You should share the data the supplier needs to understand the non-conformance, determine affected scope, investigate root cause, and respond with containment or corrective action. You should not share all related records by default.
In practice, the right data set depends on part criticality, contractual obligations, customer flow-downs, export control limits, security rules, and how your NCR, ERP, PLM, MES, and supplier quality processes are configured. In regulated and high-traceability environments, over-sharing can create control problems, while under-sharing can delay containment and drive poor corrective actions.
Supplier and purchase order identifiers, including line item and release if relevant.
Part number, revision, description, and affected quantity.
Lot, batch, serial, heat, or other traceability identifiers tied to the affected material or product.
Date discovered, receiving or production step where found, and current disposition status if one exists.
A clear description of the non-conformance, including requirement violated and observed condition.
Objective evidence such as inspection results, measurements, photos, test data, or defect images, if permitted.
Reference to the governing requirement, such as drawing characteristic, specification clause, work instruction step, or purchase requirement.
Scope of suspected impact, including whether the issue appears isolated or potentially systemic across lots, jobs, or shipments.
Requested response content and due dates, such as containment, sort criteria, replacement plan, 8D, or RCCA expectations.
Some data may be necessary in some cases, but should be shared only after classification and access review:
Customer names, end-use details, or program information.
Controlled technical data, including ITAR- or defense-restricted content.
Full drawing packages, models, or process details not needed for the investigation.
Internal risk assessments, audit notes, or privileged legal analysis.
Other suppliers’ information, comparative source data, or internal cost models.
Broader manufacturing history that is not relevant to the event.
If the supplier needs controlled technical context to investigate, share the minimum necessary version under the approved channel and retain a record of what was sent, to whom, when, and under what authority.
The data is only useful if it is specific, versioned, and traceable. A vague supplier NCR with no exact requirement reference, no affected identifiers, and no evidence often produces weak responses and repeated exchanges.
At minimum, make sure the supplier can answer these questions:
What exactly failed?
Against which requirement or revision?
Which units, lots, or shipments are affected?
Where was it found?
What evidence supports the finding?
What response is required, and by when?
In many plants, the needed data is split across QMS, ERP, MES, PLM, receiving, inspection systems, email, and shared drives. That means the practical answer is not just policy. It depends on whether your item master, revision control, supplier records, and traceability links are reliable enough to assemble a correct supplier package quickly.
If your systems are not well integrated, do not assume a portal or workflow tool will fix the problem by itself. Supplier-facing NCR workflows are only as good as the underlying part, revision, lot, and evidence data. In regulated environments, full replacement of legacy stacks often fails because of validation burden, downtime risk, integration complexity, and long asset lifecycles. A controlled coexistence approach is usually more realistic, with clear system-of-record rules and audited handoffs.
Share the minimum complete data set needed for effective supplier action. Minimum means controlled and need-to-know. Complete means enough to support containment, impact analysis, and root cause work without guesswork.
That usually requires a standard supplier NCR package, a data classification rule, and approval logic for controlled technical data. It also requires change control over forms, fields, and integrations so that what you send is consistent and reconstructable later.
No single list fits every supplier or every event. For a cosmetic defect on a standard part, the package can be narrow. For a traceability break, special process issue, or potential escape on serialized product, the package will usually need more evidence, tighter scope definition, and stronger access controls.
Whether you're managing 1 site or 100, C-981 adapts to your environment and scales with your needs—without the complexity of traditional systems.
