Nonconformance: Definition, Types, Causes, and Process

Nonconformance

A nonconformance is any failure of a product, process, or system to meet defined requirements, including specifications, approved procedures, or applicable regulatory requirements. Nonconformances compromise product conformity and regulatory compliance, and may indicate deficiencies in process control or quality system effectiveness.

Nonconformances are typically classified as minor, major, or critical, depending on their impact on product quality, patient or user safety, and regulatory compliance. Nonconformances may also be categorized by origin, such as material or component defects, process control failures, or documentation and record-keeping errors.

The nonconformance management process follows a structured, risk-based workflow beginning with identification and documentation in a Nonconformance Report (NCR). Standard steps include detection and reporting, segregation and containment, impact assessment, structured investigation with root cause analysis, implementation of Corrective and Preventive Actions (CAPA), and verification of effectiveness. 

Internationally recognized standards and regulations require formal processes for controlling nonconformances. These include ISO 13485:2016, FDA 21 CFR Part 820.90 and 21 CFR Part 211.192, EU GMP, and ICH Q10.

The cost of nonconformance includes both direct costs, like scrap, rework, and delays, and indirect costs such as recalls, regulatory actions, and reputational damage.

Preventing nonconformances requires a proactive, risk-based approach supported by robust quality processes, supplier control, and continuous training. Implementation of electronic Quality Management System (QMS) software strengthens compliance by automating NCR documentation, ensuring audit-ready traceability, integrating CAPA, and enabling data-driven trending and analysis to manage nonconformances effectively and prevent recurrence.

SimplerQMS provides life science organizations with a cloud-based QMS solution that includes end-to-end nonconformance management capabilities, such as electronic NCR creation, CAPA linkage, automated approval workflows, traceability, and records that demonstrate continuous regulatory compliance.

What Is Nonconformance?

Nonconformance refers to the failure of a product, process, service, or system to meet specified requirements. These requirements may be internal, such as standard operating procedures, or external, such as regulatory requirements. Nonconformances must be identified, documented, and controlled through a defined process to maintain product quality and ensure regulatory compliance and audit readiness.

Nonconformances are typically classified by severity and risk to determine the appropriate level of investigation, escalation, and corrective action. The usual classes are minor, major, and critical, based on impact on product quality, safety, and regulatory compliance.

Nonconformances could be referred to by various terminologies within an organization. Synonyms and common terminology used to describe nonconformances are listed below.

  • Nonconformity
  • Non-conformance
  • NC (Nonconformance)
  • NC deviation

In some sectors, OOS (Out of Specification) or OOT (Out of Tolerance) may be used when referring to test results or measurements that fall outside of defined limits.

A nonconformance is distinct from related terms listed below.

  • Deviation: Refers to a planned or unplanned departure from an approved procedure or instruction, often used in GMP environments.
  • Defect: Refers to a physical or functional flaw in a product that renders it unfit for intended use.
  • Noncompliance: A broader regulatory term indicating failure to meet legal or regulatory requirements, which may include nonconformances but is not limited to them.

Deviations and defects are subsets of nonconformances within the QMS and can be managed through distinct procedures, such as Deviation Management, Complaint Handling, or CAPA.

Identifying and documenting the nonconformance is essential for maintaining the integrity of the QMS. It enables the application of containment measures, root cause analysis, corrective actions, and preventive actions as applicable, supporting continuous improvement and regulatory conformance.

Nonconformances are typically detected through formal quality control mechanisms such as the incoming inspection of materials or components, in-process or final product inspection and testing, and internal audits or third-party audits. Nonconformances can also be identified through equipment calibration or maintenance activities. Quality events such as customer complaints can also identify nonconformances that were not previously detected during manufacturing and testing.

What Are the Different Types of Nonconformances?

Nonconformances are classified based on severity and risk. Commonly used categories are listed below.

  • Minor Nonconformance: A low-risk issue that does not impact product safety, performance, or regulatory compliance. Minor nonconformances are often isolated incidents or procedural lapses, such as a missing signature on a form.
  • Major Nonconformance: A more serious issue that may impact product quality or compliance with regulatory or internal requirements. Major nonconformances often indicate failure in a process or a breakdown in the implementation of documented procedures. For example, the use of an outdated specification.
  • Critical Nonconformance: A severe issue that poses a significant risk to patient or user safety, product integrity, or does not meet a critical regulatory requirement. Critical nonconformances typically require immediate containment, escalation, and formal CAPA. For example, the release of a nonconforming product without approval.

Minor Nonconformance

A minor nonconformance is a limited deviation from a regulatory requirement, standard operating procedure (SOP), or product specification. A minor nonconformance does not pose an immediate or significant risk to product quality, patient safety, or regulatory compliance. Minor nonconformances do not compromise the essential conformity of a product or process and typically reflect isolated or procedural oversights rather than systemic failures.

Minor nonconformances differ from major and critical nonconformances in terms of severity, scope, and potential impact. Minor nonconformances are typically low-risk, infrequent, and unlikely to affect final product performance, safety, or compliance outcomes.

A minor nonconformance typically involves low-risk issues such as documentation discrepancies, procedural lapses, or isolated incidents of operator error that are unlikely to affect product quality or result in regulatory violations. However, repeated or unaddressed minor nonconformances may signal emerging trends that require further investigation and escalation.

Within a quality management system (QMS), minor nonconformances should be documented, evaluated, and monitored to ensure appropriate control and resolution. Root cause analysis may be performed based on risk and recurrence. In many cases, immediate corrective actions such as retraining or minor procedural updates are sufficient. Formal CAPA may not be required unless the issue recurs or reveals a broader systemic issue.

Standards such as ISO 9001:2015, ISO 13485:2016, and regulations such as FDA 21 CFR Part 820 require documented handling of nonconforming outputs, including minor deviations or nonconformities. Effective implementation of internal procedures must demonstrate that even low-risk issues are subject to ongoing review and addressed as part of continuous improvement where appropriate.

Minor nonconformances may be addressed through targeted corrective actions, such as clarification of work instructions, localized retraining, or documentation revision. Preventive actions may include trend monitoring, internal audits, and proactive communication across teams to mitigate future occurrences. The goal is to maintain a state of control and prevent minor issues from evolving into more significant risks over time.

Minor Nonconformance Examples

Examples of minor nonconformances are listed below.

  • Missing Signature on a Training Record: A training record is found without a sign-off from the trainee or trainer. This is classified as a minor nonconformance because it does not indicate a lack of training, only incomplete documentation, and poses no direct risk to product quality.
  • Incorrect Document Formatting: A standard operating procedure (SOP) is issued with an outdated template version or a missing header. Incorrect document formatting does not affect the technical content or compliance of the SOP and is tracked as a minor issue.
  • Label Misalignment on Outer Packaging: A product label is applied slightly misaligned on the outer packaging. All other required information is legible and correct. No impact on usability, traceability, or regulatory compliance is identified. Therefore, the issue is considered minor.
  • Non-Critical Equipment Calibration Slightly Overdue: A thermometer used for ambient storage temperature monitoring was calibrated three days after its due date. The equipment is not directly involved in critical process control. Therefore, the nonconformance is classified as minor.
  • Incomplete Line Clearance Checklist: A production line clearance checklist was submitted without checking one non-critical item (e.g., waste bin empty). Oversight does not impact product identity or mix-up risk. Therefore, the nonconformance is considered minor.

Major Nonconformance

A major nonconformance is a significant failure to meet a regulatory requirement, standard operating procedure (SOP), or product specification that could impact product quality, patient safety, or regulatory compliance. Major nonconformances significantly compromise product conformity or regulatory compliance, even if they do not present an immediate patient or user safety risk. They generally signal systemic deficiencies, such as ineffective process controls, inadequate risk management, or failures in QMS implementation and oversight.

Major nonconformances differ from minor nonconformances in terms of severity, risk, and potential impact. While a minor nonconformance poses limited risk, a major nonconformance could result in compromised product performance, process integrity, or regulatory compliance.

The impact of a major nonconformance may include the release of a nonconforming product, regulatory noncompliance, or delays in manufacturing or market release. It may also trigger audit findings, inspection observations, or mandatory reporting as per FDA or EU MDR requirements.

Within a QMS, major nonconformances require immediate containment, a structured root cause analysis, and documented CAPA aligned with risk management processes. Associated risk assessments should be reviewed and updated as needed. All actions must be implemented, verified for effectiveness, and fully documented in line with internal procedures and applicable regulatory requirements.

Regulatory authorities require that major nonconformances be escalated and managed with urgency and documented evidence of effective resolution. Standards and frameworks such as ISO 9001:2015, ISO 13485:2016, IATF 16949, AS9100, EU GMP, and ICH Q10 require organizations to control nonconforming outputs. Control of nonconforming product involves segregation, identification, and documented evaluation to prevent unintended use or delivery. Control of nonconforming product also extends to addressing systemic causes when multiple processes are affected.

Major nonconformances often require corrective actions to be initiated with immediate effect. Corrective actions may include process revalidation, personnel retraining, procedural updates, or system-level changes to quality system processes. Preventive actions may also be initiated to address the potential occurrence of the initial nonconformance in other product lines, sites, or systems.

Major Nonconformance Examples

Examples of major nonconformances are listed below.

  • Omission of Required Process Step in a Validated Procedure: A production technician skips a mandatory step in a validated manufacturing process, such as torque verification in device assembly. This constitutes a major nonconformance as failure to follow controlled procedures affected the final product’s quality.
  • Failure to Implement Change Control Procedures: A design modification is introduced without following the required change control process. Non-adherence to the change control procedure introduces risks for both regulatory compliance and traceability. Therefore, failure or mismanagement of change control procedures is a major nonconformance.
  • Incomplete or Missing Training Records for Key Personnel: During an audit, training records for staff performing critical operations are found to be outdated or missing. Absence of training records indicates that personnel may not be adequately qualified to perform assigned duties. Such a lapse could significantly affect product or process quality and is therefore considered a major nonconformance.
  • Lack of Supplier Qualification Documentation: A supplier is used for a critical component without documented qualification or approval. Inadequate supplier evaluation or the absence of supplier control procedures may impact the reliability of externally provided products. This affects both regulatory compliance and final product quality and is therefore considered a major nonconformance.
  • Incorrect Labelling of Non-Sterile Products as Sterile: A batch of non-sterile products is mislabeled as sterile. The batches are identified and quarantined before release. The mislabelling error could reflect an insufficient label control process. Mislabelling errors affect product safety and are therefore a major nonconformance.

Critical Nonconformance

A critical nonconformance is a failure that results in, or has the potential to result in, significant risk to patient safety, product quality, or regulatory noncompliance. Critical nonconformance often arises from a fundamental breakdown in the quality management system. Critical nonconformances must be treated as a top-priority quality event and often necessitate immediate containment, comprehensive root cause analysis, and executive-level oversight.

Critical nonconformances are classified based on their direct impact on product safety, intended use, or failure to meet mandatory specifications, procedures, or applicable regulatory requirements. Critical nonconformances typically include release or distribution of nonconforming products, falsification or absence of required records, and systemic QMS issues such as ineffective management review or uncontrolled design changes.

The consequences of a critical nonconformance may include product recalls, regulatory enforcement actions (such as FDA 483 observations, warning letters, and CE certificate suspensions), and potential legal liability. Critical nonconformances could also trigger unannounced inspections or intensified regulatory oversight.

Within a compliant QMS, critical nonconformances must be immediately contained and escalated to quality and regulatory functions. Critical nonconformances require structured root cause analysis, such as 5 Whys. Critical nonconformances also require risk-based corrective and preventive actions (CAPA) aligned with ISO 13485, 21 CFR Part 820, 21 CFR Part 211, or other applicable industry standards. Interim controls must be implemented to prevent further risk exposure until permanent corrective actions are verified and closed. Regulatory authorities expect nonconformities to be addressed in a timely and effective manner. CAPAs must address systemic gaps and include objective evidence of effectiveness, such as procedural revisions, retraining, revalidation, and documented verification of compliance. All records must be maintained in a controlled environment with audit trail functionality to meet traceability requirements.

Critical Nonconformance Examples

Examples of critical nonconformances are listed below.

  • Release of Product Without Required Testing: A batch of finished products is released to market without completing final sterility testing. Bypassing an essential quality control step introduces unacceptable risk to patient safety. Such an occurrence is classified as a critical nonconformance.
  • Use of Expired Raw Materials in Production: A production lot is manufactured using expired critical raw materials due to insufficient inventory control. The lapse directly affects product quality and could compromise product efficacy or safety; therefore, it constitutes a critical nonconformance.
  • Failure to Implement Previously Committed Regulatory Corrections: A corrective action plan submitted to a regulatory authority is not implemented as promised during a follow-up inspection. This places the organization at risk of enforcement action or market withdrawal and is therefore classified as a critical nonconformance.

What Are the Causes of Nonconformance?

Nonconformances arise from gaps in people, processes, equipment, or systems that prevent outputs from meeting defined requirements.

The different causes of nonconformance are listed below.

  • Human Error: Human error consists of mistakes such as incorrect data entry, skipped process steps, or mislabeling during packaging. Human errors can lead to nonconforming outputs such as inaccurate batch records or mislabeled finished products. These errors could be due to inadequate training, unclear instructions, or insufficient supervision, among others.
  • Process Deficiencies: Process deficiencies arise when processes are inadequately defined or controlled, resulting in inconsistent outputs or failure to meet specified requirements. Process deficiencies may include the absence of in-process controls or inadequate validation of critical parameters. Examples include missing documented work instructions for a critical operation or failure to validate sterilization processes.
  • Equipment Issues: Malfunctioning, unqualified, or poorly calibrated equipment can introduce deviations from specifications. For example, an uncalibrated scale that produces inaccurate weights results in defective batches.
  • Material or Component Quality: Incoming materials or components that fail to meet specifications create downstream risks. For instance, a substandard raw material supplied without proper certificates of analysis can compromise the final product.
  • Documentation and Record-Keeping Gaps: Missing, incomplete, or outdated records create nonconformances by compromising traceability and violating regulatory documentation requirements. For example, an SOP in use that has not been updated after a process change.
  • Supplier or Vendor Noncompliance: Nonconformance can result from suppliers or service providers not adhering to defined specifications, regulatory requirements, or quality agreements. This often reflects inadequate supplier qualification, monitoring, or change control processes. For example, delivery of sterilized components without validated sterilization records constitutes a major nonconformance.
  • Environmental Conditions: Nonconformance may occur when controlled environmental parameters are not maintained within specified limits. Deviations include temperature excursions, uncontrolled humidity, or failure to sustain required cleanroom classifications. For instance, loss of particulate control in a cleanroom can result in non-sterile or contaminated products.
  • Systemic or Management Failures: Weak quality culture, lack of oversight, or insufficient resourcing lead to systemic nonconformances. This includes inadequate CAPA follow-up or failure by management to review and to act on recurring quality trends.

What Is the Nonconformance Management Process?

The nonconformance management process refers to a systematic and documented sequence of activities required to detect, assess, control, and resolve nonconformities.

The steps in the nonconformance management process are listed below.

  1. Identification and Reporting: The identification and reporting process involves the detection and formal reporting of a nonconformance by personnel or through automated quality control checks.
  2. Documentation: All nonconformances must be formally documented in a controlled system, including relevant details such as date, location, product or process involved, and initial observations.
  3. Containment and Segregation: Immediate containment actions are implemented to isolate affected products, halt associated processes, and prevent further impact.
  4. Initial Assessment: A preliminary risk assessment is conducted to evaluate the potential severity, frequency, and detectability of the nonconformance.
  5. Investigation: A structured root cause analysis (RCA) is carried out to identify systemic, process-based, or procedural causes that led to the nonconformance.
  6. Evaluation of Impact: An impact analysis is performed to assess the effect on product quality, patient safety, regulatory compliance, or customer satisfaction. This includes reviewing historical batches or trends.
  7. Classification: The nonconformance is classified by severity (minor, major, or critical) according to predefined risk-based criteria. The risk classification determines the level of investigation and CAPA.
  8. Disposition: A risk-based disposition decision is made on the handling of nonconforming items (e.g., rejection, rework, or acceptance under concession) based on investigation results and impact on quality, safety, and compliance, with the outcome documented and controlled.
  9. Corrective and Preventive Action (CAPA): CAPA is initiated where required to address the root cause and prevent recurrence.
  10. Effectiveness Verification: Effectiveness checks are conducted to verify whether corrective actions have resolved the identified nonconformance and mitigated the risk of recurrence.
  11. Closure: Once verified, the nonconformance record is formally closed with documented evidence of resolution, approval by authorized personnel, and inclusion in quality metrics and management review.

1. Identification and Reporting

The first step in the nonconformance management process is identifying and reporting the nonconformance. This step is critical for initiating timely containment, corrective action, and securing regulatory compliance.

The primary objective of nonconformance identification and reporting is to ensure that any failure to meet approved specifications, procedures, or regulatory requirements is promptly recognized, accurately documented, and escalated for evaluation. This includes deviations identified during in-process inspections, final product release, audits, and customer complaints.

Key activities include identifying the nonconformance, documenting it in the nonconformance record or quality event management system, and notifying the appropriate quality personnel. Operators, inspectors, or any employee who detects a nonconformance is responsible for initiating the report using controlled forms in the QMS. The record must include a detailed description of the issue, affected materials or lots, date and location of detection, and responsible parties.

Timely identification and reporting enable early containment of potentially defective or noncompliant products, minimizing downstream risks and maintaining compliance.

Where appropriate, nonconformance dispensations or nonconformance concessions may be initiated during this phase. A dispensation is a formal approval to proceed with a known nonconformance under defined conditions prior to use. A concession is granted after the nonconformance is discovered, allowing for conditional release or use of nonconforming material. Both dispensation and concession require documented justification, risk assessment, and approval from authorized quality and/or regulatory personnel. However, formal disposition decisions shall be made following completion of the investigation and impact assessment to ensure decisions are aligned with the verified root cause and risk evaluation.

For example, if a minor printing error is found on labeling that does not affect readability or regulatory compliance, a concession may be documented and approved, allowing release of the product. Such exceptions must be logged in the nonconformance record and linked to risk mitigation activities.

Identification and reporting directly feed into the documentation step, where the nonconformance is formally captured, reviewed, and assigned for further investigation and classification.

2. Documentation

The second step in the nonconformance management process is documentation. Documentation ensures that all relevant details of the identified nonconformance are formally recorded in a controlled and traceable manner.

The primary purpose of documentation is to establish an auditable record that captures the nature, scope, and context of the nonconformance, enabling accurate assessment, investigation, and resolution. It provides the foundation for risk-based decision-making throughout the nonconformance workflow.

Key activities include entering all necessary information into the Nonconformance Report (NCR) or digital QMS record. This includes a detailed description of the issue, affected materials or components (such as the batch number), the date of occurrence, detection point, requirement violated, and responsible departments. Quality Assurance (QA) personnel or designated system users are typically responsible for completing or verifying the documentation to ensure accuracy and completeness. All entries must follow Good Documentation Practices (GDP), comply with the organization's standard operating procedure (SOP) for nonconformance, and adhere to applicable regulatory requirements.

Thorough documentation is critical for maintaining data integrity and supporting root cause analysis. Incomplete or inaccurate documentation can compromise investigations and lead to ineffective corrective actions. For example, if a missing inspection record is discovered during final release, the nonconformance documentation should specify the missing document, associated batch, product stage, date of occurrence, and any initial impact assessments performed. Such information directly supports the subsequent initial assessment and containment phases.

Complete and compliant documentation is a prerequisite for progressing to the next step in the process.

3. Containment and Segregation

The third step in the nonconformance management process is containment and segregation. This step ensures that any affected product, equipment, or process is immediately isolated and controlled to prevent further quality or safety risks.

The purpose of containment and segregation is to implement swift and effective interim controls to halt the impact of the nonconformance while the root cause is under investigation. Interim controls are especially critical when a defective product may have already entered downstream processes or reached the market.

Key activities include physical or electronic quarantine of affected lots, halting production lines, placing product on quality hold, issuing notifications, and initiating temporary procedural changes. QA and production typically coordinate this activity.

Effective containment prevents the use or distribution of nonconforming material and demonstrates robust regulatory control. For example, if a batch of raw material fails identification testing, it must be immediately quarantined and labeled as ‘Rejected’ in both physical and electronic inventory systems. All batches produced using that material are placed on hold pending further investigation.

4. Initial Assessment

The fourth step in the nonconformance management process is initial assessment. Initial assessment evaluates the immediate severity, potential risk, and scope of the identified nonconformance.

The purpose of the initial assessment is to determine whether the nonconformance poses a critical risk to product quality, patient safety, or regulatory compliance, and to prioritize actions accordingly. A preliminary risk-based assessment of the identified nonconformance enables appropriate resourcing and escalation pathways.

Key activities include a preliminary risk evaluation conducted by Quality Assurance or a cross-functional team to assess the severity, occurrence, and detectability of the identified nonconformance. A risk evaluation typically involves reviewing available data, assessing whether the nonconformity identified is isolated or systemic, and determining whether immediate escalation or batch quarantine is necessary. An initial risk-based classification (e.g., minor, major, critical) may be determined at this stage. Initial assessment also verifies that containment measures previously implemented provide adequate control. Final classification shall be confirmed following completion of the investigation and comprehensive impact assessment, once the full scope and verified root cause of the nonconformance are established.

Initial assessments are crucial for triaging nonconformances, ensuring swift mitigation of high-risk events, and providing an early decision on whether a full investigation is required. For example, if a sterility breach is suspected during aseptic processing, the initial assessment would immediately escalate the event, verify containment effectiveness, and determine the need for formal investigation and potential regulatory notification.

This initial assessment step sets the stage for the investigation phase to identify underlying causes for the nonconformance.

5. Investigation

The fifth step in the nonconformance management process is investigation. The investigation phase determines the underlying root cause of the nonconformance using structured problem-solving tools.

The purpose of the investigation is to ensure that effective and appropriate corrective actions are initiated based on evidence, facts, and a clear understanding of the sequence of events that led to the nonconformance. Investigations can reveal root causes in one or more areas, including process control gaps, inadequate documentation, insufficient training, equipment malfunction, or supplier-related issues.

Key activities involve root cause analysis using methodologies such as 5 Whys, Fishbone (Ishikawa), or fault tree analysis. Cross-functional teams often participate in the investigation, reviewing evidence such as batch records, equipment logs, and training files, and performing interviews with personnel involved, to identify root causes. The outputs of the investigation directly inform the evaluation of impact and the development of appropriate CAPA.

6. Evaluation of Impact

The sixth step in the nonconformance management process is evaluation of impact. The evaluation of impact stage assesses the consequences of the nonconformance on the released product, in-process material, and patient safety, among other factors, based on the complete investigation data.

The purpose is to conduct a thorough evaluation to determine whether the nonconformance has affected product integrity, regulatory compliance, or customer trust, and whether further action is warranted to secure them.

Key activities include product impact assessment, lot history review, trending of similar events, and stability data analysis. Subject matter experts and QA evaluate the severity and risk of the potential impact. Impact evaluation ensures that appropriate risk-based decisions are made and documented. For example, if a fill-weight deviation is detected post-release, QA initially assesses potentially affected lots and initiates customer notifications as needed. Root cause analysis subsequently identifies an equipment calibration drift over a 2-week period. In such cases, the impact assessment must be extended to include all lots manufactured during the affected period, including a review of stability and trending data. A documented risk evaluation should be conducted to confirm that the product remains safe, effective, and compliant despite the deviation.

7. Classification

The seventh step in the nonconformance management process is classification. The classification step formally determines the risk level of the nonconformance. Nonconformances are typically categorized as critical, major, or minor, based on risk to product quality, patient/end user safety, and compliance.

The purpose of classification is to ensure consistent risk-based prioritization and regulatory alignment. The assigned classification determines incident reporting obligations, resource allocation, and the scope of CAPA activities.

Key activities involve applying internal classification criteria such as potential impact on product quality or safety, degree of regulatory noncompliance, and recurrence or history of similar issues.

QA generally leads nonconformance classification with cross-functional input as needed. For example, a major nonconformance could involve an out-of-specification sterility test, which directly impacts product quality. A minor issue could involve a missing operator signature detected during batch review.

Nonconformances involving dispensations (authorized deviations before production) or concessions (acceptance of nonconforming product) often require automatic elevation in classification due to intentional deviation from standard or approved requirements. Dispensations and concessions are formal decisions to accept or manage risk, requiring documented justification and traceability to ensure safe use. The outcome of the classification directly determines whether a CAPA is required and defines the level of action needed to address the nonconformance.

8. Disposition

The eighth step in the nonconformance management process is disposition. Disposition determines the outcome for nonconforming materials, components, or products. This step ensures that all nonconforming items are controlled appropriately to prevent unintended use or release.

The purpose of disposition is to document a risk-based decision regarding the management of nonconforming items, considering the impact on product quality, safety, and compliance. Any residual risk must be assessed, mitigated, and documented.

Key activities include reviewing investigation results and classification outcomes to determine appropriate disposition actions. Depending on the risk assessment and nature of the nonconformance, items may be rejected, reworked, regraded, or accepted under concession or dispensation. Each decision must be justified based on evidence, supported by risk evaluation, and documented in the Nonconformance Report.

All disposition decisions must be reviewed and approved by QA.

9. Corrective and Preventive Action (CAPA)

The ninth step in the nonconformance management process is corrective and preventive action (CAPA). CAPAs ensure that root causes are effectively addressed and recurrence is systematically prevented.

The purpose of CAPA is to implement effective corrective actions that eliminate the identified causes of a nonconformance and to establish preventive measures, as required, to reduce the likelihood of similar issues occurring elsewhere in the process or system.

Key activities include defining corrective actions such as procedure revisions, equipment modifications, or retraining. Preventive actions may also be implemented, where appropriate, such as improving documentation practices and updating training programs. Responsibilities, timelines, and effectiveness checks must be clearly defined.

All CAPAs are tracked in the quality system with closure criteria. For example, if a nonconformance occurred due to incorrect batch record entry, a CAPA might include redesigning the form to reduce ambiguity and retraining operators.

CAPA implementation is followed by a verification step to confirm effectiveness.

10. Effectiveness Verification

Effectiveness verification confirms that implemented CAPAs have effectively eliminated the root cause of the identified nonconformance and prevented its recurrence. The effectiveness verification step is typically performed by QA and must be documented with objective evidence.

Examples of effectiveness verification include assessing process or performance data after CAPA implementation to confirm no recurrence using trend analysis or the monitoring of KPIs. Verification is considered complete when objective evidence demonstrates that the root cause has been sufficiently addressed by the corrective and preventive actions initiated. For example, a software change was implemented to prevent data-entry errors. Effectiveness verification confirms that data-entry errors have been eliminated or significantly reduced over a defined monitoring period. Elimination or significant reduction in errors can be confirmed by reviewing post-implementation performance metrics or user feedback. Once effectiveness is demonstrated and no recurrence is observed, the nonconformance can be formally closed.

11. Closure

The final step in the nonconformance management process is closure. The closure step formally concludes the nonconformance record in the quality system after all actions have been completed, verified, and documented.

The purpose of the closure step is to formally document that all corrective and preventive actions have been completed, verified for effectiveness, and approved by Quality Assurance to ensure full compliance and readiness for audit.

Key activities include QA review of the entire record, ensuring completeness, accuracy, documented justifications, and CAPA implementation and effectiveness. Closure requires final QA approval before archiving the nonconformance record in the QMS.

Closure ensures data integrity, supports inspections, and enables trend analysis. For example, a closed record may include linked deviations, impacted lots, documentation of CAPA implementation, and effectiveness checks.

Closure marks the formal end of the quality event lifecycle and may feed into periodic management review or nonconformance trend reports.

What Is a Nonconformance Report (NCR)?

A Nonconformance Report (NCR) is a formal document used to identify, document, and track deviations from approved specifications, procedures, or regulatory requirements. NCRs are a critical tool in quality management systems for ensuring traceability, accountability, and resolution of quality issues.

The purpose of a nonconformance report is to capture nonconformances in a controlled and auditable manner, perform robust investigation, implement corrective actions to prevent recurrences of nonconformances, and ensure regulatory compliance.

A typical NCR includes essential details such as the nonconformance description, affected product or process, date and location of occurrence, responsible department, risk classification, containment actions, root cause analysis, and corrective/preventive actions.

In most organizations, quality assurance or quality control personnel initiate the NCR. However, cross-functional inputs may be required for review. Final approval is typically overseen by QA management to ensure compliance with internal SOPs and applicable regulations.

The NCR serves as input to the CAPA, trend analysis, audits, and management reviews. The NCR is a structured record from issue detection to resolution and serves as objective evidence during inspections.

The NCR template is configured to reflect the organization’s QMS requirements, risk management procedures, and any industry-specific requirements. You can download our free nonconformance report template sample in Microsoft Word format.

How to Write a Nonconformance Report?

The steps involved in writing a nonconformance report are listed below. The steps are outlined in a logical sequence. However, some activities, such as containment, investigation, or impact assessment, may be performed in parallel based on the complexity of the nonconformance.

  1. Describe the Nonconformance: Document the issue clearly and factually, including what was observed, where and when it occurred, the affected product or lot, and supporting data. Identify the nonconformance type and its potential severity or risk level.
  2. Assign an NCR Number: Generate a unique identifier using your QMS or eQMS system. This enables traceability and supports document control during audits and investigations.
  3. Reference the Applicable Standard or Requirement: Cite the SOP, specification, or regulatory clause not met to ensure traceability to the relevant standard or regulatory requirement.
  4. Initiate Containment Actions: Implement immediate measures to isolate or control nonconforming material or output, such as segregating affected items or issuing a product recall. Record all containment steps taken to control the identified nonconformance.
  5. Conduct a Bracketing (Impact) Assessment: Assess the full scope of impact using traceability data to identify related lots or equipment runs that may be affected. Extend containment and evaluation to all potentially impacted areas where applicable to ensure product quality and compliance are maintained.
  6. Determine Product Disposition: Determine the handling of the affected product or process, such as rework, regrade, use-as-is, or scrap. Each decision must be supported by a risk assessment. Final disposition requires review and approval by authorized quality personnel to ensure compliance and product quality. 
  7. Conduct Root Cause Analysis: Apply a validated methodology such as 5 Whys, Ishikawa Diagram, or Failure Mode and Effects Analysis (FMEA) to determine the underlying cause(s).
  8. Define Corrective Actions: Define corrective actions to address the root cause of the nonconformance, to restore compliance, and control the affected product or processes.
  9. Define Preventive Actions: Include preventive actions, when applicable, for example, if the RCA or corrective actions reveal a potential risk to other processes, products, or departments that have not yet experienced the issue.
  10. Submit for Review and Approval: Route the NCR for review, ensuring all required fields are completed, objective evidence is attached, and applicable requirements are met before approval.
  11. Follow Up and Close: Verify the effectiveness of corrective and preventive actions, where applicable. Document closure and archive the record in accordance with retention requirements.

What Are Nonconformance-Related Regulatory and Compliance Requirements?

Regulatory and compliance requirements related to nonconformance are defined across various international standards and regulations as listed below.

  • ISO 9001:2015: ISO 9001:2015 is a global quality management standard. Clause 8.7 requires organizations to identify and control nonconforming outputs by ensuring appropriate actions (e.g., correction, segregation, or approved concessions) are documented and authorized. Clause 10.2 requires organizations to establish a process for identifying and documenting nonconformities. Clause 10.2 also requires the organization to identify the root cause of the nonconformity and implement corrective actions to prevent recurrence.
  • ISO 13485:2016: ISO 13485:2016 is a quality management standard specific to medical devices. Clause 8.3 requires organizations to establish processes for the control of products not conforming to product requirements. Organizations are also required to identify and control these products to ensure that they are not used and distributed further. This process needs to be documented and maintained. Clause 8.5 of ISO 13485 requires organizations to identify root causes of nonconformities, implement timely actions, and verify effectiveness to prevent recurrence.
  • FDA 21 CFR Part 820: 21 CFR Part 820 governs quality system requirements for medical devices in the United States. 21 CFR Part 820.90 requires medical device manufacturers to establish and maintain procedures for controlling products that do not meet specified requirements. The regulation also requires that evaluations include the determination of the need for investigation, and that all evaluations and investigations are documented.
  • FDA 21 CFR Part 211: 21 CFR Part 211 sets cGMP requirements for finished pharmaceuticals. Section 211.192 requires thorough investigations of any discrepancies or batch failures to meet specifications, with documentation of findings and follow-up actions.
  • EU MDR 2017/745 and EU IVDR 2017/746: The EU MDR and EU IVDR are European regulations that establish requirements for the safety and performance of medical devices and in vitro diagnostics. These regulations require manufacturers to establish and maintain a quality management system (QMS) that includes processes for CAPA, complaint handling, and post-market surveillance. These activities depend on the effective identification and control of nonconforming products and processes.
  • ICH Q10: ICH Q10 provides guidelines for pharmaceutical quality systems. It addresses the management of nonconformances through its CAPA, process and product monitoring, and management review systems.
  • EU GMP: The EU Good Manufacturing Practice (GMP) guidelines establish rules governing medicinal products in the European Union. As per Section 1.8, any significant deviations are fully recorded, investigated with the objective of determining the root cause, and appropriate corrective and preventive actions are implemented.
  • MDSAP: The Medical Device Single Audit Program (MDSAP) provides a unified auditing framework recognized by multiple regulatory authorities and is aligned with ISO 13485 requirements for nonconforming product, investigation, and CAPA. In Chapter 3, Task 8 requires organizations to ensure that nonconforming products are identified and controlled to prevent their unintended use or delivery. Tasks 3 and 4 address the investigation of nonconforming material, and Task 5 covers CAPA implementation.
  • WHO GMP: The World Health Organization (WHO) GMP guidelines set global standards for pharmaceutical manufacturing. As per Annex 2, Chapter 1 (Pharmaceutical quality system), step 1.5, deviations, suspected product defects, and other problems must be reported, investigated, and recorded, as appropriate. Root cause analysis should be performed to identify the root cause and implement appropriate corrective actions and/or preventive actions (CAPAs). The effectiveness of CAPAs should be monitored.

What Is the Cost of Conformance and Nonconformance?

The Cost of Conformance (CoC) represents the total investment a company makes to ensure its products or services meet defined quality requirements. Costs of conformance are proactive costs, including both prevention activities, such as quality planning and employee training, and appraisal activities like calibration, quality audits, and final batch release testing. Together, these efforts aim to prevent quality issues before products reach the customer.

The Cost of Nonconformance (CoNC) refers to the expenses incurred when products or processes fail to meet specified quality standards. Costs of nonconformance are reactive costs and can occur internally through rework, scrap, or failed batch investigations, or externally, through customer complaints, product recalls, field corrections, or regulatory enforcement actions.

Balancing CoC and CoNC is essential for maintaining an effective quality management system. Investing appropriately in prevention and appraisal activities strengthens process control, minimizes deviations and CAPAs, and reduces the risk of regulatory findings. Achieving this balance supports sustained compliance, consistent product quality, and long-term customer confidence.

How To Prevent Nonconformances or Minimize Risk?

To prevent nonconformances and minimize risk, quality-driven organizations must take a proactive, process-based approach aligned with risk-based thinking and continuous improvement principles. This involves implementing controls at critical control points (CCPs), maintaining a state of control across systems, and ensuring compliance with applicable regulatory requirements and quality standards.

Steps that can be considered to prevent nonconformances and minimize risk are listed below.

  1. Strengthen Training and Competency Programs: Maintain an approved, controlled training matrix linked to job roles and GMP-relevant tasks. Training records should be tracked in a controlled system, with periodic requalification to ensure personnel remain compliant and competent in executing current SOPs and work instructions.
  2. Implement Robust Risk Assessments: Use formal risk management tools such as FMEA (Failure Mode and Effects Analysis), HACCP (Hazard Analysis and Critical Control Points), or ISO 14971 risk files to identify, quantify, and prioritize risk across product life cycle stages. Documented risk mitigation measures should be traceable to the assessed risk level and reviewed periodically.
  3. Standardize and Update Procedures (SOPs): Maintain SOPs under document control with defined change control procedures. SOPs must reflect validated processes, include version history, and require periodic review and approval by QA to ensure alignment with current regulatory expectations and process requirements.
  4. Improve Supplier and Material Controls: Implement a risk-based supplier qualification and audit program, including supplier quality agreements (SQAs) and material specifications. Incoming materials should be subject to sampling plans with traceability through batch/lot records.
  5. Conduct Internal Audits and Self-Inspections: Perform scheduled internal audits per a documented audit program, covering all quality system elements such as CAPA, change control, or batch release. Self-inspections should be documented with follow-up on corrective actions and tracked to closure under QA oversight.
  6. Integrate CAPA Effectively: CAPA should be triggered based on trend analysis from deviations, audit findings, or complaints, with root cause analysis (RCA) tools like 5 Whys or fishbone diagrams. All CAPAs must include effectiveness checks, defined deadlines, and documented QA review and approval.
  7. Use Process Validation and Continuous Monitoring: Validate manufacturing processes per process design, qualification, and verification. Use Statistical Process Control (SPC) for ongoing monitoring and early signal detection.
  8. Promote a Quality-First Culture: Encourage cross-functional accountability for quality through visible management support, Quality Metrics programs, and GMP reminders. Promote “see something, report it” behavior via anonymous reporting tools, deviation logs, and open-door QA communication policies.
  9. Consider Implementing QMS Software: Deploy a validated electronic QMS (eQMS) platform to manage document control, training, nonconformance handling, audit tracking, CAPA, and change control workflows. Integrate it with business process software, such as Enterprise Resource Planning (ERP) systems, to improve traceability.
  10. Equipment and Facility Management: Maintain validated equipment and controlled facilities through calibration, preventive maintenance, environmental monitoring, and documented qualification.

How Does QMS Software Support Efficient Nonconformance Management?

QMS software with nonconformance management capabilities provides a centralized, validated environment for recording, evaluating, and resolving nonconformances in compliance with regulatory and quality system requirements.

An eQMS integrates structured workflows and version-controlled documentation. This ensures procedural consistency and supports adherence to SOPs and applicable regulatory requirements. An eQMS also ensures traceability across the product lifecycle and supports closed-loop quality processes from issue identification to CAPA. In addition, it maintains data integrity through audit trails and electronic signatures compliant with 21 CFR Part 11 and EU Annex 11 requirements. For QA professionals, QMS software supports faster containment, clearer accountability, and reduced risk of compliance gaps during audits.

The QMS software functionalities that assist with nonconformance management are listed below.

  • Structured Nonconformance Intake Forms: Standardized digital forms ensure consistent capture of critical details such as event description, lot/batch number, affected product, date/time of occurrence, and initial classification.
  • Workflow Automation with Role-Based Tasks: Automates the routing of nonconformance records to appropriate functional roles, such as QA reviewers and approvers, with escalation rules to prevent delays or bottlenecks.
  • Integrated Root Cause Analysis (RCA): Supports quality investigations using methodologies such as 5 Whys, Ishikawa, and Fault Tree Analysis (FTA).
  • Linkage to CAPA and Risk Management Modules: Enables seamless transition to CAPA, incorporating risk assessments, severity/occurrence analysis, and updating the risk management file. 
  • Audit-Ready Documentation with eSignatures: Ensures compliance with 21 CFR Part 11 and EU Annex 11 requirements through secure, time-stamped audit trails and compliant electronic signatures.
  • Nonconformance Reporting and Trend Analysis: Highlights recurring nonconformance patterns, supporting proactive quality improvements and early issue detection.

SimplerQMS is a fully validated QMS solution tailored for life science companies, including medical device and pharmaceutical companies. SimplerQMS supports a wide range of quality processes, including nonconformance management.

SimplerQMS includes built-in support for ISO 13485, 21 CFR Part 820, EU MDR/IVDR, EU GMP, ICH Q10, and other regulatory frameworks. It helps quality and regulatory teams maintain inspection readiness and ensure compliance with electronic record requirements. The system also streamlines documentation control and record management, reducing the workload and compliance risks associated with manual or hybrid processes.

SimplerQMS helps RA/QA teams manage nonconformances efficiently, escalate issues when needed, and document actions with full traceability.