Skip to content
CHANGEROUTE

Non-Conformance Report (NCR) Guide for UK Manufacturers

What Is a Non-Conformance Report?

A non-conformance report (NCR) is the document a quality manager raises when a product, process, material, or service fails to meet a specified requirement. The requirement might come from a customer specification, an internal procedure, an ISO 9001 control point, or a regulatory standard. The NCR records what happened, contains the issue, and triggers the corrective action process.

For UK manufacturers certified to ISO 9001:2015, NCRs are the daily evidence that the quality management system is working. Auditors do not look for an absence of NCRs — they look for NCRs that are raised quickly, contained properly, and closed with verified corrective action.

This guide covers what an NCR must contain, how it differs from a corrective action request (CAR), what ISO 9001:2015 actually requires (clauses 8.7 and 10.2), and how an SME quality manager can run an audit-ready NCR process without drowning in paperwork.

When Does an NCR Get Raised?

An NCR is raised the moment a non-conformance is detected. Common triggers in UK manufacturing SMEs:

  • In-process inspection finding — a CNC operator measures a dimension out of tolerance, a paint coating fails an adhesion test, a torque value is below specification
  • Goods-inwards rejection — material from a supplier fails incoming inspection (wrong grade, surface defect, missing certificate of conformity)
  • Final inspection failure — finished product fails a functional or dimensional check before despatch
  • Customer complaint — a customer returns product, raises a quality claim, or sends a Supplier Corrective Action Request (SCAR)
  • Internal audit finding — an ISO 9001 internal audit identifies a procedure not being followed
  • External audit finding — a UKAS-accredited certification body identifies a non-conformance during a surveillance or recertification visit
  • Management review observation — KPI data shows a process trending out of control

The trigger does not change the report structure. Whether the source is internal or external, the NCR records the same core information.

What an NCR Must Contain

ISO 9001:2015 clause 8.7 covers control of nonconforming outputs and clause 10.2 covers nonconformity and corrective action. Neither clause prescribes a fixed NCR form — the standard requires the information to be documented, not a specific format. That gives UK manufacturers flexibility, but most audit-ready NCRs contain the same fields:

Identification

  • NCR number — a unique reference (e.g. NCR-2026-014). Sequential numbering makes audit trails simple.
  • Date raised — when the non-conformance was detected
  • Raised by — name and role of the person raising the NCR

Description of the Non-Conformance

  • What is non-conforming — product, batch, process, document, or service
  • The requirement that was not met — drawing reference, customer specification, procedure number, ISO clause, or regulatory requirement
  • What was found — the actual condition observed, with measurements or evidence where possible
  • Quantity affected — number of parts, batch size, or scope of process affected
  • Where the non-conformance is located — work-in-progress area, finished goods, customer site, supplier

Containment Action

  • Immediate action taken — quarantine, hold, recall, stop-the-line, customer notification
  • Disposition decision — use-as-is (with concession), rework, return to supplier, scrap
  • Who authorised the disposition — name, role, date

Cause Analysis

  • Suspected immediate cause — initial assessment of why the non-conformance occurred
  • Root cause analysis required? — yes or no, and if yes which method (5 Whys, fishbone, 8D — our root cause analysis comparison explains when to use each, and the Fishbone Diagram Maker and 8D Report Builder tools help you run them). For systemic process risks, a Process FMEA review is a useful upstream technique.
  • Root cause(s) identified — once analysis is complete

Corrective Action

  • Action to address the immediate non-conformance — rework instructions, replacement, repair
  • Action to prevent recurrence — procedure change, training, design revision, supplier development
  • Who is responsible for closing the action
  • Target completion date

Verification of Effectiveness

  • How effectiveness will be measured — repeat inspection result, audit outcome, KPI trend
  • Verification result — pass or fail, with evidence
  • Verified by — name, role, date
  • NCR closure date

A one-page NCR form covering all these fields suits most SME operations.

NCR vs CAR: What's the Difference?

The terms NCR and CAR are sometimes used interchangeably, but they describe different stages of the same process.

Document Purpose When Raised Closes When
NCR (Non-Conformance Report) Records and contains the actual non-conformance At the moment the non-conformance is detected The non-conforming output has been dispositioned (used, reworked, returned, or scrapped)
CAR (Corrective Action Request) Drives the investigation, root cause analysis, and preventive action When the NCR shows a systemic issue, or when management/customer requires it Root cause is identified, corrective action is implemented, and effectiveness is verified

Not every NCR requires a CAR. A one-off operator slip on a single part may be closed with a rework instruction and a brief training note. A repeated dimension failure across multiple batches almost certainly requires a CAR with root cause analysis.

The decision criteria most UK SME manufacturers use:

  • Single occurrence, low impact — NCR only. Contain, disposition, close.
  • Repeat occurrence (same non-conformance seen before) — raise a CAR. Repetition is evidence the original corrective action was insufficient.
  • High-impact occurrence — raise a CAR regardless of frequency. High impact includes customer complaint, safety implication, regulatory non-conformance, or significant cost.
  • Customer or auditor required — raise a CAR. Customer SCARs and ISO audit findings almost always demand a documented investigation.

Linking the NCR to its CAR (and vice versa) is good practice. Auditors check that the two records are connected when reviewing a sample.

What ISO 9001:2015 Actually Requires

The two relevant clauses are 8.7 and 10.2. Neither prescribes form layout or numbering systems — they describe the outcomes the QMS must produce.

Clause 8.7 — Control of nonconforming outputs requires the organisation to identify and control nonconforming outputs to prevent their unintended use or delivery. The standard expects the organisation to:

  • Take appropriate action based on the nature of the non-conformance and its effect on conformity of products and services
  • Apply corrections such as segregation, containment, return, suspension of provision, or informing the customer
  • Obtain authorisation for acceptance under concession where applicable
  • Verify conformity to the requirements after correction

Clause 10.2 — Nonconformity and corrective action requires the organisation to react to non-conformance, evaluate the need for corrective action, implement action, and verify effectiveness. The standard expects documented information showing:

  • The nature of the non-conformity
  • The action taken
  • The results of corrective action

A complete NCR — with containment, disposition, cause analysis, corrective action, and verification — produces all the documented information the two clauses require. UK certification bodies (UKAS-accredited bodies such as BSI, NQA, LRQA, SGS) will sample NCRs at every surveillance visit.

For the verbatim text of clauses 8.7 and 10.2, refer to the official ISO 9001:2015 standard (available through ISO or BSI). The standard is paywalled — this guide describes its requirements but does not reproduce its text.

Running an Effective NCR Process in an SME

Larger manufacturers run NCRs through dedicated QMS software with workflow approvals and dashboards. SMEs with 5-50 employees rarely need this complexity. A simple but disciplined process is enough:

Step 1: Make NCRs Easy to Raise

Anyone in the organisation should be able to raise an NCR — operators, inspectors, customer service, purchasing. If the process requires three approvals to start an NCR, people will avoid raising them, and non-conformances will go unrecorded. The quality manager triages and ensures every NCR is properly progressed.

Step 2: Contain First, Investigate Second

The first priority is always to stop non-conforming product from reaching the next process step or the customer. Containment is recorded on the NCR before any cause investigation begins.

Step 3: Match Investigation Depth to Impact

A single out-of-tolerance part needs a containment action and a brief operator review. A batch of customer-rejected parts needs a structured root cause analysis. A safety-critical non-conformance needs a full 8D investigation. The depth of investigation is the quality manager's call — over-investigating routine issues is as wasteful as under-investigating serious ones.

Step 4: Close NCRs Within Defined Timescales

Most UK manufacturers set internal targets:

  • Containment — within 24 hours of detection
  • Disposition decision — within 5 working days
  • Corrective action implemented — within 30 calendar days
  • Effectiveness verified — within 90 calendar days of corrective action

Auditors look for NCRs that drag on indefinitely. An NCR open for 18 months without closure is a finding waiting to happen.

Step 5: Trend NCR Data

Individual NCRs answer "what happened to this part?" NCR trend data answers "where is our QMS failing?" Most ISO 9001 management reviews include NCR data: total raised, total closed, average closure time, recurring root causes, customer-reported vs internal-detected ratio.

The trend data is what drives system-level improvement. Twenty individual NCRs about the same machine producing the same dimension failure is not a quality control problem — it is a process capability problem requiring engineering investigation.

Common NCR Mistakes

UK certification body auditors regularly find the same NCR weaknesses across SMEs:

  • Containment recorded but disposition unclear — the NCR says "quarantined" but does not record whether the parts were eventually used, reworked, or scrapped
  • Root cause superficially described — "operator error" is not a root cause; the root cause is why the operator made the error (training gap, ambiguous work instruction, fatigue, tool failure)
  • Corrective action that only addresses the immediate occurrence — replacing the rejected parts is correction, not corrective action; corrective action prevents recurrence (see the CAPA guide for the correction vs corrective action distinction auditors test)
  • Effectiveness verification missing or rubber-stamped — auditors check that the verification record contains evidence (re-inspection result, audit outcome, KPI improvement), not just a signature
  • NCRs that never close — long-open NCRs suggest the organisation lacks the discipline or resource to drive issues to resolution

Avoiding these mistakes does not require sophisticated software. It requires a quality manager who reviews open NCRs weekly and chases each one to closure.

NCR Record Retention

ISO 9001:2015 does not prescribe a fixed retention period for NCR records, but most UK manufacturers retain NCRs for:

  • 3 years minimum — common SME default
  • 7 years — where the product is safety-critical (e.g. aerospace, medical devices, automotive safety parts)
  • Product life + statutory liability period — where the product is covered by extended warranty or statutory liability rules

Customer contracts often specify retention requirements that override the default. The retention period should be documented in the QMS procedure and applied consistently.

How ChangeRoute Fits

NCRs are one of the most common triggers for an Engineering Change Request (ECR). A pattern of NCRs against the same drawing or process is often the evidence base for a design change. ChangeRoute will link NCRs into the engineering change workflow — when an NCR indicates a design or process change is needed, the NCR raises an ECR automatically, with the supporting evidence attached.

If you run a UK manufacturing SME and want to spend less time managing quality paperwork in spreadsheets and Word documents, join the waitlist for early access.

Sources

  • ISO 9001:2015 — Quality management systems — Requirements. Available from ISO and BSI (paywalled).
  • ISO/TC 176 — the ISO Technical Committee responsible for ISO 9001: iso.org/committee/53882
  • UKAS — United Kingdom Accreditation Service, the UK accreditation body for certification bodies issuing ISO 9001 certificates.

Ready to automate your change management workflow?

ChangeRoute replaces paper ECRs with a structured digital workflow. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

Corrective Action and Preventive Action (CAPA): An ISO 9001 Guide for UK Manufacturers

What CAPA means under ISO 9001:2015, why 'preventive action' became risk-based thinking, and how UK manufacturing SMEs run an audit-ready corrective action process.

Change Control Procedure for ISO 9001: A Practical Template for UK Manufacturers

How to write a change control procedure that satisfies ISO 9001:2015 clause 8.5.6. A step-by-step structure UK manufacturing SMEs can adopt, with the records auditors check.

Root Cause Analysis: 5 Whys vs Fishbone vs 8D — When to Use Each

A decision-support guide for UK manufacturers: when to use 5 Whys, a fishbone diagram, or an 8D report for root cause analysis. Includes free tools for each method.