ISO 9001 Corrective Action: Using Root Cause Analysis for Nonconformities
ISO 9001 certification audits routinely surface a consistent pattern: organizations log nonconformities, assign corrective actions, and close the record, but find the same issue in the next audit cycle. The paperwork is complete. The problem is not.
Clause 10.2 of ISO 9001:2015 does not ask organizations to document that something went wrong. It requires them to determine why it went wrong and demonstrate that their corrective actions actually worked. This guide covers what that requires in practice, how to structure a root cause analysis process that satisfies audit scrutiny, and the specific gaps that generate findings.
What ISO 9001 Clause 10.2 Actually Requires
Clause 10.2 establishes the requirements for nonconformity and corrective action. The obligations are more specific than a surface reading suggests.
When a nonconformity occurs, the standard requires that the organization:
- React and contain — take action to control and correct the nonconformity, and deal with its consequences
- Evaluate the need for corrective action — determine whether action to eliminate the root cause is warranted, to prevent recurrence or occurrence elsewhere
- Determine root causes — investigate until the underlying cause is identified, not just the immediate trigger
- Check for similar nonconformities — assess whether the same failure mode exists or could exist in other products, services, or processes
- Implement corrective action — address the identified root cause with actions proportionate to the finding
- Review effectiveness — after implementation, verify that the corrective action actually worked
- Update risks and opportunities — if the nonconformity reveals a gap in the organization's risk planning, update accordingly
- Retain documented information — maintain records of the nonconformity's nature, the actions taken, and the results of any corrective action
The distinction between correction and corrective action matters here. Correction means fixing the immediate problem — reworking a nonconforming product, re-issuing a document. Corrective action means eliminating the cause so the problem does not happen again. ISO 9001:2015 requires both, and auditors are trained to distinguish between organizations that genuinely do both and those that relabel corrections as corrective actions.
One point that often generates findings: the requirement to assess whether similar nonconformities "exist or could potentially exist" elsewhere. An organization that investigates a single instance without checking for systemic exposure is not meeting the full scope of Clause 10.2.
Root Cause Analysis: What the Standard Expects
ISO 9001:2015 does not mandate a specific root cause analysis method. It requires organizations to "determine the causes of the nonconformity" — which means the method used must be sufficient to actually identify causes, not merely document that the activity occurred.
Three methods are commonly used in quality management contexts:
5 Whys asks "why" sequentially until reaching the systemic failure that allowed the problem to occur. It requires minimal preparation and produces a documented cause chain auditors can follow. The method fails when organizations stop at a convenient answer. "Operator did not inspect the component" is an observation. Asking why the operator skipped inspection may reveal an absent process step, inadequate training, or production pressure that made compliance impractical. Those answers produce corrective actions that can actually hold.
Fishbone (Ishikawa) Diagram maps potential causes across categories — Equipment, Method, Material, Measurement, Environment, People. It is well-suited to complex or ambiguous nonconformities where multiple contributing factors may be in play, and produces documentation that demonstrates systematic thinking under audit review.
Fault Tree Analysis works backward from the failure event using logic structures to identify all contributing pathways. It is more resource-intensive but appropriate for high-consequence nonconformities where a more defensible analysis is warranted.
The method should fit the problem. A documentation gap in a single process does not require fault tree analysis. A recurring customer complaint about product dimensions warrants more than a 15-minute 5 Whys session. Quality managers who match method to problem complexity produce better analyses and more sustainable corrective actions.
The Corrective Action Process: A Clause 10.2-Compliant Sequence
The following sequence reflects what a compliant corrective action process looks like in practice for quality management nonconformities.
Step 1: Contain, Correct, and Define
Before root cause analysis begins, address the immediate situation: quarantine nonconforming product, pause the affected process if necessary, and notify downstream stakeholders. Then define the nonconformity precisely. Record the specific requirement not met, when and where the failure occurred, and the extent of the deviation. Vague descriptions produce vague analysis. "Product did not meet specification" is a starting point; the specific dimension, the production run, the detection point, and the magnitude of the deviation are what an investigation actually needs.
Step 2: Conduct Root Cause Analysis
Apply a structured method appropriate to the nonconformity's complexity. Document the method used, the analysis process, and the cause chain. The documentation matters as much as the analysis — an auditor who cannot follow the investigative logic will treat the analysis as incomplete regardless of the quality of the actual thinking.
The analysis should reach beyond individual behavior. If the finding is that a person made an error, the root cause investigation should examine the conditions that made the error possible: process design, training adequacy, measurement systems, supervision, or workload. When corrective actions target only individual behavior, the nonconformity predictably recurs.
Step 3: Assess for Similar Nonconformities
Before finalizing the root cause and developing corrective action, check whether the same failure mode exists or could exist in other processes, product lines, or locations. This is an explicit Clause 10.2 requirement that is frequently skipped. Organizations that miss it create audit exposure and, more practically, allow the same problem to surface elsewhere.
Step 4: Develop and Assign Corrective Action
Corrective actions should address the identified root cause, not just the immediate symptom. Each action should have a named owner — a specific individual, not a team or department — and a documented due date. The action should be defined specifically enough that completion can be verified: a procedure updated and acknowledged, a process parameter changed and validated, a supplier qualification requirement added.
Vague actions — "improve quality awareness," "reinforce the procedure" — cannot be verified and will generate audit findings. They also do not work.
Step 5: Implement, Verify Effectiveness, and Retain Records
After implementation, verify that the action actually eliminated the root cause. Effectiveness verification is a distinct step — it happens at a defined interval after implementation, not on the day the action is assigned. For a process change, verification might mean monitoring output over a defined production run. For a documentation gap, it might mean an internal audit check at the next scheduled review. The standard requires evidence of verification, not just a checkbox.
Clause 10.2 requires documented information on the nature of the nonconformity, actions taken, and results. A complete record should contain the nonconformity description, immediate correction, root cause analysis, corrective actions with named owners and due dates, implementation evidence, effectiveness verification, and closure date. These records are the primary evidence auditors review — incomplete or inaccessible records create problems that are entirely avoidable.
Common Gaps That Generate Audit Findings
Auditors reviewing Clause 10.2 compliance look for predictable failure patterns. Understanding them allows quality managers to address them proactively.
Root cause analysis that terminates at individual behavior. Finding that an operator did not follow a procedure and stopping there is a description of the symptom, not a root cause. Auditors will probe whether the investigation examined why the procedure was not followed: whether training was adequate, whether the procedure was accessible, whether production pressure made compliance impractical. When corrective actions address only the individual, the finding recurs at the next audit cycle.
Corrective actions closed on assignment, not on verification. Auditors distinguish between "planned," "implemented," and "verified effective." A record that shows a closed status with no verification evidence will produce a finding. The closure date must reflect when the action was confirmed effective, not when it was assigned.
No check for similar nonconformities. Auditors will ask what the investigation found when it looked at related processes or products. "We did not check" is a gap in both the record and the process.
Corrective actions too vague to verify. "Retrain the team" and "review the procedure" cannot be confirmed complete or effective. Specific, verifiable actions — a named training with attendance records, a procedure revision with a documented change, a process parameter adjusted to a defined value — are both better corrective actions and more defensible records.
Recurring findings across audit cycles. A nonconformity that appears in the same area across two surveillance cycles indicates a previous corrective action was closed without resolving the root cause. Auditors treat recurrence as a systemic failure.
ISO 9001 Corrective Action in WhyTrace Plus
WhyTrace Plus provides structured workflows for ISO 9001 nonconformity management — from initial capture through root cause analysis, corrective action assignment, and effectiveness verification — in a single system with full traceability.
Connecting Clause 10.2 to the Broader QMS
Corrective action is not a standalone administrative process. It is a primary feedback mechanism in a QMS built on Plan-Do-Check-Act. Nonconformities that reveal unidentified risks should update the risk assessment (Clause 6.1). Root causes involving training gaps feed into competence planning (Clause 7.2). Corrective actions that change process parameters update operational controls (Clause 8.1). Corrective action status and trends are required management review inputs under Clause 9.3.2. Patterns across multiple findings drive the systemic improvement Clause 10.3 is designed to produce.
Organizations that treat each nonconformity as an isolated administrative event capture the finding without using it. Those that connect findings back through the QMS demonstrate a functioning system — not just documented compliance.
Audit Preparation: What to Have Ready
A quality manager preparing for a Clause 10.2 audit review should be able to demonstrate the following:
- A documented procedure defining how nonconformities are captured, classified, and escalated
- A complete record for each nonconformity in the audit period, including the nature of the finding
- Root cause analysis documentation showing the method used and the cause chain — not just a conclusion
- Evidence that the check for similar nonconformities was conducted
- Corrective actions with named owners, due dates, and implementation status
- Effectiveness verification records for closed corrective actions — with dates and evidence, not just a status field
- Evidence that findings with systemic implications triggered risk assessment or QMS updates
- Corrective action data referenced in the most recent management review inputs
The test is not whether records exist — it is whether they tell a coherent story from finding to root cause to action to verified outcome.
Audit-Ready Corrective Action Records
WhyTrace Plus maintains the complete corrective action record — from nonconformity capture through root cause analysis, implementation, and effectiveness verification — in a single system with full audit trail. When an auditor asks for the record, it is already complete.
Key Takeaways
- ISO 9001 Clause 10.2 requires root cause analysis, a check for similar nonconformities, corrective action addressing the identified root cause, and documented verification that actions were effective — not just logged.
- The standard does not specify a method, but the method used must be sufficient to identify actual causes. 5 Whys, fishbone diagrams, and fault tree analysis each suit different problem types and severities.
- The most common audit findings are root cause analysis that stops at individual behavior, corrective actions closed on assignment rather than verified effectiveness, and recurring findings showing previous actions did not resolve the underlying cause.
- Corrective action findings should connect back to risk assessments, competence records, and management review inputs. The standard is built as a feedback system, not a record-keeping exercise.
Related Resources
| Resource | Description | Best For |
|---|---|---|
| 5 Whys Analysis: Complete Guide | Full walkthrough of the 5 Whys method with manufacturing and quality examples | Applying structured RCA to ISO 9001 nonconformity investigations |
| Corrective Action Management: Stop Losing Track of Your CAPA Items | Why CAPA items fall through the cracks and how to build a system that closes actions on time | Quality managers with high volumes of open corrective actions |
| RCA Method Comparison | Side-by-side comparison of 5 Whys, fishbone, fault tree, and other methods | Choosing the right root cause method for different nonconformity types |
| AI-Assisted Root Cause Analysis | How AI tools support investigation accuracy and documentation speed | Organizations scaling corrective action quality across multiple sites |
| ISO 45001 Incident Investigation: Requirements and Best Practices | Clause 10.2 compliance guide for OHS management systems | Quality managers with dual ISO 9001 and ISO 45001 responsibilities |