NCRNon-Conformance Report

A Non-Conformance Report (NCR) is the formal record opened when a product, material, process or system fails to meet specification or a requirement. It captures what was found, where, when, by whom, the immediate containment, the investigation, the disposition decision (use as-is, rework, regrade, reject, recall) and the linkage to any downstream CAPA. It is the first formal artefact in the quality response to a failure and the audit-trail anchor for everything that follows.

NCRs are required, in essentially the same shape, by every regulated-manufacturing regime. 21 CFR 820.90 (medical devices) calls them 'control of nonconforming product'. 21 CFR 211.192 (pharma) addresses them through deviation and production-record review. 21 CFR 117.150 (food, FSMA) addresses them through corrective-action records. ISO 13485 §8.3 and ISO 9001 §8.7 both require formal control of nonconforming output. Every GFSI scheme (SQF, BRCGS, FSSC 22000) requires equivalent records.

820.90(a) requires procedures to control nonconforming product: 'The procedures shall address the identification, documentation, evaluation, segregation, and disposition of nonconforming product.' Five activities, in that order, with evidence at each step.

820.90(b)(1) governs nonconformity review and disposition: 'The procedures shall define the responsibility for review and the authority for the disposition of nonconforming product.' Disposition must be one of: rework, use as-is (with documented justification and concession), reject. 820.90(b)(2) requires that the disposition decision be documented.

820.90(b)(3) requires that rework procedures, when used, be performed in accordance with documented procedures, that the rework be re-evaluated to ensure it meets current specifications, and that the rework and re-evaluation be documented.

An NCR record that satisfies 820.90 must therefore show: identification (what, when, where, who), evaluation (what failed which spec, severity), segregation (where the product is now held, under what control), disposition (decision, authoriser, rationale), rework evidence where applicable, and the link to any CAPA the NCR triggered.

ISO 13485:2016 §8.3 mirrors and extends 820.90. The 2016 revision split the clause into four sub-clauses to clarify the lifecycle expectations.

• §8.3.1 General — procedure exists, responsibility defined, records retained.
• §8.3.2 Actions in response to nonconforming product detected before delivery — segregate, evaluate, action, document.
• §8.3.3 Actions in response to nonconforming product detected after delivery — appropriate to the effects, including issuing advisory notices and field actions where required.
• §8.3.4 Rework — when performed, controlled by documented procedure, re-evaluated, and the impact of rework on the product evaluated and documented.

§8.3.3 is the post-delivery sub-clause that links NCRs to field actions and advisory notices — the regulatory bridge from internal nonconformity to MDR (Medical Device Reporting) and recall. An NCR opened on a delivered product that meets MDR criteria must trigger the advisory-notice workflow within the regulatory timeframe.

These three terms are related and often confused. The right reading is: NCR is the umbrella term; deviation and OOS are specific subtypes that have their own predicate-rule expectations.

In practice, an OOS often generates an NCR on the lot; a deviation often generates an NCR on the affected batch. A modern eQMS treats them as related records — the deviation or OOS triggers the NCR, and the NCR may in turn trigger a CAPA. The chain must be linked end-to-end in the audit trail.

1. Identification

The nonconformity is discovered — by an operator at the kiosk, by a QC inspector, by an incoming-goods checker, by an internal audit. The record captures what was found, against which requirement, where, when and by whom.

2. Containment / segregation

Immediately on identification, the affected product is segregated and placed on hold. The hold prevents accidental use or shipment. The hold must be physically meaningful (quarantine area, locked status in inventory) and the hold record must be linked to the NCR.

3. Investigation and evaluation

Determine the scope (only this lot? upstream lots? parallel lines?), the severity (minor, major, critical), the likely root cause, and whether the NCR rises to CAPA. The investigation may be lightweight for a simple NCR or a full RCA for a systemic one.

4. Disposition decision

The authoriser — defined by procedure under 820.90(b)(1) — chooses: use as-is (with concession and rationale), rework, regrade, reject, recall. The decision is recorded with the authoriser's e-signature and a meaning enum on the signature.

5. Action

Execute the disposition. If rework, run the rework procedure and re-evaluate. If reject, document destruction or return. If use-as-is, document the concession with the customer where required. If recall, hand off to the recall workflow.

6. Closure and CAPA decision

Close the NCR with the action evidence. At closure, the triage decision is made: does this NCR escalate to a CAPA? Documented rationale either way. Closure is two-component e-signature by the quality unit.

820.90(a) explicitly requires segregation. The product must be physically separated from production-ready material and held under a logical status that prevents use. Inventory systems must respect the hold; a kiosk that lets an operator dispense from a held lot is non-compliant.

Modern inventory designs use a status field on the lot ('available', 'quarantine', 'hold', 'rejected') that the dispense and pick workflows enforce at the database tier. The hold is created automatically when an NCR is opened against a lot; the hold is released only when the NCR disposition is finalised. The audit trail records every hold creation, release, and the NCR that authorised each.

Inspectors check this by inspecting the quarantine area physically against the hold register in the system. A discrepancy — product in quarantine not on the register, or product on the register not physically held — is a major finding.

The disposition decision is the highest-authority step in the NCR lifecycle. The authorising role is defined by procedure (typically QA Director, QP, or a designated reviewer) and the decision carries a regulated e-signature with a meaning enum.

• Use as-is — the product is released despite the nonconformity, with documented justification and (where customer-specific) a concession from the customer. Use-as-is on a critical nonconformity is rare and requires QP or equivalent authority.
• Rework — the product is brought into specification through a documented rework procedure (820.90(b)(3)) and re-evaluated. Rework is itself documented and the impact on the product evaluated.
• Regrade — the product is reclassified to a lower-grade use where it meets that grade's specification. Common for food and chemical commodities; rare for drugs and devices.
• Reject — the product is destroyed or returned to supplier. The destruction is witnessed and recorded.
• Recall — if the nonconformity is on already-distributed product, the recall workflow is triggered with regulatory notification per the predicate rule.

Each disposition has its own evidence pack. Inspectors trace from disposition decision back to the evidence supporting it — a use-as-is with no documented technical justification is a critical finding.

Not every NCR becomes a CAPA. A trivial one-off NCR with low impact and no recurrence pattern can be closed at the NCR level with documented rationale. A systemic NCR, a repeat NCR, a high-severity event, or an NCR with patient/consumer impact must escalate to CAPA.

The triage decision must be made by a qualified reviewer and the rationale must be recorded on the NCR. 'No CAPA required because this was a one-off' is acceptable if the data supports it; 'no CAPA required' on its own is not. Inspectors look closely at NCRs closed without CAPA — they are testing whether the triage was honest.

Trend analysis is the safety net. A series of small NCRs each closed without CAPA can still indicate a systemic problem. Modern eQMS runs trend analysis over NCR root-cause categories and flags repeat patterns to management review even when each individual NCR was triaged as not-CAPA.

ISO 13485 §5.6 and 820.20 both require management review to consider information from monitoring and measurement, complaints, audits, and corrective and preventive actions. NCRs feed all of these. The management-review input pack includes open NCRs by severity and age, NCR trends by root cause, NCRs closed without CAPA, and NCRs escalated to CAPA.

A management review without NCR data is structurally blind. The number-one Warning Letter pattern is a quality unit that knew of recurring NCRs but lacked the visibility or authority to drive systemic fixes. Management review is the structural answer.

1. NCR opened but the affected lot was never placed on hold — segregation requirement broken.
2. Disposition decision made by the same person who originated the NCR — independence broken under 820.90(b)(1).
3. Use-as-is disposition with no documented technical justification.
4. Rework performed without a documented rework procedure or without re-evaluation against current specifications.
5. NCR closed without a CAPA triage decision — no record of whether escalation was considered.
6. Trend analysis not performed across NCR root causes — repeat patterns invisible to management.
7. Hold released before disposition was final — product shipped that should not have been.
8. NCR on delivered product not assessed for advisory notice / field action under ISO 13485 §8.3.3.
9. NCR closed with action evidence missing — auditor cannot reconstruct what was actually done.
10. Free-text NCR with no structured fields — disposition, severity, root cause cannot be queried or trended.

V5 treats NCRs as a structured workflow that bridges the kiosk capture, the hold on inventory, the disposition decision and the optional CAPA escalation. Every step writes to the immutable audit trail with the meaning enum on every e-signature.

• NCRs can be opened from the kiosk (operator-found), from QC (inspection-found), from incoming goods (supplier-found), from internal audit, or from a customer complaint. The source is captured on the record.
• Opening an NCR against a lot automatically places the lot on hold; the kiosk dispense and pick workflows respect the hold at the database tier. Override of a held lot is impossible by design.
• The investigation step uses a structured RCA template; severity (minor, major, critical) and scope (lot, batch, upstream, cross-line) drive the action workflow.
• Disposition decision is two-component e-signature by a qualified authoriser, defined by the workspace role configuration. The authoriser cannot be the originator (independence enforced at the database tier).
• Use-as-is requires a technical justification field and, where applicable, a customer concession link. Rework requires reference to a documented rework procedure and a re-evaluation result.
• Closure triggers the CAPA triage prompt — escalate to CAPA or document the rationale not to. The decision and reviewer are captured.
• Trend analysis runs continuously over NCR root-cause categories and flags repeat patterns to management review even when individual NCRs were not escalated.
• Post-delivery NCRs prompt the ISO 13485 §8.3.3 evaluation: does this require an advisory notice or field action? The decision is recorded with rationale.

See below for regulator-grade answers to the questions buyers ask most often about NCRs.