FAA and EASA do not work from a fixed, universal checklist of non-conformance records. Instead, they sample evidence that shows your approved processes are being followed and that safety and airworthiness risks are being controlled. In practice, that typically includes the following categories of non-conformance (NC) records and related evidence.
1. Non-conformance reports and defect records
Auditors commonly request examples of:
- Internal non-conformance reports (NCRs) or equivalent non-conformance documents raised on parts, assemblies, software, tooling, or processes.
- External / supplier non-conformance reports and incoming inspection rejections.
- Concessions, deviations, or waivers raised against design or process requirements.
- Rework and repair records tied to specific NCs, including re-inspection evidence.
- Scrap records where material was dispositioned as scrap due to non-conformity.
They will usually trace from a part, lot, or order back into at least one NC case to confirm that detection and documentation are functioning as defined in your procedures.
2. Disposition, MRB, and engineering decision records
Authorities typically focus on how non-conformances were evaluated and dispositioned, not just that they were logged. Expect requests such as:
- Material Review Board (MRB) records, including documented dispositions (use-as-is, repair, rework, scrap, return to supplier) and justification.
- Engineering dispositions and approvals for deviations from type design or approved data.
- Evidence that required signatories (e.g., DER, DOA, delegated engineering, quality) were involved where your procedures require it.
- Records showing that limits of authority were respected (what shop, MRB, and quality are allowed to decide vs. what must go to design or the approval holder).
Inadequate justification, missing approvals, or unclear authority boundaries are common audit findings.
3. Corrective and preventive action (CAPA) records
For systemic or repeated non-conformances, FAA or EASA will usually expect to see how you addressed root cause. They may request:
- Corrective action requests linked to significant NCs, escapes, or customer complaints.
- Root cause analysis records (e.g., 5-Why, fishbone diagrams, FMEA updates) demonstrating structured investigation.
- Implementation evidence for corrective actions (procedure changes, tooling updates, software changes, training, etc.).
- Verification of effectiveness (data trends, reduced recurrence, audit or inspection results).
- Preventive actions where risks were addressed before recurrence or escape.
Authorities often test whether you escalate appropriately: which non-conformances stay local and which trigger formal CAPA under your quality system.
4. Traceability and genealogy related to non-conformances
Beyond isolated NC records, auditors will usually test how you contain and trace issues. They may ask for:
- Traceability from an NC to affected lots, serial numbers, batches, and delivered products.
- Evidence of containment actions: holds, quarantines, stock sweeps, and recall decisions.
- Configuration and revision status of the affected products and processes at the time of non-conformance.
- Linkage between NC records and associated work orders, travelers, inspection plans, and as-built/as-maintained records.
Weak linkage between NCs and product genealogy is a significant risk area, especially in brownfield environments where ERP, MES, and QMS are not fully integrated.
5. Supplier-related non-conformance records
Regulators pay close attention to how you control and react to supplier issues. They often request:
- Supplier non-conformance reports, including delivery rejections and quality notifications.
- Records of supplier corrective actions, including verification of effectiveness.
- Evidence of flow-down of airworthiness or criticality requirements to suppliers.
- Supplier performance metrics or trend reports where NCs are aggregated and analyzed.
In complex supply chains, they may trace a single NC from your shop floor back through multiple tiers to understand systemic risk.
6. Concessions, deviations, and repairs to approved data
Where non-conformances affect airworthiness or type design, auditors often sample:
- Deviation permits, concessions, or waivers, including justification and scope limitations.
- Repair approvals, references to approved repair data, and evidence that approved instructions were followed.
- Evidence of feedback to the design organization (e.g., DOA, TC/PC holder) for recurring deviations.
- Records showing that any deviation from approved data was appropriately controlled and not applied outside its scope.
Here, traceability to approved design or repair data and clear boundaries of authorization are critical.
7. Rework, re-inspection, and re-release records
Authorities may want to see that once a part or assembly is found non-conforming, it does not re-enter the system without proper control. Typical evidence includes:
- Rework instructions and routing changes linked to the original NC.
- Post-rework inspection and test results.
- Updated as-built, as-repaired, or maintenance records reflecting the work performed.
- Final acceptance and release records indicating the basis for restoring conformity.
Audit findings often arise where rework is done informally or not fully captured in the traceable record.
8. Trending, analysis, and management review inputs
At the quality system level, FAA and EASA may request evidence that you analyze NC data and act on trends. Examples include:
- Non-conformance trend reports by part family, line, process, or supplier.
- Risk assessments where recurring NCs affect safety, reliability, or continued airworthiness.
- Inputs to management review that summarize NC performance and CAPA status.
- Decisions and actions recorded from management review meetings.
Authorities are looking for a closed loop: detection, correction, analysis, and prevention.
9. How system coexistence affects what you can show
In brownfield environments, non-conformance information is usually scattered across QMS, MES, ERP, and sometimes spreadsheets. This affects what you can readily provide during an audit:
- If systems are not integrated, be prepared to manually demonstrate linkage (e.g., NCR number to work order to serial number).
- Interfaces and data transfers should themselves be under change control and validation where your procedures require it.
- Replacing legacy systems solely to “look better” in audits is risky; regulators care more about control, traceability, and evidence than about specific tools.
Weak integration does not automatically mean non-compliance, but it raises the burden on local procedures, training, and evidence retrieval during audits.
10. Constraints and variations you should account for
The exact non-conformance records requested will depend on:
- Your approval basis (e.g., Part 21, Part 145, Part 145 approval in Europe, POA/DOA arrangements, production vs. maintenance).
- The scope of the audit (system-level vs. product-specific, initial approval vs. continued oversight).
- Your own documented procedures and how you define and categorize NCs, CAPA, and MRB.
- Past findings, occurrences, or incidents that may trigger targeted sampling.
There is no guarantee that a specific set of records will satisfy an auditor; what matters is consistency with your approved system, clear traceability, and evidence that non-conformances are controlled, analyzed, and fed back into continuous improvement.