Nonconforming Product Control in ISO 13485 Explained: What Clause 8.3 Really Requires

ISO 13485 Nonconforming Product Control Is Where Weak Quality Systems Start to Show

If your team does not control nonconforming product properly, the rest of your quality system starts to weaken around it. Product gets moved without a clear status. Deviations are handled informally. NCRs are raised inconsistently. Rework happens without proper review. Concessions are approved without documented rationale. Then the same issues come back again through complaints, repeat CAPAs, and audit findings.

That is why ISO 13485 nonconforming product control matters so much. Clause 8.3 is not just about logging a defect. It is about building a disciplined system for identification, segregation, evaluation, disposition, escalation, and recordkeeping whenever product does not meet requirements.

Many medical device companies think they are handling nonconformances because they have a basic NCR form. That is not enough. Auditors want to see a live operating process that controls product status, prevents unintended use or release, documents decision-making, and links appropriately into investigation, concession, rework, risk review, and corrective action.

If your current process is informal or inconsistent, this is usually one of the easiest places for an auditor to find control gaps. If you need a stronger Clause 8 framework rather than isolated forms, the strongest approved resource for this topic is the QMS Core Bundle (ISO 13485 Clauses 4–6 & 8).

What ISO 13485 Clause 8.3 Actually Requires

Clause 8.3 requires the organisation to ensure that product which does not conform to requirements is identified and controlled to prevent unintended use or delivery. It also requires a documented procedure defining controls and responsibilities for identification, documentation, segregation, evaluation, and disposition. The evaluation must include deciding whether investigation is needed and whether an external party responsible for the nonconformity must be notified.

In plain language, that means you need more than a defect log. You need a system that answers these questions clearly:

  • How do you identify nonconforming product?
  • How do you stop it from being used, released, or mixed with good product?
  • Who reviews it and decides what happens next?
  • When is investigation required?
  • When is concession allowed, and who can approve it?
  • How is rework controlled and verified?
  • What happens if the issue is found after delivery?
  • When does the issue escalate into CAPA, complaint handling, or wider regulatory action?

If your procedure cannot answer those points cleanly, your ISO 13485 nonconformance controls are probably underdeveloped.

What Counts as Nonconforming Product in a Medical Device System

Nonconforming product is any product that does not meet specified requirements. That sounds simple, but in medical devices it can cover far more than a visible manufacturing defect.

Examples include:

  • failed incoming inspection results;
  • out-of-specification dimensions or attributes;
  • labelling errors;
  • traceability gaps;
  • expired or incorrect components used in production;
  • packaging defects;
  • sterile barrier issues;
  • unfinished or incorrectly processed product;
  • documentation mismatches that affect release;
  • product affected by an unapproved deviation or process failure.

That is why good Clause 8.3 implementation depends on cross-functional thinking. Nonconforming product can be identified by warehouse staff, production, QA, QC, engineering, service teams, or post-market functions. Your procedure has to work across those interfaces, not just inside Quality.

Why Nonconforming Product Control Is More Than an NCR Form

The typical weak system goes like this: someone spots an issue, opens a basic NCR, moves the material to one side, and waits for Quality to decide what to do. A few emails happen. Someone informally approves rework. The product eventually gets used, scrapped, or re-labelled. The NCR is closed. No one is fully sure whether the same issue happened before or whether it should have triggered CAPA.

That is not a controlled process. That is documentation layered on top of ad hoc decisions.

A strong medical device NCR process should do three things well:

  1. control product status immediately;
  2. support sound disposition decisions;
  3. generate useful quality intelligence for escalation and prevention.

If the system only records what happened after the fact, it is too weak. If it cannot separate minor isolated issues from systemic failures, it is too weak. If it does not stop unintended use, it is definitely too weak.

The Core Elements of an Audit-Ready Nonconforming Product Process

A practical, audit-ready Clause 8.3 process usually includes the following elements:

  • a documented control of nonconforming product procedure;
  • clear definitions for nonconformance, deviation, concession, and rework;
  • product status identification rules;
  • segregation and containment requirements;
  • NCR form or log with mandatory decision fields;
  • review and approval responsibilities;
  • disposition options and decision criteria;
  • escalation logic into CAPA, risk review, supplier issues, or complaints;
  • rework controls and post-rework verification;
  • rules for nonconformities found after delivery.

Most organisations do not fail because they have none of these. They fail because half of them exist in isolation and do not work together. That is why Clause 8 processes are often easier to stabilise using a structured resource rather than trying to build disconnected forms from scratch. The approved closest-match resource for both NCR and deviation-management structure is the QMS Core Bundle (ISO 13485 Clauses 4–6 & 8).

Nonconformance, Deviation, Concession, and CAPA Are Not the Same Thing

One of the most common reasons systems become messy is that teams use these terms interchangeably.

Nonconformance

A nonconformance is a failure to meet a specified requirement. It is the condition or event you are controlling under Clause 8.3.

Deviation

In an ISO 13485 system, a deviation usually refers to a documented departure from an approved process, instruction, or requirement. Some deviations result in nonconforming product. Some do not. The important point is that deviations need controlled assessment, not informal acceptance.

Concession

A concession is an authorised acceptance, release, or use of nonconforming product under defined conditions. This is not a shortcut. It requires justification, approval, and compliance with applicable regulatory requirements.

CAPA

CAPA is not the same as the NCR. CAPA is the escalation path when the issue indicates recurrence, systemic weakness, inadequate process control, or need for root-cause elimination. Not every NCR requires CAPA. But repeat NCRs without escalation are a major red flag.

If your organisation blurs these terms, decision-making becomes inconsistent. That inconsistency is exactly what auditors pick up.

How to Manage Product Status and Segregation Properly

The first job in controlling nonconforming product under ISO 13485 is to stop unintended use or release. That sounds obvious, but many companies rely on verbal awareness instead of a real status-control method.

Good control usually includes:

  • clear physical or electronic status identification;
  • segregated storage or hold locations;
  • restricted access where appropriate;
  • status labels or system flags;
  • defined rules for who can move, review, or release held product.

If nonconforming product can be mistaken for conforming product, your system is weak no matter how good the paperwork looks. This is one reason Clause 8.3 often overlaps heavily with document control, records control, traceability, and training.

What an NCR Should Capture

A useful NCR should support control, evaluation, and trend analysis. It should not just describe the defect in vague language.

A strong NCR record usually captures:

  • product identification and traceability details;
  • where and when the issue was found;
  • description of the nonconformity;
  • quantity affected;
  • containment actions taken;
  • initial risk or impact assessment;
  • suspected source if known;
  • disposition decision;
  • whether investigation is required;
  • whether CAPA is required;
  • approvals and rationale;
  • verification of completed action where relevant.

The point is not to create a bloated form. The point is to make sure the record supports good decisions and later review. If your NCR cannot show why the product disposition was chosen, it is incomplete.

Disposition Options Under Clause 8.3

Disposition is where many organisations become inconsistent. Under Clause 8.3, typical response options include:

  • correcting the detected nonconformity;
  • precluding the original intended use or application;
  • authorising use, release, or acceptance under concession;
  • scrapping or destroying the affected product;
  • reworking the product under controlled procedures.

Each option needs decision logic. For example, concession should never become a convenience mechanism to keep production moving. Rework should never happen without documented procedures and subsequent verification. Scrap should be controlled so the product cannot re-enter inventory or be used unintentionally.

This is also where the CAPA Toolkit becomes commercially relevant. If your team is using repeated concessions or rework to manage recurring failures, that is often a sign the problem belongs in CAPA, not just NCR closure.

When Concession Is Allowed and Why It Is Often Mishandled

Concession is one of the most misused parts of nonconforming product control. Teams sometimes treat it as a practical release tool when they are under pressure on delivery, cost, or timelines.

That creates risk fast.

A properly controlled concession process should require:

  • clear justification;
  • formal approval;
  • review of applicable regulatory requirements;
  • evidence that the product remains acceptable for the intended use or restricted use;
  • traceable record of who authorised it.

If concession approvals are vague, undocumented, or overly routine, your Clause 8.3 process is probably enabling weak decisions instead of controlling them.

How Rework Should Be Controlled

Rework is not just “fixing the issue”. Under ISO 13485, rework must be performed in accordance with documented procedures that consider any potential adverse effect on the product. After rework, the product must be verified again against applicable acceptance criteria and regulatory requirements.

This matters because rework can alter fit, function, cleanliness, sterility, traceability, or product history. In medical devices, rework without proper controls can easily create a worse compliance problem than the original defect.

A strong rework approach includes:

  • approved rework instructions;
  • defined authority for rework approval;
  • assessment of product impact;
  • clear re-verification requirements;
  • record retention of what was done and who approved it.

What Happens When the Problem Is Found After Delivery

Clause 8.3 does not stop at pre-release issues. If nonconforming product is detected after delivery or after use has started, the organisation must take action appropriate to the effects or potential effects of the nonconformity.

This is where nonconforming product control overlaps with complaint handling, advisory notices, field action, and post-market processes. The severity of the issue, the product affected, and the potential impact on safety and performance will determine how far the response needs to go.

If your post-delivery escalation logic is weak, your organisation will struggle to respond consistently when a serious issue is found in the field. That is why the CAPA, Complaints & Post-Market collection is a natural supporting destination for readers dealing with broader remediation.

How to Decide When an NCR Should Escalate to CAPA

This is one of the biggest practical questions in medical device quality systems. Not every NCR needs a CAPA. But many companies under-escalate because they do not want more workload, and some over-escalate because they have no clear criteria.

Good escalation criteria usually look at:

  • recurrence of the issue;
  • severity or potential impact;
  • trend evidence;
  • systemic process failure;
  • supplier-related recurring failure;
  • field or complaint linkage;
  • evidence that simple correction will not prevent recurrence.

If your system does not define when NCRs trigger deeper investigation or CAPA, you will get inconsistent decisions. That inconsistency usually becomes visible in audits, especially when repeat issues exist with no evidence of escalation.

ISO 13485 Nonconforming Product Checklist

Use this checklist to assess whether your Clause 8.3 process is genuinely audit-ready:

  • Do you have a documented procedure for control of nonconforming product?
  • Does it define identification, segregation, evaluation, disposition, and responsibilities?
  • Can you show how nonconforming product is prevented from unintended use or delivery?
  • Do your NCRs capture enough information to support good decisions?
  • Are concession decisions justified, approved, and recorded properly?
  • Is rework controlled by approved procedures and re-verification?
  • Do you have escalation logic for CAPA and deeper investigation?
  • Can you show what happens if the issue is found after delivery?
  • Are repeat nonconformities reviewed for trends and recurrence?
  • Can records be retrieved quickly during audit sampling?

If several answers are no, your nonconforming product process likely needs strengthening before certification or surveillance audit.

Common Audit Findings in Clause 8.3 Systems

Most audit findings in this area are not about missing awareness of the requirement. They are about inconsistent execution.

Common findings include:

  • nonconforming product not clearly identified or segregated;
  • NCRs with vague descriptions and weak disposition rationale;
  • no documented investigation where one was clearly needed;
  • concession used without formal approval or justification;
  • rework performed without approved procedures;
  • repeat NCRs with no CAPA escalation;
  • poor traceability of quantities and affected batches;
  • post-delivery nonconformities not linked to complaint or advisory processes;
  • unclear authority for disposition decisions;
  • trend data not being used to drive improvement.

These are all fixable. But they require a process redesign mindset, not just a form update.

What Good Looks Like in a Mature Clause 8.3 Process

Good nonconforming product control is not overly complex. It is disciplined, consistent, and easy to follow under pressure.

What good looks like:

  • product status is visible and controlled immediately;
  • NCR records are clear and decision-ready;
  • disposition pathways are defined and used consistently;
  • concession is controlled tightly, not used casually;
  • rework is documented and verified properly;
  • repeat issues trigger investigation and CAPA when needed;
  • post-delivery issues link into complaint and field-response systems;
  • trend data from NCRs is used to improve the system.

That kind of process is easier to operate, easier to audit, and far more useful to the business than a pile of loosely managed NCRs.

How to Improve the System Without Rebuilding It Badly

Many teams know their NCR and deviation process is weak, but they try to fix it by adding one more form or one more approval field. That usually creates more admin without solving the structural problem.

The better approach is to tighten the system logic: define status control, strengthen the disposition workflow, clarify concession and rework rules, and connect the process properly into CAPA, complaints, post-market action, and data analysis.

If you need product-based implementation support, the strongest approved commercial routes for this topic are the QMS Core Bundle (ISO 13485 Clauses 4–6 & 8) for Clause 8 structure and the CAPA Toolkit for escalation, investigation, and recurrence control.

If you need service-led support instead, review the consulting services or compare options via the pricing page.

Final Thoughts on ISO 13485 Nonconforming Product Control

ISO 13485 nonconforming product control is not about paperwork for defects. It is about protecting product, controlling risk, preventing unintended release, and making sure poor quality events are handled with discipline rather than improvisation.

If your Clause 8.3 process is informal, overloaded with shortcuts, or disconnected from CAPA and post-delivery actions, it will eventually become an audit finding or a bigger compliance problem.

The fix is to build a system that is clear on identification, segregation, evaluation, disposition, concession, rework, and escalation. That is what makes the process practical and defensible.

For broader reading on related systems, explore the CAPA, Complaints & Post-Market collection. If you are ready to tighten the process now, start with the right templates or contact ISO Cloud Consulting directly for implementation support.

Need a Stronger Clause 8.3 System?

If your current nonconforming product process is creating repeat issues, inconsistent decisions, or audit exposure, do not wait until certification pressure forces a rushed fix. Use a stronger Clause 8 foundation, connect NCR handling to CAPA properly, and make your deviation and disposition logic clean enough to defend.

Strengthen your nonconformance system with structured templates and proven Clause 8 resources. Start with the Clause 8-focused bundle, add the CAPA toolkit where recurrence is an issue, and use consulting support when you need faster remediation across NCRs, concessions, rework, and audit readiness.

About ISO Cloud Consulting

Structured, regulator-aligned guidance for medical-device teams building ISO 13485 systems, MDR/FDA documentation, PMS/Vigilance frameworks, and validated digital QMS environments.
