Aerospace companies should use a structured, risk-based triage process so that only nonconformities with real safety, regulatory, or systemic risk enter formal corrective action. Not every NCR warrants a full CAPA or 8D, and overusing formal corrective action can hide the signals you actually need to act on.
Start from your QMS and regulatory obligations
Before defining prioritization, confirm what your quality management system and customer / regulatory commitments already require. In many AS9100-based systems, you must treat as candidates for formal corrective action any nonconformities that:
- Impact airworthiness, safety, or mission performance
- Indicate a systemic failure of a process, procedure, or control
- Result in delivered nonconforming product or an external escape
- Recur despite previous containment or correction
- Originate from audit findings classified as major or systemic
These obligations set the floor. Your internal prioritization model can be stricter, but not looser.
Define explicit triage criteria
To avoid subjective case-by-case decisions, define clear criteria that determine which nonconformities are escalated into formal corrective action. Common dimensions include:
- Safety and regulatory impact
Does the nonconformity affect structural integrity, flight safety, containment, or mission-critical performance? Does it violate certified configuration, controlled characteristics, or regulatory approvals?
- Escape and field risk
Did the nonconformity escape to the customer or into the field? Could similar issues be undetected in other lots, aircraft, or assemblies?
- Frequency and recurrence
Is this a repeat of the same or similar issue (same part family, process, station, supplier, or failure mode)? Has it occurred across multiple programs or sites?
- Systemic vs isolated
Does it point to a gap in procedures, training, design, tooling, planning, or software configuration, as opposed to a one-off execution error?
- Severity of consequence
What is the worst credible consequence if the nonconformity goes undetected? Consider safety, functional performance, customer impact, scrap, rework, and schedule disruption.
- Detection and containment effectiveness
Was the issue caught by robust controls at the point of introduction, or did it bypass multiple layers of inspection and test?
- Customer and program sensitivity
Is the part, program, or customer classified as critical, strategic, or highly visible, where low tolerance for risk is documented?
Use a risk-based scoring or matrix
Many aerospace organizations formalize these criteria in a simple risk matrix or scoring tool, aligned with AS9100 principles. A typical approach is to rate each nonconformity on:
- Severity (impact if undetected)
- Occurrence (likelihood or demonstrated frequency)
- Detection (how easily it is or can be detected)
You can then define thresholds, for example:
- High risk: Mandatory formal corrective action (e.g., CAPA / 8D with full root cause analysis, verification, and effectiveness checks).
- Medium risk: Limited-scope corrective action or focused problem-solving (e.g., streamlined 5-Why or containment plus targeted prevention) with documented justification.
- Low risk: Correction only (fix and record), no formal corrective action, but still trended and visible in your quality metrics.
The important part is consistency and documented rationale. Auditors and customers generally expect to see that your criteria are defined, applied, and periodically reviewed.
Do not send every NCR into CAPA
Routing every nonconformity into a full corrective action workflow is usually a failure mode, not a best practice. Problems include:
- Signal dilution: High-severity issues are buried under low-impact events.
- Overload: Engineering, quality, and MRB resources spend time on trivial issues, delaying work on true systemic risks.
- Poor quality of analysis: Staff learn to “check the box” on root cause analysis instead of doing serious investigation where it is warranted.
- Audit exposure: Large backlogs of open, low-impact CAPAs can draw auditor scrutiny and create the perception of an ineffective system.
A risk-based triage process should show that most nonconformities are corrected, recorded, and trended, while a smaller, high-risk subset is escalated into formal corrective action.
Clarify roles and decision points
A practical prioritization model defines who makes the call and when. For example:
- Front-line quality or inspectors initiate NCRs with required data fields (part, operation, defect code, suspected cause, detection point).
- An MRB or similar cross-functional body performs initial triage, using your risk matrix and criteria.
- High-risk cases are immediately escalated into formal corrective action workflows in the QMS.
- Medium- and low-risk cases follow documented paths for correction, concession/deviation (if allowed), and trend monitoring.
The decision and rationale should be recorded in the NCR or CAPA record, not just decided verbally. This supports traceability and audit defense.
Integrate with existing NCR, QMS, and MES systems
In brownfield aerospace environments, nonconformities are often scattered across MES, ERP, PLM, and standalone QMS tools. Prioritization will only work if:
- NCRs capture the data you need for risk assessment (severity, escape, recurrence, safety relevance, detection point).
- Your QMS or CAPA system can distinguish between correction-only events and formal corrective actions, with clear statuses and links to the original NCRs.
- MRB and quality engineers have visibility across systems (e.g., can see historical NCRs on the same part or process) without manual spreadsheet work.
- Changes resulting from major CAPAs (work instructions, routings, tooling, inspection plans) flow through controlled change processes and reach the shop floor consistently.
Full replacement of legacy QMS or MES tools solely to improve NCR triage is rarely practical in aerospace due to validation burden, requalification of processes, downtime constraints, and the need to preserve long-term traceability. Most organizations incrementally layer better triage rules, workflows, and data integration on top of existing systems.
Use trending to refine what gets a formal corrective action
Prioritization is not static. Over time, you should use trend data to adjust what warrants formal corrective action:
- Identify low-severity issues that are becoming frequent enough to indicate a systemic problem.
- Reclassify repeated “minor” issues into higher risk categories when they cross defined thresholds.
- Retire CAPAs that no longer add value, while maintaining surveillance on the associated metrics.
- Feed lessons learned into design, FAI planning, process FMEAs, and inspection strategies.
This requires that even correction-only NCRs remain visible in dashboards or reports so that emerging patterns are not missed.
Common pitfalls to avoid
- No written criteria: Relying on individual judgment without documented rules leads to inconsistent decisions and weak audit posture.
- Ignoring escapes: Treating customer escapes as routine NCRs instead of triggers for formal corrective action.
- Under-documenting rationale: Failing to record why a nonconformity did or did not get a corrective action assignment.
- Disconnected systems: NCR, CAPA, and MRB data spread across tools with no consolidated view of risk, recurrence, or effectiveness.
- Not validating changes: Implementing process changes from CAPA without proper validation, training, and change control, which can introduce new failure modes.
When prioritization is risk-based, criteria-driven, and integrated with your existing NCR and QMS infrastructure, aerospace companies can focus formal corrective action on the relatively small set of nonconformities that pose real safety, regulatory, or systemic risk, while still maintaining traceability and continuous improvement across the broader nonconformance population.
