Quality Assurance: Nonconformance Reporting Standards
Nonconformance reporting (NCR) is the formal mechanism by which organizations identify, document, and disposition products, materials, services, or processes that fail to meet specified requirements. NCR standards define the structure of that mechanism — the mandatory data elements, escalation thresholds, disposition authorities, and linkage to corrective action processes. Failure to maintain a functional NCR system is a cited finding in audits conducted under ISO 9001, AS9100, FDA 21 CFR Part 820, and equivalent frameworks across regulated industries.
Definition and scope
A nonconformance is any departure from a specified requirement — a drawing dimension, a contractual specification, a regulatory threshold, or an internal procedure. The nonconformance report is the controlled document that captures that departure, assigns accountability, and establishes a disposition pathway before the affected item or process is released, used, or delivered.
Scope under major frameworks varies:
- ISO 9001:2015, Clause 8.7, requires that nonconforming outputs be identified and controlled to prevent unintended use or delivery, and that disposition decisions be documented (ISO 9001:2015).
- AS9100 Rev D, used in aerospace and defense, extends this to nonconforming product at supplier facilities and mandates notification to customers when nonconforming product has been delivered (SAE International AS9100D).
- FDA 21 CFR Part 820.90 (for medical devices) requires formal nonconforming product control procedures, documented disposition authority, and investigation when nonconformance is recurring (21 CFR Part 820).
- FDA 21 CFR Part 211 (pharmaceutical current Good Manufacturing Practice) requires rejection and quarantine procedures for out-of-specification materials (21 CFR Part 211).
The quality assurance regulatory framework governing a specific sector determines which of these standards applies, and whether cross-framework alignment is required.
How it works
An NCR system operates through a defined sequence of phases, each with mandatory outputs:
- Detection and identification — The nonconformance is observed and tagged. Physical product is typically segregated and labeled "Hold," "Reject," or "Nonconforming" to prevent inadvertent use. Process nonconformances are documented at the point of detection.
- Documentation — A formal NCR is opened. Required data elements typically include: part number or process identifier, revision level, quantity affected, description of the departure, detected-by information, date of detection, and applicable specification reference.
- Containment — Immediate actions are taken to prevent the nonconformance from propagating — quarantine of affected stock, process halt, or customer notification where required by contract or regulation.
- Disposition — A Material Review Board (MRB) or qualified disposition authority evaluates the nonconformance. Standard dispositions include: Use As Is (departure has no functional impact), Rework (bring into conformance), Repair (restore function without full conformance), Return to Supplier, or Scrap/Reject. AS9100 Rev D explicitly limits "Use As Is" and "Repair" dispositions to authorized personnel and may require customer concurrence.
- Closure and records — Disposition actions are verified and the NCR is closed. Records are retained per applicable requirements — FDA 21 CFR Part 820 requires device history records to be retained for a period equal to the design and expected life of the device, but not less than 2 years from the date of release for commercial distribution.
- Escalation trigger — Recurring nonconformances meeting defined thresholds trigger a formal corrective action request (CAR), linking the NCR system to root cause analysis and systematic remediation.
Common scenarios
NCRs arise across all stages of production and service delivery. Documented scenarios by category include:
- Incoming inspection failures — Supplier-delivered material fails dimensional, chemical, or functional acceptance criteria. The NCR is opened against the purchase order lot and disposition authority determines whether a supplier corrective action request (SCAR) is issued.
- In-process nonconformances — A manufacturing step produces output outside control limits or tolerance. First-article inspection failures at a machining operation are a typical trigger.
- Final inspection rejections — Finished product fails end-item acceptance testing. In medical device manufacturing, a finished device lot failing sterility or bioburden testing generates an NCR that must be evaluated against 21 CFR Part 820.90 requirements before any disposition.
- Process deviations — A documented procedure was not followed, even if the output appears acceptable. Process-based NCRs are common in pharmaceutical manufacturing under cGMP and in software development environments aligned to CMMI framework practices.
- Delivered nonconforming product — Product shipped to a customer is subsequently found nonconforming. AS9100 Rev D Clause 8.7.3 requires notification to affected customers in this scenario, with documented evidence of that notification.
Decision boundaries
The NCR system intersects with — but is distinct from — three adjacent processes:
| NCR Element | Corrective Action | Preventive Action |
|---|---|---|
| Addresses a specific, detected departure | Addresses root cause of a nonconformance | Addresses potential future nonconformances |
| Disposition is product/process-specific | System-level response | Risk-based, prospective |
| Closed when disposition is verified | Closed when recurrence is prevented | Closed when risk is mitigated |
Use As Is vs. Repair dispositions carry distinct engineering and regulatory implications. "Use As Is" certifies that the nonconforming characteristic does not affect form, fit, or function — a determination requiring documented engineering authority. "Repair" returns an item to a serviceable but not fully conforming state, and in aerospace and defense contexts, AS9100 Rev D requires this disposition to be authorized by a designated engineer and, where applicable, the customer.
Threshold-based escalation rules determine when an NCR must generate a corrective action. A single isolated NCR may close through disposition alone. An NCR that recurs 3 or more times within a defined period, or that affects safety-critical characteristics, typically crosses the escalation threshold into formal corrective action under most Quality Management System (QMS) procedures. The specific numeric thresholds are organization-defined but must be documented in the QMS to satisfy ISO 9001:2015 Clause 10.2 requirements.
References
- ISO 9001:2015 — Quality Management Systems: Requirements
- SAE International AS9100D — Quality Management Systems: Requirements for Aviation, Space, and Defense Organizations
- 21 CFR Part 820 — Quality System Regulation (FDA Medical Devices)
- 21 CFR Part 211 — Current Good Manufacturing Practice for Finished Pharmaceuticals
- FDA Guidance: Quality System Regulation — Nonconforming Product (HHS/FDA)
- American Society for Quality (ASQ) — Nonconformance Reporting