Control of nonconforming outputs

To meet the ISO 9001:2015 control of nonconforming outputs requirement, you must reliably identify any product, service, or process output that fails requirements and control it so it cannot be used or delivered unintentionally, then document the disposition and follow-up. Build a closed-loop workflow: detect, contain, decide disposition, communicate as needed, and retain objective evidence.

Key takeaways:

  • You need a documented, repeatable method to identify and control nonconforming outputs before they reach a customer or downstream process.
  • “Control” means active containment plus an authorized disposition (correction, concession, scrap, rework, etc.) with records.
  • Auditors look for traceability: where it was found, what happened to it, who approved the disposition, and what prevented recurrence.

ISO 9001 Clause 8.7 is a day-to-day operational control, not a policy exercise. The standard expects you to prevent unintended use or delivery of outputs that do not meet requirements, whether those outputs are physical products, service deliverables, software releases, purchasing outputs, or internal process results. If your organization produces anything that can “move forward” to the next step (shipping, installation, invoicing, release to production, customer reporting, regulatory submission), you need an explicit mechanism to stop and control it when it is nonconforming.

For a Compliance Officer, CCO, or GRC lead, the practical objective is simple: make nonconformance handling predictable, documented, and auditable across teams, including third parties in your supply chain. That means clear definitions of “nonconforming output,” consistent tagging/segregation/containment methods, authorized disposition decisions, and records that prove you did what you said you would do.

This page gives requirement-level implementation guidance you can operationalize quickly: who owns what, what workflow steps must exist, what evidence to retain, and what auditors typically challenge.

Regulatory text

ISO 9001:2015 Clause 8.7 excerpt: “The organization shall ensure that outputs that do not conform to their requirements are identified and controlled.” 1

What the operator must do:
You must implement a controlled process that (1) detects and clearly identifies nonconforming outputs, (2) prevents their unintended use or delivery through containment/segregation or equivalent controls, (3) determines and executes an authorized disposition (for example correction, rework, scrap, return to supplier, concession), (4) communicates with customers when required, and (5) keeps documented information showing what happened and who approved it. The requirement is outcome-based: auditors will test whether nonconforming outputs can “escape” and whether you can prove the controls worked. 1

Plain-English interpretation (what Clause 8.7 is really asking)

If something doesn’t meet defined requirements, you must stop it from moving forward by default, decide what to do with it using authorized approval, and keep records that show the full chain of custody and decision-making. The control must work for:

  • Outputs made internally (manufacturing, engineering, QA, customer support, finance operations).
  • Outputs received from third parties (incoming materials, outsourced processes, cloud services deliverables, contract manufacturers, consultants’ deliverables).
  • Outputs already delivered, if the nonconformance is discovered later (you still need documented actions and communication). 1

Who it applies to

Entity scope: Any organization operating an ISO 9001 quality management system. 1

Operational context (where this bites in practice):

  • Manufacturing: out-of-tolerance parts, mislabeled lots, failed inspections, calibration failures impacting product acceptance.
  • Software/SaaS: releases failing acceptance criteria, security defects that violate defined requirements, incorrect customer reports, broken integrations.
  • Services: missed SLA deliverables, incorrect professional services work product, incomplete customer onboarding outputs.
  • Supply chain: nonconforming incoming goods, counterfeit parts risk, outsourced process outputs not meeting requirements.
  • Regulated environments: any deliverable that could become part of a regulatory submission or required customer documentation.

What you actually need to do (step-by-step)

Implement the workflow below as a single, auditable “closed loop.” If you already have NCRs (nonconformance reports), align them to this structure.

1) Define “requirements” and “nonconforming output” in operational terms

  • List the requirement sources that can make an output “nonconforming” (specs, drawings, acceptance criteria, SLAs, contract terms, customer requirements, internal procedures).
  • Define thresholds: what is a defect vs. a nonconformance requiring formal control.
  • Define scope: product, service, process output, and third-party provided outputs. 1

Operator tip: Auditors will ask “nonconforming to what?” If you cannot point to the requirement, you will struggle to justify dispositions consistently.

2) Establish detection points (“where nonconformances are found”)

Minimum viable detection coverage usually includes:

  • Incoming inspection/verification for externally provided outputs.
  • In-process checks (manufacturing steps, code review gates, service delivery checkpoints).
  • Final acceptance/release checks (final QC, release management, customer deliverable review).
  • Post-delivery feedback channels (complaints, support tickets, monitoring). 1

3) Identify and contain immediately

Once detected, you need controls that prevent unintended use or delivery:

  • Physical product: quarantine location, hold tags/labels, ERP inventory status “blocked,” lot segregation.
  • Software/services: release freeze, feature flags off, access restrictions, rollback plan, “do not use” flags for templates/reports.
  • Documents/data outputs: revoke distribution, correct versioning, remove from customer portal where feasible. 1

Containment must be default behavior, not optional. If teams can bypass holds, auditors often treat it as a control failure.

4) Log the nonconformance with required minimum fields

Create a consistent record (NCR, deviation, defect ticket) with:

  • Unique identifier
  • Date/time discovered and detection point
  • Description of nonconformance and requirement reference
  • Affected product/service/output, quantity/instances, batch/version (as relevant)
  • Immediate containment action taken
  • Owner and stakeholders (including third party, if applicable) 1

5) Decide disposition using authorized approval

Define standard disposition paths and who can approve them. Common dispositions include:

  • Correction / rework (bring into conformity)
  • Repair (if allowed by requirement set and controlled)
  • Scrap / discard
  • Return to supplier / reperform outsourced work
  • Use-as-is under concession (explicit authorization, typically with customer approval or internal delegated authority)
  • Regrade / downgrade (if requirements allow and labeling is controlled) 1

Decision control: Use a disposition matrix (below) so “use-as-is” does not become a loophole.

Disposition decision matrix (practical)

  • Scenario: Safety/regulatory/customer-critical requirement not met
    Default action: Contain + scrap/rework
    Required approval: Quality + accountable process owner
    Customer notification? Often yes if shipped/impacted
    Evidence to retain: NCR + risk assessment + rework verification

  • Scenario: Cosmetic/non-critical requirement not met
    Default action: Contain + rework or concession
    Required approval: Quality or delegated approver
    Customer notification? If contract requires
    Evidence to retain: NCR + concession rationale

  • Scenario: Third-party provided output nonconforming
    Default action: Contain + return/SCAR
    Required approval: Quality + procurement/supplier owner
    Customer notification? If delivery impacted
    Evidence to retain: NCR + supplier communication + receipt disposition

  • Scenario: Detected after delivery
    Default action: Assess impact + customer communication + correction
    Required approval: Quality + customer owner
    Customer notification? Yes when requirements/impact demand
    Evidence to retain: Complaint record + corrective actions + customer comms 1

6) Execute the disposition and verify the result

  • If reworked/corrected, perform re-verification against the original acceptance criteria.
  • If scrapped/returned, ensure inventory/records reflect removal and cannot be shipped later.
  • If concession, ensure the acceptance is documented and traceable to the specific nonconformance instance. 1

7) Decide what follow-up is required (link to corrective action)

Clause 8.7 focuses on control and disposition, but operators should have a clear rule for escalation:

  • Repeat issues, high-risk impacts, or systemic causes should trigger corrective action work (root cause, preventive changes).
  • Low-risk isolated issues may only require documentation and trend monitoring. 1

8) Monitor trends and management visibility

Build basic oversight:

  • Trending by product, process step, third party, defect type.
  • Review recurring concessions (a common audit hotspot).
  • Confirm closure timeliness and verification completion. 1
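The eight steps above describe one closed loop, and the point auditors test is whether the loop is enforced by the system rather than by memory. The following Python sketch is an added example, not code from the page or from any Daydream product: it models an NCR record whose containment is mandatory at intake, whose disposition cannot be set without the approvals the disposition matrix calls for, whose "use-as-is" path demands a documented rationale, whose rework cannot close without re-verification, and whose release gate stays shut until closure. The role names (quality, process_owner, procurement), the severity keys, the field names and the constructed NCR values are all assumptions made for illustration; the REQUIRED_APPROVERS table is a simplified rendering of the page's matrix, not the standard's text.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Disposition(Enum):
    REWORK = "rework"                         # correct, then re-verify
    SCRAP = "scrap"
    RETURN_TO_SUPPLIER = "return_to_supplier"
    USE_AS_IS = "use_as_is"                   # concession: needs rationale

# Assumed approval matrix (mirrors the page's disposition matrix): every
# listed role must sign before a disposition is accepted.
REQUIRED_APPROVERS = {
    "critical": {"quality", "process_owner"},
    "non_critical": {"quality"},
    "third_party": {"quality", "procurement"},
}

@dataclass
class NCR:
    ncr_id: str
    requirement_ref: str              # answers "nonconforming to what?"
    description: str
    severity: str                     # key into REQUIRED_APPROVERS
    quantity: int                     # affected items/instances
    containment: str                  # mandatory at intake
    disposition: Optional[Disposition] = None
    approvers: set = field(default_factory=set)
    rationale: Optional[str] = None
    verified: Optional[bool] = None   # re-verification result after rework
    quantity_accounted: int = 0
    closed: bool = False
    audit_trail: list = field(default_factory=list)

    def __post_init__(self):
        if not self.containment.strip():   # containment is the default, not optional
            raise ValueError("containment action is mandatory at intake")
        self.log("contained", "system", self.containment)

    def log(self, event, actor, detail=""):
        self.audit_trail.append((event, actor, detail))

    def set_disposition(self, kind, approved_by, rationale=None, actor="quality"):
        missing = REQUIRED_APPROVERS[self.severity] - set(approved_by)
        if missing:
            raise PermissionError(f"missing approvals: {sorted(missing)}")
        if kind is Disposition.USE_AS_IS and not rationale:
            raise ValueError("use-as-is concession requires a documented rationale")
        self.disposition, self.rationale, self.approvers = kind, rationale, set(approved_by)
        self.log("disposition", actor, f"{kind.value} approved by {sorted(approved_by)}")

    def record_verification(self, passed, inspector):
        if self.disposition is not Disposition.REWORK:
            raise ValueError("re-verification applies only after rework")
        self.verified = passed
        self.log("verification", inspector, "pass" if passed else "fail")

    def account_for(self, qty, actor):
        self.quantity_accounted += qty    # every affected item must be traced
        self.log("accounted", actor, str(qty))

    def closure_gaps(self):
        gaps = []
        if self.disposition is None:
            gaps.append("no authorized disposition")
        elif self.disposition is Disposition.REWORK and self.verified is not True:
            gaps.append("rework not re-verified against acceptance criteria")
        if self.quantity_accounted != self.quantity:
            gaps.append(f"{self.quantity - self.quantity_accounted} items unaccounted")
        return gaps

    def close(self, actor):
        gaps = self.closure_gaps()
        if gaps:
            raise ValueError("cannot close: " + "; ".join(gaps))
        self.closed = True
        self.log("closed", actor)

def release_allowed(ncr):
    # Release gate: only a closed NCR whose disposition restores conformity or
    # accepts the output under concession may move forward; scrap/return never.
    return ncr.closed and ncr.disposition in (Disposition.REWORK, Disposition.USE_AS_IS)

def rejects(action, exc):                  # True when a gate fires (action raises exc)
    try:
        action()
        return False
    except exc:
        return True

def demo():
    # Constructed walk-through: critical part, rework, re-verify, account, close.
    ncr = NCR("NCR-0001", "DWG-42 rev C, bore 10.00 +/-0.02", "bore oversize",
              "critical", 10, "Hold tag applied; ERP lot status BLOCKED")
    ncr.set_disposition(Disposition.REWORK, {"quality", "process_owner"})
    ncr.record_verification(True, "inspector")
    ncr.account_for(10, "stores")
    ncr.close("quality")
    return ncr
```

Run demo() to see the audit trail an auditor would sample: contained, disposition with approvers, verification, items accounted for, closed. The design choice worth copying is that every gate is a hard failure (exception) rather than a warning: a hold that can be skipped, a concession without rationale, or a rework closed without re-verification is exactly the "control failure" the text above says auditors treat as a finding.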

Tooling note (where Daydream fits naturally): If your nonconformance records, supplier follow-ups, and evidence live across email, Jira, spreadsheets, and an ERP, audit prep becomes a scavenger hunt. Daydream can act as the system of record for nonconforming output workflows and evidence collection, with standardized fields, approval routing, and an audit-ready export trail.

Required evidence and artifacts to retain

Auditors typically want objective evidence that the control works end-to-end. Keep:

  • Procedure/work instruction for control of nonconforming outputs (scope, roles, containment methods, disposition approvals). 1
  • Nonconformance records (NCRs) with required fields and disposition approvals. 1
  • Containment evidence: quarantine logs, inventory status screenshots/transactions, release hold tickets, access control changes, recall/removal actions. 1
  • Verification records after rework/correction (inspection results, test reports, acceptance sign-off). 1
  • Concession/waiver documentation: rationale, risk acceptance, customer authorization where applicable, scope limitations. 1
  • Third-party communications: RMA, supplier corrective action requests, emails/portal messages confirming disposition. 1
  • Training/competency evidence for staff authorized to disposition or release product. 1
  • Trend reports and management review inputs (especially for recurring issues and concessions). 1

Common exam/audit questions and hangups

Expect these questions in audits:

  1. “Show me how you prevent shipment/release of nonconforming product.”
    Auditors will follow a sample from detection to containment to final disposition. If you rely on tribal knowledge, this fails.

  2. “How do you control nonconforming outputs from third parties?”
    They will check incoming inspection, quarantine, and supplier disposition paths.

  3. “Who can approve a concession, and how do you document it?”
    Many organizations lack a clean authority model. Auditors often probe concession trends.

  4. “What happens if nonconformance is found after delivery?”
    They will ask for a recent example: customer communication, correction, and records.

  5. “How do you ensure rework is verified?”
    Rework without re-verification is a classic gap.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: “Nonconforming” is undefined or inconsistently applied.
    Fix: Tie nonconformance to explicit acceptance criteria and contract/customer requirements. Maintain a simple decision rule.

  • Mistake: Containment depends on a person remembering to do it.
    Fix: Make containment an enforced system status (blocked inventory, release gate, or workflow step requiring proof).

  • Mistake: Concessions become routine.
    Fix: Require documented rationale and approval, trend concessions, and escalate recurring concessions to corrective action review.

  • Mistake: Third-party outputs are handled informally.
    Fix: Treat third-party nonconformance the same as internal: quarantine, record, disposition, and verification.

  • Mistake: Records lack closure evidence.
    Fix: Require a closure checklist: disposition completed, verification attached, approvals captured, and affected items accounted for.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement. Practically, weak control of nonconforming outputs increases the likelihood of unintended delivery, customer harm, contract disputes, and repeat nonconformances that can become systemic audit findings under ISO 9001 certification audits. 1

Practical 30/60/90-day execution plan

Use phased execution without assuming calendar-day certainty. The goal is to stand up a working control quickly, then harden it.

First phase (immediate): stop the bleeding and standardize intake

  • Map where nonconforming outputs can be detected across product, service, and third-party processes.
  • Define the minimum NCR fields and a single intake channel (form/ticket/workflow).
  • Implement containment controls at the highest-risk release points (shipping, production release, customer delivery, software deployment).
  • Publish a disposition/approval matrix and name authorized approvers. 1

Second phase (near-term): make it auditable and repeatable

  • Write or revise the procedure/work instruction for Clause 8.7, aligned to your actual workflow.
  • Train teams who detect, contain, and approve dispositions. Focus on: default containment, concession discipline, and re-verification.
  • Implement evidence capture requirements (attachments, screenshots, test results) as part of closure. 1

Third phase (ongoing): mature the control and reduce recurrence

  • Add trend reporting (by process step, product line, third party) and review it in quality or operational governance forums.
  • Tighten “use-as-is” approvals with risk rationale and (when applicable) customer authorization.
  • Integrate third-party follow-up (supplier corrective actions) into the same system so the chain of custody stays intact. 1

Frequently Asked Questions

Does “output” include services and software, or only manufactured product?

“Output” covers any deliverable from your processes, including services and software releases, if it has defined requirements and can be delivered or used downstream. Your control method can differ by output type, but identification, containment, disposition, and records still apply. 1

What is the minimum documentation an auditor expects for a nonconformance?

You need a record that identifies the nonconforming output, shows containment action, documents the disposition decision with approval, and shows completion and verification where applicable. Missing approvals or missing verification evidence are common findings. 1

Are concessions allowed under ISO 9001 Clause 8.7?

Clause 8.7 allows acceptance under concession, but it must be authorized and controlled so the acceptance is explicit and traceable to the specific nonconformance. Treat concessions as exceptions with clear approval authority. 1

How do we handle nonconforming outputs discovered after delivery?

Record the nonconformance, assess impact, communicate with the customer when required by the situation or agreement, and document corrective steps and any remediation. Auditors will check that post-delivery issues still follow controlled disposition and evidence retention. 1

How should we control nonconforming outputs from a third party?

Use the same core controls: identify, quarantine/contain, record, decide disposition (return, rework, concession), and retain communications and verification evidence. Ensure procurement and supplier owners are part of the approval and follow-up path. 1

Can we manage nonconformances in Jira/ServiceNow/ERP instead of a dedicated QMS tool?

Yes, if the tool enforces containment steps, captures approvals, and retains objective evidence with traceability. If evidence and approvals sprawl across systems, consider consolidating in a system like Daydream to keep the audit trail intact.

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements
