The Risks of ISO 9001 Nonconformance


    Concerned about ISO 9001 nonconformance? You're not alone.

    Almost every organization receives a nonconformance finding at some point. The questions that matter are how serious the findings are and whether they form a pattern.

    ISO 9001:2015 requires organizations to plan and conduct internal audits of their quality management system (QMS) at planned intervals. The internal audit is also the last chance to find and fix problems before the certification body performs its own audit. Both internal and external audits commonly reveal at least one nonconformity, which ISO/IEC 17021-1 (like ISO 9000) defines as the "non-fulfilment of a requirement."

    A nonconformance is not necessarily a bad thing, especially if it is isolated or occasional. The audit processes in ISO 9001 are a framework for helping organizations identify and fix their own QMS issues before they result in product quality concerns or waste. Systemic nonconformances and repeated failures, however, are much more concerning.

    Discovering a pattern of issues during the audit process is a sign of high-level weaknesses in quality management. The aspects of a quality management system, from CAPA to management review, are highly interconnected. Repeated failures mean you are failing to see, measure, communicate, or improve the things that matter.

    If you have major nonconformances or systemic patterns of failure, your organization could be facing more than barriers to certification or re-certification. A single lapse may be an isolated incident, but a major nonconformity is a significant red flag about your ability to manage quality effectively.

    Read on to learn how to identify the nonconformance discoveries that matter, common issues with ISO 9001:2015 standards, and how to safeguard your organization.

    What Major ISO 9001 Nonconformances Mean for Your Company

    Any nonconformance is an opportunity for improvement. Issues of any size should lead to corrective action. However, major and minor nonconformances mean different things for your organization.

    The primary difference between the two classifications is how far the issue reaches into the rest of the system or product:

    A minor nonconformance is generally an isolated lapse or system weakness that, left unaddressed, could lead to significant QMS failures in the future. Examples include a single unauthorized change to a document or one instrument that is out of calibration.

    A major nonconformance is evidence of a significant or systemic failure in the management system that could threaten an organization's ability to achieve its objectives or protect customers. Examples include a pattern of unauthorized document changes, or calibration procedures so poor that products are tested incorrectly. Certification bodies also commonly treat a cluster of related minor findings against the same requirement, or a minor finding left uncorrected from a previous audit, as a major.

    A minor nonconformance finding is not by itself a barrier to certification or to passing a surveillance audit, but your organization must respond with an effective corrective action plan within the certification body's deadline; failing to do so can mean failing initial certification or suspension of an existing certificate. The average number of minor nonconformities discovered in an audit is four to six.

    Major nonconformance findings can prevent your organization from achieving initial certification, or block continued certification at surveillance audits (typically annual) and recertification audits (typically every three years). There are also downstream risks, which can include regulatory noncompliance, quality concerns, waste, reputational damage, and more.



    Common Nonconformances 

    To ensure a successful certification or surveillance audit, it's essential to address your biggest risks first. You can strengthen systems internally before a certification or surveillance audit by focusing on the areas where organizations frequently struggle to meet the standard.

    According to recent data from one certification body, American Systems Registrar (ASR), auditors most commonly uncover issues under ISO 9001:2015 Sections (clauses) 4, 6, 7, 8, 9, and 10. Batalas reports common nonconformities under Sections 4, 5, and 7.

    • Section 4: Failure to identify and define interested parties (4.2)
    • Section 5: Difficulties with control of records (note that under ISO 9001:2015, control of documented information itself sits in clause 7.5; leadership's responsibility for it is what Section 5 covers)
    • Section 6: Incomplete definition of change management
    • Section 6: Risk evaluation gaps (6.1), including risks arising from the internal and external issues identified under 4.1 and area-specific risks such as warehousing
    • Section 7: Poor documentation of training, and poor capture of records
    • Section 8: Missing or incorrectly documented first-piece inspections
    • Section 9: Incomplete documentation of the internal audit program
    • Section 9: Ineffective management review, including missing documentation of mitigation decisions
    • Section 10: Incomplete documentation of CAPA, such as corrective action not defined

    Some of these common nonconformances reflect the transition to ISO 9001:2015. The 2015 version expanded some requirements (for example, clause 4.2 on interested parties), which is the likely root cause of issues such as the failure to identify interested parties and incomplete documentation of audits.

    Other trends, however, cannot be traced to the 2015 update. The data make clear that many organizations struggle to document both their processes and their responses for risk, training, audit, CAPA, and management review.

    Learn more in Failure to Comply: Document Control in a Regulated Industry.

    What Happens if You Don't Take Corrective Action? 

    ISO 9001:2015 clause 10.2 sets out how an organization must respond to any nonconformity, whether it surfaces through a customer complaint, an audit, or internal monitoring. In summary, the organization must:

    • React to the nonconformity: take action to control and correct it, and deal with its consequences
    • Evaluate whether action is needed to eliminate the root cause, including checking whether similar nonconformities exist or could occur elsewhere
    • Implement the corrective action
    • Review the effectiveness of the corrective action taken
    • Update the risks and opportunities determined during planning (in practice, the risk register), if necessary
    • Make changes to the QMS, if necessary
    • Retain documented information on the nature of the nonconformity, the actions taken, and the results

    But, theoretically speaking, what if you don’t take corrective action?

    The potential impact on your organization depends on the severity of the nonconformance. You are near-certain to face barriers to certification or re-certification. If the nonconformance is minor you may slide through until the next surveillance audit, but uncorrected issues will eventually block ISO certification.

    Certification challenges aren't the only risk, though. Major nonconformances can result in a host of issues, including:

    • Regulatory noncompliance
    • Product delivery delays
    • Rework
    • Rejected product
    • Creeping operational costs

    Discovering a nonconformity isn't necessarily negative since minor issues can represent an opportunity to strengthen your QMS. However, corrective action is critical in response to a nonconformance of any size. While a major problem is more likely to impact profitability or customer satisfaction immediately, all types of nonconformance can have a downstream impact.

    How to Safeguard Against ISO 9001 Nonconformances

    Audits and customer feedback are invaluable sources for discovering nonconformances, but they aren't the only tools for shifting towards a proactive, quality-driven culture. Corrective action is by definition a reaction to a QMS failure. It is better to start safeguarding against nonconformance risks now, with practices that prevent these issues from occurring in the first place.


    Perform management review at planned intervals, as clause 9.3 requires: at least once a year, and ideally twice a year or quarterly. Use these reviews to dive deep into product changes, requirements, processes, and risks, and use a defined system to plan and implement improvements. Management review is the foundation of continual improvement.


    Customer feedback and other quality events must be recorded and translated into action. Feedback is also an invaluable resource for spotting trends: negative and positive customer feedback, together with quality measurements, can reveal trends in complaints, nonconformances, and deviations. Actively analyzing quality data lets you distinguish isolated events from emerging patterns and fast-track root cause analysis.


    Internal audits can be performed on a rolling basis to evaluate the health of processes continuously, with higher-risk processes audited more often. Audits can also check progress on findings or open questions from previous audits.

    Most importantly, audits can be a valuable tool for collaborative discovery of opportunities for improvement with employees. In a quality-driven culture, employees who are closest to the process can work with internal audits to raise concerns or suggest opportunities for development.


    Increase visibility into the nonconformance process with an electronic quality management system (eQMS). With paper-based approaches, it is easy for corrective and preventive actions (CAPA) and nonconformance reports (NCRs) to get lost or buried beneath competing priorities. In contrast, cloud-based or other electronic QMS software makes open items visible to everyone who owns them, so opportunities for improvement can be tracked through to closure with simple, shared tools.


    Turning Nonconformity Findings into Quality Improvements

    A nonconformity with ISO 9001 is not necessarily negative. Many organizations have at least some minor nonconformities. When issues are discovered early by an employee or during an internal audit or management review, they can represent an opportunity. Uncovering minor issues proactively can prevent significant problems and barriers to certification. 

    A systemic, comprehensive approach to addressing risks is critical, especially because a minor nonconformance can grow into a significant issue. To fully realize the benefits of an ISO 9001:2015 quality management system, the best approach is to safeguard against nonconformances and related risks. Drive improvement with management review, internal audit, data tracking, and electronic collaboration.

    How is your organization currently performing against best practices for quality management? Could gaps in your processes result in adverse findings from certification bodies or regulatory agencies? Get your quality score: take a short quiz to learn how you stack up.