The NCR Process as Quality Intelligence
Nonconformity data is the richest quality intelligence an organization produces. Every nonconformity — whether caught internally or reported by a customer — is a signal that a process did not work as intended. Organizations that capture and analyze all nonconformities systematically improve faster than those that treat failures as isolated incidents. The cultural prerequisite is: nonconformities are not evidence of blame; they are improvement opportunities. When staff fear punishment for reporting failures, they hide them, and the organization loses visibility into quality problems. An effective QMS creates a culture where reporting nonconformities is valued and safe.
Sources of Nonconformities
| NC Source | Description | Volume Expectation | Typical Root Cause Category |
|---|---|---|---|
| Customer complaints | Customer-reported failures in delivered products/services | Low volume, high significance | Process gaps, competence issues, requirements misunderstanding |
| Internal audit findings | NCs found during planned QMS audits | Medium volume | Procedure non-adherence, documentation gaps, awareness issues |
| Process monitoring | NCs found through in-process inspection and monitoring | Variable by sector | Process variation, equipment, material quality |
| Management review | Systemic underperformance identified at review | Low volume | Resource gaps, strategic misalignment |
| Supplier failures | Non-conforming goods or services from external providers | Variable | Supplier QMS gaps, specification clarity |
The NCR Process Flow
| Step | Required Output | Timeframe | Common Failure |
|---|---|---|---|
| Contain | Immediate corrective action to fix the specific instance | Same day | Skipped — CA started without containment |
| Document | NCR record opened with description, scope, evidence | 24 hours | Verbal only, no record |
| Root cause | Written RCA using appropriate method | 5–10 business days | Superficial RCA, symptom identified not cause |
| CA plan | Specific actions, owners, dates | 5 business days from RCA | No plan, or plan identical to correction |
| Implementation | Actions completed as planned | Per CA plan | Actions planned but not completed on time |
| Effectiveness | Monitoring confirms NC has not recurred | 30–90 days post-implementation | Never done |
Root Cause Analysis Methods
Several RCA methods are available; choose the method proportionate to the nonconformity severity. Five Whys is simple and fast — asking "why?" repeatedly until you reach the root cause. It works well for straightforward NCs with one primary cause. Fishbone (Ishikawa) diagram is a structured visual method showing potential cause categories (People, Process, Equipment, Materials, Environment, Measurement) and how they might contribute to the effect. It is good for complex NCs with multiple contributing factors. The 8D method (Eight Disciplines of Problem Solving) is comprehensive and structured, with eight defined steps: define the problem, contain the issue, identify root cause, develop corrective actions, implement, verify effectiveness, prevent recurrence, and close. The 8D method is standard in automotive and aerospace industries and is proportionate to significant customer-facing failures. The critical principle: the RCA must be rigorous enough to identify the true root cause, not just the obvious symptom.
5 Whys Example
Example RCA for a delivery delay nonconformity: Why was the order shipped late? Because production was delayed. Why was production delayed? Because a critical component was received late from the supplier. Why was the component late? Because the supplier was not notified of the delivery date change when the customer moved up the delivery deadline. Why was the supplier not notified? Because there is no procedure for notifying suppliers when delivery dates change. Root cause: No change control procedure. Corrective action: Implement change control procedure with mandatory supplier notification requirement. This RCA identifies a system gap, not a person error, and the CA addresses the system gap.
Corrective Action Design
The corrective action must address the identified root cause, not the symptoms. The test: if the root cause is as identified, will this CA prevent recurrence? If your RCA identifies that "the operator made an error," the CA of "retrain the operator" may fix that one person's error but does not prevent the next operator from making the same error. Better: "The process requires precision but has no control to catch errors — implement a verification step and train all operators." CAs often contain multiple sub-actions: address the immediate problem, add process controls, improve training, update documentation, communicate the change. Each sub-action must have an owner, a due date, and success criteria. The CA plan is documented in the NCR record.
Effectiveness Verification
Effectiveness verification is mandatory, not optional. ISO 9001 explicitly requires organizations to review the effectiveness of corrective actions taken. This means going back after the CA is implemented and checking whether the nonconformity has ceased to recur. For a delivery delay, you would monitor actual delivery performance for the next 5–10 deliveries under the new process, confirm that delays have ceased, and document the verification. The timeframe for effectiveness verification depends on the frequency of the relevant activity: monthly for processes that occur daily; quarterly for processes that occur weekly; once per year for processes that occur infrequently. Without effectiveness verification records, your CA process is incomplete regardless of how good your RCA and CA planning are.
| KEY IDEA | The corrective action must address the identified root cause, not the specific instance of nonconformance. If the root cause is "no procedure exists for this activity," the corrective action is "develop and implement a procedure" — not "retrain the operator who made the error." Address the system, not the person, and you prevent recurrence system-wide. |
| IMPORTANT | Effectiveness verification is mandatory, not optional. ISO 9001 explicitly requires organizations to review the effectiveness of corrective actions taken. This means going back after the CA is implemented and checking whether the nonconformity has ceased to recur. Without effectiveness verification records, your CA process is incomplete regardless of how good your RCA and CA planning are. |
| BITLION INSIGHT | The corrective action register is one of the most powerful continuous improvement tools available to a QMS. Organizations that analyze their CA register monthly — looking for patterns in root causes, processes with disproportionate NC rates, and CAs that are not being closed — generate improvement insights that no other management tool produces. Build CA register analysis into the monthly quality reporting cycle. |