Nonconformity and PDCA: How to address failures with root cause analysis, corrective actions, and continuous improvement (ISO 9001)
- Artur Heitzmann

- Apr 29

Artur Heitzmann, Partner, DMS Partners.
In growing companies, a nonconformity is not "an error to be corrected"; it is a management signal: a requirement has not been met (standard, law, contract, or internal procedure) and, therefore, there is a real risk of recurrence, hidden costs, and loss of trust. The difference between mature and reactive organizations lies less in "having or not having NC" and more in how they handle NC: with method, evidence, and disciplined execution.
The PDCA cycle (Plan, Do, Check, Act) is a practical way to transform nonconformity into continuous improvement because it imposes a logical sequence: understand the problem, act on the cause, measure effectiveness, and institutionalize learning. In practice, PDCA functions as an "operating system" for corrective actions: it reduces improvisation, increases traceability, and creates a replicable problem-solving standard.
1) What is a nonconformity (and why does it matter)?
A nonconformity is the failure to meet an established requirement, whether it be a standard like ISO, a legal requirement, an internal procedure, a customer criterion, or a technical standard. The risk of treating this superficially is high: when the company focuses only on immediate correction, it may even "close the incident," but it leaves the root cause intact, which increases the likelihood of recurrence and escalation of the problem.
A useful (and very common) approach in audits is to distinguish between "correcting" and "eliminating the cause": correcting can resolve the effect; corrective action exists to prevent recurrence. Requirement 10.2 of ISO 9001:2015 reinforces this logic by indicating that the organization must react to nonconformity, control/correct it, deal with consequences, determine causes, implement necessary actions, and review effectiveness.
2) PDCA applied to NC: the step-by-step process that closes the cycle
PDCA addresses nonconformity in a systematic and iterative way (not as a checklist "for the auditor to see"). Below is the most effective roadmap for using PDCA in handling nonconformities with the right tools at each stage.
P (Plan): Diagnose and get to the root cause. Here, the goal is not to "explain well," but to prove why it occurred: use 5 Whys or an Ishikawa Diagram to get to the root cause and, from there, build an action plan (for example, with 5W2H) to eliminate the cause and reduce the chance of recurrence.
D (Do | Execute): Implement corrective actions (and containment, if necessary). This is the execution of the plan, with an owner, deadline, and evidence; and, if the failure is critical, containment actions must occur before the complete plan to mitigate damage (e.g., block batch, suspend step, adjust provisional parameterization).
C (Check): Measure effectiveness with data and indicators. Checking is not about "thinking it improved": it's about collecting data and observing indicators that demonstrate that the nonconformity was resolved and that no side effects arose in the process.
A (Act): Standardize what worked (or restart the cycle). If it worked, standardize it: update the procedure, provide training, include it in onboarding, review the checklist/internal audit; if it didn't work, restart the PDCA cycle with a new hypothesis of the cause and a new round of tests/actions.
3) Best practices at the "consulting level" to increase success rate
Companies that make the most progress in audits and operational performance tend to have three standards of excellence in handling nonconformities.
Distinguish between correction, containment, and corrective action: containment and correction control the impact; corrective action eliminates the cause and prevents recurrence.
Evidence before opinion: root cause analysis requires facts (data, records, traceability), not narratives; without evidence, the plan becomes "activity" and not improvement.
Standardization as the final deliverable: NC only "generates value" when the learning becomes a new standard (procedure, work instruction, control, training, and indicators).
In the language of requirement 10.2, this translates to closing the entire loop: react, assess the need for action to eliminate causes, implement, review effectiveness, and update necessary changes to the management system. In other words, the goal is not just to "resolve the nonconformity," but to improve the system that allowed it to exist.
4) Application example (quick template)
Imagine a recurring nonconformity (NC) of "outdated document being used in the operation". A well-executed PDCA cycle would typically find a root cause (e.g., failure in version control and single point of access), implement actions (e.g., official repository + print blocking + training review), verify indicators (e.g., number of occurrences, monthly sample audit), and standardize the new workflow.
This model works because it creates a prevention mechanism, not just a correction one, aligned with the concept of corrective action as eliminating the root cause to prevent recurrence. The benefit is twofold: it reduces rework costs and increases process predictability.