Management system guidance

10.0 Improvement

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.

Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.

10.2 Nonconformity and corrective action


There is a clear link between ISO 9001:2015 Clause 8.7 Nonconforming Outputs and Clause 10.2 Nonconformity and Corrective Action. ISO 9001 Clause 10.2 requires your organization to evaluate the need for actions that will prevent recurrence of nonconformities. A nonconformity might arise via customer compliants, poor or adverse results and trends from monitoring, reviews, assessments or inspections, non-fulfilment of legal or regulatory requirements, or procedures not being followed.

Where as, the intent of ISO 9001 Clause 8.7 is to prevent the unintended delivery or use of nonconforming outputs (outputs should be considered as products and/or services) and that any nonconformity is controlled and corrected to prevent its unintended use by or delivery to the customer. Clause 8.7 only requires an organization to deal with outputs (products and/or services) that fail to conform to specified requirements.

As the first step in the nonconformity and corrective action process, the root-cause of the nonconformity should be determined and the effectiveness of the subsequent corrective action should be monitored and evaluated. Corrective actions can be triggered through nonconforming tests or other work, customer complaints, internal or external audits, management reviews, and observations by staff.

Definition of correction

Correction (also referred to as immediate correction) is action taken to eliminate a detected nonconformity or defect (adapted from ISO 9000). A correction can be made in conjunction with undertaking corrective action. For a product nonconformity, correction might include reworking the part, accepting the nonconformance through the concession process, replacing the product, or scrapping the product.

Definition of corrective action

Action implemented to address the root-cause(s) and contributing cause(s) of the undesirable condition, situation, nonconformity, or failure; action taken to prevent recurrence. As part of the corrective action process you must identify all the causes (root-cause and contributing causes) that have or may have generated an undesirable condition, situation, nonconformity, or failure.

When to apply corrective action

The decision to apply or not apply the corrective action process should be made by the appropriate level of management within the company, based on the level of risk. This guidance provides a 6-step methodology for applying corrective action and meeting the requirements in each of these clauses. Many factors that can trigger the corrective action process, examples include:

  1. A safety impact that affects the product or personal;
  2. Product performance and/or reliability issues;
  3. High impact on production and/or maintenance operations;
  4. Repetitive problems to one part of the activity/process, or similar problems across many activities/processes;
  5. Difficulty in detecting the nonconformity;
  6. By customer request;
  7. Significant quality or management system issues;
  8. Complex problem that cannot be solved without assistance of others not located where the problem occurred.

These clauses state the requirements for the occurrence of a nonconformity and include actions to prevent a similar nonconformity or problems occurring. The analysis of nonconformities should not look for someone to blame, or a department that is 'more responsible than another', but rather for understanding and improving the organizational weaknesses that made them possible.

Where your internal audits identify that your organization's policy, objectives, standards and other requirements as outlined within their management system are either not implemented, or are improperly implemented, a nonconformance report should be raised and entered into the nonconformity log as appropriate. This should require an agreed response from the relevant Line Manager prior to closure.

The root-cause must address the nonconformity and the corrective action must address the root-cause. Any nonconformities and subsequent actions to prevent their reoccurrence and the effectiveness of the corrective action(s), should be duly documented and retained. If you need a procedure and forms to help your business control its nonconformity and corrective action process, click here.

Our new range of audit checklists include the tools needed for corrective action management in accordance with ISO 9001.

6-step methodology for applying corrective action

Step 1. Identify the Problem

Once a problem has been identified through inspection, customer complaints, or audit results, it should be captured using non-conformity reports (NCRs) or corrective action reports (CARs) in order to identify who is affected by the problem and what the impact is. Considering the following:

  1. What are the operations, products, materials, defects, malfunctions that may characterise the problem? What is it about?
  2. Who is concerned with the problem? Who is reporting the problem? Who is rectifying the problem? Who is the problem affecting?
  3. Where are all the places where the event takes place; shop floor, services, machine, process step?
  4. Where is it seen? Where does it originate?
  5. When does the event appear (time, date, when does it start, how long does it last, how often)
  6. When is the problem reported defective? When is the problem repaired?
  7. Has it occurred before? If yes, what is the history?
  8. How do we know there’s a problem (how is it detected)?
  9. How does the event appear, how does it stop?
  10. How frequently is the problem experienced?
  11. How is the effect of the problem being measured (costs, delays, scrap rate, customer complaints, return rate, concessions, reliability rate, etc)?
  12. How is the problem currently addressed? How is it corrected?

This step helps to fully describe a situation, precisely analyse all its elements and gain a common understanding of them, allowing the definition of an action plan. Ensure that all team members agree about the definition of the issue and resulting impact.

The problem description should describe the problems in terms of what, where, when, and how big. On a flip chart, presentation board, or even paper; write out a description of what you know about the problem. Try to document the problem and describe it as completely as possible.

The description should contain facts; such as observations and documentary evidence and not assumptions. All information must be gathered before identifying the root-cause can begin.

Make sure both of the above factors are true before you move to the next step. Consider any new information that the team may have gathered since completing the initial problem description.

Describe the problem by identifying what is wrong and detail the problem in quantifiable terms. Define, verify and implement the interim containment action to isolate the effects of the problem from any internal/external customer until Permanent Corrective Actions (PCA) are implemented.

Step 2. Establish a Response Team

Identify representatives from functions that may have an influence on the corrective action process, including the identification of the root causes. Remember to assign responsibilities and objectives to the team members.

Remember, those performing the job, such as operators, inspectors, drivers, etc., are the best people to help identify the real causes, don’t leave them out of the team!

The size and composition of the team should depend on the complexity and the impact of the problem. The composition of the team is not fixed forever and may evolve depending on the analysis results and the required actions.

New team members should join the team if analysis shows they are identified as being in the scope, some others will leave if their area is definitely identified as out of the scope.

However, consideration should be made that expending the size of the core team over 6 to 8 members generally results in less efficiency. When more members or special skills are required, sub teams should be considered. Don’t forget, root-cause analysis must not be used for assigning blame or transferring responsibility. In summary, you should establish an investigation team with:

  1. Process and/or product knowledge;
  2. Allocated time and resources;
  3. Authority to solve the problem and implement corrective actions;
  4. Skill in the required technical disciplines;
  5. A designated Team Leader.

Brainstorming sessions should be used to identify potential causes to investigate each potential cause. Coordinate parallel activities with different team members to help expedite the process of verification.

Once you have reviewed the problem description, you can undertake a comparative analysis. A comparative analysis will help you identify relevant changes in a change-induced situation. Then you can reduce the number of possibilities that you must consider to determine root-cause. To complete a comparative analysis:

  1. Ask yourself; what is unique, peculiar, different, or unusual about the symptoms?
  2. Consider features such as people, processes, materials, machines and the environment;
  3. List all facts without prejudice as to the possible cause;
  4. Consider each difference you listed, and look for changes, ask yourself what has changed to give rise to this difference?
  5. Keep in mind that each difference may not have a corresponding change;
  6. List the changes next to the difference;
  7. Look at the dates each change occurred;
  8. Eliminate some changes if they occurred after the problem started;
  9. Consider categories of people, machines, processes or measurements.

If the problem is change-induced, the root-cause must be the result of a change relative to one or more of the identified changes. It is important to remember that you have not yet moved from the ‘observations’ phase of the process.

Any information you develop during the comparative analysis must be fact based, not opinion based and must be true only for the symptom’s information. Do not rule out any facts that might be valid answers. If it is a fact and it answers the question, write it down.

Your organization should first contain the problem by taking immediate corrective action (ICA) and then evaluating the need for initiating the formal problem-solving process.

Where necessary, provide an emergency response action to protect the customer from the problem, protect the customer operations and the organisation (to stop the problem getting worse) and verify that problem does not degrade until the root-causes are known.

An interim containment action is kept in place until a verified permanent corrective action can be implemented. In some cases, the interim containment action may be the same as or similar to the emergency response action. An interim containment action provides more opportunity for investigation.

Conduct trial runs whenever possible. However, in some situations, your verification may simply be a matter of common sense. For example, if an interim containment action involves stopping the shipment of all products, you can be sure that customers will stop experiencing the problem.

An interim containment action can be any action that protects the customer from the problem. However, before you implement an interim containment action, you need to verify that the interim containment action will work. To verify the interim containment action:

  1. Prove before implementation it protects the customer from the problem;
  2. Provide a before-and-after comparison;
  3. Prove that the interim containment action will not introduce any new problems.

Methods of verification may include:

  1. A test to determine the desired performance level;
  2. A demonstration that changes eliminated the issue without creating a new problem;
  3. A comparison between the interim containment action and similar proven actions;
  4. A review to evaluate whether the interim containment action was effective;
  5. Assurance that the interim containment action did not introduce a new problem.

Any interim containment action you implement must protect the customer from the problem without the introduction any new problems. Also, a single interim containment action may not be enough. You may need to implement more than one interim containment action to fully protect the customer.

Step 3. Identify the Root-Cause(s)

Root-cause analysis (RCA) is a class of problem-solving methods aimed at identifying the root-causes of problems or events. The practice of root-cause analysis is predicated on the belief that the problems are best solved by attempting to correct or eliminate root-causes, as opposed to merely addressing the immediately obvious symptom.

Listed below are various root-cause analysis techniques, we recommend you use the 5-Whys (1st Why, 2nd Why, 3rd Why, 4th Why, and 5th Why - and the root-cause) technique to problem solving but you are free to undertake any of the following depending on the complexity of the problem:

  1. 3-Ws (what, where, when);
  2. 8D Eight Dimensions;
  3. Failure Mode and Effects Analysis (FMEA & DFEMA);
  4. Fish-bone Analysis;
  5. Pareto Analysis;
  6. Fault-tree Analysis;
  7. Cause Mapping - draws out, visually, the multiple chains of interconnecting causes;
  8. Barrier analysis - a technique often used in process industries;
  9. Change analysis - an investigation technique often used for problems or accidents.

The 5-Whys technique offers some real benefits to organizations with varying degrees of management system maturity:

  1. Simplicity. It is easy to use and requires no advanced mathematics or tools that allows you to dig deep and find underlying issues rather than using quick-fix solutions;
  2. Effectiveness. It helps to separate the symptoms from the causes and identifies the root-cause of a problem using evidence-based analysis;
  3. Comprehensiveness. It aids in determining the relationships between various problem causes and allows you to proactively eliminate problems for good;
  4. Flexibility. It works well alone and when combined with other quality improvement and troubleshooting techniques such as ones listed above;
  5. Engaging. By building a culture that embraces progress, by its very nature, it fosters and produces teamwork within and outside of the organization, encourages the reporting of issues without fear or judgement;
  6. Inexpensive. It is a guided, team focused exercise that seeks to improve and adapt processes to ensure long-term success. There are no additional costs.

Launching a formal root-cause analysis and problem-solving process should always be considered when an issue; such as, undesirable conditions, defects and failures are detected. The decision not to apply the process must be made based on objective evidence of absence of risks!

Step 4. Implement Corrective Action

When all root and contributing causes have been identified and their effects understood, implement all selected corrective actions. Verify that the planned actions were taken as scheduled and assess their effectiveness in permanently preventing the undesirable condition, situation, non-conformity or failure from recurring. Steps for permanent corrective action (PCA) implementation:

  1. Implement the permanent corrective action (PCA);
  2. Implement controls;
  3. Evaluate the permanent corrective action (PCA) for escape point;
  4. Remove the immediate containment action (ICA);
  5. Perform validation;
  6. Confirm with the customer that the symptom has been eliminated.

To ensure the most effective corrective actions to address the most likely, or critical root causes are taken in consideration of operational and business constraints such as costs, lead time, difficulty of implementation, and resources. Select solutions that optimise value and effectiveness for all stake-holders!

Implement the solutions that have been selected, verify that all actions have been completed to schedule and that they have prevented the undesirable condition, situation, non-conformity or failure from recurring. Plan and implement selected permanent corrective actions. Remove the interim containment action and monitor the long-term results.

Step 5. Prevent Recurrence

Modify the necessary systems, policies, practices and procedures to prevent recurrence of this problem and similar ones. Make recommendations for systemic improvements as necessary:

  1. Review the history of the problem;
  2. Analyze how the problem occurred and escaped;
  3. Identify affected parties;
  4. Identify opportunities for similar problems to occur and escape;
  5. Identify practices and procedures that allowed the problem to occur;
  6. Identify practices/procedures that allowed the problem to escape to the customer;
  7. Analyze how similar problems could be addressed;
  8. Identify and choose appropriate preventive actions;
  9. Verify preventive action and its effectiveness;
  10. Develop action plan;
  11. Implement preventive actions;
  12. Present systemic preventive recommendations to the process owner.

Serious consequences may occur when the underlying symptoms are not addressed, when the quick fix is accepted as a final, permanent solution. Excessive reliance on containment or emergency response action will create a repeating cycle. Problem containment is an addiction that will only get worse until the root-causes are found and addressed.

Step 6. Monitor Effectiveness

Establish a review process to ensure corrective actions are completed according to plan and that they continue to be effective over time by confirming you have done what you have planned. Try adjusting the type and number or frequency of additional checks and audits to check that the actions remain effective.

When same problem has been identified or is suspected to occur on same or similar products, processes or data, the same corrective actions must be implemented and their effectiveness verified for all these additional products, processes or data.

The owner of each corrective action, the team leader and all team members should verify the effectiveness of the actions taken to date, and when relevant, the customer. Examples of verification methods include:

  1. Additional process monitoring until it is demonstrated that the process is stable and capable of consistently meeting requirements (recording and analysis of process parameters and/or product characteristics, SPC, etc.);
  2. Additional internal audits to specifically verify the effectiveness of the corrective actions;
  3. Associated metrics showing significant improvement resulting from the corrective actions.

Examples of supporting evidence might include: updated procedures, work instructions, control plans, etc. to show any changes were defined. Additionally, evidence of effective implementation of the changes is also required such as SPC data, inspection records, training records, audit records, etc.

If the corrective actions are effective, evaluate which containment actions may be eliminated (e.g. stop over inspection and over production, return to normal transportation means, etc.) without adversely affecting the product and process output. Record evidence of actions completed and associated results (what works and what does not).

To document analysis results and changes to make the corrective action permanent, capture and share learning with all the stakeholders to prevent similar undesirable condition, situation, non-conformity or failure occurring on other products, production lines, factories or suppliers.

Identify all that can be shared from the experience that can be transferred across business units, production lines, factories or suppliers. Ensure that you get agreement from appropriate levels of management and other process owners and functions (internally and externally) to launch actions and verify there are implemented and effective.

Keep lessons learned register which includes a summary of content and results of analyses, flow charts, data bases, performance data, main actions and decisions, location where detailed data can be retrieved, difficulties encountered when managing the issue, etc.

When the decision is made to implement actions in another business areas, such as; production lines, factories or suppliers, which are not under direct control of the response team, implementation and the verification of effectiveness is not necessarily the responsibility of the team.

Escalation to top management or transfer to another function (procurement, engineering, etc.) may be required to ensure proper leverage and action follow-up.


More information on PDCA



ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
4.1 Organizational Context 4.1 Organizational Context 4.1 Organizational Context
4.2 Relevant Interested Parties 4.2 Relevant Interested Parties 4.2 Relevant Interested Parties
4.3 Management System Scope 4.3 Management System Scope 4.3 Management System Scope
4.4 QMS Processes 4.4 EMS Processes 4.4 OH&S Management System


ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
5.1 Leadership & Commitment 5.1 Leadership & Commitment 5.1 Leadership & Commitment
5.2 Quality Policy 5.2 Environmental Policy 5.2 OH&S Policy
5.3 Roles, Responsibilities & Authorities 5.3 Roles, Responsibilities & Authorities 5.3 Roles, Responsibilities & Authorities
    5.4 Consultation & Participation


ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
6.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities
6.2.1 Quality Objectives 6.1.2 Environmental Aspects 6.1.2 Hazard Identifcation
6.2.2 Planning to Achieve Objectives 6.1.3 Compliance Obligations 6.1.3 Legal & Other Requirements
6.3 Planning for Change 6.1.4 Planning Action 6.1.4 Planning Action
  6.2.1 Environmental Objectives 6.2.1 OH&S Objectives
  6.2.2 Planning to Achieve Objectives 6.2.2 Planning to Achieve Objectives



ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
7.1 Resources 7.1 Resources 7.1 Resources
7.2 Competence 7.2 Competence 7.2 Competence
7.3 Awareness 7.3 Awareness 7.3 Awareness
7.4 Communcation 7.4.1 Communcation - General 7.4.1 Communcation - General
7.5 Documented Information 7.4.2 Internal Communcation 7.4.2 Internal Communcation
  7.4.3 External Communcation 7.4.3 External Communcation
  7.5 Documented Information 7.5 Documented Information


ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
8.1 Operational Planning & Control 8.1 Operational Planning & Control 8.1.1 General
8.2 Customer Requirements 8.2 Emergency Preparedness 8.1.2 Eliminating Hazards
8.3 Design & Development   8.1.3 Management of Change
8.4 Purchasing   8.1.4 Outsourcing
8.5 Product & Service Provision   8.2 Emergency Preparedness
8.6 Release of Products & Services    
8.7 Nonconforming Outputs    


Monitoring, measurement, analysis and evaluation

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
9.1 Monitoring & Measurement 9.1.1 Performance Evaluation 9.1.1 Performance Evaluation
9.2 Internal Audit 9.1.2 Evaluation of Compliance 9.1.2 Evaluation of Compliance
9.3 Management Review 9.2 Internal Audit 9.2 Internal Audit
  9.3 Management Review 9.3 Management Review



ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
10.1 Improvement - General 10.1 Improvement - General 10.1 Improvement - General
10.2 Nonconformity & Corrective Action 10.2 Nonconformity & Corrective Action 10.2 Incident, Nonconformity & Corrective Action
10.3 Continual Improvement 10.3 Continual Improvement 10.3 Continual Improvement

Want to know more?

SSL certification

A certificate guarantees the information your internet browser is receiving now originates from the expected domain - It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.

Free PDCA guidance

ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.