Mastering Non-Conformance Reports: A Guide for Quality Management

How do you log and deal with non-conformities so that faulty products don't end up in the hands of customers? How do you make that process the 'way you do things' as a business without disrupting the way you work whenever an issue is uncovered? It all starts with your non-conformance reporting.

What is a non-conformance?

In quality terms, a non-conformance or non-conformity is any output that doesn't meet requirements, specifications or expectations. Non-conformities can arise in materials, products, and software, as well as in services and working practices.

What is a non-conformance report?

A non-conformance report (NCR) is a documented identification of a deviation or noncompliance from established standards, specifications, or procedures raised within a quality management system (QMS). The purpose of an NCR is to formally record the details and severity of the nonconformity, in order to trigger appropriate corrective and preventive action.

Why do non-conformances matter?

Quality is often defined as the ability to meet requirements.

When a product doesn't function as it should, when a component arrives damaged at a factory, or when a machine operator does not follow documented SOPs, an output has not conformed to expectations. All these events should be logged as quality failures, their potential impact assessed, and required actions taken to correct the problem.

Each non-conformity might be a quality failure, but different incidents can represent different levels of severity and risk for your company.

Very minor non-conformities may be merely irritating or disappointing – a small scratch on a product or a failure of someone to correctly carry out a job. Severe or critical non-conformities, on the other hand, can be costly, damaging, or even life-threatening.

Who needs to control non-conforming products?

Every business should have a way to ensure quality is monitored and issues acted on to prevent waste and customer dissatisfaction. But for some, this is an absolute requirement.

For example, those working in high-tech businesses or medical device developers who need to gain ISO 9001 or ISO 13485 must have a formal, documented NCR process in place to meet the standards.

Both ISO 9001 and ISO 13485 say you must 'identify and control' non-conformities in your products and services. Here's how ISO 13485 describes it:

"The organisation shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery."

Both standards require you to have a system in place that will document NCRs and determine any actions that need to be taken in a way that is proportional to the risk involved. 

How do you identify and control non-conformances?

1. Put a documented process in place

In order for your Quality Management System to help you capture, categorise and deal with non-conformances when discovered, you should:

  • Have a documented NCR process that everyone in your organisation can consistently follow to report on defects, assess severity, and determine next steps.
  • Keep accurate records of defects so that trends in non-conformities can be analysed and reported to senior management. This will help you deliver on the proactive CAPA requirements specified in standards like ISO 13485.

When a non-conformance (such as a problem with a component) is detected, your team have a range of options available to resolve the situation. But how do they determine which approach is most suitable and ensure required follow-up actions are taken?

2. Fill out your non-conformance report (NCR)

A non-conformance report should be raised that can:

  • Capture the details of the identified non-conformance, such as the day, date, description of the defect, and whether it is of internal origin or a customer complaint.
  • Categorise its severity—determining if it is a critical, major, or minor non-conformance.
  • Record any immediate corrections undertaken.
  • Trigger a full CAPA (Corrective and Preventive Actions) process when required.
  • Contribute to your data-gathering process, to spot trends and prevent future incidents.

3. Categorise non-conformance type to trigger suitable responses

Some non-conformities are so severe they need immediate investigation to fix a problem that could have a devastating impact on your business or your end users. For example, defects in medical device components may have life-threatening consequences. Other non-conformances may have a less serious impact on your business or end users, but will still require correction and investigation. There are also those non-conformities that would be good to fix but are not urgent - they can be subject to a separate 'Opportunity for Improvement' (OFI) process.

Every business is different and will have different tolerance levels to non-conformities, depending on the sector you work in and the applicable standards. But having clear definitions for different levels of NC severity will help your team develop a consistent and repeatable process for handling them.

How should you categorise your non-conformances?

Type of non-conformity

  • "Drop everything and fix this immediately": Existential risk, health/welfare risk, uncontrolled product/service, security breach, substantial data loss, major business failure, severe cost impact.
  • "Make this a high priority": Significant quality risk, high failure rate/waste, consistent rework, many bugs/service failures, non-compliance, inappropriate processes, unmet customer expectations, wasted effort.
  • "Fix this when you can": No significant quality risk, higher waste/rework, more bugs than desired, partial compliance, errors in QMS documents, partial customer expectation compliance, significant wasted effort.
  • Opportunity for improvement, "You might like to think about...": Non-systematic one-offs, ways to improve, best practice suggestions, minor errors (typos/clarifications), ideas for investigation, modest wasted effort.

You can download Cognidox's suggested severity definitions to help develop a system that works for you.

4. Take action and document the steps taken

Once you've identified a non-conformance, immediate action should be taken to:

  • Record the defect.
  • Assess its potential impact on end users.
  • Inform all relevant stakeholders.
  • Make any required corrections to contain its impact.

When you come across a non-conformance, the different actions you can undertake may include:

  • Eliminate the non-conformity (e.g. rework a faulty product).
  • Avoid using it (e.g. scrap a faulty product or return to the supplier).
  • Accept it under concession (with records kept of the justification and those responsible for it).
  • Permanently change the requirements and accept the product unconditionally.
  • Look for other instances of this or similar non-conformities to determine if the problem is part of a pattern.
  • Trigger a CAPA process to determine root cause and correct a systemic problem.

It should be noted that not every non-conformance report warrants launching a full CAPA (Corrective and Preventive Action) process.

If it's a one-off failure, it may be enough to remove the offending article from circulation and make a note of the problem. But you should have a system in place to make that assessment and trigger an investigation where a systemic issue is suspected. You need a process to identify and correct the root cause of any major non-conformity or defect that may threaten to recur.

What about non-conformities detected in products that are already on sale?

If a non-conforming product is detected after delivery, the action taken should be appropriate to the effects, real or potential, of the non-conformity e.g. recall, rework in the field, restrictions on usage etc.

Using NC data proactively to trigger preventive action

But it doesn't stop there. You may also need a system in place to identify potential non-conformities too. This is a requirement of the ISO 13485 standard. If you've been recording quality events effectively, this data can point to failure patterns with particular suppliers or in processes that should be changed to prevent future quality issues.

5 tips to design a more effective non-conformance reporting system

Designing an effective non-conformance report (NCR) can be hard. Getting busy workers to remember and follow defined procedures can be harder. Here are some practical tips to make life easier for your team.

1. Make sure your NC report is easy to use and uncluttered

A well-designed Office document (locked for editing) is often the best way to achieve this. You don't need a full-blown electronic QMS with built-in forms to operate an effective process, but you do need a way of capturing key details that covers all requirements but doesn't intimidate and overwhelm your team.

2. Ensure your NCR process is understood throughout your organisation

A document management system with a graphical interface will help your team visualise workflows more easily. Select a system that lets you build out the workflows that support your procedures, with deep links to relevant documentation to help them execute these tasks.

What does an NCR process workflow look like?

[Figure: A sample NCR process built using Cognidox]

3. Automate your workflows - trigger CAPAs when required

Your non-conformity report needs to be automatically shared with the right individuals (or groups) to ensure they are actioned and followed up appropriately. Choose a system that lets you set up bespoke workflows for NCRs that can meet the regulation and reflect the way you work. Make sure you have a system to trigger and complete a full-blown CAPA process if required.

Alerts and reminders will tell stakeholders when actions need to be taken and ensure nothing falls through the gaps when quality is at stake.

4. Create an audit trail

Make sure your system leaves an audit trail of your NCR process, capturing details of when issues were raised, by whom, and what actions were taken. Ensure you can prove the process has been followed and the right actions triggered at the right times in your investigations.

5. Gather quality data

Make sure you're using the information you are gathering to inform your approach to quality. Make the data around NCRs and CAPAs available as part of your supplier quality management system so that you know when to take the right steps to improve performance. Recording this data will help you detect patterns and act proactively to correct potential quality issues.


The NCR process is a vital part of any Quality Management System. Get this wrong and your team may not action quality issues correctly and could miss vital opportunities to identify systemic issues.

Choose digital tools that are robust enough to meet the quality assurance requirements of ISO 13485 and ISO 9001 but can be customised to reflect the way your organisation operates. Get this balance right, and your NCR system will simply become 'the way you work' rather than a set of onerous procedures that your team are obliged to follow.

Last updated on 11/03/2024

Tags: Quality Management System, Compliance

Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and Fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.
