Introduction
When a product, service, or in-process output fails to meet requirements, Clause 8.7 governs exactly what must happen next. The goal is straightforward: prevent nonconforming outputs from reaching customers or being used unintentionally within operations.
Most organizations fix the issue and move on — skipping the structured cycle the clause actually requires. Identification, controlled action, re-verification, and documented evidence are all mandatory steps. Fixing something isn't enough if you can't prove you did it correctly.
This guide covers what quality managers and operations teams need to implement Clause 8.7 correctly:
- What qualifies as a nonconforming output under the standard
- The four prescribed actions in Clause 8.7.1
- Mandatory documentation under Clause 8.7.2
- Practical implementation steps
- How Clause 8.7 differs from Clause 10.2
- Common audit failures — and how to avoid them
What Is a Nonconforming Output Under ISO 9001?
ISO 9000:2015 defines "nonconformity" as "non-fulfilment of a requirement" and "output" as the "result of a process." Combined, the definition covers any process result that fails a specified requirement — and the range of outputs that qualify is wider than many organizations initially assume.
Scope: Beyond Defective Finished Products
A nonconforming output is any process result that fails a specified requirement — regardless of what set that requirement. Customer specifications, internal standards, and regulatory obligations all count.
Examples that fall under Clause 8.7 include:
- A machined part outside of tolerance
- A flawed design drawing issued for production
- An invoice with incorrect line items
- A service delivery that missed a contractually defined response time
- A software build that fails acceptance testing
The ISO/IAF service-organization guidance explicitly links service-process nonconformities to Clause 8.7 — so professional services firms, logistics providers, and testing labs are just as subject to this requirement as manufacturers.
When Can a Nonconformity Surface?
At any point. During production, inspection, testing, peer review, service delivery, or after delivery to the customer. The stage of detection doesn't change the obligation — it only changes which response options are practical.
The Four Actions for Nonconforming Outputs — Clause 8.7.1
Clause 8.7.1 of ISO 9001:2015 requires organizations to take "appropriate action based on the nature of the nonconformity and its effect on conformity of products and services." Four actions are defined:
- Correction — rework, revise, or reprocess the output until it meets requirements
- Segregation, containment, return, or suspension — isolate the output to prevent unintended use
- Informing the customer and obtaining concession — notify affected parties and document authorization to proceed
- Stopping production or delivery — halt the process when other actions are insufficient
Each action is covered below.
Correction
Correct the output directly — rework it, revise it, or reprocess it until it meets requirements. After any correction, conformity must be re-verified before the output is released. This re-verification step is where many organizations slip: they fix the problem but release the output without confirming it now passes acceptance criteria.
A practical example: a CNC-machined shaft that was turned 0.003" oversize gets re-machined to spec, then remeasured against the original drawing before it moves to assembly.
Segregation, Containment, Return, or Suspension
When correction isn't feasible — or when further use of the output would create risk — the right move is isolation. Physical segregation means placing nonconforming items in a designated hold area and tagging them clearly so no one inadvertently uses them.
Containment may mean halting a production run, pulling a batch from distribution, or suspending a service. This action also applies to supplier-provided nonconforming goods: if incoming material fails inspection, it goes on hold and may need to be returned to the supplier.
Informing the Customer and Obtaining Concession
If a nonconforming output has already been delivered, or if the organization wants to offer it to the customer despite the nonconformity, the customer must be notified. ISO 9000:2015 defines a concession as "permission to use or release" a product or service that does not conform to specified requirements. That permission must be documented — an informal verbal agreement won't satisfy the standard.
Concessions are a deliberate, authorized decision. They are not a workaround for avoiding rework.
Proportionality Matters
Across all four actions, one principle governs how far the response should go: the action must match the severity of the nonconformity. A cosmetic blemish on a non-critical surface that doesn't affect function warrants different handling than a structural weld defect in a pressure vessel.
A simple test: what is the worst plausible outcome if this output is used as-is? That answer should drive which action — or combination of actions — the organization selects.
Documentation Requirements Under Clause 8.7.2
Clause 8.7.2 is a mandatory retained documented information requirement. The organization must keep records — not just take action.
What a Nonconformance Record Must Include
Four elements are required:
- Description of the nonconformity — what failed, where, and how it was identified
- Description of actions taken — which 8.7.1 disposition was applied and what was done
- Description of any concessions obtained — including the customer's authorization
- Identity of the person or role who authorized the disposition decision
These records are typically maintained in a Nonconformance Report (NCR) form and tracked in an NCR Register or log.
Maintain vs. Retain — A Critical Distinction
ISO 9001:2015 uses these two terms deliberately. Per ISO/TC 176 documented information guidance:
- Maintain = keep a living procedure document that supports how the process operates
- Retain = archive evidence (records) that prove what actually happened
Clause 8.7 sits on the "retain" side. That means NCR records must be archived for a defined period consistent with your Clause 7.5 documented information control procedures — not just created and then discarded.
The Strategic Value of Good Records
A well-maintained NCR log does more than satisfy an auditor. Over time, it becomes a data source for:
- Trend analysis (which processes generate the most nonconformities?)
- Management review inputs
- Root cause analysis
Repeated similar nonconformities showing up in the log are a red flag for auditors, and should be a trigger internally to escalate to a Clause 10.2 corrective action.
That escalation is only reliable when your NCR records are complete, searchable, and linked to corrective actions — not buried in a shared drive or split across spreadsheets. Synergistic Systems' cloud-based QMS intranet centralizes NCR records, corrective action tracking, and management review inputs in one system, so the data your log generates actually drives improvement rather than sitting in a folder.
How to Implement Clause 8.7 in Practice
Compliance starts with a documented procedure that tells any employee — not just quality staff — exactly what to do when they find something that doesn't meet requirements. Vague instructions produce inconsistent outcomes.
The Implementation Sequence
Follow these steps in order:
- Identify and place on hold — tag the nonconforming output and move it to a designated quarantine area or halt further processing
- Notify the responsible person — alert the quality function or process owner immediately
- Evaluate and select the action — assess severity, then choose the appropriate 8.7.1 disposition (correction, segregation, customer notification, or concession)
- Execute the action — carry out the disposition; if correction was applied, re-verify the output against acceptance criteria before releasing it
- Document in the NCR log — record all four required elements from Clause 8.7.2
- Evaluate for escalation — determine whether the issue meets your organization's criteria for a Clause 10.2 corrective action
Training Beyond the Quality Department
The sequence above only works if nonconformities are caught where they happen — on the shop floor, in a service delivery role, during a design review. That means training must reach production operators, service technicians, and anyone who might encounter a nonconforming output before it reaches a quality checkpoint.
Synergistic Systems addresses this directly through working sessions with client teams at every level, from top management to hourly employees. The goal is to embed nonconforming output control into daily operations — so the procedure gets followed consistently, not just documented.
Multi-Site Consistency
Once training is in place, organizations with multiple locations face a separate challenge: keeping nonconformance identification and handling consistent across all sites. A centralized, cloud-based procedure system helps by giving every location access to the same documented procedure and a standardized format for recording required NCR information — so records are comparable and auditable regardless of which site generates them.
Clause 8.7 vs. Clause 10.2: Understanding the Key Difference
Both clauses address nonconformities — but they operate at different levels. Here's how they divide the work:
| Clause 8.7 | Clause 10.2 | |
|---|---|---|
| Focus | The specific nonconforming output | The systemic root cause |
| Scope | Immediate output-level response | Organization-wide corrective action |
| Records | NCR log entry (description, action, concession, authority) | Evidence of root cause analysis, actions taken, and results |
| Trigger | Any identified nonconforming output | Recurring, systemic, or high-risk nonconformities |
A Practical Example
A single batch of products is incorrectly labeled. You catch it before shipment, re-label the batch, document it, and close the NCR. That's Clause 8.7 — handled.
Now mislabeling occurs across three different batches over two months. That pattern points to a systemic failure — a process gap, a training deficiency, or a labeling control that was never properly defined. Clause 10.2 kicks in: root cause investigation, corrective action plan, effectiveness verification.
One event can trigger both. A major nonconformity might require immediate Clause 8.7 action on the output and a Clause 10.2 investigation running in parallel. Organizations that treat these as mutually exclusive leave themselves exposed during audits. Your NCR procedure should include explicit escalation criteria so this decision isn't left to judgment in the moment.
Common Audit Findings Under Clause 8.7
NQA's audit evidence guidance identifies four types of evidence auditors expect for Clause 8.7: nonconformance reports, quarantine or hold labels, corrective or rework records, and authorized disposition decisions. Gaps in any of these are audit vulnerabilities.
The most common findings include:
- No physical segregation — nonconforming items are not visually identified or separated from conforming stock; auditors will walk the floor and look
- Incomplete NCR documentation — actions were taken but not recorded, or concessions were given verbally without documentation
- No re-verification after correction — corrected outputs were released without being re-checked against acceptance criteria
- No post-delivery process — organizations that only handle pre-delivery nonconformities are exposed when auditors ask how customer complaints or field failures are linked back to Clause 8.7
That last point catches many organizations off guard. If a customer calls about a defective shipment and your organization has no documented process connecting that complaint to Clause 8.7 controls, it is a finding.
These are exactly the gaps that surface during Synergistic Systems' Step 8 system-wide internal audit — conducted before the Stage 1 or Stage 2 registration audit so vulnerabilities get closed on your terms, not the registrar's.
Frequently Asked Questions
What is ISO 9001 Clause 8.7 control of nonconforming outputs?
Clause 8.7 requires organizations to identify any output — product, service, or in-process result — that fails to meet requirements, take controlled action to prevent its unintended use or delivery, and retain documented records of the nonconformity and all actions taken.
What should be done if nonconforming outputs are identified during an internal audit?
The auditor records the finding, and relevant personnel must segregate or control the nonconforming output immediately. Appropriate Clause 8.7.1 disposition action must follow. If the issue is systemic or recurring, a Clause 10.2 corrective action should be initiated alongside the immediate response.
What ISO clause covers control of documented information?
Clause 7.5 governs documented information in ISO 9001:2015, covering how documents and records are created, updated, and controlled. Clause 8.7.2 sits within that framework as a specific requirement to retain records about nonconforming outputs.
How is Clause 8.7 different from Clause 10.2?
Clause 8.7 addresses the immediate control and disposition of a specific nonconforming output. Clause 10.2 requires root cause analysis and a corrective action plan to prevent recurrence of systemic or repeated nonconformities. Both may apply to the same event.
Can a nonconforming product or service be released to a customer?
Yes, but only under concession. The customer must be informed and must provide documented authorization to accept the nonconforming output. That authorization must be retained as part of your documented records.
What records must an organization retain under Clause 8.7.2?
Four elements are mandatory: a description of the nonconformity, the actions taken, any concessions obtained, and the identity of the person who authorized the disposition decision.
