Nonconformance and Compliance Management
Nonconformance and compliance management encompasses the structured processes organizations use to identify, document, evaluate, and resolve instances where products, services, processes, or systems fail to meet specified requirements. Applicable across manufacturing, healthcare, aerospace, food production, and regulated services, these processes operate under frameworks established by bodies including ISO, the U.S. Food and Drug Administration (FDA), and the Department of Defense (DoD). Failure to manage nonconformances systematically exposes organizations to regulatory penalties, product liability, and audit findings that can affect certification status.
Definition and scope
A nonconformance — sometimes written as nonconformity — is the failure to fulfill a requirement, as defined in ISO 9000:2015, the foundational vocabulary standard for quality management systems. Requirements may originate from customer specifications, regulatory mandates, internal procedures, or industry standards such as ISO 9001 and AS9100.
The scope of nonconformance management extends across two primary classification levels:
- Minor nonconformance — a single isolated lapse that does not affect the integrity of the quality management system or the safety of the product. An example is a single mislabeled document that does not propagate through the system.
- Major nonconformance — a systematic failure, absence of a required element, or a pattern of minor lapses that collectively undermine the quality management system. Under ISO 19011:2018 audit guidelines, a major nonconformance will typically prevent certification or trigger mandatory corrective action before a certificate is issued or renewed.
A third classification — observation or opportunity for improvement — exists in many audit frameworks but does not carry a formal corrective action obligation. The distinction between minor and major is consequential: major findings under FDA's Quality System Regulation (21 CFR Part 820) can trigger Warning Letters, consent decrees, or product seizure actions administered by the FDA's Office of Regulatory Affairs.
Understanding the full compliance landscape begins with the compliance standards overview, which maps the interrelationships between sector-specific requirements.
How it works
The nonconformance management process follows a defined sequence that most regulated quality management systems share, regardless of the governing standard:
- Detection and identification — A nonconformance is discovered through inspection, testing, customer complaint, internal audit, or process monitoring. The triggering event is documented in a Nonconformance Report (NCR) or equivalent record.
- Containment — Affected product, materials, or outputs are segregated, quarantined, or placed on hold to prevent further distribution or use. Under 21 CFR Part 820.90, medical device manufacturers must establish and maintain procedures for the control of nonconforming product.
- Disposition decision — The nonconforming item is evaluated and assigned one of four standard dispositions: rework, repair, use-as-is (with authorized concession), or scrap/reject. Use-as-is dispositions typically require documented justification and customer or regulatory concurrence.
- Root cause analysis — For major nonconformances or patterns of recurrence, root cause analysis is mandatory. Methods include the 5-Why technique, fishbone (Ishikawa) diagrams, and failure mode and effects analysis (FMEA).
- Corrective and preventive action (CAPA) — Findings from root cause analysis feed directly into the CAPA compliance process, which is a separately documented and trackable workflow under both ISO 9001 and FDA regulations.
- Verification of effectiveness — The corrective action is verified as effective before the NCR is formally closed. This step is specifically required under ISO 9001:2015 clause 10.2 and under FDA 21 CFR Part 820.100.
The entire process must be supported by document control compliance practices, which ensure NCR records are version-controlled, retrievable, and protected from unauthorized alteration.
Common scenarios
Nonconformances occur across a predictable set of operational contexts in regulated industries:
- Incoming material rejection — A supplier delivers raw materials or components that fail dimensional, chemical, or functional acceptance criteria. The receiving NCR triggers supplier corrective action requests (SCARs) and may affect supplier qualification status.
- In-process deviation — A manufacturing step produces output outside control limits identified through statistical process control. In pharmaceutical GMP environments governed by 21 CFR Part 211, in-process deviations must be investigated and documented in batch records.
- Finished product nonconformance — Final inspection reveals a product that does not meet release specifications. Disposition decisions at this stage carry the highest risk profile, particularly in medical device and aerospace contexts.
- Process or documentation nonconformance — A required procedure was not followed, a calibration record was not completed, or a training record is missing. These are systemic findings that typically elevate to major status under ISO 19011 audit criteria.
- Post-market or post-delivery nonconformance — Customer complaints or field failures trigger reactive nonconformance investigations. In the medical device sector, these may activate Medical Device Reporting (MDR) obligations under 21 CFR Part 803.
Decision boundaries
The critical decision points in nonconformance management determine both the regulatory exposure and the resource commitment required:
Minor vs. major classification drives the corrective action obligation. A single clerical error in a low-risk document is categorically different from a repeated failure to perform required incoming inspections across 12 consecutive receiving lots.
Use-as-is vs. rework/scrap decisions carry different documentation burdens. Use-as-is dispositions in aerospace supply chains governed by AS9100 Rev D require engineering authority approval and are subject to customer flow-down requirements. Unauthorized use-as-is dispositions in safety-critical applications constitute a separate and more serious nonconformance.
Isolated vs. systemic determination governs whether a CAPA is required or whether the NCR can be closed with a simple correction. Systemic determination depends on trend data — if the same defect code appears across 3 or more NCRs within a defined review period, most quality management systems treat the pattern as systemic by default.
Regulatory reportability is a binary decision boundary with significant consequences. Not all nonconformances require external reporting, but those involving safety, significant product failures, or deviations from approved processes in FDA-regulated industries may trigger mandatory reporting obligations independent of the internal disposition.
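The process sequence in "How it works" and the decision boundaries above can be expressed as a small record-lifecycle model. The following is an added example, not code from the page or from any quality-management product: it enforces that containment precedes disposition, that a use-as-is disposition carries an authorized concession, that a CAPA is required when a finding is major or when the same defect code recurs in three or more NCRs within a review window, and that an NCR under CAPA cannot be closed before effectiveness is verified. All class, function and field names, the 90-day review window, and the sample NCR records are assumptions constructed for the example.

```python
"""Constructed NCR lifecycle model (example only; all names are assumed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Severity(Enum):
    MINOR = "minor"
    MAJOR = "major"


class Disposition(Enum):
    REWORK = "rework"
    REPAIR = "repair"
    USE_AS_IS = "use-as-is"
    SCRAP = "scrap"


class Status(Enum):
    OPEN = "open"                   # detected and recorded, not yet contained
    CONTAINED = "contained"         # affected output segregated / on hold
    DISPOSITIONED = "dispositioned" # one of the four dispositions assigned
    CLOSED = "closed"               # closed after any required CAPA verification


@dataclass
class NCR:
    ncr_id: str
    defect_code: str
    opened: date
    severity: Severity
    status: Status = Status.OPEN
    disposition: Optional[Disposition] = None
    concession_ref: Optional[str] = None   # authorization backing a use-as-is
    capa_id: Optional[str] = None          # linked CAPA record, if one exists
    effectiveness_verified: bool = False   # verification step completed


def contain(ncr: NCR) -> NCR:
    """Containment is the first action after detection; nothing else may precede it."""
    if ncr.status is not Status.OPEN:
        raise ValueError(f"{ncr.ncr_id}: containment must be the first step")
    ncr.status = Status.CONTAINED
    return ncr


def disposition(ncr: NCR, d: Disposition, concession_ref: Optional[str] = None) -> NCR:
    """Assign a disposition; use-as-is is only valid with a documented concession."""
    if ncr.status is not Status.CONTAINED:
        raise ValueError(f"{ncr.ncr_id}: contain the item before dispositioning it")
    if d is Disposition.USE_AS_IS and not concession_ref:
        raise ValueError(f"{ncr.ncr_id}: use-as-is requires an authorized concession")
    ncr.disposition = d
    ncr.concession_ref = concession_ref
    ncr.status = Status.DISPOSITIONED
    return ncr


def is_systemic(ncrs: List[NCR], defect_code: str, as_of: date,
                window_days: int = 90, threshold: int = 3) -> bool:
    """Trend rule: same defect code on >= threshold NCRs inside the review window."""
    start = as_of - timedelta(days=window_days)
    hits = [n for n in ncrs if n.defect_code == defect_code and start <= n.opened <= as_of]
    return len(hits) >= threshold


def requires_capa(ncr: NCR, ncrs: List[NCR], as_of: date) -> bool:
    """Major findings and systemic patterns both feed the CAPA workflow."""
    return ncr.severity is Severity.MAJOR or is_systemic(ncrs, ncr.defect_code, as_of)


def close(ncr: NCR, ncrs: List[NCR], as_of: date) -> NCR:
    """Close only after disposition, and after verified CAPA where one is required."""
    if ncr.status is not Status.DISPOSITIONED:
        raise ValueError(f"{ncr.ncr_id}: no disposition recorded")
    if requires_capa(ncr, ncrs, as_of):
        if ncr.capa_id is None:
            raise ValueError(f"{ncr.ncr_id}: CAPA required but not opened")
        if not ncr.effectiveness_verified:
            raise ValueError(f"{ncr.ncr_id}: verify effectiveness before closing")
    ncr.status = Status.CLOSED
    return ncr


# Constructed sample records: three minor NCRs share defect code DIM-01 within 90 days.
SAMPLE = [
    NCR("NCR-001", "DIM-01", date(2024, 1, 10), Severity.MINOR),
    NCR("NCR-002", "DIM-01", date(2024, 2, 3), Severity.MINOR),
    NCR("NCR-003", "DIM-01", date(2024, 3, 1), Severity.MINOR),
    NCR("NCR-004", "LBL-07", date(2024, 3, 5), Severity.MINOR),
]


def demo():
    """Walk NCR-003 through the lifecycle; returns (systemic?, closed w/o CAPA?, final status)."""
    as_of = date(2024, 3, 15)
    n3 = SAMPLE[2]
    contain(n3)
    disposition(n3, Disposition.REWORK)
    systemic = is_systemic(SAMPLE, "DIM-01", as_of)   # third recurrence -> True
    try:
        close(n3, SAMPLE, as_of)                      # rejected: CAPA not yet opened
        closed_without_capa = True
    except ValueError:
        closed_without_capa = False
    n3.capa_id = "CAPA-0042"                          # constructed identifier
    n3.effectiveness_verified = True
    close(n3, SAMPLE, as_of)
    return systemic, closed_without_capa, n3.status
```

The point of the model is that the minor/major label alone does not decide the CAPA obligation: NCR-003 is minor in isolation, but the trend check over the other records makes it systemic, so the closing step refuses until a CAPA exists and its effectiveness is verified. In a real system the window length and threshold would come from the organization's documented review procedure.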
The risk-based compliance approach provides the analytical framework for calibrating response severity to the actual risk profile of a given nonconformance, rather than applying uniform corrective action to every finding regardless of consequence.
References
- ISO 9000:2015 — Quality management systems: Fundamentals and vocabulary
- ISO 9001:2015 — Quality management systems: Requirements
- ISO 19011:2018 — Guidelines for auditing management systems
- FDA 21 CFR Part 820 — Quality System Regulation (Medical Devices)
- FDA 21 CFR Part 211 — Current Good Manufacturing Practice for Finished Pharmaceuticals
- FDA 21 CFR Part 803 — Medical Device Reporting
- SAE AS9100 Rev D — Quality Management Systems: Requirements for Aviation, Space, and Defense Organizations
- FDA Office of Regulatory Affairs