AS9100 auditors look for objective evidence that you systematically identify, control, investigate, and prevent recurrence of nonconformances. The exact records they request depend on audit scope, your QMS implementation, and how you structure NC/CAPA, but there are common patterns.
1. Nonconformance identification and logging
Auditors typically start by sampling from your nonconformance (NC) population, then tracing each case end to end. They usually ask for:
- Nonconformance reports / records (NCRs), including:
- Unique NC ID and date opened/closed
- Clear description of the nonconformance (what, where, when)
- Source (in-process, final inspection, internal audit, supplier, customer, field return, etc.)
- Reference to applicable requirements (drawing, specification, work instruction, contract requirement)
- Classification / severity (e.g., major/minor, safety/airworthiness impact if used internally)
- NC logs or registers (summary listing) to show volume, trends, and status
- Evidence that NCs are raised consistently (e.g., examples from shop floor, inspection, MRB, internal audit)
2. Containment, segregation, and disposition
AS9100 emphasizes preventing unintended use or delivery of nonconforming product. Auditors usually request:
- Records showing immediate containment actions:
- Quarantine / hold tags or system holds in MES/ERP
- Blocked stock, WIP, or shipments
- Communication to affected areas (production, planning, quality, logistics)
- Material Review Board (MRB) or equivalent disposition records:
- Use-as-is / repair / rework / scrap decisions
- Engineering review and approvals when requirements are deviated from
- Concession/deviation permit records (including customer approval when required by contract)
- Reinspection / verification results after rework or repair
- Traceability records to ensure all affected lots/serials were captured in the containment scope
3. Risk assessment and impact analysis
For significant nonconformances, auditors expect evidence that you assessed risk and impact, especially for product already delivered or installed. Common records include:
- Risk assessments or impact analyses:
- Evaluation of potential effect on flight safety, reliability, or performance when relevant
- Assessment of impact on in-service product, spares, or downstream assemblies
- Review of previous lots, similar parts, or similar processes to check for systemic issues
- Records of field actions or service bulletins initiated as a result of the nonconformance (if applicable)
4. Root cause analysis records
AS9100 auditors focus heavily on whether root cause for significant or recurring NCs is identified and supported by evidence. They typically request:
- Root cause analysis documentation for sampled NCs, such as:
- 5 Whys, fishbone (Ishikawa), fault tree, or similar tools
- Interviews, data analyses, or experiments that support the stated root cause
- Distinction between immediate cause, contributing factors, and systemic/organizational causes
- Evidence of cross-functional participation (engineering, manufacturing, quality, supply chain as appropriate)
- Linkage between root cause and selected corrective actions (i.e., actions logically address the cause)
5. Corrective actions, preventive actions, and CAPA control
For nonconformances that trigger corrective action, auditors will test your CAPA process. Commonly requested records include:
- Corrective Action Requests (CARs) or CAPA records with:
- Problem statement tied to the NC record(s)
- Documented root cause and analysis method used
- Defined corrective actions (who, what, when) and completion dates
- Preventive or systemic actions when appropriate (e.g., procedure changes, training, poka-yoke, design review)
- Evidence of implementation:
- Updated procedures, work instructions, or drawings
- Training records and competence verification
- Changes in programs/parameters in machines or test equipment
- Supplier communication and approvals when the action involves suppliers
- Effectiveness checks:
- Follow-up audits or inspections targeted at the previous failure mode
- Trend data showing reduction or elimination of the issue over a defined period
- Closure approval indicating actions were reviewed and accepted by an authorized person
6. Linkage to production, configuration, and traceability records
In aerospace environments, auditors usually follow a nonconformance backward and forward through your records. They often request:
- Device history / batch records, routers, or travelers showing where and how the affected product was built
- Inspection and test records for affected and comparable product
- Configuration and revision history (drawings, BOMs, software/hardware baselines) valid at the time of the NC
- Calibration and maintenance records for equipment that contributed to the NC
- Supplier records:
- Certificates of Conformance (CoCs)
- FAI reports when relevant
- Supplier NC and corrective action records if the NC originated at a supplier
- Shipping and delivery records to identify where affected product went
7. Governance, trend analysis, and management review inputs
AS9100 requires that nonconformance and corrective action data feed into broader quality management processes. Auditors will typically ask for:
- Trend and KPI reports related to nonconformances and CAPA, such as:
- NC frequency by product, process, or supplier
- Repeat NCs and overdue CAPAs
- Scrap, rework, and associated cost of poor quality (where tracked)
- Internal audit reports and follow-up records where NCs were raised
- Management review inputs and outputs referencing NC/CAPA performance and decisions
8. Evidence of control in mixed and legacy system environments
In brownfield environments, nonconformance records often span paper, legacy MES/ERP, eQMS, and shared drives. Auditors typically do not require a single system but do expect:
- Clear document control and record retention rules for NC and CAPA records, regardless of system
- Ability to retrieve all related records for a sampled NC efficiently, even if they are spread across systems
- Traceable links between system identifiers (e.g., NCR number in eQMS and batch/lot numbers in ERP or MES)
- Change control records for any QMS or MES/eQMS configuration changes that affect NC/CAPA processes
Full replacement of legacy NC/CAPA tools purely for “audit readiness” can be high risk in regulated, long-lifecycle environments due to validation, integration, and downtime burdens. Auditors generally focus on consistency, traceability, and effectiveness rather than on a specific toolset.
9. Typical pitfalls auditors uncover
Across sites, auditors often find issues not because records do not exist, but because they are incomplete or inconsistent. Common problems include:
- Nonconformances logged without clear requirement references
- Containment documented for the initial lot only, with no evidence of broader impact checks
- Root cause statements that simply restate the problem or blame “operator error” without analysis
- Corrective actions that are either too narrow or not implemented as documented
- Effectiveness checks skipped, weak, or done too early to be meaningful
- Poor linkage between NCs, CAPAs, and production/traceability records, especially across systems
Preparing for an AS9100 audit typically means ensuring that, for a sample of nonconformances, you can pull a complete story: discovery, containment, root cause, corrective/preventive action, effectiveness, and traceability across all relevant systems and documents.
