A Non-Conformance Report (NCR) is the "check engine light" of your operation, a signal that something has deviated from the standard, requiring investigation and correction.
In principle, no one objects to this. We all want safe products, reliable data, and compliant processes.
In practice, as companies scale, the sheer volume of issues can turn this safety mechanism into a bottleneck. When the process becomes too painful, teams drift into dangerous extremes: either fixing problems 'off the books' to avoid paperwork, or flooding the system with trivial data out of fear.
This is a guide on how to handle the operational reality of non conformances without letting the process paralyze your business or jeopardize your audit standing.
When a Problem Becomes a Non Conformance
A non conformance report (NCR) is a formal record used in life sciences to document when something does not meet a defined requirement, and to ensure the issue is investigated, addressed, and prevented from recurring.
In practice, an NCR answers four core questions regulators care about:
-
What went wrong?
-
What requirement was not met?
-
What is the impact or risk?
-
What was done about it?
The first point of friction is the "threshold of reporting." Issues in life sciences are discovered everywhere, including during incoming inspection of raw materials, on the manufacturing floor during assembly, through supplier notifications, or during final release checks.
The tension lies in distinguishing between a standard correction (rework) and a reportable non conformance.
The Regulatory Expectation vs. The Operational Reality
Regulators, such as FDA, EMA, and ISO auditors, have a specific expectation rooted in control. They require you to control non conforming product to prevent its unintended use. If the "form, fit, or function" is affected, or if the process deviated from the validated state, an NCR is generally non negotiable.
However, the "grey area" is vast.
Scenario A involves a label applied crookedly. The operator peels it off and applies a new one immediately. Is this an NCR? Likely not. It is standard rework, provided your SOP allows for it.
Scenario B involves a label applied crookedly because the labeling machine’s tensioner failed. Now you have a process failure. This is an NCR.
Teams often get this wrong because they focus on the outcome (the label is fixed) rather than the mechanism (why it failed).
The Danger of the "Hidden Factory"
When the threshold for opening an NCR is too high, meaning it is too hard or scary to open one, you create a "Hidden Factory." This is an informal system where skilled technicians fix errors without documenting them. They know how to jiggle the handle to get the machine working, or they know which batch of resin acts weird and adjust the temperature manually.
While this gets product out the door, it destroys your data integrity. When that technician leaves, the process collapses. Furthermore, if an auditor discovers undocumented rework, they will pull on that thread until the entire quality system unravels.
Key Takeaway: You must foster a culture where opening an NCR is not seen as "getting in trouble." It must be viewed as the primary mechanism for maintaining control. An open NCR is better than a hidden fix.
Non Conformance vs. Deviation vs. CAPA: Where Teams Get It Wrong
One of the quickest ways to annoy an auditor, and confuse your own staff, is using quality terminology interchangeably. While these processes are related, they are distinct instruments with different triggers and burdens of proof.
1. Deviation: The Process "Oops"
A deviation is usually a departure from an approved procedure or standard during execution. It focuses on the activity. For example, the SOP states a reaction must stir for 60 minutes. Due to a power outage, it stirred for 50 minutes. You have deviated from the procedure. Note that deviations can be planned (temporary change) or unplanned.
2. Non Conformance (NCR): The Product "Uh Oh"
An NCR is the failure of a product, material, component, or output to meet specified requirements. It focuses on the result. For example, because the reaction only stirred for 50 minutes, the viscosity of the final solution is out of spec. The solution is non conforming. A deviation (process) often results in an NCR (product), but not always. You can have a deviation that results in good product, and you can have an NCR where the procedure was followed perfectly, suggesting the procedure itself is bad.
3. CAPA (Corrective and Preventive Action): The Systemic "Never Again"
CAPA is the heavy artillery. It is not a bucket for every error. CAPA is a systemic investigation triggered when an NCR (or a trend of NCRs) indicates a deeper root cause that requires process improvement to prevent recurrence. The mistake many companies make is opening a CAPA for every NCR. This leads to "Death by CAPA," where the quality team is investigating 500 root causes simultaneously, forcing them to rush closures. Auditors view open, aging CAPAs as a sign that you cannot solve your own problems.
What Auditors Actually Expect to See in a Non Conformance Report
When an inspector from the FDA or a Notified Body looks at your NCR log, they are not just checking for completion. They are reading a story. They are looking for the narrative arc of the failure.
Red flags appear when that story has plot holes. Here is what they scrutinize:
1. Completeness of the Description
"Product failed test" is an insufficient description. It forces the auditor to ask questions, which is exactly what you don't want. "Housing cracked" is bad. A better description would be "Hairline fracture observed on the distal end of the lower housing assembly (Lot #123) during visual inspection step 4. Fracture is approximately 2mm in length."
2. Immediate Containment
Before you find the root cause, what did you do with the bad stuff? Auditors look for segregation. Did you physically move the bad parts to a quarantine cage? Did you lock the lot in your ERP system? If the NCR doesn't explicitly state that the affected material is secured, the auditor assumes it might have been shipped.
3. Impact Assessment
This is the most frequently missed section. You found a problem with this unit. Does it affect the other 99 units in the box? Does it affect the previous lot? Does it affect the raw material used in three other product lines? Crucially, does this affect product already in the field? This triggers recall potential. If your NCR says "disposition: scrap" without answering "what else is at risk?" you have a finding.
Ownership Is the Hidden Failure Point
We have discussed definitions and regulations, but the biggest friction point in NCR management is purely human: Ownership.
In many organizations, the Quality Assurance (QA) department ends up acting as both the owner and the bottleneck. The logic goes, "It’s a quality form, so Quality handles it." This is a recipe for failure. QA cannot investigate a software bug; Engineering must do that. QA cannot investigate a molding error; Manufacturing must do that.
Yet, because the process is often managed via emails, spreadsheets, or disconnected SharePoint folders, the "ball" is constantly dropped. QA ends up acting as a project manager, chasing engineers for data, nagging suppliers for responses, and begging for signatures. The NCRs sit open for months not because the problem is unsolvable, but because the workflow is broken.
How Modern Systems (like Kivo) Change the Dynamic
This is a scenario where the process breakdown is structural, not educational. You cannot "train" people to be better at replying to emails. You need a system that enforces the workflow.
This is where a platform like Kivo becomes a natural fit. Kivo supports clear, role-based ownership while preserving QA oversight.
The Shift: Instead of QA emailing an engineer to ask for an investigation, the system assigns the "Investigation" phase to the Engineering role.
The Accountability: The system tracks the due date and the owner. The engineer logs in, inputs the data, attaches the evidence, and signs off.
The Oversight: QA retains final approval authority. They don't do the work; they review the work to ensure it meets compliance standards.
The Outcome: By utilizing a system that enforces role-based workflows, the "chase" is eliminated. Teams spend less time asking "whose court is this in?" and more time reviewing quality decisions. NCRs move forward because responsibility is structurally clear, creating a self-driving compliance engine rather than a QA driven drag.
Deciding When a CAPA Is Truly Required
The transition from an NCR to a CAPA is perhaps the most anxiety inducing decision point in the quality workflow. It acts as a gate where you decide to keep it local (NCR) or escalate it to the system level (CAPA).
If you escalate everything, you drown. If you escalate nothing, you are negligent.
The Risk Based Approach
Auditors generally do not object to the decision you make, provided the rationale for that decision is documented and sound. They object when the decision looks arbitrary.
You need a consistent rubric. Common triggers for CAPA include high risk, where the failure could cause patient harm (even if it only happened once). Recurrence is another trigger, such as the third time a seemingly minor issue has happened this quarter. Systemic failure is the third main trigger, meaning the procedure itself is wrong or the validation was flawed.
Defensibility through Documentation
If you choose not to elevate an NCR to a CAPA, you must explicitly justify why. "Risk is low" is not enough. You need to reference why the risk is low.
Escalation decisions are where defensibility matters most. In a manual system, the "Why" is often lost in a meeting note or a mental check. Kivo allows teams to document these escalation decisions in context.
-
You can link the NCR directly to the current Risk Management File (e.g., FMEA) to show that the failure mode was already anticipated and the risk is within acceptable limits.
-
You can link to historical trends within the platform to prove this is an isolated incident.
This linkage makes a "no CAPA required" decision much easier to justify during an inspection that might happen two years later. It gives teams confidence that their escalation decisions will hold up under scrutiny, even if the Quality Manager who made the decision has since left the company.
Timing, Documentation, and the Cost of “We’ll Fix It Later”
There is a prevalent, dangerous mindset in high pressure manufacturing environments: "We’ll open the NCR later, let's just fix the line now so we can hit the shipment target."
This is known as a Retrospective NCR. To an auditor, this looks indistinguishable from a cover up.
The Data Integrity Trap
Documentation must be contemporaneous, meaning it is recorded at the time the event occurred. If you wait three days to write up the NCR, you are relying on memory. Details fade. Lot numbers get mixed up. The "story" becomes fiction.
Furthermore, if you fix the product before you open the NCR, you have technically performed unauthorized rework. You have altered the evidence before the investigation could start.
The "Open/Close" Metric
Auditors also look at the "Time to Closure." If your average NCR takes 120 days to close, it signals that your organization is sluggish or under resourced. However, rushing to close them in 2 days without data is equally bad.
Best Practice: Open the NCR immediately (within 24 hours). Perform the containment immediately. Then, take the appropriate time to investigate. It is better to have an open NCR that is clearly "In Investigation" than a closed NCR that is empty.
Trending Non Conformances to Prevent Repeat Findings
If you are only looking at NCRs one by one, you are playing "whack a mole." You are fixing symptoms, not the disease.
The true power of a Quality Management System (QMS) lies in Trending. Regulators (specifically under 21 CFR Part 820.100 and ISO 13485:2016) explicitly require you to analyze data sources to identify existing and potential causes of non conforming product.
The Spreadsheet Failure Mode
This is where Excel based or paper based systems break down completely. You have an NCR log in Excel. You have a Supplier Corrective Action log in a different sheet. You have Complaint files in a third location.
To see a trend, someone has to manually export, clean, and merge this data. Because this is hard work, it usually only happens once a year, right before the Management Review meeting. By the time you spot the trend, you have been manufacturing bad product for six months.
Trending should be continuous, not annual. Because NCRs, CAPAs, documents, and supplier records live in one underlying system in Kivo, meaningful trend analysis happens without manual data wrangling.
-
You don't need to be a data scientist to see that "Supplier A" is responsible for 40% of your material rejections this quarter.
-
You can instantly see that "Machine 4" has 3x the error rate of "Machine 2."
When these patterns emerge early, leadership sees systemic risk sooner. Corrective action becomes proactive. When an auditor asks, "How do you monitor process capability?" you don't show them a spreadsheet from last year; you show them a live dashboard. This shifts the audit dynamic from defense ("We fixed it") to demonstration of control ("We saw it coming").
The Most Common Non Conformance Report Mistakes
Beyond the structural issues, there are specific execution pitfalls that trip up even experienced teams. Watch out for these:
1. The "Human Error" Trap
Listing "Human Error" as a root cause is the most common mistake in the industry.
-
The Auditor's View: If a human can make an error that results in a non conformance, the process is not robust.
-
The Fix: Don't stop at the human. Ask why the human erred. Was the SOP unclear? Was the environment distracting? Was the tool ergonomically poor? The root cause is almost always the process, not the person.
2. Copy Paste Root Causes
If 50% of your NCRs have the exact same root cause description, you aren't investigating; you are copy pasting. This signals laziness and a lack of critical thinking.
3. Under Documentation of Disposition
Closing an NCR with "Use As Is" requires a technical justification. Why is it okay to use? Who authorized it? If you scrap it, do you have a Certificate of Destruction? The closure phase requires as much evidence as the opening phase.
4. Disconnected Records
An NCR often triggers a Change Order (ECO) to update a document. If the NCR says "Fixed by updating SOP-001" but there is no link to the ECO that actually updated SOP-001, you have a broken traceability chain.
Managing Non Conformances Without Slowing the Business
The ultimate goal of all of this, including the software, the definitions, and the workflows, is to manage non conformances without paralyzing the business.
There is a misconception that "more quality" means "slower speed." This is only true if your quality system is inefficient. A chaotic NCR process slows the business because engineers are stuck in meetings explaining what happened, batches are held in quarantine for weeks awaiting signatures, and audits drag on for days because documents can't be found.
When you have a single source of truth, meaning structure, clarity, and linked records, compliance becomes a natural output of the work rather than an administrative hurdle added at the end. Speed comes from clarity.
Non Conformance Reports Are a Signal
If handled correctly, an NCR is not a badge of shame; it is a high value operational signal. It tells you exactly where your process is drifting and gives you the opportunity to correct it before it impacts a patient or triggers a recall.
The difference between a struggling quality system and a mature one is rarely intent, as everyone wants to make safe products. The difference is execution.
By clarifying ownership so that the right people work on the right problems, ensuring defensible escalation so you don't drown in CAPAs, and leveraging tools like Kivo to turn fragmented data into visible trends, you transform the NCR process. It shifts from a burdensome compliance tax into a competitive advantage that drives continuous improvement.
