Nonconformance Reporting Requirements
Nonconformance reporting (NCR) is a formal quality system process that documents, tracks, and initiates disposition for products, processes, or materials that fail to meet specified requirements. Federal regulations across industries — from FDA medical device rules to Department of Defense acquisition standards — mandate structured nonconformance documentation as a core element of quality management. Understanding what triggers a nonconformance report, how it moves through the system, and where decision authority lies is essential for meeting quality-control compliance requirements and avoiding enforcement findings.
Definition and scope
A nonconformance is any instance where a product, process, service, or material deviates from a documented requirement — a drawing dimension, a material specification, a process parameter, or a regulatory standard. Nonconformance reporting is the systematic activity of capturing that deviation in a controlled record before any disposition decision is made.
Scope varies by industry and regulatory framework:
- ISO 9001:2015, published by the International Organization for Standardization, requires organizations to retain documented information describing the nonconformity, the actions taken, any concessions obtained, and the authority approving the disposition (ISO 9001:2015, §10.2).
- 21 CFR Part 820, the FDA Quality System Regulation for medical devices, mandates nonconforming product control procedures under §820.90, including identification, documentation, evaluation, segregation, and disposition.
- AS9100 Rev D, the aerospace quality management standard maintained by SAE International, imposes additional requirements for first-article inspection failures, escape reporting, and customer notification thresholds not present in baseline ISO 9001.
- 10 CFR Part 50 Appendix B, governing nuclear facility quality assurance, requires nonconformance control as one of 18 mandatory quality assurance criteria (NRC, 10 CFR Part 50 Appendix B).
A nonconformance differs from a defect in a legally significant way: a defect implies a product has failed to meet a safety or fitness-for-purpose requirement, triggering potential recall obligations under statutes such as the Consumer Product Safety Act. A nonconformance may be a dimensional tolerance deviation that is entirely dispositioned by rework or acceptance-as-is without safety implications. That distinction shapes the reporting path and the disposition authority required. For products approaching defect thresholds, product recall and withdrawal compliance obligations may apply in parallel.
How it works
The nonconformance reporting process follows a discrete sequence regardless of industry, though specific form requirements and timelines vary by regulatory framework.
- Detection — A nonconformance is identified during incoming inspection, in-process inspection, final inspection, customer receipt, or audit. The detecting party places the material or process output on hold pending documentation.
- Documentation — An NCR is initiated in the document control system, capturing: part number, lot or serial number, quantity affected, description of the deviation, the requirement that was violated (with reference to the applicable drawing, specification, or regulation), and the name of the detecting individual.
- Segregation and identification — Nonconforming items are physically labeled and segregated to prevent inadvertent use or shipment, as required by 21 CFR Part 820.90 and ISO 9001:2015 §8.7.
- Evaluation and disposition — A Material Review Board (MRB) or equivalent authority reviews the NCR and assigns one of four standard dispositions: Use-As-Is (deviation does not affect form, fit, or function), Rework (item can be brought into conformance), Repair (item is brought into serviceable but non-drawing-conforming condition, requiring customer or engineering concession), or Scrap (item cannot be economically or safely brought into conformance).
- Closure — After disposition is implemented and verified, the NCR is closed with evidence of the corrective action taken, and the record is retained per applicable retention schedules.
- Trend analysis — Closed NCRs feed into trend monitoring. ISO 9001:2015 §10.2.1(e) requires organizations to update risks and opportunities identified during planning if the nonconformance reveals systemic patterns.
For recurring nonconformances, a formal corrective and preventive action compliance process is initiated as a downstream step, separate from the NCR closure.
Common scenarios
Nonconformance reports arise in three primary categories:
Product nonconformances include dimensional out-of-tolerance conditions, material certificate failures, surface finish deviations, and label errors. In pharmaceutical manufacturing under 21 CFR Part 211 (Current Good Manufacturing Practice for Finished Pharmaceuticals), out-of-specification laboratory results require a defined investigation process before any disposition — an NCR alone is insufficient.
Process nonconformances occur when a production process deviates from a validated method or procedure. Under FDA process validation guidance and AS9100 Rev D §8.5.1, processes whose outputs cannot be verified by subsequent inspection are classified as "special processes," and any process deviation in these categories triggers a mandatory NCR with engineering review.
Supplier nonconformances are initiated when purchased material or services fail to meet purchase order or specification requirements. AS9100 Rev D §8.4.3 and ISO 9001:2015 §8.4.3 both require that supplier nonconformances be communicated back to the supplier and that the supplier's disposition response be documented. Supplier quality compliance programs typically track supplier NCR rates as a key performance metric.
Decision boundaries
The critical decision in nonconformance management is determining which disposition category applies and who holds authority to approve it.
Use-As-Is vs. Repair is the highest-stakes boundary. In aerospace, a Use-As-Is disposition on a structural characteristic requires authorized engineering signoff and, in many cases, customer concurrence under AS9100 Rev D. A Repair disposition — meaning the item will not conform to the original drawing but will be made serviceable — almost universally requires customer or regulatory authority approval in regulated industries. The FDA does not recognize Repair as a standard disposition under 21 CFR Part 820; the applicable options are rework, return, or scrap.
Minor vs. major nonconformances represent a classification that determines escalation paths. ISO 9001 auditing practice, as documented in IAF Mandatory Document MD 3, defines a major nonconformance as the absence or total breakdown of a system requirement, while a minor nonconformance is a single observed lapse. A single NCR for a dimensional deviation is typically minor; repeated NCRs for the same characteristic without corrective action constitute a major finding.
Regulatory reportability adds a separate decision layer. Medical device manufacturers must evaluate whether a nonconformance constitutes a malfunction or failure that could cause or contribute to serious injury, triggering Medical Device Report (MDR) obligations under 21 CFR Part 803. Nuclear licensees must assess whether a nonconformance qualifies as a reportable condition under 10 CFR 50.55(e). These regulatory reporting thresholds exist independently of — and in addition to — the internal NCR process.
References
- ISO 9001:2015 — International Organization for Standardization
- 21 CFR Part 820 — FDA Quality System Regulation (eCFR)
- 21 CFR Part 803 — Medical Device Reporting (eCFR)
- 21 CFR Part 211 — Current GMP for Finished Pharmaceuticals (eCFR)
- 10 CFR Part 50 Appendix B — NRC Quality Assurance Criteria
- AS9100 Rev D — SAE International
- IAF Mandatory Document MD 3 — International Accreditation Forum