In this article, I’m going to cover clause 10.2 Incident, nonconformity and corrective action. I’m going to break this clause down and turn it into something you can all understand. You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you.
Before I get started on the clause, I think it’s important to understand the definition of nonconformity and an incident. After all, if we don’t know how to recognize one then we won’t know when to take action, will we? Referring to clause 3 of ISO 45001 states that an incident is an occurrence arising out of, or in the course of, work that could or does result in injury and ill health.
Therefore, if an event occurs while we are at work and we are injured or become sick this is considered an incident.
Then the definition of a nonconformity states that it is a non-fulfilment of a requirement and the definition of a requirement is a need or expectation that is stated, generally implied or obligatory. These requirements that we are bound to conform with may come from our customers, product or legal requirements, ISO Standard requirements, or even our own OH&S management system requirements. Put simply, we need to identify and understand what our requirements are and then follow them. When we don’t that is a nonconformance.
This will now help us as we move through the clause requirements so let’s get started. Let’s take a look at what Clause 10.2 wants us to do. The clause starts off by stating that ...
The organization shall establish, implement and maintain a process(es), including reporting, investigating and taking action, to determine and manage incidents and nonconformities.
When an incident or nonconformity occurs, the organization shall:
a) react in a timely manner to the incident or nonconformity and, as applicable
1) take action to control and correct it:
2) deal with the consequences
Points 1) and 2) of taking action and dealing with the consequences can be referred to as the action. This is the first step we take to deal with the consequences of an incident or nonconformance. If it is an incident, it would be managing an injury, isolating the area or machine that may have caused it, and so on. Basically, mop up what’s happened and put some actions in place immediately to ensure nobody else is injured.
This is not a long-term fix or corrective action. It is just getting it under control initially.
The next part of the clause is where we look at the long-term fix or corrective action. Therefore, this clause states that the organization shall:
b) evaluate, with the participation of workers (see 5.4) and the involvement of other relevant interested parties, the need for corrective action to eliminate the cause(s) of the incident or nonconformity, in order that it does not recur or occur elsewhere, by:
1) investigating the incident or reviewing the nonconformity;
2) determining the cause(s) of the incident or nonconformity;
3) determining if similar incidents have occurred, if nonconformities exist, or if they could potentially occur.
You will have noticed that the overarching goal is to prevent the incident or nonconformity from recurring or occurring elsewhere. And this is done by reviewing and analyzing the incident or nonconformity to determine the cause or causes. By doing this we also have the opportunity to find out whether there have been similar nonconformities that have already occurred or have the potential to occur.
For example, if a nonconformance has been raised several times at different locations for workers not wearing the required PPE, this may indicate that the root cause has not been identified and appropriate corrective action implemented as the issue continues to reoccur. This could be further exacerbated if an incident occurs and the investigation identifies that the correct PPE was not being worn. The intent is to investigate, determine the cause and then implement corrective action to prevent the nonconformance or incident from happening again, not only where they were identified in the first place, but in any other location or situation as well. This all feeds nicely into the next set of clause requirements which are:
c) review existing assessments of OH&S risks and other risks, as appropriate (see 6.1)
d) determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls (see 8.1.2) and the management of change (see 8.1.3).
e) assess OH&S risks that relate to new or changed hazards, prior to taking action
This is building on the steps I talked about earlier of identifying the cause and implementing corrective action. It would be beneficial as part of the investigation to determine whether the potential OH&S risk had been identified as part of the proactive process of hazard identification.
Meaning, did the business identify that there was a risk that workers would not follow the requirements for wearing PPE? If it wasn’t identified, part of the corrective action should loop it back to be included and if it WAS identified, what controls were to be put in place? These controls should follow the hierarchy of controls.
Then finally when new or changed hazards are identified, be sure to assess these so you understand the level of risk and impact if they do occur. To understand this more be sure to read the article for clause 6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system.
This leads us to the next part of this clause which states ...
f) review the effectiveness of any action taken, including corrective action and
Not only do we implement the corrective action, but we should also be giving it sufficient time to be followed and used so that we can review whether it has effectively prevented the issue from recurring. Therefore, in this example, you would continue to monitor the use of PPE across all locations, and determine if the corrective action you put in place is actually working.
If it isn’t completely working, you might tweak the corrective action or ask for feedback from workers as to what is working and what is not working. You will continue to monitor until you are getting feedback and evidence that PPE is being worn to requirements and there haven’t been any follow-up nonconformances raised.
Then the final point ...
g) make changes to the OH&S management system, if necessary and Corrective actions shall be appropriate to the effects or the potential effects of the incidents or nonconformities encountered.
These couple of points are saying that when there has been a nonconformity does this mean that there are additional risks or opportunities that may have been missed in your initial assessment of the process or operations? And if so, does this change your OH&S management system and associated procedures? This provides that final loop back from an Operations level up to a Systems level.
And of course, the corrective action taken should be at a level that is suitable for what actually occurred. For example, corrective action of firing all of the workers for not wearing PPE the first time it has occurred may be a little over the top and not proportionate to the actual issue and in particular even the root cause.
The final section of this clause states …
The organization shall retain documented information as evidence of:
- the nature of the incidents or nonconformities and any subsequent actions taken;
- the results of any action and corrective action, including their effectiveness.
The organization shall communicate this documented information to relevant workers, and, where they exist, workers’ representatives, and other relevant interested parties.
Any incidents and nonconformities identified need to be recorded as to what they were and what actions were taken, including the results (successful or otherwise) of the corrective action taken. This is normally in the form of an Incident Report, Incident Register, Nonconformance Report, and Nonconformance Register.
You can call it whatever you want and you could combine the reporting and registers for nonconformances and incidents, as long as it does record this information at a minimum.
Other information that this register might also include that is helpful is:
- who is responsible
- created or occurrence date
- the due date for corrective action
- the due date for review of implemented corrective action
- any links to photos or investigations
- identified by category (which might be an internal audit, external audit, daily operation, customer complaint, and so on)
These are just a few additional fields that I have come across that help with analyzing ongoing improvements.
This then makes it easy to communicate to workers and any other parties that may have been impacted by the incident or nonconformance or will be impacted by the corrective actions.
Now that you have a better understanding of these requirements, it's time to take action and implement them in your own organization and ISO 45001 OH&S management systems.
If you'd like to learn more about ISO 45001, why not take a look at our other articles on the topic, starting with What is ISO 45001 and OHS Management Systems?
If you prefer watching over reading, head to our ATOLTV ISO 45001 playlist on YouTube, either way, be sure to check out our range of ISO 45001 OH&S management systems courses and qualifications today.