by Craig Cochran

Controlling nonconforming products is a fundamental quality control discipline. Even organizations with virtually no management systems will have at least a semblance of methods for controlling nonconformities. However, that doesn't mean the methods are effective, or even that they would pass muster during an ISO 9001:2000 audit. In fact, effective, user-friendly methods for controlling nonconforming products are quite rare.

 A system for controlling nonconformities is, by its very nature, defensive. Its purpose is to contain nonconformities and prevent them from reaching customers. Implementing a great system won't make an organization world-class. On the other hand, a poor system can cause very serious problems, and possibly even lead to the organization's demise. Therefore, it makes sense to construct an effective system that everybody will use and understand.

 ISO 9001:2000 leaves most requirements for controlling nonconformities unchanged from earlier revisions. Despite this, much confusion exists about the full range and scope of control.

What is a nonconforming product?

 First, it may be useful to define exactly what a nonconforming product is. For such a product to exist, one or more of the following conditions must be present:

  Formal verification activities. By definition, nonconforming products result from verification, inspection or test activities. If these don't exist at a particular stage of product realization, then nonconforming products don't exist either. Organizations shouldn't abuse this by claiming they're not performing verification when they really are. Formal verification activities are very easily recognized by auditors. More important, an organization is playing the business version of Russian roulette when it tries to circumvent nonconforming product procedures for the sake of convenience.

  Removing a product from the material flow or product realization process. If a product's condition is such that it can be handled in the normal production flow, then the organization may elect to handle the product outside its nonconforming product procedures. This only works if there are formal verification activities that take place downstream in the production process.

  Operating conditions intended to produce conforming products. If process conditions aren't intended to produce conforming products, then the organization may handle the results of these processes outside its nonconforming product procedures. An example might be a production line that unavoidably produces a certain amount of start-up scrap. The scrap is simply part of getting the process up to normal operating conditions. The organization could elect to handle this product outside of its procedures for nonconforming products, especially when the scrap or waste in no way resembles conforming product. Trouble arises when the scrap or waste looks exactly like conforming product, as it does in many industries, such as chemical manufacturing. In these cases, potential misidentification outweighs other factors and makes nonconforming product procedures a necessity.

  Risk to the organization. Regardless of any other considerations, an organization can decide that the business risk or potential liability is great enough to treat products as nonconforming at any particular stage of the process. Regardless of ISO 9001:2000 requirements, this is the category that matters most when deciding if something is nonconforming.

 Even given these guidelines, an organization may discover a considerable amount of gray area regarding what is or isn't nonconforming product. This is only natural and a reflection of the real-life complexities of business. The organization must look objectively at its own operations, analyze its unique risk factors and decide what will be included within its system for nonconforming products. Some situations will be quite obvious, and others won't. As a last resort, the organization can always contact its registrar for an interpretation. But, remember, these interpretations are only opinions, and common sense should always prevail.

Identifying nonconforming products

 The first requirement for nonconforming products in ISO 9001:2000 states, "The organization shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery." The two key words here are "identification" and "control." Let's address identification first.

 Simply put, an organization must identify products that don't conform to requirements. This is an extension of the requirement for identifying all products by suitable means throughout product realization. Everything must be identified, period. The standard, however, doesn't prescribe any particular methods of identifying nonconforming products. Indeed, it can take many forms, all of which have their place:

  Tags, signs or stickers affixed to the product

  Labeled bins, boxes and bags

  Remarks or descriptions written directly on the product

  Tape or ribbon wrapped around the product

  Paint spots or other coded markings on the product

  Electronic identification, often by means of a barcode affixed to the product

  Storing the product in specially marked areas


 The organization is responsible for deciding which forms of identification are most appropriate for its manner of operations. No universal conventions exist for what nonconforming identification should look like. Is a green "rejected" tag OK? Sure, if that's what the organization wants to use. How about the word "crappy" scrawled in crayon on the product? No problem. The identification system needn't be conventional. What's important is that it's effective and understood by users. One or two interviews with employees will usually indicate if an identification system is working.

Controlling nonconforming products

 Control is the next issue that the standard requires organizations to address, and it actually encompasses a large category of activities:

  Establishing special handling requirements

  Segregating from conforming products

  Securing in locked or protected areas

  Establishing documented procedures

  Defining chain of command for the documented procedures

  Training employees on procedures

  Defining timeframes for taking action

  Defining dispositions

  Recording nonconformities

  Connecting process to the corrective/preventive action system


 In other words, "control" summarizes all the methods that lead to two desired outcomes: preventing nonconforming products from reaching the customer and eliminating the root cause of nonconforming products. Identification is actually a component of control, although the standard treats it separately. The specific means of control used by an organization will be described in a documented procedure.

Documenting procedure

 The next requirement stipulated by ISO 9001:2000 is, "The controls and related responsibilities and authorities for dealing with nonconforming product shall be defined in a documented procedure." This requirement is self-explanatory.

 Try to make this procedure simple and concise. How complex is your system for controlling nonconforming products? Probably not very. Ensure that the documented procedure is equally uncomplicated. The organization might consider using graphic explanations, such as flow diagrams, to make the procedure more intuitive and user-friendly.

 Responsibilities and authorities must be defined clearly in the documented procedure for each stage of control. Consider at least the following issues within the procedure:

  Who can identify nonconforming products?

  Who can move or handle nonconforming products?

  Who can authorize disposition of nonconforming products?

  Who can carry out the disposition?


These responsibilities and authorities should be addressed in a no-nonsense manner, and the persons who have responsibilities and authorities within the system should receive appropriate training. Defined responsibilities and authorities are useless if nobody knows about them.

Dispositioning nonconforming products

 ISO 9001:2000 next addresses dispositioning of nonconforming products. "The organization shall deal with nonconforming product by one or more of the following ways: a) by taking action to eliminate the detected nonconformity; b) by authorizing its use, release or acceptance under concession by a relevant authority and, where applicable, by the customer; and c) by taking action to preclude its original intended use or application."

 Simply stated, dispositioning means deciding what to do with nonconforming product. ISO 9001:2000 offers three possible dispositions; let's examine each individually.

  Taking action to eliminate the detected nonconformity. The key word here is "eliminate." The product will maintain its basic identity as a product, but the nonconformity will be eliminated. This can occur in a variety of ways:

  * By repairing. This includes actions that make the product functional although it doesn't conform perfectly to the original requirements. Such a product may not carry the same warranty as first-quality products, for instance.

  * By reworking. Actions that make the product conform to the original requirements. In the customers' eyes, this product is exactly the same as a first-quality conforming product.

  * By reprocessing. Sending the product back through the transformation process. This is done in many continuous process industries, such as chemicals and plastics.


  By authorizing its use, release or acceptance under concession by a relevant authority and, where applicable, by the customer. In this case, the product still doesn't meet requirements. Nothing has been done to eliminate the nonconformity or alter the product's quality or performance. However, somebody has decided to use, release or accept the product anyway. If a product is nonconforming according to the organization's internal specifications but acceptable according to the customer's specifications, then a concession can be issued by the organization. However, if the product is nonconforming according to the customer's specifications, then the concession can only come from the customer.

 The term "concession" may cause some confusion. It's nothing more than an agreement to use, release or accept a product. Concessions are always recorded; otherwise, they're worthless. If no record of the concession exists, then the organization has nothing to stand behind in the case of later disputes. Moreover, ISO 9001:2000 requires concessions to be recorded.

 Concessions normally include the following details:

  * The condition or quality level that has been accepted

  * The quantity of product that is covered under the concession

  * The person who has authorized the concession, including a signature, if


  * The date and time the concession was granted


 These could be recorded on the original sales order, the customer's purchase order, internal quality assurance records or other relevant documentation. Regardless of where and how the concession is recorded, the important thing is that it's clear and unambiguous.


  By taking action to preclude its original intended use or application. This disposition can lead to a number of different actions. Ultimately, the product isn't going to be used or applied as it was originally intended. This normally occurs through one of the following actions:

  * Scrapping. This is an action that actually gets rid of the product, such as tossing it into a dumpster.

  * Recycling. The product is sent to an outside party who can recycle the product or its components into something usable.

  * Reprocessing. The product is changed into something entirely different from what was originally intended.

  * Regrading. This is possible when the product was nonconforming according to one set of requirements but it conforms to a lesser or different set of requirements. ISO 9000:2000 lists regrade as an example of "eliminating a detected nonconformity," but it seems to fit more logically under this category.

 In their procedures for controlling nonconforming products, some organizations stipulate time limits within which a disposition must be accomplished (e.g., "Nonconforming products must be dispositioned within 30 days of being identified."). However, common sense dictates that some dispositions may take longer to arrive at than others. Time limits are rarely a good idea, and they usually result in the organization violating its own procedures. If organizations want to reduce the amount of time between identification and disposition, managers simply need to monitor products in their nonconforming areas, a responsibility that is often ignored.


 The standard requires that records be maintained describing the nature of nonconformities along with any subsequent actions taken. This requirement has given people a lot of heartache: "We're going to spend all our time filling out records!" The truth is that if an organization has that many nonconformities, completing records is the least of its problems.

 At least the first three of the following pieces of information must be recorded:

  A description of the nonconformity

  Action taken, otherwise known as "disposition"

  Reverification (i.e., when the nonconformity has been corrected)

  Details of concessions, if any


 Because we've already discussed documenting the concession, let's focus on the other three items. The description of the nonconformity and action taken can easily be recorded on the form that identifies the product as nonconforming. Keep it simple. Like most paperwork, the more complex a record is, the less employees will use it. The best option is electronic record keeping, particularly for organizations that identify nonconforming products through barcodes or other electronic means.

Reverifying nonconforming products

 When nonconforming products are corrected, they must be reverified. This verification must match the original requirements that the product was intended to meet--otherwise, you've regraded the product. Reverification can be done through the original inspection process or by a completely different function--it doesn't matter. The important thing is that the reverification is recorded, just like any formal verification. Two elements must be included in this record:

  Evidence of conformity with acceptance criteria (i.e., actual measurements or observations)

  Identification of the person authorizing the release (i.e., the person performing the verification or responsible for seeing that the task is carried out)


 The reverification record can be kept anywhere that makes sense to the organization. The only imperative is that the relevant people know where it is and can retrieve it.

Nonconformities detected later

 Occasionally--but presumably not often--nonconformities will be detected after delivery or after the customer has used the product. The standard requires that the organization take action appropriate to the effects or potential effects of the nonconformity. This can mean a number of things. Typically, organizations institute a returned goods process to deal with nonconformities that are detected after delivery or use has begun. For most goods, this system works fairly well and follows this general sequence:

1. The customer contacts the organization to report the nonconformity.

2. If it's determined to be appropriate, the customer is issued a tracking number of some sort. This number is often referred to as RMA (returned materials authorization) or RGA (returned goods authorization).

3. The customer is asked to mail or ship the product back to the organization, referencing the assigned tracking number.

4. When the product returns to the organization, it's handled much like any other nonconformity. The primary difference is that there may be the additional issue of crediting the customer for all or part of the product's cost.

5. Corrective action is initiated to determine and eliminate the root cause of the nonconformity, as with any other nonconforming product situation. The key benefit of a returned goods process is that the organization can see the nonconformity for itself, rather than just hearing about it.


 Sometimes the "effects" of the nonconformity may require more or less action than the returned goods process described above. For wide-ranging or potentially harmful nonconformities, the organization may institute a universal recall of all products sold within a certain time period. For very small nonconformities, the customer may simply receive an automatic credit and be asked to discard the nonconforming product. In any case, the organization must consider the nonconformity's effects and take action that logically matches those effects.

Integrating to corrective action

 Do all instances of nonconforming products result in corrective action? This is a very good question, and the answer requires some interpretation.

 The ISO 9001:2000 requirements for corrective action are straightforward. "The organization shall take action to eliminate the causes of nonconformities in order to prevent recurrence." This basically means that all nonconformities will be submitted for corrective action, but the very next sentence provides something of a trap door: "Corrective actions shall be appropriate to the effects of the nonconformities encountered." My interpretation is that "appropriate actions" can include anything from companywide initiatives to no action at all. It all depends on the effects of the nonconformities. In other words, the organization must evaluate, among other considerations, the organizational risk and potential impact on customer satisfaction, and then take action that logically fits the description of "appropriate." As long as there's evidence that the organization has performed this evaluation and has an objective basis for its action--or nonaction--then nobody should object.

 Keep in mind that the corrective and preventive action system is worthless if it's not used. An organization should look for every possible opportunity to put it to use and enforce root-cause investigation into nonconformities. Clearly, the link between corrective actions and control of nonconforming products is one of the most critical relationships within any management system. In the end, your system for controlling nonconforming products will be fatally flawed if it doesn't include a clear and direct connection to your corrective action system.


About the author

  Craig Cochran is an RAB-certified lead auditor and a project manager with the Center for International Standards & Quality, which is part of Georgia Tech's Economic Development Institute. CISQ can be reached at (800) 859-0968.

