Nonconformity Management: An Integral Protocol and Follow-up

·

A nonconformity is the failure to meet a requirement, whether of a standard, a customer specification or an internal procedure. Far from being a failure of the quality system, its detection and orderly treatment is precisely the proof that the system works. The ISO 9001:2015 standard devotes its clause 10.2 to nonconformities and corrective actions, making their management an auditable requirement. This guide explains how to record, analyse and close product nonconformities with a traceable protocol that withstands any audit.

Types of nonconformity and why classify them

Not all nonconformities carry the same severity nor demand the same response. Classifying them correctly is the first step to allocating resources with judgement:

It is also worth distinguishing between correction (the immediate action that resolves the specific problem: rework, segregate, withdraw) and corrective action (acting on the root cause so that the problem does not recur). Confusing the two is one of the most widespread mistakes: the "fire is put out" without investigating why it started.

The management protocol step by step

A robust nonconformity procedure follows a sequence that must be documented in full:

  1. Detection and recording. Anyone in the organisation should be able to open a nonconformity. It is recorded with date, an objective description, the affected product or process, evidence (photograph, measurement, batch) and the person who detects it.
  2. Immediate containment. Segregate and identify the nonconforming product to prevent its inadvertent use or delivery. This is where the control of nonconforming output in clause 8.7 of ISO 9001 comes in.
  3. Assessment and decision. Determine the fate of the product: rework, repair, concession (acceptance under authorised deviation), reclassification or scrapping.
  4. Root cause analysis. Investigate why it happened, not just what happened.
  5. Corrective action. Define, implement and assign an owner and deadline to the action that eliminates the cause.
  6. Effectiveness verification. Check, after a period of time, that the action worked and the problem does not reappear. Without this step, closure is premature.
  7. Closure and recording. Document the entire cycle as documented information required at audit.

Root cause analysis: the tools that work

The heart of mature nonconformity management is root cause analysis (RCA). The most widely used tools are:

The 8D (Eight Disciplines) methodology, widely used in the automotive industry and required by the sector standard IATF 16949, integrates these steps into a structured format for team problem-solving, particularly useful for customer complaints.

Table: correction versus corrective action

AspectCorrectionCorrective action
ObjectiveResolve the specific problemEliminate the root cause
HorizonImmediateStructural and lasting
ExampleRework the defective batchRecalibrate the equipment and revise the procedure
VerificationThe product conformsThe problem does not reappear

Indicators and follow-up

Managing nonconformities without measuring is navigating blind. The indicators that provide real visibility are the number of nonconformities by origin (internal, customer, supplier, audit), the average time to closure, the percentage of corrective actions verified as effective, and the recurrence rate. Batch traceability is mandatory in regulated sectors such as food (where Regulation (EC) 178/2002 requires tracing "one step back, one step forward"), pharmaceuticals and medical devices, and it becomes critical when a nonconformity forces a market recall.

The cost of poor quality is another indicator worth quantifying, because it translates the problem into the language management understands. It is made up of internal failure costs (rework, scrap, segregation), external failure costs (returns, complaints, warranties, loss of customers), appraisal costs (inspection, testing) and prevention costs (training, maintenance, process improvement). Experience shows that investing in prevention reduces failure costs disproportionately, and failure costs are always the most expensive and the most damaging to reputation. That is why good nonconformity management is not a cost centre: it is the tool that allows spending to be redirected from "firefighting" towards systematic prevention, where money yields far more.

Integration with the quality management system

Nonconformity management is not an isolated process: it is one of the engines of the continual improvement that ISO 9001 places at the heart of the system. The PDCA cycle (Plan-Do-Check-Act), also known as the Deming cycle, fits naturally into this flow: the corrective action is planned, implemented, its effectiveness verified, and one then acts by standardising what has been learned. Nonconformities also feed into the management review (clause 9.3 of ISO 9001), where top management analyses trends, recurrences and the effectiveness of actions in order to make decisions about resources and priorities.

It is this connection that turns the isolated data point into organisational intelligence. An individual nonconformity, once resolved, corrects a product; a pattern of nonconformities analysed in the management review can expose an unsuitable supplier, inadequate training or a fundamentally flawed design. Risk-based thinking, another pillar of the 2015 version of the standard, closes the loop: information from nonconformities feeds back into risk assessment to anticipate and prevent, not merely correct. Statistical process control (SPC) tools help detect variation before it becomes a defect, shifting the system from reaction towards prevention.

Common mistakes in nonconformity management

The first is treating correction as if it were corrective action: the product is reworked but no one investigates the cause, and the defect returns. The second is shallow root cause analysis that stops at "human error" without asking what in the system allowed that error. The third is closing without verifying effectiveness, contaminating the indicators with fictitious closures. The fourth is a punitive culture that penalises whoever reports, which causes nonconformities to be hidden rather than managed. The fifth is failing to analyse trends: each nonconformity is treated in isolation and the signal of a systemic problem is lost.

Frequently asked questions

Does every nonconformity require a corrective action? No. ISO 9001 (clause 10.2.1) requires evaluating the need for corrective action based on the impact and the likelihood of recurrence. For trivial, non-recurring deviations, correction alone is enough, provided the decision is recorded.

What is a concession or deviation? It is the formal authorisation to use or release a product that does not meet a specified requirement, granted by a competent authority and, where applicable, by the customer. It must always be documented and never become standard practice.

How long must records be kept? The period is set by the organisation according to legal, contractual and sector requirements. In regulated fields, retention is usually required for the entire useful life of the product plus an additional margin.

Who can open a nonconformity? Ideally, any employee should be able to. The more sources of detection there are, the sooner problems are identified and the better the quality culture works.

What is the difference between a nonconformity detected in an internal audit and a customer complaint? The internal-audit one is discovered before the problem reaches the customer, so its cost and reputational impact are far smaller; this is the desirable situation. A customer complaint means the failure has already escaped control and usually demands a more formal and rapid response, frequently using the 8D methodology. A mature system detects the vast majority of its nonconformities internally and receives very few through the customer channel.

Conclusion

The maturity of a quality system is not measured by the absence of nonconformities, but by the soundness with which it manages them. An organisation that detects little is not an organisation without problems: it is one that is not seeing them. The protocol that separates competent companies from the rest rests on four pillars: recording rigorously from any point in the organisation, investigating the root cause to the bottom, distinguishing unambiguously between correction and corrective action, and verifying effectiveness before considering anything closed. When that cycle is truly completed, each nonconformity ceases to be a cost and becomes a lesson that shields the product against its recurrence. At Summum Quality we help design and implement nonconformity procedures aligned with ISO 9001 that pass audits and, above all, that prevent the same failure from costing twice.