Management system guidance

8.0 Operation

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.


8.7 Nonconforming outputs


The quality management system should have clear control mechanisms and processes in place to implement corrective actions that address poor-quality and nonconforming (defective) outputs, including products and services, whether identified internally by the organization or reported externally by the customer and other stakeholders.

The intent of ISO 9001 Clause 8.7 is to prevent the unintended delivery or use of nonconforming outputs (outputs should be considered as products and/or services), and to ensure that any nonconformity is controlled and corrected to prevent its unintended use by or delivery to the customer. Clause 8.7 only requires an organization to deal with outputs that fail to conform to specified requirements.

By contrast, ISO 9001 Clause 10.2 requires your organization to evaluate the need for actions that will prevent recurrence of nonconformities. As the first step in the process, the root-cause of the nonconformity should be determined, and the effectiveness of the subsequent corrective action should be monitored and evaluated.

Corrective actions can be triggered through nonconforming tests or other work, customer complaints, internal or external audits, management reviews, and observations by staff.

Definition of correction

Correction (also referred to as immediate correction) is action taken to eliminate a detected nonconformity or defect (adapted from ISO 9000). A correction can be made in conjunction with undertaking corrective action. For a product nonconformity, correction might include reworking the part, accepting the nonconformance through the concession process, replacing the product, or scrapping the product.

Definition of corrective action

Action implemented to address the root-cause(s) and contributing cause(s) of the undesirable condition, situation, nonconformity, or failure; action taken to prevent recurrence. As part of the corrective action process you must identify all the causes (root-cause and contributing causes) that have or may have generated an undesirable condition, situation, nonconformity, or failure.

When to apply corrective action

The decision to apply or not apply the corrective action process should be made by the appropriate level of management within the company, based on the level of risk. Many factors can trigger the corrective action process; examples include:

  1. A safety impact that affects the product or personnel;
  2. Product performance and/or reliability issues;
  3. High impact on production and/or maintenance operations;
  4. Repetitive problems to one part of the activity/process, or similar problems across many activities/processes;
  5. Difficulty in detecting the nonconformity;
  6. By customer request;
  7. Significant quality or management system issues;
  8. Complex problem that cannot be solved without assistance of others not located where the problem occurred.

The root-cause must address the nonconformity and the corrective action must address the root-cause.

Controlling and documenting nonconforming outputs

The requirements of ISO 9001 Clause 8.7 also include the establishment of controls to ensure that nonconforming outputs, including products and services, are not delivered to the customer or that their unintended use is prevented, and that action is taken to contain the effect of a nonconformity detected after delivery by the timely reporting of the nonconformity to any relevant interested parties of products or services already delivered.

It should be noted that Clause 8.7 does not require you to maintain a documented procedure. However, we strongly recommend that businesses implement a documented procedure that describes how nonconforming outputs, including products and services, are identified, captured, rectified and analyzed, who is responsible for the corrective action process, what action should be taken, and what records should be kept:

  1. Descriptions of each nonconforming output, including products and services:
    • Verbal statements;
    • Illustrations, photos, schematics;
    • Audit reports;
    • Defect codes;
    • Other, suitable objective evidence.
  2. Descriptions of each action taken:
    • Containment;
    • Labelling;
    • Segregation;
    • Return or suspension of product delivery;
    • Dispositions/scrap;
    • Re-work;
    • Concession applications;
    • Use-as-is.
  3. Descriptions of any concessions:
    • Accepted concessions;
    • Concessions logs;
    • Waivers;
    • Derogations;
    • Deviations;
    • Permits.
  4. Confirmation of authorized signatories:
    • Approved by person(s) with appropriate delegated technical authority;
    • Authorized by design responsible representative;
    • Nonconformance control authorities;
    • Authorized by the customer.

Define how your organization verifies conformance where process outputs, products and services are corrected following nonconformance. What are the arrangements for defining corrective actions for nonconforming outputs detected after delivery (see Clause 10.2), e.g. reaction to the nonconformity, evaluation of necessary action(s), implementation and monitoring of identified action(s), and review of effectiveness and sustainment of action(s) taken?

By keeping records of your nonconformities, it is easier to spot negative trends, examine the root cause, and eliminate the cause of your problems. This, in turn, should result in fewer defective products or process outputs and could lead to more satisfied customers.

Capturing nonconforming outputs

The manner in which nonconformities are captured and documented within your quality management system is key to complying with the clause. The Sales Manager often acts as the customer representative and is in charge of capturing customer feedback and complaints. The Quality Manager is often in charge of initiating an investigation of the root-cause and of implementing the corrective action plan.

This is done by considering whether any further action is required to prevent a similar nonconformity arising at the same place or occurring somewhere else at some point in the future, and by determining whether similar nonconformities have occurred elsewhere and, consequently, whether similar corrective action needs to be taken.

Manufacturing problems should be brought to the attention of the Quality Manager via the initial sample inspection reports carried out by an Inspector, who in turn reviews the problem and implements any process changes necessary, using any specialists as required.

It is recommended that you retain and update a nonconformity log as appropriate, in conjunction with the above-mentioned documented procedure; this is a vital tool for informing staff about nonconformities, their status, and the respective reaction to them. All such entries must be reviewed by the Departmental Managers affected. This can also help to identify recurring problems and reveal data that can be analyzed.

Top management should, on a bi-annual basis, review the progress on outstanding recommendations and take the necessary action to expedite completion.

Dealing with nonconforming outputs internally

Taking appropriate action to address the effects of the problem may require a simple correction by the process owner or operator where it was discovered, or, if a major failure or defect exists, more significant levels of resource would be needed for problem solving and corrective action.

Top management and the Quality Manager should, in close consultation with the staff from each work area, establish what is considered as conforming, an opportunity for improvement, or a minor or major nonconformity; on the basis of known risk levels, remedial actions should be defined, implemented and documented. We suggest the following definitions and actions:

  • Conforming: All performance indicators, metrics, objectives, audit results, etc. show stability and consistently achieve targets. Process is fully documented and implemented. Continue to monitor trends and indicators.
  • Opportunity for improvement: Minor problems exist, otherwise conforming, minor process or product changes planned. Post-audit follow-up and review is required to assess new opportunities. Review and implement actions to improve the process(es). Monitor trends/indicators to determine if improvement was achieved.
  • Minor nonconformity: Poor performance/adverse trends, expected results not achieved. Current practices conform but are not documented. Process partially documented or partially implemented. Investigate root cause(s) and implement corrective action by next reporting period or next scheduled audit or inspection.
  • Major nonconformity: Practices are nonconforming, likely to cause safety or regulatory compliance issues. Likely to have a significant adverse effect on customer satisfaction, product quality, the environment, health and safety, delivery, or profitability. Process not implemented, no resources, not documented. Implement immediate containment action, investigate root cause(s) and apply corrective action. Re-audit in 4 weeks to verify correction.

Senior management should be actively involved in any major corrective actions, making sure that all actions agreed by any multi-functional teams are carried out fully. Major corrective actions and improvements can be added to your continual improvement programme and reported at management review meetings.

Nonconformities do not all need to be tackled in the same way; ensure that appropriate action is taken according to the nature (scale and seriousness) of the nonconformity. There may be a formal process for dealing with major nonconformities, but there should also be another process for dealing with less serious, minor nonconformities.

If you have manufactured a product, inspected it and found it to be out of specification, it is most likely to be deemed a nonconforming product. In some instances you will have to scrap the defective product, but in other situations you may be able to do some remedial work and bring it back into specification.

Controlling nonconforming product outputs

No matter how you resolve a nonconformity, you must keep records of each nonconformance or defect and how it was dealt with. Records of product nonconformity should be periodically reviewed to determine if a chronic problem exists with the production process; it's all about improvement!

What the clause is telling us is that, after remedial work, the product should be subject to further inspection to verify that it is now correct. As for records, if you documented the nonconforming product, there should normally be somewhere to verify that you successfully (or not) cured the problem and that it is now conforming.

  1. Re-verification simply means that you cannot assume that because someone tells you they have corrected the problem then it is ok. The clause is asking you to re-verify by whatever means you originally chose.

  2. If you used inspection as a method of verification then re-inspect in the same method. If not, use whatever method suits you (or your customer). Just make sure it is ok before it leaves!

  3. The re-verification after remedial work might involve testing as well as inspection. The reason is not just to verify that the defect has been removed, but also to assure that fresh defects have not been introduced by the rework. Records would be as appropriate for the re-inspection or re-testing performed.

  4. Re-verification is equivalent to re-inspection and records could include a signature of approval or a more formal test report. Whichever format is chosen, it must be defined in the nonconformity procedure.

You may need to supply new evidence of conformance to your customer, along with corrective action documentation, if requested. The method that you use in either of these situations should be defined in your procedures; that way you relieve yourself and your auditor from guessing how you would address them.

Where necessary, any product or process outputs that do not conform to specified requirements should be properly identified and controlled to prevent unintended use or delivery. Improvements are then implemented to ensure the nonconformance does not reoccur. Control defective products by:

  1. Defining how nonconforming products and processes are identified;
  2. Defining how nonconforming products and processes are dealt with;
  3. Removing or correcting nonconformities;
  4. Preventing the delivery or use of nonconforming products and processes;
  5. Verifying how nonconforming products and processes were corrected;
  6. Providing evidence that corrected products and processes now conform to requirements;
  7. Keeping records that catalogue nonconforming products and processes.

There may be instances where it is impossible to completely eliminate the cause of the nonconformity, so in these instances, the best you can do is to reduce the likelihood or the consequences of a similar problem happening again in order to reduce the risk to an acceptable level. Where applicable any corrective action taken and controls implemented to eliminate the cause of nonconformity should be applied to other similar processes and products.

Controlling nonconforming service-based outputs

Controlling nonconforming outputs can apply to services just as much as it does to tangible goods. Reports, data, test results and intellectual property, to name just a few service outputs, can all be potentially nonconforming, in which case all the disciplines of the above processes apply.

In the case of service processes that directly involve the customer, the control of nonconforming outputs is the way the organization deals with nonconformities in the service provision until the appropriate corrective action can be defined and implemented.

It should be any company’s policy to detect, control and rectify any aspect of nonconformance as quickly and efficiently as possible. When nonconformities are identified, you should examine whether the personnel involved are sufficiently empowered with the authority to decide the disposition of the service, for example:

  1. To immediately terminate the service;
  2. To replace the service provided;
  3. To offer an alternative.

You should also examine:

  1. Your organization's customer claims and complaints processes;
  2. Any temporary corrections that are implemented to mitigate the effect of the nonconformity (e.g. refund, credit, upgrade, etc.);
  3. The identification, segregation and replacement of the service;
  4. Equipment, service providers and environment.

This will enable you to judge whether the control of such nonconforming services is effective. In such situations the processes should have provisions to capture data on the nonconformities and to feed back information, at the appropriate management level, for the effective definition and implementation of corrective actions. Evidence will need to be sought to justify effective implementation of these techniques.

