Nonconformance

This topic is part of the SG Systems Global quality, deviation, CAPA & traceability glossary for regulated manufacturing.

Updated December 2025 • Deviation & Nonconformance (NC), Nonconformance Report (NCR), Nonconforming Material Report (NCMR), CAPA, Root Cause Analysis (RCA), SCAR, OOS, Quality Risk Management (QRM), QMS, SPC, 21 CFR 820

Nonconformance is the blunt reality check inside a quality system: something – product, process, document, equipment, label or service – did not meet a defined requirement. It is the moment where “it should have been fine” gives way to “it wasn’t, and now we have to deal with it”. A mature operation does not treat nonconformances as personal failures or paperwork to be buried; it treats them as signals that the system, the process or the assumptions are not as robust as advertised. Done well, nonconformance management turns every miss into structured learning and targeted correction. Done badly, it becomes a bureaucratic graveyard of NCR numbers nobody reads until a regulator or customer forces the issue.

“If your nonconformances only appear when an auditor is on site, you don’t have a highly compliant plant – you have a highly edited story.”

1) What Is a Nonconformance?

In quality terms, a nonconformance (NC) is any instance where a requirement is not met. Those requirements may be:

• Product requirements: specifications, tolerances, label claims, regulatory monographs.
• Process requirements: validated parameters, approved methods, SOP steps.
• System requirements: QMS procedures, training status, document control rules.
• Regulatory requirements: obligations under 21 CFR, EU GMP, ISO, GFSI, customer quality agreements.

Nonconformances are typically documented through:

• a general Nonconformance Report (NCR) for any kind of NC
• a Nonconforming Material Report (NCMR) for material- or product-specific issues
• a SCAR when supplier performance is at the root of the problem

At its core, a nonconformance is a simple idea: “this is not what we said we would do or deliver”. The complexity comes from the variety of ways that gap can appear and how seriously it should be treated.

2) Why Nonconformance Management Matters

Nonconformances are uncomfortable – they expose gaps between theory and reality. Ignoring them, however, is much more expensive than dealing with them. Nonconformance management matters because it directly affects:

• Patient / consumer safety: Product that does not meet requirements can harm people. Catching and containing nonconforming lots is basic risk control.
• Regulatory compliance: ISO, FDA, EMA, MHRA, GFSI and others all expect formal processes for identifying, documenting and reviewing nonconformities.
• Cost of poor quality (COPQ): Scrap, rework, complaints, returns, concessions and discounts are often just the visible tip of a larger nonconformance iceberg.
• Customer relationships: Repeated small issues can erode confidence faster than a single well-managed major event.
• Continuous improvement: You cannot improve a process you are unwilling to admit is failing in specific ways.

A plant with “no nonconformances” is not a world-class operation; it is a place where people avoid writing things down. A plant with a steady, well-analysed nonconformance stream and a strong closure rate is usually far closer to real control.

3) Types of Nonconformance

Not every nonconformance is created equal. Separating them into sensible categories helps you design appropriate responses.

• Product nonconformance: Finished goods or intermediates fail to meet specification – wrong strength, weight, fill level, impurity, micro result, packaging defect, label mismatch.
• Process nonconformance: Manufacturing steps performed outside approved parameters – temperature out of range, mixing time incorrect, cleaning step skipped, wrong sequence of operations.
• Material nonconformance: Raw materials, components or packaging that fail incoming or in-process checks – off-spec assay, physical defects, wrong grade, incorrect CoA or documentation.
• Documentation nonconformance: Incomplete, illegible, altered or missing records, incorrect versions of SOPs or forms in use.
• Training / competence nonconformance: Tasks performed by personnel without the required training or authorization as defined in the training matrix.
• Supplier / service nonconformance: Failures originating from suppliers, contract manufacturers, labs or logistics providers – leading to SCARs or equivalent actions.
• System nonconformance: Failures in the QMS itself – missing procedures, ineffective change control, recurring audit findings.

The label “nonconformance” should not be reserved for catastrophic defects. Minor issues, if they repeat, often tell you more about your system than the rare headline event.

4) Nonconformance vs Deviation, OOS, Complaint and CAPA

Quality jargon is messy. Four terms are frequently mixed: nonconformance, deviation, OOS and CAPA. They overlap but are not identical:

• Nonconformance: The broadest term – anything that does not meet a requirement. Many organisations use “NC” as the umbrella.
• Deviation: Often used for planned or unplanned departures from approved procedures or parameters in GxP environments. Many deviations are nonconformances; some NCs (for example, supplier paperwork issues) are not “deviations” in the narrow sense. See Deviation & Nonconformance (NC).
• OOS (Out of Specification): A test result outside predefined acceptance criteria. OOS is a type of nonconformance that triggers specific investigation requirements.
• Customer complaint: External feedback about perceived defects. Complaints often reveal underlying nonconformances that were missed or wrongly accepted internally.
• CAPA: Corrective and Preventive Action is not an event; it is the structured response to patterns of nonconformance or significant single events. You do not “have a CAPA”; you raise a CAPA because of nonconformances.

In a clean model, nonconformance is the raw fact that something is wrong; deviation, OOS and complaints are different entrance doors; CAPA is one of the possible exits when risk and recurrence justify deeper work.

5) What a Good Nonconformance Record Captures

Nonconformance records are not just flags; they are structured snapshots that future you – or an inspector – will rely on. A well-designed NCR / NCMR typically captures:

• Identification: Unique NC number, date/time opened, site/area, product, batch/lot/serial, customer (if relevant).
• Classification: Type (product, process, material, documentation, supplier, system), severity (critical/major/minor), GxP relevance.
• Description of the event: Clear, factual description of what was observed – no theories, no blame, no “probably”.
• Requirements breached: Specs, SOPs, standards or contracts that were not met – linked to document numbers and versions.
• Immediate containment: Actions to stop the bleed – isolation of product, line holds, stop-ship, customer notification, service stop.
• Impact assessment: Scope of potentially affected lots, customers, patients, markets, documentation and data.
• Investigation & root cause: Summaries of RCA, data reviewed, interviews, and the most probable underlying cause(s).
• Decision on CAPA: Whether a CAPA is warranted; if yes, reference to CAPA record; if no, documented rationale.
• Disposition: Decisions for nonconforming product or materials – scrap, rework, regrade, concession/waiver, return to supplier.
• Approvals & closure: QA and other function sign-offs, with dates and any follow-up actions or monitoring.

In a digital environment like V5, most of this is not typed from memory at the end; it is pulled from linked objects – batches, jobs, test results, training records – and enriched with investigation notes, saving time and reducing fiction.

6) Nonconformance Workflow & Lifecycle

A practical nonconformance process usually follows a predictable pattern, regardless of industry:

• 1. Detection: Someone – operator, inspector, lab analyst, customer, auditor, system check – spots that something is off. In V5 this may come from line checks, SPC trends, digital work instructions, or external feedback.
• 2. Logging: The issue is recorded as an NC / NCR / NCMR in the QMS or integrated MES–QMS system. Bare minimum is who, what, when, where.
• 3. Containment: Suspect product is held, further production may be stopped or adjusted, and customers may be warned depending on risk.
• 4. Triage: QA and operations quickly classify severity, potential impact and urgency. Not every NC needs a six-month multi-functional project; some just need clean documentation and simple correction.
• 5. Investigation: Data and records are reviewed, people are interviewed, equipment and materials are checked, and the story of “what actually happened” is reconstructed.
• 6. Root cause analysis: Structured methods (5-Why, Fishbone, FMEA, fault tree, etc.) are used to move beyond symptoms and blame towards underlying process or system causes.
• 7. Decision on systemic action: Based on risk and recurrence potential, the team decides whether to open a CAPA, raise a SCAR, update procedures/training, or treat the NC as a one-off with limited action.
• 8. Disposition & correction: Nonconforming product is scrapped, reworked, reclassified or waived following defined rules and approvals.
• 9. Closure & effectiveness check: Records are reviewed, approvals captured and – where there is a CAPA – effectiveness is checked after implementation.

Good NC workflows are tight enough to prevent drift and hand-waving, but pragmatic enough that people will actually use them instead of hiding problems off the books.

7) Common Failure Modes & Red Flags

Nonconformance processes go wrong in predictable ways. Useful red flags include:

• “We don’t have many nonconformances.” Either you are running a fantasy plant or issues are being contained informally (rework, sorting, “just fix it”) without documentation.
• NCs logged with one-word causes. Root causes like “operator error” and “training” are rarely root causes; they usually mean “we stopped thinking after the first why”.
• NCs living in email. Real work is happening in side channels; the official system is just being updated after the fact (if at all).
• Long NC queues with no closure. Lots of events opened to appease auditors, but very few closed with meaningful actions or checks.
• Same issues recurring. Complaints, deviations or NCs that keep popping up in slightly different guises without any visible trend downwards.
• “Root cause” is always the last person in the chain. If every heatmap points to operators, inspectors or a single supplier, you are probably missing systemic design, planning or management issues.
• NCs opened only during audits. Sudden spikes in nonconformance activity whenever auditors or customers arrive is a sign the system is reactive and performative, not embedded.

Nonconformance processes should be slightly uncomfortable – they expose reality. If they are too comfortable, they are probably not honest.

8) What Nonconformance Management Means for V5

In the V5 ecosystem, nonconformance management is not a separate spreadsheet or bolt-on; it is woven through MES, QMS, WMS and the V5 Connect API:

• V5 MES – Detection & context:
  • Nonconformances can be raised directly from digital work instructions, travellers, line checks and in-process results when operators see or record an issue.
  • NC records automatically inherit context: job/batch, product, line, shift, equipment, materials and operators involved.
  • Integration with SPC and alarms allows automatic NC proposals when rules are breached.
• V5 WMS – Material & inventory control:
  • Nonconforming material can be quarantined in specific locations and statuses; holds are visible to operations, planning and shipping.
  • Lot- and serial-level genealogy supports tracing of related stock so containment boundaries are data-driven, not guesswork.
• V5 QMS – Governance & CAPA:
  • NC, NCR and NCMR records are managed in the QMS, with workflows for review, investigation and approval.
  • Links to QRM, CAPA, SCAR, change control and training records allow a complete picture of cause and response.
  • Audit trails show who changed what, when, and why, supporting data integrity expectations.
• V5 Connect API – Integration & customers:
  • External systems (ERP, LIMS, PLM, CRM) can feed defect, test or complaint data that triggers NCs in V5.
  • Where appropriate, customers and suppliers can receive structured reports derived from NC records instead of ad-hoc emails.
• Analytics & reporting:
  • Nonconformances can be analysed by product, line, shift, equipment, supplier, root cause, closure time and CAPA effectiveness.
  • Dashboards highlight hotspots and trends, feeding back into risk registers and investment decisions.

In short, V5 turns nonconformances from isolated PDF forms into live objects in your data model. That makes it much harder for “we’ve always had this issue” to survive unchallenged.

9) Implementation Roadmap & Practice Tips

Putting serious nonconformance management in place is less about tools and more about honesty and discipline. A pragmatic roadmap looks like this:

• Define what must be logged. Be explicit about which kinds of issues require an NC (product out of spec, process outside ranges, repeated minor issues, audit findings, supplier defects, etc.). Grey zones are where problems go to hide.
• Standardise forms and fields. Design NCR / NCMR templates with clear fields for description, requirement, impact, cause, actions and approvals. Remove duplicate or confusing sections that encourage half-completed records.
• Make logging easy, not heroic. In V5, allow operators and supervisors to raise NCs in a couple of clicks from where they spot the issue, without hunting for codes or URLs.
• Separate triage from deep investigation. Have a fast, light triage step to classify and either close low-risk events with simple correction or escalate significant ones into deeper RCA and possible CAPA.
• Set expectations for timelines. Define reasonable, enforced targets for containment, investigation and closure. Endless “open” NCs quietly destroy credibility.
• Train on writing factual descriptions. Teach people to write what happened and what was observed, not opinions or blame. Good NC descriptions make root cause work faster and more objective.
• Use structured RCA tools. Require at least basic 5-Why or another method for moderate and high-risk NCs. Drive causes beyond “human error” and “retrain operator” unless there is clear evidence and no deeper systemic factor.
• Close the loop. For NCs linked to CAPA, build in effectiveness checks, not just “implemented” tick boxes. If the issue recurs, that is a signal that the CAPA needs review, not a sign to write another identical CAPA.
• Review patterns, not just individuals. Analyse NCs by process, product, shift, equipment and supplier, not just by person. Reward teams for finding and fixing systemic causes, not for hiding problems.

The goal is not to minimise the NC count at all costs. It is to make sure the NCs you do have are real, well-understood and used to improve the system instead of being buried until the next inspection.

FAQ

Q1. Is a nonconformance the same as a deviation?
Not necessarily. A deviation is usually a specific type of nonconformance where an approved procedure or parameter was not followed in GxP environments. Nonconformance is the broader term: any failure to meet a requirement, which may include deviations, test failures, documentation issues, supplier problems and more. Some companies use the terms interchangeably; others reserve “deviation” for process-related events and “nonconformance” for product or system issues.

Q2. Does every nonconformance require a full CAPA?
No – and forcing that is a good way to paralyse the system. Many nonconformances can be addressed with correction and local action. CAPA should be reserved for issues with meaningful risk, recurrence potential or systemic causes. The key is to have clear risk-based criteria for when a CAPA is required and to document the rationale when you choose not to open one.

Q3. Isn’t it risky to “log everything” – won’t it make us look bad to regulators?
Regulators are more concerned about problems you didn’t catch than about evidence that you are catching and managing issues. A realistic, well-managed nonconformance portfolio with clear investigations and closures is generally seen as a sign of control. A suspiciously clean record in a complex operation is more likely to invite deeper questioning.

Q4. How detailed should a nonconformance investigation be?
Detail should follow risk. Minor, low-impact NCs may only need a short description, quick check and simple fix. Higher-risk or recurring NCs deserve full root cause analysis, documented evidence, risk assessment and follow-up. Forcing the same level of bureaucracy on every event encourages people to under-report or to game the categorisation to avoid workload.

Q5. How does nonconformance data feed continuous improvement?
When NCs are recorded consistently and linked to products, lines, equipment, suppliers and root causes, they become a rich improvement dataset. You can rank processes by defect cost, spot systemic weaknesses, justify investments, measure the impact of changes and feed a real risk register instead of guessing. Without that data, “continuous improvement” is mostly opinion and PowerPoint.

Related Reading
• Events & Records: Deviation & Nonconformance (NC) | Nonconformance Report (NCR) | Nonconforming Material Report (NCMR) | Out of Specification (OOS)
• Root Cause & Actions: Root Cause Analysis (RCA) | CAPA – Corrective & Preventive Action | SCAR – Supplier Corrective Action Request | Quality Risk Management (QRM)
• Systems & Governance: Quality Management System (QMS) | Change Control | Management of Change (MOC) | V5 Solution Overview