by Craig Cochran
products is a fundamental quality control discipline. Even organizations with virtually no management systems will have at least a semblance of methods for controlling nonconformities. However,
that doesn't mean effective methods nor even ones that would pass muster during an ISO 9001:2000 audit. In fact, effective, user-friendly methods for controlling nonconforming products are quite
A system for controlling nonconformities is, by its very nature, defensive. Its purpose is to contain nonconformities and prevent them from reaching customers.
Implementing a great system won't make an organization world-class. On the other hand, a poor system can cause very serious problems, and possibly even lead to the organization's demise.
Therefore, it makes sense to construct an effective system that everybody will use and understand.
ISO 9001:2000 leaves most requirements for controlling nonconformities
unchanged from earlier revisions. Despite this, much confusion exists about the full range and scope of control.
What is a nonconforming product?
First, it may be useful to define exactly what a nonconforming product is. For such a product to exist, one or more of the following
conditions must be present:
Formal verification activities. By definition, nonconforming products result from verification, inspection or test activities. If these don't exist at a particular
stage of product realization, then nonconforming products don't exist either. Organizations shouldn't abuse this by claiming they're not performing verification
when they really are. Formal verification activities are very easily recognized by auditors. More important, an organization is playing the business version of
Russian roulette when it tries to circumvent nonconforming product procedures for the sake of convenience.
Removing a product from the material flow or product realization process
. If a product's condition is such that it can be handled in the normal production flow, then the organization may elect to handle the product outside its
nonconforming product procedures. This only works if there are formal verification activities that take place downstream in the production process.
Operating conditions intended to produce conforming products. If
process conditions aren't intended to produce conforming products, then the organization may handle the results of these processes outside its nonconforming
product procedures. An example might be a production line that unavoidably produces a certain amount of start-up scrap. The scrap is simply part of getting
the process up to normal operating conditions. The organization could elect to handle this product outside of its procedures for nonconforming products,
especially when the scrap or waste in no way resembles conforming product. Trouble arises when the scrap or waste looks exactly like conforming product, as
it does in many industries, such as chemical manufacturing. In these cases, potential misidentification outweighs other factors and makes nonconforming product procedures a necessity.
Risk to the organization
. Regardless of any other considerations, an organization can decide that the business risk or potential liability is great enough
to treat products as nonconforming at any particular stage of the process. Regardless of ISO 9001:2000 requirements, this is the category that matters
most when deciding if something is nonconforming.
Even given these guidelines, an organization may discover a considerable amount
of gray area regarding what is or isn't nonconforming product. This is only natural and a reflection of the real-life complexities of business. The organization must
look objectively at its own operations, analyze its unique risk factors and decide what will be included within its system for nonconforming products. Some
situations will be quite obvious, and others won't. As a last resort, the organization can always contact its registrar for an interpretation. But, remember,
these interpretations are only opinions, and common sense should always prevail.
Identifying nonconforming products
The first requirement for nonconforming products in ISO 9001:2000 states, "The organization shall ensure that product which does not conform to product
requirements is identified and controlled to prevent its unintended use or delivery." The two key words here are "identification" and "control." Let's address identification first.
Simply put, an organization must identify products that don't conform to requirements. This is an extension of the requirement for identifying all products
by suitable means throughout product realization. Everything must be identified, period. The standard, however, doesn't prescribe any particular methods of
identifying nonconforming products. Indeed, it can take many forms, all of which have their place:
Tags, signs or stickers affixed to the product
Labeled bins, boxes and bags
Remarks or descriptions written directly on the product
Tape or ribbon wrapped around the product
Paint spots or other coded markings on the product
Electronic identification, often by means of a barcode affixed to the product
Storing the product in specially marked areas
The organization is responsible for deciding which forms of identification are most appropriate for its manner of operations. No universal conventions exist for
what nonconforming identification should look like. Is a green "rejected" tag OK? Sure, if that's what the organization wants to use. How about the word "crappy"
scrawled in crayon on the product? No problem. The identification system needn't be conventional. What's important is that it's effective and understood by
users. One or two interviews with employees will usually indicate if an identification system is working.
Controlling nonconforming products
Control is the next issue that the standard requires organizations to address, and
it actually encompasses a large category of activities:
Establishing special handling requirements
Segregating from conforming products
Securing in locked or protected areas
Establishing documented procedures
Defining chain of command for the documented procedures
Training employees on procedures
Defining timeframes for taking action
Connecting process to the corrective/preventive action system
In other words, "control" summarizes all the methods that lead to two desired
outcomes: preventing nonconforming products from reaching the customer and eliminating the root cause of nonconforming products. Identification is actually a
component of control, although the standard treats it separately. The specific means of control used by an organization will be described in a documented procedure.
The next requirement stipulated by ISO 9001:2000 is, "The controls and related
responsibilities and authorities for dealing with nonconforming product shall be defined in a documented procedure." This requirement is self-explanatory.
Try to make this procedure simple and concise. How complex is your system for controlling nonconforming products? Probably not very. Ensure that the
documented procedure is equally uncomplicated. The organization might consider using graphic explanations, such as flow diagrams, to make the procedure more intuitive and user-friendly.
Responsibilities and authorities must be defined clearly in the documented procedure for each stage of control. Consider at least the following issues within the procedure:
Who can identify nonconforming products?
Who can move or handle nonconforming products?
Who can authorize disposition of nonconforming products?
Who can carry out the disposition?
These responsibilities and authorities should be addressed in a no-nonsense manner, and the persons who have responsibilities and authorities within the
system should receive appropriate training. Defined responsibilities and authorities are useless if nobody knows about them.
Dispositioning nonconforming products
ISO 9001:2000 next addresses dispositioning of nonconforming products. "The
organization shall deal with nonconforming product by one or more of the following ways: a) by taking action to eliminate the detected nonconformity; b) by
authorizing its use, release or acceptance under concession by a relevant authority and, where applicable, by the customer; and c) by taking action to preclude its
original intended use or application."
Simply stated, dispositioning means deciding what to do with nonconforming
product. ISO 9001:2000 offers three possible dispositions; let's examine each individually.
Taking action to eliminate the detected nonconformity. The key word
here is "eliminate." The product will maintain its basic identity as a product, but the nonconformity will be eliminated. This can occur in a variety of ways:
* By repairing
. This includes actions that make the product functional although it doesn't conform perfectly to the original requirements. Such a product may not
carry the same warranty as first-quality products, for instance.
* By reworking. Actions that make the product conform to the original
requirements. In the customers' eyes, this product is exactly the same as a first-quality conforming product.
* By reprocessing
. Sending the product back through the transformation process. This is done in many continuous process industries, such as chemicals and plastics.
By authorizing its use, release or acceptance under concession by a
relevant authority and, where applicable, by the customer. In this case, the product still doesn't meet requirements. Nothing has been done to eliminate the
nonconformity or alter the product's quality or performance. However, somebody has decided to use, release or accept the product anyway. If a
product is nonconforming according to the organization's internal specifications but acceptable according to the customer's specifications, then a concession can
be issued by the organization. However, if the product is nonconforming according to the customer's specifications, then the concession can only come from the customer.
The term "concession" may cause some confusion. It's nothing more than an agreement to use, release or accept a product. Concessions are always
recorded; otherwise, they're worthless. If no record of the concession exists, then the organization has nothing to stand behind in the case of later disputes.
Moreover, ISO 9001:2000 requires concessions to be recorded.
Concessions normally include the following details:
* The condition or quality level that has been accepted
* The quantity of product that is covered under the concession
* The person who has authorized the concession, including a signature, if
* The date and time the concession was granted
These could be recorded on the original sales order, the customer's purchase order, internal quality assurance records or other relevant documentation.
Regardless of where and how the concession is recorded, the important thing is that it's clear and unambiguous.
By taking action to preclude its original intended use or application. This
disposition can lead to a number of different actions. Ultimately, the product isn't going to be used or applied as it was originally intended. This normally occurs
through one of the following actions:
* Scrapping. This action that actually gets rid of the product, such as tossing it into a dumpster.
Recycling. The product is sent to an outside party who can recycle the product or its components into something usable
The product is changed into something entirely different from what was originally intended.
* Regrading. This is possible when the product was nonconforming according
to one set of requirements but it conforms to a lesser or different set of requirements. ISO 9000:2000 lists regrade as an example of "eliminating a
detected nonconformity," but it seems to fit more logically under this category.
In their procedures for controlling nonconforming products, some organizations
stipulate time limits within which a disposition must be accomplished (e.g., "Nonconforming products must be dispositioned within 30 days of being
identified."). However, common sense dictates that some dispositions may take longer to arrive at than others. Time limits are rarely a good idea, and they usually
result in the organization violating its own procedures. If organizations want to reduce the amount of time between identification and disposition, managers
simply need to monitor products in their nonconforming areas, a responsibility that is often ignored.
The standard requires that records be maintained describing the nature of nonconformities along with any subsequent actions taken. This requirement has
given people a lot of heartache: "We're going to spend all our time filling out records!" The truth is that if an organization has that many nonconformities,
completing records is the least of its problems.
At least the first three of the following pieces of information must be recorded:
A description of the nonconformity
Action taken, otherwise known as "disposition"
Reverification (i.e., when the nonconformity has been corrected)
Details of concessions, if any
Because we've already discussed documenting the concession, let's focus on the other three items. The description of the nonconformity and action taken can
easily be recorded on the form that identifies the product as nonconforming. Keep it simple. Like most paperwork, the more complex a record is, the less
employees will use it. The best option is electronic record keeping, particularly for organizations that identify nonconforming products through barcodes or other electronic means.
Reverifying nonconforming products
When nonconforming products are corrected, they must be reverified. This
verification must match the original requirements that the product was intended to meet--otherwise, you've regraded the product. Reverification can be done
through the original inspection process or by a completely different function--it doesn't matter. The important thing is that the reverification is recorded, just like
any formal verification. Two elements must be included in this record:
Evidence of conformity with acceptance criteria (i.e., actual measurements or observations)
Identification of the person authorizing the release (i.e., the person performing
the verification or responsible for seeing that the task is carried out)
The reverification record can be kept anywhere that makes sense to the
organization. The only imperative is that the relevant people know where it is and can retrieve it.
Nonconformities detected later
Occasionally--but presumably not often--nonconformities will be detected after delivery or after the customer has used the product. The standard requires that
the organization take action appropriate to the effects or potential effects of the nonconformity. This can mean a number of things. Typically, organizations
institute a returned goods process to deal with nonconformities that are detected after delivery or use has begun. For most goods, this system works fairly well and follows this general sequence:
1. The customer contacts the organization to report the nonconformity.
2. If it's determined to be appropriate, the customer is issued a tracking number
of some sort. This number is often referred to as RMA (returned materials authorization) or RGA (returned goods authorization).
3. The customer is asked to mail or ship the product back to
the organization, referencing the assigned tracking number.
4. When the product returns to the organization, it's handled much like any other nonconformity. The primary difference is that there may be the additional issue of
crediting the customer for all or part of the product's cost.
5. Corrective action is initiated to determine and eliminate the root cause of the
nonconformity, as with in any other nonconforming product situation. The key benefit of a returned goods process is that the organization can see the
nonconformity for itself, rather than just hearing about it.
Sometimes the "effects" of the nonconformity may require more or less action
than the returned goods process described above. For wide-ranging or potentially harmful nonconformities, the organization may institute a universal
recall of all products sold within a certain time period. For very small nonconformities, the customer may simply receive an automatic credit and be
asked to discard the nonconforming product. In any case, the organization must consider the nonconformity's effects and take action that logically matches those effects.
Integrating to corrective action
Do all instances of nonconforming products result in corrective action? This is a
very good question, and the answer requires some interpretation.
The ISO 9001:2000 requirements for corrective action are straightforward. "The
organization shall take action to eliminate the causes of nonconformities in order to prevent recurrence." This basically means that all nonconformities will be
submitted for corrective action, but the very next sentence provides something of a trap door: "Corrective actions shall be appropriate to the effects of the
nonconformities encountered." My interpretation is that "appropriate actions" can include anything from companywide initiatives to no action at all. It all depends on
the effects of the nonconformities. In other words, the organization must evaluate, among other considerations, the organizational risk and potential impact on
customer satisfaction, and then take action that logically fits the description of "appropriate." As long as there's evidence that the organization has performed
this evaluation and has an objective basis for its action--or nonaction--then nobody should object.
Keep in mind that the corrective and preventive action system is worthless if it's not used. An organization should look for every possible opportunity to put it to
use and enforce root-cause investigation into nonconformities. Clearly, the link between corrective actions and control of nonconforming products is one of the
most critical relationships within any management system. In the end, your system for controlling nonconforming products will be fatally flawed if it doesn't include a
clear and direct connection to your corrective action system.
About the author
Craig Cochran is an RAB-certified lead auditor and a project manager with the Center for International Standards & Quality, which is part of
Georgia Tech's Economic Development Institute. CISQ can be reached at (800) 859-0968 or on the Web at www.cisq.gatech.edu . E-mail Cochran at
email@example.com. Letters to the editor regarding this article should be e-mailed to firstname.lastname@example.org .