Identification, segregation, evaluation, and disposition of nonconforming product — 820.90 NCR process structure preserved.
Concession authorization records and rationale must be documented; advisory notice procedures (§8.3.3) must be ready for deployment at any stage.
Concession justification records and impact-on-delivered-product assessment — disposition decisions without explicit regulatory-compliance verification are frequently cited.
Maps to
QMSR / ISO 13485: §820.90 Nonconforming product.
ISO 13485: §8.3 Control of nonconforming product
Requirement text
Nonconforming product shall be identified and controlled to prevent unintended use or delivery.
Why this clause exists
Physical segregation and formal disposition of nonconforming product prevent a straightforward but persistently recurring failure mode: nonconforming units that are not clearly identified and physically separated from conforming stock can be inadvertently released, mixed into production, or delivered to customers. Identification and segregation are preconditions for every downstream control — disposition cannot be deliberate, rework cannot follow procedure, and concession authority cannot be exercised if the nonconforming unit is not positively identified and held apart from the production flow. Disposition decisions must be documented because disposition is a quality decision with regulatory consequences: the choice between scrap, rework, use-as-is (concession/deviation), or return to supplier determines whether a nonconforming unit leaves the facility in any form. Use-as-is or concession dispositions are particularly high-risk because they represent an explicit departure from specification, and the authority and rationale for that departure must be on record. Rework procedures must be documented rather than improvised because rework activities introduce additional processing steps that may affect device safety or performance — reworked product must be re-inspected to original acceptance criteria to confirm that rework restored conformance rather than creating new deficiencies. Trending of nonconformance data across lots and over time provides the signal data that feeds CAPA and supports the systemic improvement objectives of the broader quality system.
What changed
§820.90 — Part 820 (legacy)
"Control of nonconforming product. Each manufacturer shall establish and maintain procedures to control product that does not conform to specified requirements. The procedures shall address the identification, documentation, evaluation, segregation, and disposition of nonconforming product. The evaluation of nonconformance shall include a determination of the need for an investigation and notification of the persons or organizations responsible for the nonconformance. The evaluation and any investigation shall be documented. Nonconformity review and disposition. (1) Each manufacturer shall establish and maintain procedures that define the responsibility for review and the authority for the disposition of nonconforming product. The procedures shall set forth the review and disposition process. Disposition of nonconforming product shall be documented. Documentation shall include the justification for use of nonconforming product and the signature of the individual(s) authorizing the use. (2) Each manufacturer shall establish and maintain procedures for rework, to include retesting and reevaluation of the nonconforming product after rework, to ensure that the product meets its current approved specifications. Rework and reevaluation activities, including a determination of any adverse effect from the rework upon the product, shall be documented in the DHR."
§8.3 — ISO 13485:2016 (current)
"8.3.1 General The organization shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. The organization shall document a procedure to define the controls and related responsibilities and authorities for the identification, documentation, segregation, evaluation and disposition of nonconforming product. The evaluation of nonconformity shall include a determination of the need for an investigation and notification of any external party responsible for the nonconformity. Records of the nature of the nonconformities and any subsequent action taken, including the evaluation, any investigation and the rationale for decisions shall be maintained (see 4.2.5) 8.3.2 Actions in response to nonconforming product detected before delivery The organization shall deal with nonconforming product by one or more of the following ways: a) taking action to eliminate the detected nonconformity; b) taking action to preclude its original intended use or application; c) authorizing its use, release or acceptance under concession. The organization shall ensure that nonconforming product is accepted by concession only if the justification is provided, approval is obtained and applicable regulatory requirements are met. Records of the acceptance by concession and the identity of the person authorizing the concession shall be maintained (see 4.2.5). 8.3.3 Actions in response to nonconforming product detected after delivery When nonconforming product is detected after delivery or use has started, the organization shall take action appropriate to the effects, or potential effects, of the nonconformity. Records of actions taken shall be maintained (see 4.2.5). The organization shall document procedures for issuing advisory notices in accordance with applicable regulatory requirements. These procedures shall be capable of being put into effect at any time. Records of actions relating to the issuance of advisory notices shall be maintained (see 4.2.5). 8.3.4 Rework The organization shall perform rework in accordance with documented procedures that takes into account the potential adverse effect of the rework on the product. These procedures shall undergo the same review and approval as the original procedure. After the completion of rework, product shall be verified to ensure that it meets applicable acceptance criteria and regulatory requirements. Records of rework shall be maintained (see 4.2.5)."
Δ Splits post-delivery nonconformance into a distinct clause with an advisory notice procedure requirement; rework procedures must now undergo the same review/approval as original procedures.
Common gaps (what we see in audits)
- No Assessment of Impact on Delivered Product — ISO 13485 requires that when nonconforming product is detected after delivery, the organization must take action appropriate to the effects of the nonconformity. Many NCR procedures focus only on in-process or in-stock product without systematic evaluation of whether the nonconformity could affect product already in the field.
- Weak 'Use-as-Is' justifications — Product is conceded (used-as-is) without a documented technical rationale explaining why the non-conformance doesn't affect safety or performance. ISO 13485 §8.3.2 requires this rationale.
- No Formal Concession Procedure — ISO 13485 requires documented procedures for accepting nonconforming product under concession, including recording the identity of the authorizing person and verifying that regulatory requirements are still met. Many Part 820-era NCR systems allow disposition as "use as is" without a formal concession process, authorization records, or regulatory compliance check.
- Missing Advisory Notice Procedures — ISO 13485 clause 8.3.3 requires documented procedures for issuing advisory notices that can be activated at any stage. Many organizations lack a standalone advisory notice procedure or have field action procedures that are not linked to the nonconforming product control process.
- Weak NCR-to-CAPA Escalation Criteria — ISO 13485 requires integration between nonconforming product control and CAPA. Many organizations lack defined criteria for when an NCR should trigger a CAPA, leading to either over-escalation or under-escalation of quality issues.