Nonconformance Report (NCR)

« Back to Glossary Index

What it is

Nonconformance Report (NCR) is a controlled record used to document and manage any product or process that does not meet a specified requirement. In medical devices, NCRs capture the issue, contain the risk, define disposition (e.g., rework, scrap, concession), and ensure traceable closure. They are a core Quality Management System control and feed CAPA when problems are systemic (ISO 13485:2016 §8.3; FDA 21 CFR 820.90; MDR 2017/745 Art. 10(9)).

Control nonconforming productTraceable dispositionInputs to CAPA

Regulatory framework

  • ISO 13485:2016: Control of nonconforming product (§8.3); links to corrective action (§8.5) and acceptance activities (§8.2.6).
  • US (FDA): 21 CFR 820.90 (nonconforming product control, dispositions, and rework/reevaluation §820.90(b)(2)); related records in §820.80 (acceptance), §820.184 (DHR), §820.198 (complaints), and field actions under 21 CFR 806 (if distributed product is affected).
  • EU (MDR): Manufacturer QMS must ensure control of nonconforming product and corrective actions (Art. 10(9)); traceability/UDI duties apply when product identity changes (Annex I Ch. III; Arts. 27–28).

Key elements

  • Problem statement: What failed, requirement reference, scope/quantity, and detection point (in-process, final, supplier, field).
  • Containment: Immediate segregation and status identification; risk check for released lots.
  • Disposition: Rework/repair with approved instructions; use-as-is by documented concession; scrap with reconciliation; or return to supplier.
  • Verification: Re-inspection/re-test and, where applicable, re-validation before release.
  • Traceability & records: Lot/serial, UDI, DHR links, signatures/dates, and evidence of final acceptance.

Process — how it works

  • Detect & log: Anyone who finds a nonconformance opens an NCR with requirement citation and objective evidence.
  • Contain: Quarantine affected units, stop further use, and assess impact on released product.
  • Decide disposition: Cross-functional review selects rework, repair, use-as-is (via concession), scrap, or supplier return; document rationale and approvers.
  • Execute & verify: Follow controlled work instructions; then re-inspect/re-test to verify conformity (21 CFR 820.90(b)(2)).
  • Close & trend: Close with complete records; trend NCRs and escalate to CAPA when recurrence, severity, or risk warrants it (ISO 13485 §8.5).

Common pitfalls

  • Releasing product after rework without documented re-evaluation or proper approvals.
  • Using “use-as-is” concessions routinely instead of fixing the root cause.
  • Poor requirement traceability in the NCR (no spec/standard cited), which weakens audits.
  • Skipping UDI/lot updates and DHR corrections after disposition.
  • Failing to trend NCRs and therefore missing signals that require CAPA or supplier action.

Quick checks

  • Is the failed requirement cited, not just a symptom?
  • Are containment and quantity at risk clearly defined (including released product)?
  • Does disposition have approvals and, if rework, a validated instruction and re-test record?
  • Have we trended this NCR type and opened CAPA if thresholds were crossed?
  • Do DHR/UDI/labels reflect the final accepted state?

FAQ

When do we open an NCR vs a CAPA?

Open an NCR to control a specific nonconformance. Open CAPA when issues are systemic, high risk, or recurring per your escalation rules (ISO 13485 §8.3 → §8.5).

Can we ship product under concession?

Yes, but only with documented justification, defined limits, and appropriate approvals; ensure risks are acceptable and records are traceable (ISO 13485 §8.3).

What are valid dispositions?

Rework/repair with approved instruction and re-test (21 CFR 820.90(b)(2)), use-as-is by concession, scrap, or supplier return with documented evaluation and acceptance.

Do supplier issues need NCRs?

Yes. Log supplier nonconformances, then apply risk-based controls (e.g., SCAR, incoming inspection changes) and trend performance (ISO 13485 §7.4; FDA 21 CFR 820.50).

When does an NCR become a field action?

If affected product was distributed and risk warrants action, evaluate for corrections/removals and reporting per 21 CFR 806 and MDR vigilance rules before executing.