-evaluated within the required period.

Possible containment might include reviewing the current approval status and recent performance of the four suppliers.

The investigation may find that automatic reminders were lost when the purchasing system was changed.

Corrective action could include restoring system alerts, assigning responsibility for monitoring overdue reviews and checking whether other scheduled activities were affected by the same system change.

Example from a construction project

A site team pours concrete without completing the specified Hold Point inspection.

Nonconformity

The concrete pour proceeded before the reinforcement and embedded items were formally released.

Requirement

The approved Inspection and Test Plan requires the Hold Point to be released by the designated parties before concrete placement.

Immediate action

  • The issue is recorded.
  • Available photographs, delivery records and inspection information are collected.
  • The designer and client are informed.
  • Further affected work is suspended where necessary.

Correction

The completed work is assessed using available evidence, inspections, tests and technical review. Additional verification may be required.

The final disposition might be acceptance as-is, repair or removal and replacement depending on the technical assessment.

Possible root causes

The investigation may identify several contributing factors:

  • The inspection request was not submitted.
  • The programme did not allow sufficient notice.
  • Responsibility for releasing the Hold Point was unclear.
  • The subcontractor misunderstood the requirement.
  • The site team prioritised the pour schedule.
  • The ITP was not reviewed during the pre-pour meeting.

Corrective action

The project might revise the pre-pour process, assign responsibility for inspection requests, introduce a readiness review and prevent concrete orders from being released until the Hold Point status is confirmed.

Simply telling the site team to “be more careful” would not adequately address the cause.

What is the difference between corrective and preventive action?

Older quality systems often referred to corrective and preventive action as CAPA.

ISO 9001:2015 does not contain a separate preventive-action clause in the same way as earlier editions.

Prevention is built into risk-based thinking.

The organisation should identify and address risks before nonconformities occur, while corrective action responds to a nonconformity that has already happened.

In simple terms:

  • Risk-based action tries to stop a potential problem from happening.
  • Corrective action tries to prevent an actual problem from happening again.

The two activities are connected.

A nonconformity may reveal a risk that was not previously identified or adequately controlled. The organisation should therefore update relevant risks and opportunities where necessary.

Major and minor nonconformities

ISO 9001 does not require organisations to classify every internal nonconformity as major or minor.

However, classifications can help prioritise action if they are clearly defined and used consistently.

Major nonconformity

A significant or systemic failure affecting the organisation’s ability to achieve the intended results of its QMS.

Examples might include:

  • A required process has not been implemented.
  • A widespread failure affects several departments.
  • Products are regularly released without required verification.
  • Internal audits have not been performed.
  • A control failure creates significant customer or regulatory risk.

Minor nonconformity

An isolated or limited failure that does not demonstrate a complete breakdown of the system.

Examples might include:

  • One missing record within an otherwise effective process.
  • One overdue supplier evaluation.
  • One obsolete instruction found at a workstation.

Several related minor nonconformities may indicate a wider systemic issue.

The classification should not change the basic requirement to control the problem and take proportionate action.

Nonconformity or opportunity for improvement?

A nonconformity exists when a requirement has not been met.

An opportunity for improvement identifies a possible way to improve a process where no requirement has been breached.

Auditors and managers should not record clear nonconformities as “observations” simply to avoid difficult discussions.

They should also avoid raising personal preferences as nonconformities.

The decision should remain evidence-based:

  • What is the requirement?
  • What is the evidence?
  • How was the requirement not fulfilled?

How to write a good nonconformity statement

A good statement contains:

  1. The requirement.
  2. The objective evidence.
  3. A clear description of the failure.

For example:

Procedure DC-01 requires department managers to remove superseded printed procedures when a new revision is issued. During the audit, Revision 2 of Work Instruction WI-14 was available at two workstations although Revision 4 was the current approved version. The organisation has therefore not consistently controlled the unintended use of obsolete documented information.

Avoid statements such as:

Document control is poor.

That does not explain the requirement, evidence or extent of the failure.

How long should corrective action take?

ISO 9001 does not specify one universal closure period.

The timescale should reflect:

  • The significance of the issue.
  • The risk to customers.
  • Legal or regulatory consequences.
  • The complexity of the investigation.
  • Resources required.
  • Frequency of the affected process.
  • Time needed to verify effectiveness.

Immediate containment may be necessary even when permanent corrective action takes several months.

Organisations often establish internal targets such as:

  • Immediate containment within 24 hours.
  • Initial investigation within seven days.
  • Corrective-action plan within 14 days.
  • Completion within 30 or 60 days.

These are management decisions, not universal ISO 9001 deadlines.

Extending a target date may be justified, but repeatedly changing dates without additional control is not effective management.

When can an NCR be closed?

An NCR can normally be closed when:

  • The nonconformity has been clearly described.
  • The requirement has been identified.
  • The affected output has been controlled.
  • Consequences and extent have been considered.
  • The approved correction or disposition has been completed.
  • Root cause has been investigated where necessary.
  • Corrective action has been implemented.
  • Required evidence is available.
  • Effectiveness has been verified.
  • Required technical, customer or management approvals have been obtained.
  • Relevant risks and QMS documents have been updated where necessary.

Closure should be based on evidence—not the age of the report or pressure to reduce the number of open NCRs.

Common corrective-action mistakes

Blaming the individual

“Operator error” rarely explains why the system failed to prevent or detect the mistake.

Examine competence, instructions, workload, equipment, supervision and process design.

Confusing correction with corrective action

Repairing the defective output does not necessarily prevent recurrence.

Choosing a cause without evidence

A convenient explanation is not automatically the correct one.

Using retraining for every problem

Training cannot repair unclear processes, ineffective systems or poor management decisions.

Ignoring the extent of the problem

The first detected example may be part of a larger issue.

Writing vague actions

“Improve communication” and “remind staff” are difficult to implement and verify.

Closing actions without checking effectiveness

Completion evidence does not demonstrate that the action worked.

Making the process excessively bureaucratic

The investigation should reflect the significance and risk of the problem.

Leaving NCRs open indefinitely

Long-overdue reports lose their value and may indicate that responsibilities, resources or escalation arrangements are ineffective.

Using NCRs as a blame or commercial weapon

This discourages reporting and damages the quality culture.

A nonconformity should be used to control and improve the process, not create artificial ammunition between teams.

Monitoring nonconformity and corrective-action performance

Useful measures may include:

  • Number of nonconformities raised.
  • Open and closed NCRs.
  • Average closure time.
  • Overdue actions.
  • Repeat nonconformities.
  • Nonconformities by process, supplier or location.
  • Cost of rework or scrap.
  • Customer-related nonconformities.
  • Root-cause categories.
  • Corrective actions found to be ineffective.
  • Trends over time.

The number of NCRs should be interpreted carefully.

A project or company with no reported NCRs is not automatically performing perfectly. It may have a culture where problems are not reported.

A temporary increase may even indicate improved reporting and transparency.

Management should examine the nature, significance and recurrence of problems—not just the total number.

Building a positive nonconformity culture

Employees need to feel able to report problems early.

Management can support this by:

  • Separating honest reporting from blame.
  • Responding proportionately.
  • Recognising employees who identify risks.
  • Focusing investigations on systems and processes.
  • Sharing lessons learned.
  • Providing resources for corrective action.
  • Reviewing repeated or overdue issues.
  • Avoiding the use of NCR totals as a simplistic performance target.

People will always make mistakes.

A mature Quality Management System makes those mistakes visible, controls their consequences and learns from them.

A simple corrective-action checklist

Before closing a nonconformity, confirm that:

  • The problem is described clearly.
  • The failed requirement is identified.
  • Objective evidence is recorded.
  • Immediate containment has been completed.
  • The extent and consequences have been assessed.
  • Other potentially affected outputs have been considered.
  • The disposition has been approved.
  • The correction has been completed and verified.
  • The need for root-cause analysis has been evaluated.
  • Root and contributing causes are supported by evidence.
  • Corrective action addresses the identified cause.
  • Responsibilities and target dates are defined.
  • Actions have been implemented.
  • Relevant risks have been reviewed.
  • Documents or processes have been updated where necessary.
  • Effectiveness has been verified.
  • Required approvals have been obtained.
  • Closure evidence has been retained.

Final thoughts

Nonconformities should not be hidden, and NCRs should not be raised simply to create blame or paperwork.

The objective is much more practical:

  • Control what went wrong.
  • Protect the customer and the organisation.
  • Correct the affected output.
  • Understand why it happened.
  • Prevent it from happening again where necessary.
  • Use the evidence to improve the Quality Management System.

Correction without investigation can allow the same failure to return.

Investigation without action produces paperwork but no improvement.

Action without effectiveness checks leaves the organisation assuming that the problem has been solved.

A strong nonconformity and corrective-action process connects all three.

When organisations treat NCRs as learning tools rather than admissions of failure, problems become valuable information. That information can reduce waste, protect customers and support the continual improvement that ISO 9001 is designed to achieve.

FREE EXCEL TEMPLATE

Plan Your Quality Control Inspections with Confidence

Download the editable Excel Inspection and Test Plan template for recording inspections, tests, acceptance criteria, responsibilities and quality records.

Need more than an ITP? The Construction Quality Pack includes 12 editable templates for managing inspections, audits, nonconformances, reporting and project quality records.

Leave a Comment