Handling Nonconforming Products and Services Under ISO 9001
ISO 9001 Clause 8.7
This clause requires the organisation to ensure that any outputs which do not conform to its requirements are identified and controlled.
What Does ISO 9001 Clause 8.7 Require?
Clause 8.7 of ISO 9001:2015 requires the organisation to identify and control outputs that do not conform to requirements - to prevent them from being unintentionally used or delivered. The clause applies both during the delivery process and after delivery, where a nonconformity is discovered post-release.
How Must Nonconforming Outputs Be Dealt With?
The organisation must deal with nonconforming outputs using one or more of the following approaches: correction (fixing the nonconformity); segregation, containment, return or suspension of provision of products and services; informing the customer; or obtaining authorisation for acceptance under concession. Where a nonconforming output has been corrected, it must be re-verified against requirements before release.
The clause also requires the organisation to determine whether similar nonconformities exist or could occur elsewhere - preventing the same problem from arising in other products, services or processes.
Documented Information Required
The organisation must retain documented information describing the nonconformity, the actions taken, any concessions obtained, and identifying the authority who decided what action to take. This provides an auditable trail of how nonconformities are managed and evidence that appropriate action has been taken.
When I'm auditing against Clause 8.7, I'll look for evidence that nonconforming outputs are being identified, controlled and dealt with - not just in theory but in practice. I'll ask to see the nonconformance register or equivalent, check that recent nonconformities have been documented with actions taken, and look for evidence that corrected outputs were re-verified before release. I'm also interested in whether the organisation is learning from nonconformities - whether patterns are being identified and addressed rather than just individual instances being closed out. Where I find nonconformities that have been resolved without documentation, or where the same issue keeps appearing without root cause action, those are findings I'll raise.
The nonconformance register - whether it is the ER1 Issues and Actions Register or a separate nonconformance log - is the central tool for Clause 8.7. Every nonconformity should be recorded with a description, the action taken, who authorised the action, and confirmation of re-verification where applicable. Keeping this register current and reviewing it as part of the management review process ensures that nonconformity data feeds into the improvement cycle rather than sitting as a standalone record.
If something doesn't meet requirements, don't let it go to the customer and record what you did about it. That is the core of Clause 8.7. A nonconformance register on a spreadsheet, or the ER1 Issues and Actions Register, gives you the record you need. Log the problem, log the action, log who approved it, and if you fixed it, confirm it passed re-check before release. Review the register periodically to spot patterns - the same type of nonconformity appearing repeatedly is a sign something needs addressing at source.
Practical Compliance Guidance
To comply with Clause 8.7, the organisation needs a defined process for identifying and controlling nonconforming outputs, so that they can be dealt with and then verified as closed out.
To do this, a company can set up a non-conformance register, which details any non-conformances that occur, including a description, a category, a due date for closure, the action taken, verification that the action taken was effective, a due date for verification, responsibility and open/closed status. This will allow the company to track all non-conformances, problems and other relevant actions taken as required. The company can extend this register to include customer complaints, or keep complaints separate.
Individual non-conformance forms can also be used, either combined with the register or kept separate; however, they should capture the same information.
| alphaZ document | How it supports Clause 8.7 |
|---|---|
| ISO 9001 Management System Toolkit | The complete toolkit including the issues and actions register and all supporting documents for nonconformance management. |
| ER1 Issues and Actions Register | Provides the central record for logging nonconforming outputs, actions taken, authorisation and re-verification - directly meeting the documented information requirements of Clause 8.7.2. |
| F-Q10 Significant Problem Incident Complaint Form | Individual form for logging and investigating problems, incidents and complaints. |
Note - all the above files can be downloaded with an alphaZ subscription
