FAQ

What records do AS9100 auditors typically request for nonconformances?

AS9100 auditors typically request a cross-section of records that show how you identify, evaluate, disposition, correct, and prevent recurrence of nonconformances. The exact list depends on your QMS structure, digital systems, and audit scope, but the themes are consistent.

1. Nonconformance & defect records

Auditors usually start with the core evidence that you recognize and document nonconformances:

  • Nonconformance reports (NCRs) for product, process, documentation, and supplier issues
  • Links from NCRs to specific parts, lots, work orders, serial numbers, and revisions
  • Evidence of who detected the issue (inspection, operator, customer, supplier, internal audit, etc.)
  • Classification/criticality (e.g., minor/major, safety-impacting, flight-critical, special processes)
  • Date/time stamps for detection, logging, and closure to demonstrate timeliness

In digital environments, this can span MES, QMS, and ERP. Auditors will want to see how you maintain traceability when multiple systems are involved.

2. Containment, segregation, and risk control

Next, auditors look for how you prevent suspect product from escaping or being used:

  • Records showing physical segregation or positive control of nonconforming product (quarantine locations, hold tags, status in MES/ERP)
  • Hold/release transactions and status changes with user and timestamp
  • Line stop / work stop / ship hold records, where applicable
  • Evidence of notification to affected internal stakeholders (planning, production, quality, supply chain, MRO) when risk is broad

Where containment is modeled in multiple systems (e.g., ERP inventory hold plus MES operation block), auditors usually probe for gaps or mismatches.

3. MRB and disposition decisions

AS9100 emphasizes controlled disposition of nonconforming outputs. Auditors typically sample:

  • MRB (Material Review Board) records for rework, repair, use-as-is, scrap, or return to supplier
  • Engineering and quality approvals, including signatures or validated e-signatures
  • Technical rationale for disposition decisions, particularly for use-as-is and repair
  • Associated concessions/deviations and customer approvals where required by contract
  • Linkage between MRB decisions and configuration/airworthiness impact for serialized and safety-critical items

In brownfield environments, parts of MRB evidence may exist in PLM, engineering change tools, or email archives. Auditors often test whether all required disposition approvals are captured in a controlled record, not just in ad hoc communication.

4. Corrective action and root cause analysis (when required)

Not every NCR requires a full corrective action, but auditors expect a consistent method to determine when to escalate. They typically request:

  • Corrective action requests (CARs) or CAPA records linked to significant or recurring NCRs
  • Root cause analysis documentation (e.g., 5-Why, fishbone, 8D or RCCA reports)
  • Identification of systemic vs. isolated causes, and justification when no systemic action is taken
  • Defined corrective actions, owners, due dates, and status tracking
  • Risk evaluation: impact on safety, conformity, delivery, and customer obligations

If problem-solving is done in spreadsheets or local templates instead of a central QMS, auditors typically probe for version control, access control, and completeness of records.

5. Implementation and effectiveness of actions

AS9100 auditors nearly always ask for evidence that actions were both implemented and effective:

  • Records showing implementation of process, documentation, or training changes (e.g., revised work instructions, updated control plans, updated inspection plans)
  • Training and qualification records for affected personnel, where new methods or criteria were introduced
  • Verification/validation of effectiveness (e.g., defect trend charts, capability studies, audit checks, sampling results)
  • Documented closure of corrective actions with rationale for why actions are considered effective

Where systems are fragmented, auditors may challenge the traceability from a CAPA record to actual changes implemented in MES routes, ERP BOMs, PLM revisions, or work instructions.

6. Linkage to configuration, documents, and change control

Nonconformances in aerospace often have configuration and document impacts. Auditors commonly review:

  • References from NCRs and CAPA records to applicable drawings, specifications, and revision levels
  • Links to engineering change requests/orders where design changes were triggered by recurring nonconformances
  • Evidence that obsolete instructions, forms, and inspection criteria were removed from use after changes
  • Controlled templates and forms used for NCR, MRB, and RCCA and their current revision status

In brownfield plants, changes may be updated in PLM but lag in MES or paper travelers. Auditors often test whether nonconformance learnings are actually propagated into the operating instructions and systems used on the line.

7. Trend, risk, and management visibility

AS9100 requires using nonconformance data for improvement and risk-based thinking. Auditors usually request:

  • Nonconformance and defect trend reports by part family, process, line, supplier, or program
  • Analysis outputs that feed risk registers, FMEA updates, or control plan adjustments
  • Management review inputs and minutes that show discussion of significant nonconformances and systemic actions
  • KPIs related to nonconformances (e.g., internal PPM, scrap, rework, major vs. minor findings, supplier defect rates)

If data is pulled manually from multiple systems, auditors may question data integrity, completeness, and repeatability of the analysis.

8. Supplier and customer-facing nonconformance records

For organizations with extensive supply chains or direct OEM contracts, auditors also request:

  • Supplier NCRs and associated communications (returns, corrective action requests to suppliers, and approvals)
  • Customer nonconformance/escape reports and returned product records
  • Evidence of timely response to customer-issued corrective actions and 8D/RCCA requests
  • Concession/deviation records and customer approvals where nonconforming product was accepted under controlled terms

Where supplier and customer quality portals are used, auditors may also ask how data from those portals is integrated into your internal NCR and CAPA system.

9. System evidence: access, audit trails, and validation

In digital and mixed paper/digital environments, AS9100 auditors often look at the robustness of the underlying systems:

  • System audit trails showing who created, modified, and closed NCR/MRB/CAPA records
  • User access controls and role definitions for approving dispositions and corrective actions
  • System validation or qualification documentation where systems are used to control and retain quality records
  • Backup and retention policies for nonconformance records consistent with contract and regulatory expectations

If different plants or business units use different tools (e.g., one site on QMS software, another on Excel), auditors typically test whether each approach is adequately controlled and yields complete, retrievable records for the required retention period.

10. Brownfield and coexistence considerations

In long-lifecycle aerospace environments, nonconformance evidence is rarely in a single system. Auditors are accustomed to seeing:

  • Legacy NCR records in older QMS or MES platforms with partial migration to newer tools
  • Mixed paper and electronic MRB records, especially for older programs
  • Email or shared-drive usage to supplement formal systems

This is not automatically noncompliant, but it increases audit risk if traceability is weak or if records are hard to retrieve or verify. Full replacement strategies can be challenging because they require data migration, re-validation, and re-training under tight downtime constraints. Auditors typically care less about tool standardization and more about whether your chosen mix of systems consistently produces complete, controlled, and retrievable nonconformance records with clear traceability.

Ultimately, AS9100 auditors look for objective evidence that nonconformances are systematically captured, risk-controlled, technically justified, escalated when needed, and used to drive effective, verified corrective actions. The stronger and more traceable your record set across NCR, MRB, CAPA, and change control, the smoother the audit will be.
