ISO 9001:2015 requires that when a nonconformity occurs, including any arising from customer complaints, organisations to take the following steps:
Update Risks and Opportunities planning and any changes to the management system as appropriate. It is also noted that corrective actions must be appropriate to the effects of the nonconformities under review and that documented information (records) must be retained as evidence of:
Note the explicit requirement to determine if other similar nonconformities exist or could exist elsewhere. IE similar products or processes must also be considered. (As common sense would dictate!)
Risks and opportunities are also required to be reviewed as part of the nonconformity and corrective action process. (It is possible that this review may result in the likelihood of recurrence of a risk being reduced, but not eliminated entirely of course.)
The standard recognises that not every nonconformity should be treated equally. EG: High risk concerns, with potential safety consequences, regulatory requirement infringement or significant impact on customers, may require full in depth root cause analysis, utilising cross functional teams and an appropriate level of problem solving / corrective action tools, such as data collection and analysis, Ishikawa (fishbone) diagrams to brainstorm potential causes and solutions, or even a full blown Six Sigma project.
Where consequences are of a much lower risk or impact, appropriately scaled resources and countermeasure measures should be taken. EG: A simple “5 Y’s” exercise may suffice. (This is good news for organisations with long lists of open and overdue corrective actions, some of which could have been dealt with quickly and simply, thereby allowing resources to concentrate on the “vital few” complex / significant concerns.)
The “Global 8D” template is a widely used and effective tool which aids organisations to structure their problem resolution processes which can be used to address simple concerns directly, or to act as a structure and report out tool for larger projects.
Note also the requirement to where required, make changes to the Management System as part of the nonconformity corrective action process in order to prevent a recurrence. (Many organisations may well already address this requirements, as depending on the nature of the nonconformity, organisational processes may have been identified as a key part of the root cause / non detection.)
Note that records are required and they must include the identification of the nature of any nonconformity, the action(s) taken and crucially - the results of any corrective action. IE evidence must be gathered to determine if the actions carried out were effective.
(See also article 6.1 Actions to address risks and opportunities.)
Records (documented information) may be requested to determine not only if the problem and the corrective actions implemented were described adequately, but also the results. IE were the actions taken successful and if not, revisited in accordance with Plan Do Check Act methodology.
Auditors may also specifically check that where nonconformities have been identified, an investigation has been conducted to determine whether other similar nonconformities have or could, occur elsewhere and that if the organisation has considered whether it needs to make changes to the wider Management System as part of the process.
This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!
David Barker CQP MCQI