The aerospace standard, AS9100C—“Quality management systems—Requirements for aviation, space and defense organizations,” (aka AS9100:2009 Revision C) has been released for some time now, and the early results are in. For the most part, our customers, those of National Quality Assurance (NQA), that have transitioned to the new standard, have successfully navigated myriad new deadlines, rules, requirements, and even new audit report forms to enjoy successful audits. Feedback to date from both auditors and customers about the best way to prepare for and eventually get registered to this new standard is significant, though we have done our best to outline the high points below.
Step one in your journey is to get a copy of the latest version of the AS9100C standard, which was published January 2009, (or AS9110A—“Quality management systems—Requirements for aviation maintenance organizations,” or AS9120A—“Quality management systems—Requirements for aviation, space and defense distributors,” both published June 2009), and understand the new additions, subtractions, and revisions. After reviewing these changes, you should implement them within your quality management system (QMS) and then conduct a thorough internal audit using auditors who are well-versed in the changes both large and small. The results of this audit should be presented to management, and those areas found to be lacking should be addressed.
Next, communicate to your certification body your intention to upgrade to this new standard, keeping in mind that all audits starting after July 1, 2011, must be in compliance to the newest versions of the AS9100, AS9110, and AS9120 standards. All companies registered to one of these standards must have completed the upgrade audit process before July 1, 2012.
You should be aware of a number of changes that may have an impact on your third-party audits. For example:
• There is a new requirement that an auditor cannot lead an audit for more than two consecutive cycles (that’s two three-year periods) at one company. Consequently, if your third-party auditor has been auditing for more than six consecutive years as the lead auditor, he will be replaced as the lead auditor for at least one audit activity.
• There are new definitions and rules governing multiple-site companies. Though these rules have not been formalized, they are forthcoming and may affect your company if you have multiple locations under the same scope of registration. Watch for further updates in the future affecting multiple-site companies.
• There are new rules regarding “right of access” for regulatory agencies, accreditation bodies—such as ANSI-ASQ National Accreditation Board (ANAB)—and others to access your facility and your records that are pertinent to your QMS. Your lead auditor should be contacting you regarding these rules before your upgrade audits.
• Prior to contracting for and conducting aerospace audits, registrars shall ensure that classified material or export control requirements are disclosed to aviation, space, and defense customers. Once again, your lead auditor will be evaluating the effect of this rule on your company.
All of the above points will be evaluated by your third-party auditor to determine the effect on your company. In addition, the standard AS9101D—“Quality management systems—Audit requirements for aviation, space, and defense organizations” (published March 2010) requires your auditor to review and evaluate “performance measures and trends for the previous 12 months” for any company either transitioning to the newest revisions to the standards or attempting to attain registration to one of the new aerospace standards for the first time. This requirement has caused significant confusion within the aerospace industry, and therefore ANAB has issued Heads Up 187, which goes on to say:
“If there are no performance measures available for the previous 12 months, there should be no stage 2 audit. However, there is not a requirement that it has to be ‘new’ data after the QMS was set up to the new 9100. There should be performance measures and trends supporting ‘quality’ and ‘on-time delivery.’”
In short, if your QMS has been up and running for a significant period of time and your company has collected appropriate data on quality and on-time delivery along with any other performance data that indicate the effectiveness of your processes, you should be fine. Conversely, if your company is less than one year old, or you do not have credible data that include trends related to quality and on-time delivery, your company may have to wait until such a time that you have collected and documented 12 months of data before attempting a stage 2 or upgrade audit.
When preparing for your upgrade or stage 2 audit for AS9100C, AS9110A, and AS9120A, one of the most important things you can do to help yourself is complete a process effectiveness audit report (PEAR) for each of your key or core processes. The PEAR form represents the most significant departure from the old audit forms you have grown accustomed to. The PEAR form is key in that it alone documents the effectiveness of the processes that make up your QMS. Because the AS9100C standard is an effectiveness standard and promotes process auditing, this one document addresses process effectiveness and therefore becomes very important for both the auditor and auditee.
Within the PEAR form itself, block 9 (process details, including associated process interfaces) and block 11 (organization’s method for determining process effectiveness) are of the utmost importance. Specifically, information that goes into block 9 should include information about the key or core process being audited to include a summary of the process activities, the purpose of the process, and inputs and outputs, including the associated process interfaces (i.e., what other processes it is related to). Information that goes in block 11 should include a description of the method used by the organization to control the process, plus methods to determine process effectiveness—e.g., identification of key performance indicators (KPIs) and associated targets and process capability data.
Your third-party auditor will attempt to complete a PEAR for each of your key or core processes, especially in sections 7.1–7.6 of the standard. The reason it is important that your company attempt to complete PEARs for your key or core processes before your audit is that if you cannot complete a PEAR for these processes due to their immaturity, lack of process that is measurable, or a lack of understanding how the processes interact with one another, then your third-party auditor will not be able to complete a PEAR either. And if she cannot complete a PEAR for each of your key or core processes, it will be difficult (to say the least) for you to enjoy a successful audit.
After completing a number of audits to the AS9100C standard, the NQA, USA auditors have provided the following feedback on areas most often cited for nonconformances. Though some of these areas are specific to the new standard, a number of them are not, and in fact, there are areas that have continued to plague its customers for quite some time.
Failure to act on customer satisfaction data: The AS9100C standard includes specific information that must be monitored and used for evaluating customer satisfaction data. That information is to include product conformity, on-time delivery, customer complaints, and corrective action requests. In addition, it requires that organizations develop and implement plans for customer-satisfaction improvement that address deficiencies identified by evaluations, and assess the effectiveness of the results. Resources for obtaining this information can include supplier rating report cards, survey data, feedback from trip reports, or feedback through the International Aerospace Quality Group’s (IAQG) Online Aerospace Supplier Information System (OASIS) database maintained by the Society of Automotive Engineers (SAE) Aerospace division. Often, this information is not being reviewed by the top management, there have been no actions taken to improve performance, the actions taken have not been evaluated for effectiveness, or the actions taken are ineffective.
Lack of understanding of the concepts of special requirements, critical items, and key characteristics: “Special requirements” and “critical items” are terms new to the AS9100C standard, and consequently are frequently misunderstood and then misapplied. Because they are cited in sections 7.1, 7.2, 7.3, 7.5, and 8.2 of the standard, a company cannot avoid them, and therefore it is important that they are understand and addressed within the company’s current aerospace QMS. Specifically, it is important to understand the relationship between special requirements and critical items, and the application of risk when they are identified by either the customer or the organization. It is recommended that you understand these terms, determine their application within your company, and evaluate the adherence of your aerospace QMS to these new requirements in the AS9100C standard.
Risk management: There is still confusion regarding when to apply risk-management techniques and how much evidence must be shown to the third-party auditor to demonstrate the effective implementation of risk management principles. In addition, it has been found that risk management is not implemented across all processes, contracts, supply-chain management, planning, and production processes, that there are little to no defined tools or methodologies to handle risk-based activities, and that there is a general lack of risk-mitigation plans and evidence that they have been reviewed. Finally, there is still less understanding of special requirements, critical items, key characteristics, and the application of risk to them. Although the word “risk” is mentioned many places in the standard, its application cannot be underestimated and should be considered when any decision point is reached.
Project management: Project management has always been an integral part of any company’s efforts when it comes to managing tasks. The AS9100C standard, though, gives further direction on how to carry out project management and requires a structured and controlled approach while considering acceptable risk (there’s that term again)—all within resource and schedule constraints. At large multisite organizations, a formal and structured approach to project management is generally ingrained within their cultures. Smaller companies, on the other hand, often wrestle with a structured approach and consequently do not apply project management techniques commensurate with a project’s importance or scope. Regardless of the approach employed, successful project management relies on the company to determine the nature and the scope of the project, identify risks associated with it, complete needed tasks, monitor the results of the completed project, and apply lessons learned on future projects.
Configuration management: AS9100C is more specific than the outgoing AS9100B (published in January 2004) regarding configuration management, which in short is the management of change. This requirement has been moved into the standard’s Planning of Product Realization section because it must be emphasized and determined during the planning process of product realization. Determining the level of configuration management should take into account the type of organization, the nature and complexity of the product, and any contractual requirements. Specifically, NQA’s audits conducted to the AS9100C standard to date show a general lack of understanding of configuration-status accounting and configuration audits. Companies preparing for their AS9100C audit would benefit from reading ISO 10007—“Guidelines for configuration management” to learn more about these terms.
Management responsibility and review: Each audit requires an interview with top management to defined criteria (as defined in AS9101). NQA has observed numerous instances where performance is not meeting customers’ expectations but with little or no action by top management. It is expected that there will be commitment, involvement, and follow-up on continual-improvement initiatives, and review and evidence that action has been taken on processes that are underperforming and considered ineffective. Top management should be aware of and involved in these initiatives.
Ineffective internal audit processes: In many instances, internal audits are still not process-based but instead are scheduled and audited in response to elements of the standard, not on processes carried out by the company. Additionally, it has been determined that internal auditors are not trained on process auditing, and audit programs do not include contractual or customer-specific requirements. Though process auditing was required and expected by the AS9100B standard, many companies have still not fully embraced this concept. The result is that a third-party auditor will conduct a process audit at a company that is not being audited internally using a process approach, and will come up with disastrous results.
Ineffective corrective-action process: Auditors are finding a lack of containment and immediate correction, insufficient root-cause analysis, failure to fully implement actions to address the root cause, failure to follow up to determine effectiveness of actions taken, and recurring nonconformities resulting from ineffective corrective action. Though this is not specific to new requirements of the AS9100C standard, it continues to be the No. 1 cause of unsuccessful audits.
Failure to incorporate customer requirements: In preparation for audits, NQA auditors will determine who the suppliers’ main customers are and will be reviewing customer requirements, evaluating the OASIS database for customer feedback, and structuring audits to evaluate the effectiveness of processes and their ability to meet customers’ requirements and expectations. There have been many instances where customer flow-down requirements are not being implemented internally, or flowed down to sub-tier suppliers. In addition, many companies are still unaware that their customers can and do use the IAQG's Online Aerospace Supplier Information System (OASIS) database as a vehicle to inform the certification body that the company is not meeting customers’ expectations. Consequently, your auditor may come to your facility armed with information regarding poor levels of customer satisfaction and will most certainly want to see your corrective action plan.
Preparing for an upgrade to one of these new standards is challenging because there are a number of new requirements, terms, and concepts to understand and implement within your aerospace QMS. Understanding the processes that make up your quality system in great detail, along with getting the appropriate people within your company involved in the implementation of these new standards, are paramount. Finally, always bear in mind that open and continuous communication with your certification body’s office and your auditor is critical for a successful third-party audit.