Enterprise Deviation System: From Registration to Improvement
Mistakes happen in all businesses. The difference lies in what happens afterwards. A deviation system ensures that incidents are not just recorded, but analysed, followed up with actions, and lead to real improvement. Here's what ISO requires, how the process works in practice, and what you should look for when choosing a system.
What is a deviation system?
In short, a deviation is something that has happened that shouldn't have happened. Manufacturing errors, breaches of procedure, an HSE incident, a delivery that doesn't meet specifications.
Many businesses have some way of managing such incidents. Many have it in an Excel file, some in email, others in the head of whoever happened to be present. It works completely fine. Right up until someone asks: «Has this happened before? What did we do last time? Was the measure implemented?»
What does ISO 10.2 require?
A deviation system that meets ISO 9001 must cover all seven requirements of clause 10.2. ISO 9001, ISO 14001 and ISO 45001 all have a clause 10.2 dealing with deviations and corrective actions. Read more about which requirements Business Online covers in these ISO standards here. The requirements are more concrete than many believe:
| Requirements in ISO 10.2 | What that means in practice |
|---|---|
| Respond to the deviation | Immediate measures must be documented. Not just fix the problem, but write down what you did. |
| Determine causes | Root cause analysis. Not just "what happened", but "why did it happen". |
| Consider the need for measures | Could it happen again? Are there similar deviations occurring elsewhere in the company? |
| Implement corrective actions | Concrete measures with responsible person and deadline. |
| Review effect | Did the measure work? This step is most often skipped. |
| Update risk assessment | Has the deviation changed the risk profile? Then the risk matrix shall be updated. |
| Store documentation | Full traceability from incident to closure. |
ISO 45001 emphasises that incidents shall be investigated with worker participation, and that measures shall follow the hierarchy of controls. Eliminate the hazard first. Technical measures next. Administrative measures last.
Most businesses we speak to know they need this. The challenge is rarely the will. It's about making it happen in practice, consistently, week after week.
This is how deviation management works in Business Online
Business Online QHSE has a 5-step workflow for deviation management. It covers the entire ISO 10.2 process, but that's not why it's built this way. It's built this way because it's the shortest path from «something went wrong» to «we know why, and it's fixed».
Step 1: Registration
Any employee can report a deviation. From PC or mobile. The notification arrives directly in Teams, where people are already working. No extra login required.
The form asks for the most important information: what happened, when, immediate actions, suggestions for long-term actions, and attachments (photos straight from the camera will suffice). The QHSE manager is automatically notified via email and Teams.
There is also anonymous reporting as a separate function. Anonymous cases are only accessible to HR managers. ISO 45001 explicitly requires this (clause 5.1 k): employees shall be protected from reprisal when reporting.
Step 2: Coding and Assignment
The QHSE manager reviews the case, sets a priority, and assigns a case handler. The case is linked to the correct project, customer, or department. The case handler receives a notification.
A short, but important step, because it ensures that someone owns the case from day one. The system measures how many days it takes from registration to assignment.
Step 3: Classification and root cause analysis
This is where the weight lies. The case handler classifies the deviation with a category, sub-category, direct cause, and root cause. Severity is assessed on four dimensions: health, finance, reputation, and environment. Each with actual and potential consequences.
Measures are then created. Each measure is assigned a responsible person, a deadline, and a type: corrective (rectifies the error) or preventive (prevents recurrence). For larger cases, the case handler can create a separate workspace where several people collaborate on the investigation.
Root cause analysis is what differentiates a deviation system from a log. Without it, you'll end up treating symptoms.
Step 4: Cost and evaluation
The case handler documents hours, internal costs and external costs. These figures are gold when you are prioritising preventive work. If one type of deviation costs 50,000 kroner every time it occurs, it is easier to argue for investing in prevention.
Step 5: Approval and Closure
The QHSE manager reviews the entire case. Is the root cause analysis good enough? Have the measures been implemented? Have they had an effect? The case can be approved and closed, or sent back with a new deadline. The person who reported the deviation receives a notification when the case is closed.
The entire process has timestamps, assignees, and notifications at each step.
More than just «deviations»
Deviation systems often only handle deviations. But in reality, businesses need to capture more than that. Business Online KHMS has six registration types, all following the same workflow:
| Type | Used for | Example |
|---|---|---|
| HSE event | Accident or emergency situations that have or could have led to injury | Tools falling from scaffolding, near miss at machine |
| Quality incident | Deviations during operation or production | Error in delivery, procedure not followed |
| Supplier deviation | Problems with supplier products or services | Incorrect component supplied, delay on critical equipment |
| Observation | Circumstances to be noted without formal deviation | Wear observed at customer's location |
| Suggestions for improvement | Staff ideas | Proposal for a new assembly checklist |
| Customer feedback | Customer feedback outside of customer surveys | Complaint about response time, positive feedback after audit |
The beauty of having everything in the same system: supplier deviations provide documentation for supplier evaluation (ISO 9001 clause 8.4). Improvement suggestions cover the requirement for continual improvement (clause 10.3). And customer feedback documents customer focus (clause 9.1.2). Three ISO requirements covered without extra work.
Want to see what this looks like in practice?
Read more about how Izomax uses Business Online KHMS as its deviation system.
The real problem is not a lack of a system
Most companies we encounter already have something. An Excel spreadsheet. A form in SharePoint. A procedure that states deviations should be reported to the quality manager.
The problem is that no one uses it.
Registration is cumbersome. It takes too long. A form in SharePoint registers the incident but offers no workflow for follow-up, root cause analysis, or approval. It works perfectly fine. Until someone asks: «Has this happened before? What did we do last time? Was the measure implemented?»
The system may only be available from the office, and the deviations occur externally. Employees don't see the point because nothing visible happens with the issues they report. It's a typical growing pain that the system that worked with 15 employees no longer works with 50. Eventually, people stop reporting.
When a better system is implemented, something seemingly paradoxical happens: the number of reported deviations increases. This is a good sign. It means that the actual occurrences are finally being made visible. The more data you get in, the easier it is to see patterns and prioritise where it counts.
Dashboard: From individual cases to trends
Structured recording with standardised categories and causes allows for analysis.
Business Online integrates with Power BI, which provides real-time dashboards.
- Number of deviations per type over time.
- Whether HSE incidents are increasing or decreasing, where the problems arise, and what they actually cost.
- Average processing time: how many days on average pass from when the deviation occurs until it is closed.
- Deviations per project, department or location.
- The cost distribution across the various deviations.
- See which root causes reappear again and again.
During an ISO audit, this is the documentation the auditor is asking for. In everyday life, it's the tool that allows management to make decisions based on data, not gut feeling.
Deviation system vs. quality system
A quality system is the overarching framework: guidelines, procedures and instructions to ensure that quality requirements are met. Think of it as the company's operating system for quality.
A non-conformance system is part of this framework. In ISO terminology: the non-conformance system covers clause 10.2 (non-conformity and corrective action), while the quality system covers the entire standard.
In Business Online, the deviation system is integrated with document management, risk management, and project management. A deviation registered on a project is automatically linked to the correct context. An action that requires an update to a procedure is handled in the same system. No manual linking between separate tools.
Quality systems and internal control are closely linked. Read more about internal control here.
8 things to consider when choosing a deviation system
| Property | Why it is important | Questions to ask |
|---|---|---|
| User-Friendliness | Lower threshold = more registrations = better data | Can a field technician register a deviation in under 2 minutes? |
| Mobile access | Deviations happen where the work is done, not in front of a PC | Does the system work on a phone with photo uploads from the camera? |
| Structured workflow | ISO requires a traceable process with defined roles. | Does the system have phases for notifications, deadlines and approval? |
| Root cause analysis | Corrective actions require that the cause has been identified | Does the system support categorisation of direct and underlying causes? |
| More registration types | Businesses need more than just «deviations» | Does the system cover HSE, quality, supplier, observations and suggestions for improvement? |
| Integration with project/client | Deviations occur in context. Context provides meaning. | Can the deviation be linked directly to the project, customer, or contract? |
| Dashboard and analysis | Data without insight is just archiving | Can you visualise trends, turnaround times and costs in real-time? |
| Anonymous reporting | ISO 45001 requires protection against retaliation | Is there a separate channel for anonymous messages? |
Frequently Asked Questions about the Deviation System
What is the difference between a deviation and an observation?
A deviation is something that breaks a company standard, procedure, or requirement. An observation is a condition that should be noted, but which does not necessarily constitute a breach. In practice, observations are often used when employees are working at customer sites, or to distinguish minor findings from formal deviations.
How many deviations should we register?
There is no right number. A company that registers zero non-conformities doesn't have zero problems. It has a system that no one uses. The focus should be on the trends, not the number.
Does ISO 9001 require a digital non-conformance system?
No. The standard only requires documented management (clause 10.2) but does not specify the format. In practice, it is very difficult to meet the requirements for traceability and corrective action verification with manual systems when the company grows beyond 20 to 30 employees.
What is root cause analysis?
When conducting a root cause analysis, one attempts to find the underlying cause, not just the direct cause. A fitter used the wrong component. That is the direct cause. The root cause could be that the components were not labelled, that the procedure was outdated, or that the training was insufficient. Corrective actions should then be aimed at the root cause. Otherwise, it will happen again.
Can we use the deviation system for improvement suggestions?
Yes, both ISO 10.1 and 10.3 require the organisation to capture opportunities for improvement. A system that gathers nonconformities and suggestions for improvement within the same workflow ensures that good ideas do not get lost in an inbox.
What is the auditor looking for?
That deviations have been recorded, that root causes have been analysed, that measures have been implemented and that the effect has been verified. A dashboard showing trends, processing time and deviation distribution per category is the quickest way to show this. The auditor will also see that the system is actually used, not just that it exists.
"A deviation system is not an archive for errors. It is the tool that allows errors to lead to improvement."
See how the deviation system works in practice
We'll show you how Business Online can provide you with a deviation system that employees actually use. 30 minutes, no commitment.




