Non-conformances

Non-conformances

From the moment something goes wrong to the closed-out record an auditor will read — investigated, evidenced, and traceable.

For
Quality Managers, investigators, anyone who raises NCRs
Find it at
Sidebar → Non-conformances
Reading time
9 min

In one sentence

A non-conformance record (NCR) walks every issue from intake through investigation to closure — with the timeline, root cause work, and evidence captured in a way that auditors can follow back through later.

Three things to remember
  • An NCR is structured by tab — Overview, Define, Containment, Timeline, Root Cause, Actions, Evidence. Each tab has a single job; you don't have to hold the whole thing in your head.
  • The Timeline (ECFC) is the investigation. Capture events as you uncover them and the story builds itself.
  • The NCR can't close without its mandatory evidence. That's by design — the gate keeps records audit-ready.

How an NCR moves through QFormance

1
Raise it
Title, source, severity. AI can draft the basics from one sentence.
2
Contain
What you did to stop it spreading. Lives in its own tab.
3
Investigate
Timeline + root cause analysis. Pick the method that fits the failure mode.
4
Act
Corrective, containment, and preventive actions with evidence on closure.
5
Close
Mandatory evidence checks pass; the record locks.

Most NCRs touch every step. Some — small observations — skip RCA and close on evidence alone.

Raising an NCR

Click New NCR from the list page. The form asks for:

  • Title and description
  • Source — Internal Audit, Customer Complaint, Process Inspection, etc.
  • Severity — Critical, Major, Minor, or Observation
  • Detection date
  • Investigation lead
  • Facility and department scope

If AI is enabled and the NCR drafting feature is on, a Sparkles / AI Draft button appears at the top.

app.qformance.io/non-conformances/new

The new-NCR form with the AI Draft button at the top and a one-sentence description below

save as: public/docs-screenshots/non-conformances/ai-draft.png
1

AI Draft. Type a one-line description, click the button, the form fills in.

2

You stay in the chair. Every field the AI fills is editable. It's a draft, not a submission.

If AI is off at the org or feature level, the button just doesn't appear — the form works the same way without it.

Similar NCRs — recurring-issue detection

QFormance looks for past NCRs that resemble the one in front of you and surfaces them in two places. Behind both is the same hybrid search: a semantic embedding of the NCR's text is matched against the org's other NCRs, and a keyword (full-text) search runs in parallel; the two rankings are fused so the strongest matches rise to the top whether the wording is identical or just conceptually close. If embeddings can't run (AI off, provider down), the panel falls back to keyword-only ranking automatically.

On the AI Draft

When you use the AI Draft button, the draft also runs a similarity check. If close prior NCRs are found, the Recurrent issue flag is checked for you and the matches are listed in an amber notice above the form, each linking out to the past NCR. You can uncheck the flag if it doesn't apply — the notice is a heads-up, not a constraint.

On the NCR detail page

The Links area on every NCR's detail page carries a Similar NCRs panel showing up to five closest matches from the same organization. Each row shows the NCR number, title, and current status with one-click navigation. The panel only renders when there are matches — empty results hide it. It updates as the NCR's description, root cause, and other text fields evolve.

This pattern isn't NCR-specific — the same engine powers Similar Meetings, Similar Audit Findings, Similar Risks, and Similar Exemptions on those modules' detail pages. Each module has its own per-feature AI toggle (under Admin → AI Settings), so an org can opt into similarity on the modules that matter to them and leave others off.

The tabs at a glance

TabWhat lives here
OverviewSummary of every section, total losses, access status
DefineCore details, severity, losses
ContainmentImmediate containment actions
Timeline (ECFC)Structured event log of what happened
Root Cause Analysis5-Why, Fishbone, or Fault Tree
ActionsCorrective, containment, preventive
EvidenceMandatory and additional evidence files
AttachmentsGeneral file attachments not tied to a question
LinksConnections to documents, audits, meetings, risks, and products
AccessPer-record access control (if you have the capability)
HistoryThe unified record-history feed — see Record history

Timeline (ECFC)

The Timeline is where the investigation lives. It's not free text — it's a dual-lane log that distinguishes between what happened and the conditions around it.

app.qformance.io/non-conformances/NCR-2026-0418/timeline

The ECFC dual-lane timeline showing events on the left and conditions on the right

save as: public/docs-screenshots/non-conformances/timeline.png
  • Left laneEvents (blue) and Actions (green): what happened and what was done.
  • Right laneConditions (amber) and Decisions (purple): circumstances at the time and choices that were made.

Each entry has a timestamp, description, and can carry photos or files. Files uploaded to the timeline also appear in the Evidence tab automatically — you don't double-upload.

Losses

The Define tab has a Losses section. Each row captures one cost line:

  • Category — Labor, Materials, Penalties, or anything else you've configured.
  • Amount and Currency — multi-currency, one currency per row.
  • Notes — optional context.

Overview totals losses by category, so you see the financial impact alongside the investigation. Useful for the inevitable management review question: "what did this NCR actually cost?"

Root cause analysis

Pick the method that fits the failure mode. Each has its own structured editor — none of them are free text.

  • 5-Why — iterative why? drilldown. Best for human-error and process-gap failures.
  • Fishbone (Ishikawa) — causal categories radiating from the effect. Best for multi-factor failures.
  • Fault Tree — boolean-logic tree of contributing failures. Best for technical / safety-critical investigations.

You only need one. Switching mid-investigation is allowed but loses the prior method's content.

Capturing residual risk

When the RCA reveals an exposure that's bigger than this single NCR — a recurring failure mode, a missing control, an industry-wide concern — push it to the Risk Register without leaving the page.

app.qformance.io/non-conformances/NCR-2026-0418/rca

The Capture Residual Risk modal with an AI-drafted title, description, suggested controls, and a risk-level badge

save as: public/docs-screenshots/non-conformances/capture-residual-risk.png
1

AI-drafted title and description based on the root cause, corrective actions, and losses.

2

Suggested risk level — calibrated against your org's monetary thresholds and risk matrix bands.

3

Re-draft with AI if the suggestion isn't right; edit anything before confirming.

The new risk is a first-class register entry. It can be imported into MOCs, Exemptions, or JHAs from those modules' "Import from Register" flow.

The Capture Residual Risk button is disabled until root cause text exists, and hidden once the NCR is closed.

Actions

NCR actions roll up into the global Actions page — they're not buried inside the NCR. Each action has:

  • Type: Corrective, Containment, or Preventive
  • Assignee and due date
  • Status: Open → In Progress → Completed → (optionally) Verified
  • Closure notes — required before marking complete
  • Verification evidence — files, URLs, or document references
  • Optional link to the meeting where it was closed out

Evidence

The Evidence tab has two categories:

  • Mandatory — the NCR cannot close without these.
  • Additional — supporting artifacts that strengthen the record but aren't gate items.

Every upload tracks who and when. Files dropped on Containment, Timeline, or Actions also show up here, so the Evidence tab is the single inventory of the NCR's paper trail.

Watch out for: trying to close before evidence is in

The system blocks closure when mandatory evidence is missing. The Overview tab lists what's still required so you don't go hunting tab by tab.

Closing an NCR

Closing requires the Close NCR permission. With every mandatory evidence item present and every action complete, change status to Closed on the Overview.

If your organization has Require passkey for approvals turned on, closing an NCR prompts for a fresh passkey confirmation. The confirmation lasts 5 minutes. The user closing must have at least one passkey enrolled — see Auth policy and Passkeys.

Once closed:

  • All tabs become read-only.
  • The Activity log preserves the complete history.
  • The record stays searchable in the audit trail forever.

If new evidence emerges later that contradicts the closure, the Reopen button is available to anyone with the capability — reopening is itself logged in Activity.

Finding NCRs in the list

The NCR list page has a filter for every column right in the table header — narrow by source, severity, status, scope, and so on, all at once. A count of matching NCRs sits in a footer strip below the table, so you always know how big the set you're looking at is.

Was this helpful?
Suggest an edit →