This week’s blog post follows Part 1, which told the story of a non-conformance I discovered during an internal audit and how I used the process approach to ask questions at each stage. This week I’m looking at what you do once you have found a non-conformance, because once you’ve found it you need to do something about it, both to fix it and (ideally) to prevent it happening again. The ISO 9000:2015 standard defines a nonconformity as the “non-fulfilment of a requirement” (clause 3.6.9), while BSI uses the following: “A non-conformity is defined as a deviation from a specific procedure, standard, stated process, or system requirement”, which I think is the more practical definition. All kinds of issues, incidents, faults, complaints etc. can be classed as a non-conformance; here are some examples for each discipline:
| Discipline | Non-conformity |
|---|---|
| Quality (ISO 9001) | • Faulty product • Customer complaint • Damage to or loss of customer property • Failure of a process or procedure • Internal or external audit finding |
| Environmental (ISO 14001) | • Spillage • Leak • Failure of duty of care in relation to waste (such as using an unlicensed person to dispose of waste) |
| Occupational Health and Safety (ISO 45001) | • Near miss (something that could have caused injury or damage but didn’t) • Incident / accident (injury to a person) • Ill health • Damage to property, vehicle, customer property etc. |
| Information Security (ISO 27001) | • Laptop does not have the correct version of antivirus software • A change in employment status (change in role or leaving) which leaves somebody with incorrect access to systems • A data breach not managed within the timescales defined by data protection legislation |
| Business Continuity (ISO 22301) | • A fire alarm being set off accidentally • Loss of a key piece of system software (such as invoicing or time management) • Loss of emergency communication systems during a business continuity exercise |
Clause 10 of the newer ISO standards (generally those written since 2015 in line with the Annex SL structure) covers all improvement-related activities, including the management of non-conformities. Although some standards have additional requirements (for example, ISO 45001 requires you to communicate with and involve relevant people), the basic steps are:
- React to the non-conformity i.e. do something about it quickly!
- Control and correct it in a timely manner
- Deal with the immediate consequences
- Evaluate the need for corrective action
- Investigate the non-conformance
- Work out the root cause
- Find out whether similar non-conformances have occurred, or are likely to
- Implement the corrective actions
- Review the effectiveness of the actions you have taken – did they work?
- Review and update the Risk Register and / or make changes to the management system if required
- Keep a record of what happened and what you did
So to take the example of the faulty component in Part 1:
- React:
  - Identify, label and quarantine the components
  - Update the production schedule to allow for the resulting delay
  - Order new parts
- Evaluate:
  - Non-conformance investigated through the internal audit process
  - Root cause identified using the 5 whys technique (other root cause identification techniques are available – but that is a blog post for another day!)
  - All similar components in stock checked for weld and paint quality
  - Current purchase order with the paint supplier checked and updated if required
  - Welding competencies checked
- Corrective actions:
  - Management meeting held to discuss and confirm the corrective actions required
  - Corrective actions implemented in an appropriate time frame
- Review effectiveness:
  - Non-conformance discussed at the next Management Review Meeting
- Risk Register:
  - Reviewed – in this case no updates were required to the risk statements, as ‘failure of supply chain’ and ‘failure of quality management system’ had already been identified
- Records:
  - Internal audit report
  - Non-conformance added to the Improvement register
  - Management meeting minutes
While nobody likes being issued with non-conformities during an audit, it is important to remember that they identify something that needs correcting while also providing an opportunity for improvement, as actions can be taken to prevent the same thing happening again.
With thanks to Cathy Brode for providing the Information Security examples and to We’re going on a bear hunt for the title!