V5 Ultimate
Quality · The complete guide

Nonconforming Product (21 CFR §820.90)

TL;DR

21 CFR §820.90 — Nonconforming Product — and its QMSR successor ISO 13485 §8.3 define how a medical-device manufacturer identifies, segregates, evaluates, dispositions and documents any product that does not meet specified requirements. This guide walks the four mandatory controls, the disposition decisions (rework, regrade, use-as-is concession, return-to-supplier, scrap), the rework-revalidation rule, the link to CAPA and complaint handling, and how the evidence is captured in an eDHR so a Form 483 cannot land on §820.90.

Reviewed · By V5 Ultimate compliance team· 2,100 words · ~10 min read
AI · Explain it for MY operation

How does Nonconforming Product (21 CFR §820.90) apply to your shop floor?

Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.

Your scale

01What §820.90 actually requires

21 CFR §820.90 is a short clause with four mandatory controls: identify nonconforming product, document the nonconformity, evaluate the nonconformity, and dispose of it under a documented procedure. ISO 13485 §8.3 — which becomes the binding text under QMSR on 2 February 2026 — adds two explicit requirements that QSR left implicit: maintain records of the actions taken and re-verify reworked product before release.

Mandatory controlQSR (§820.90)ISO 13485 §8.3 (QMSR)
IdentificationRequiredRequired, explicit
Documentation of nonconformityRequiredRequired, with description of nature
Evaluation (incl. need for investigation)RequiredRequired, risk-based
DispositionRequired, by responsible personRequired, with authority to disposition
Records of disposition and rationaleImplicitExplicit — must be retained
Re-verification after reworkImplicit (via §820.80)Explicit (§8.3.4)
Concession (use-as-is) notification to customerNot requiredRequired where regulatory or contractual

02Identification and segregation — the most-cited failure

Identification is more than a red hold-tag. The system must positively prevent the nonconforming unit from being used or shipped — physical segregation (a quarantine cage), electronic segregation (a status flag in the MES/WMS that blocks pick and ship transactions), and labelling must all align. A unit that is physically in a quarantine cage but still showing 'available' in the ERP is a §820.90 finding waiting to happen, as is a unit with a hold flag in the system but no physical tag.

The most common failure mode is the 'engineering loaner' or 'sample for the trade show' that is pulled from quarantine without re-dispositioning. The audit trail of who removed the unit, under what authority, and what happened to it after must exist; otherwise the system is presumed not to control nonconforming product.

03Evaluation — and when an investigation is mandatory

Every nonconformance must be evaluated. The evaluation answers three questions: what is the extent (one unit, one lot, many lots), what is the risk (does this unit / lot present a hazard if it had been used), and is an investigation required (is the cause known, or does it need root-cause work).

§820.90(a) requires an investigation 'as required by §820.100', i.e., when the issue is systemic, recurrent, or has effectiveness implications beyond the immediate event. ISO 13485 §8.3 is more explicit: investigation is required whenever the impact extends beyond the immediate product. A documented decision either way must exist in the NCR.

  1. Extent assessment — single unit, lot-wide, or multi-lot. Lot-wide and multi-lot trigger broader sampling under §820.250.
  2. Risk assessment — link to the ISO 14971 risk file. If the failure mode was already characterised, the existing risk control adequacy is re-evaluated. If it is a new failure mode, the risk file is updated.
  3. Cause assessment — known cause (e.g., a documented procedural deviation that already has a root cause) vs unknown cause. Unknown cause requires a documented root-cause analysis before disposition.
  4. Trend assessment — is this the third occurrence in 90 days? Recurrence triggers a CAPA per §820.100 regardless of the individual severity.

04The disposition decision — five options

DispositionWhen usedRe-verification required
ReworkDefect can be corrected by additional processing using the approved procedureYes — re-verify per the same acceptance criteria as the original process; revalidation if rework procedure is not part of the validated process
Repair (rework with deviation)Defect corrected outside the original validated processYes — full re-verification plus risk assessment of any deviation from validated process
RegradeUnit does not meet original spec but meets a lower-spec variant that has its own DMRYes — verify against the lower-spec acceptance criteria
Use-as-is (concession)Defect is judged not to affect safety / effectivenessDocumented justification + customer notification where contractually or regulatorily required; ISO 13485 §8.3.3 explicit
Return to supplierDefect attributable to incoming material and supplier accepts returnN/A — unit leaves the QMS; supplier corrective action under §820.50 / §7.4
ScrapDefect is unrecoverable or rework is uneconomicDestruction record under §820.184 — DHR closure for the unit

Disposition authority must be assigned in the procedure. Typically QA has final authority for use-as-is and scrap; manufacturing engineering can authorise rework against the validated procedure; only the change-control board can authorise repair (rework outside the validated process).

05Rework re-validation — the §820.90(b)(2) rule

§820.90(b)(2) is one of the QSR clauses that catches most manufacturers: 'The activities of rework, including a re-evaluation of the nonconforming product after rework, shall be documented in the DHR.' The re-evaluation has to use the same acceptance criteria as the original — you cannot rework a unit to a looser standard than the original passed-or-failed against.

If the rework operation itself is not part of the original validated process — for example, a unit that has been re-soldered after a cold-joint failure when the original process did not include a re-solder step — then the rework procedure must itself be validated, or the rework must be authorised as a repair under change control with a documented risk assessment. This is the most-cited rework finding in 483s.

06Concessions and customer notification

A concession (use-as-is) under ISO 9000 §3.12.5 vocabulary is permission to release product that does not conform to specified requirements. ISO 13485 §8.3.3 adds two device-specific constraints:

  • Concessions require justification, approval and identification of the responsible person — the same level of rigor as any other disposition.
  • Where the original requirement was a regulatory requirement (e.g., a labelling requirement under §801) or a customer requirement explicitly captured in the contract, the concession requires notification to the regulator or the customer before release.

Concessions cannot be used to release product that fails a safety or effectiveness requirement — the only legitimate dispositions for a unit that fails a safety/effectiveness requirement are rework (to meet the requirement), scrap, or return to supplier. A concession on a safety requirement is, by definition, releasing unsafe product and is the basis for an inspectional finding of inadequate quality system controls.

Frequently asked questions

Q.Does §820.90 require a written procedure?+

Yes. §820.90(b) requires 'procedures' for the disposition of nonconforming product. The procedure must define responsibility, authority, the disposition options, and the documentation requirements. A common 483 observation is that the procedure exists but does not assign disposition authority by role.

Q.Is use-as-is the same as a concession?+

Yes in substance. ISO 9000 uses 'concession'; many US device manufacturers use 'use-as-is' as the legacy QSR term. Both mean releasing product that does not meet specified requirements with documented justification and approval. The terminology choice does not matter to the inspector; the documentation rigour does.

Q.Can I scrap a unit without a documented investigation?+

Only if the investigation requirement is documented as not applicable per §820.90(a) and §820.100. Scrap is a valid disposition but the decision to scrap without investigating cause must itself be justified — if the cause is unknown, the next unit could fail the same way and the scrap decision is hiding a recurring issue.

Q.Does §820.90 cover incoming nonconforming material?+

Yes. §820.90 covers product at any stage — incoming, in-process, finished, returned. The disposition decision (return to supplier vs rework vs use-as-is concession with supplier corrective action) is the part that differs, but the four mandatory controls apply identically.

Q.What changes under QMSR for nonconforming product?+

§820.90 is superseded by ISO 13485 §8.3. The two additions worth noting in SOPs: §8.3.3 makes customer/regulator notification for concessions an explicit step, and §8.3.4 makes re-verification after rework an explicit named step rather than an implied requirement under §820.80. Procedures should be updated to cite §8.3 and to call out these two steps by name.

Q.How long do I have to investigate a nonconformance?+

There is no universal regulatory deadline. Most manufacturers' SOPs set targets — 30 days for initial assessment, 60–90 days for closure. The inspectional expectation is that units and lots affected by an open NCR cannot be released until the NCR is closed and the disposition is approved.

Primary sources

Further reading

See Nonconforming Product (21 CFR §820.90) working on a real shop floor

V5 Ultimate ships with the Nonconforming Product (21 CFR §820.90) controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.