Nonconformance and Compliance Management

Nonconformance and compliance management constitutes the structured set of processes by which organizations identify, document, evaluate, and resolve deviations from specified requirements — whether those requirements originate in contractual terms, regulatory mandates, or internal quality standards. The discipline spans detection through disposition, linking individual failure events to systemic corrective and preventive action cycles. It functions as a core pillar within quality management systems (QMS) governed by frameworks including ISO 9001, AS9100, and 21 CFR Part 820, among others.


Definition and scope

A nonconformance (NC) is any condition in which a product, process, service, or system fails to meet a defined requirement. The requirement source determines the classification and severity of the nonconformance — a deviation from an internal work instruction carries different disposition authority than a violation of a Federal Aviation Administration (FAA) airworthiness directive or a Food and Drug Administration (FDA) design control requirement under 21 CFR Part 820.

Scope boundaries in nonconformance management are defined across three primary dimensions:

  1. Product nonconformance — a physical unit, batch, or deliverable fails dimensional, chemical, functional, or labeling requirements.
  2. Process nonconformance — a manufacturing, service delivery, or administrative process deviates from a validated or documented procedure.
  3. System nonconformance — the QMS itself fails to satisfy audit criteria, regulatory expectations, or the requirements that accredited certification bodies apply when auditing against a standard such as ISO 9001. Note that neither the International Organization for Standardization (ISO), which publishes the standards, nor the American Society for Quality (ASQ), a professional society, acts as a certification body; certification is performed by accredited registrars.

Compliance management intersects nonconformance management at the point where an identified deviation has regulatory consequence. Under ISO 9001:2015 clause 8.7, organizations must control nonconforming outputs to prevent unintended use or delivery — a requirement that obligates documented disposition records regardless of whether the NC originates internally or through supplier channels. The quality-assurance-regulatory-framework page addresses the broader structure of regulatory obligations that frame these requirements.


How it works

Nonconformance management follows a discrete sequence that transforms an observed deviation into a closed, documented record with verified effectiveness.

  1. Detection — An NC event is identified through incoming inspection, in-process monitoring, final inspection, customer complaint, or audit finding. Statistical process control charts, as described in quality-assurance-statistical-process-control, are a primary detection mechanism in manufacturing environments.
  2. Segregation and containment — Nonconforming material or output is physically or digitally quarantined to prevent use, shipment, or further processing pending disposition.
  3. Documentation — A nonconformance report (NCR) is opened, capturing the requirement violated, the observed condition, the detection point, and responsible parties. Documentation standards vary by sector; aerospace organizations operating under AS9100 Rev D are required to retain NCRs as quality records with traceability to the affected part number and serial or lot identity.
  4. Disposition — A material review board (MRB) or designated authority assigns a disposition, most commonly one of: use-as-is, rework, repair, or scrap/reject (return to supplier is a further option for purchased material). Use-as-is and repair dispositions in regulated industries typically require engineering authority approval; under AS9100 Rev D they also require customer approval where the nonconformance affects customer requirements.
  5. Root cause analysis — For recurring or high-severity NCs, a formal root cause investigation is initiated. Methods include 8D, fishbone (Ishikawa) analysis, and the 5-Why technique, each producing a documented causal chain.
  6. Corrective action — Verified root causes drive corrective action requests (CARs), which are tracked to closure with evidence of effectiveness. This phase is detailed in quality-assurance-corrective-action.
  7. Effectiveness verification — Closed corrective actions are monitored over a defined period — typically 30 to 90 days — to confirm recurrence has been eliminated.

Common scenarios

Nonconformance events arise in predictable patterns across regulated industries:


Decision boundaries

Not every deviation qualifies as a nonconformance requiring full NCR processing. Organizations operating under mature QMS frameworks establish written criteria that distinguish between concessions, observations, and formal nonconformances.

Concession, deviation permit, and nonconformance: ISO 9000:2015 distinguishes two planned departures. A deviation permit is authorization, granted before the output is produced, to depart from a specified requirement. A concession is authorization to use or release an output that is already known not to conform. A nonconformance is an unplanned departure discovered after the fact. ISO 9001:2015 clause 8.7 controls nonconforming outputs and lists acceptance under concession as one of the available dispositions, so a concession granted for a detected nonconformance is recorded on the NCR (clause 8.7.2 requires the record to identify the nonconformity, the actions taken, any concessions obtained, and the authority that decided the disposition), whereas a deviation permit is documented before production and does not by itself generate an NCR.

Minor vs. major classification: ISO/IEC 17021-1:2015, the accreditation standard for bodies certifying management systems, defines a major nonconformity as one that affects the capability of the management system to achieve its intended results, and a minor nonconformity as one that does not. In practice a minor is typically a single isolated lapse against a requirement, while a major signals a systematic breakdown or the complete absence of a required element. A certification body cannot grant or recommend certification while a major NC is open; the organization must implement and have verified corrective action before certification proceeds.

Escape vs. internal catch: An NC detected before delivery to the customer is an internal catch; an NC discovered by the customer or end-user is an escape. Escapes carry substantially higher compliance risk, including FDA correction and removal reporting for medical devices under 21 CFR Part 806, FAA failure, malfunction and defect reporting under 14 CFR 21.3 for design and production approval holders, and contractual penalties. They trigger mandatory escalation and customer notification paths that internal catches may not require.
