ISO Digital Solutions Get the QMS Framework

SGRII Insights  ·  ISO 9001:2015  ·  2026

Release & Nonconforming Outputs — The Last Line of Defence and What Happens When It Fails

Concessions without authority. Rework without re-verification. Release decisions made by people who weren’t authorised to make them. This is where conformity either holds or collapses.

Clause 8.6 — Release of Products and Services: Who Decides, and on What Basis?

Clause 8.6 requires the organisation to implement planned arrangements at appropriate stages to verify that product and service requirements have been met. Release shall not proceed until the planned arrangements have been satisfactorily completed — unless otherwise approved by a relevant authority and, as applicable, by the customer.

Two elements are non-negotiable: the release criteria must be defined in advance (the “planned arrangements”), and the person authorising release must have the documented authority to do so. In many SMEs, neither condition is fully met. Release decisions are made informally — a supervisor checks the product, nods, and it ships. No record of what was checked, against what criteria, or who authorised the decision. When an auditor asks to see release evidence for a specific batch, the answer is silence or a retrospective signature.

The standard also requires the organisation to retain documented information on the release, including evidence of conformity with acceptance criteria and traceability to the person authorising the release. This isn’t bureaucratic — it’s the mechanism that allows the organisation to respond when a customer questions whether a product met specification at the point of release. Without this record, the organisation has no defence.

The Concession Problem

The “unless otherwise approved” provision in Clause 8.6 creates a controlled mechanism for concession — releasing product that doesn’t meet all specified requirements, with documented approval. In practice, this mechanism is abused. Products are released with known deviations under time pressure, with verbal approval from someone who may or may not have the authority to grant concession, and without documented justification of why the deviation is acceptable.

A well-designed concession process requires: identification of the specific deviation, risk assessment of the deviation’s impact on product performance and safety, approval by a designated authority (not the person who produced the deviation), customer notification where required, and a documented record. If any of these elements is missing, the concession is uncontrolled — and the release decision is a nonconformity in itself.

The SGRII framework builds concession authority directly into the release procedure. The authority level for standard release, concession release, and rejection is defined — so the system doesn’t depend on ad hoc judgment under pressure.

Clause 8.7 — Control of Nonconforming Outputs: Beyond the NCR Form

Clause 8.7 requires the organisation to ensure that outputs not conforming to requirements are identified and controlled to prevent their unintended use or delivery. The clause specifies four disposition options: correction (fix it), segregation/containment/return/suspension, informing the customer, and obtaining authorisation for acceptance under concession.

Most organisations have a nonconformance report (NCR) form. Many have a stack of NCR forms that follow a predictable pattern: describe the nonconformity, circle “rework” as the disposition, sign off the rework, close the NCR. This captures the event but adds no value. The questions that would add value — what caused this, has it happened before, could it happen again, what does the pattern tell us — are deferred to Clause 10.2 corrective action, which often isn’t triggered because the NCR is “closed.”

The critical missing step is re-verification. Clause 8.7.1 explicitly requires that when nonconforming outputs are corrected, they shall be subject to re-verification to demonstrate conformity with requirements. Rework without re-verification is incomplete disposition — the organisation has attempted to fix the product but cannot demonstrate the fix worked. This is a common audit finding that surfaces during product traceability reviews: the NCR shows rework was performed, but no record exists of the product being re-inspected against the original acceptance criteria.

Nonconforming Outputs in Service Organisations

Service organisations often struggle with Clause 8.7 because the “output” is intangible. A consulting report with incorrect analysis. A training session delivered with outdated content. A logistics service that delivered to the wrong address. Each is a nonconforming output, but traditional NCR forms designed for physical products don’t capture them well.

The standard doesn’t prescribe the format — it prescribes the controls. The organisation must identify the nonconformity, determine the disposition, take action, and retain documented information. For a service nonconformity, this might mean: identifying the service failure, determining the corrective service action (re-delivery, re-performance, compensation), verifying the correction was effective, and recording the event. The mechanism is identical; only the application changes.

The connection to Clause 10.2 is where real value emerges. A single nonconforming output is an event. A pattern of nonconforming outputs is a system problem. The NC & CA Register should capture both — and the analysis should identify whether the cause is a process deficiency, a competence gap, an equipment failure, or an external provider issue. Each root cause category points to a different clause and a different corrective action pathway.