Surviving AS9100 Rev. D

Task 2: Implement the Process Approach
Clauses addressed:
4.4 Quality Management System and its Processes
6.2 Quality Objectives and Planning to Achieve Them

Many readers of the new AS9100 standard are inclined to launch into the COTO stuff first, identifying stakeholders and issues of concern, but I find this inefficient. For one thing, COTO leads quickly into RBT and you’re not ready to take on that mindless animal yet. Next, having your processes clearly defined first will help you do the COTO work, and not the other way around. So, instead, let’s tackle it this way:

TASK 2: Implement the Process Approach
Assess your company’s activities and divide them into logical top-level processes.
Now, for each top-level process:
2.2 assign responsibilities and authorities for the process
2.3 have top management make sure the process is properly resourced (people, equipment, etc.)
2.4 start thinking about risks and opportunities related to the process, but keep them in your pocket for now; we’ll examine them in detail later.
2.5 Make a table of the applicable AS9100 clauses for each process.
2.6(a) OPTION A: Complete a Process Definition document for each top-level process. Utilize the sample Process Definition template on the Oxebridge website. Use this to define inputs, outputs, process steps, check points, responsibilities & authorities, les and control methods.
2.6(b) OPTION B: Rather than create a Process Definition for each top-level process, consider filling out a Process Definition Table to include in your Quality Manual. A template for this appears on the Oxebridge website.
2.6(c) OPTION C: Make Fucking Turtle Diagrams for each of your top-level processes, but don’t tell me about it because I will come burn your house down.
2.7 Begin developing supporting procedures and work instructions for each top-level process. The level of supporting documentation will be dependent on the nature and complexity of the process; this is an ongoing task, and you will want to push ahead with the other implementation tasks concurrently. Certification note: it is not necessary to have 100% of all work instructions written prior to any third-party audit, as long as you are working on the problem. Remember, you decide the level of necessary documentation, no one else can.
2.8 Create a single high-level map of how the processes interact, and hold it aside for now.
2.9 Create a two-column table: in the left column list the top-level processes, and in the right column list the applicable AS9100 clauses for each process. Put this aside for use later.
Begin populating the “quality objective table” by assigning at least one objective to each top-level process. Then assign at least one measurable metric for each process objective. Remember, each top-level process may have more than one objective and metric pair, but must have at least one.
Prompt your senior management to begin thinking about the Strategic Direction of the company, and warn them you’ll be coming back to check on their progress shortly.

Task 3: The COTO Exercise — First Pass
Clauses addressed:
4.1 Understanding the Organization and Its Context
4.2 Understanding the needs and expectations of interested parties

With our processes identified, it’s time to identify the interested parties (stakeholders) and their particular issues of concern. This means taking the first few steps of the COTO (context of the organization) Exercise. We will come back to this a few times later, and that’s by design.

TASK 3: The COTO Exercise — First Pass
Make a rough list of the known stakeholders who are affected by your products or services, as well as those stakeholders who can have an effect on them.
Now layer on top any stakeholders that may be affected by, or have an effect on, the QMS itself.
3.3 Now hold a meeting with senior management, or perhaps just send an email to them, in order to poll them on any additional stakeholders they may be aware of, that you didn’t include on your list. Update your list accordingly.
Obtain the COTO Log template from the Oxebridge website, and customize it accordingly. Ensure it is entered into your document control system as a controlled form.
3.5 Populate the first tab “Parties” with your list of interested parties.
3.6 Now determine the major issues each stakeholder would have, relative to their concerns with your products, processes, QMS or organization. Enter these in the “Issues” tab of the COTO Log.
3.7 Now layer on top any other issues you might have related to these stakeholders as well. Enter these in the “Issues” tab of the COTO Log.
Save your COTO Log and put it aside for now; we’ll be coming back to it later.

Task 4: Scope the QMS
Clause addressed: 4.3 Determining the Scope of the Quality Management System

With your processes defined, you are ready to scope the QMS. This assumes, of course, that you already know the products and services you are selling, which if you don’t, you might want to have yourself checked for an unnoticed traumatic brain injury. Just saying.

You will want to consider the products and services, along with the processes and your organization’s physical locations (if more than one), along with departments and divisions, etc. You will determine which of these will be considered “in-scope” of AS9100, and thus part of your QMS, and which are not, and thus “out-of-scope.” Re-read chapter 4.3 to see my warnings and caveats about getting too creative here.

TASK 4: Scope the QMS
Review your products and services, and determine which will be included in your QMS.
Determine the processes required for provision of those products and services that will thus be included in your QMS.
Determine which locations of your organization (facilities, buildings, addresses, etc.) will be included in your QMS.
Determine what industries you will be providing products and services to, based on your review of interested parties and issues of concern.
Craft the QMS scope statement from the above information, per the instructions herein for clause 4.3. Write this down.
Extra points: determine your organization’s industry codes (SIC, NACE, NAICS, IAF, etc.) Don’t add these to the Scope Statement, but keep them handy, as your registrar may ask for these later.

Task 5: Develop the Quality Policy
Clause addressed: 5.2 Policy

Now it’s time to write your Quality Policy, the great placebo that makes auditors think you’re passing great, divine wisdom you received from the mountaintop, onto your swirling mass of loyal supplicants.

TASK 5: Develop the Quality Policy
Craft the Quality Policy, being sure to include language claiming your “commitment to satisfy the requirements” and a “commitment to continual improvement” of the QMS.
Ensure top management has written or, at least, has approved the Quality Policy.
We will publish the Quality Policy later as a controlled document, so put it aside for now.

Task 6: Determine Your Approach to Documentation
Clause addressed: 7.5 Documented information

This Task is only slightly related to AS9100’s clause on “Documented Information,” and we will get to implementation of “document control” later. For now, however, you must decide on how you want to document your QMS. This means tackling two subjects: the amount of documentation you want, and the distribution format.
Related to the amount of documentation, you have a few options:

Option 1: Write a Quality Manual that follows the AS9100 clause structure and mostly re-states the standard; then, reference supporting procedures which provide details on how each clause is implemented. This option might be good for those companies who have customers who expect, or even require, a Quality Manual that shows proof of complying with each individual AS9100 clause (if you’re bidding on a US Federal agency contract, it’s likely you fit into this category). Keeping the procedures outside of the Manual keeps the Quality Manual smaller, and you won’t have to revise the Manual every time you revise a procedure; that may or may not be something you are worried about. The Oxebridge site has a template manual of this type available. CAUTION: AS9100 may revise itself and abandon the current paragraph numbering scheme sometime in the future, so there’s some risk associated with this.

Option 2: Write a clause-based Quality Manual that includes the procedures within its text, rather than references them as separate documents. This may be preferred if you want to keep all the information in one place, and don’t mind updating the entire Manual every time you update a single procedure. CAUTION: Again, if AS9100 changes its numbering scheme, you’re hosed.

Option 3: Write a free-form Quality Manual that follows its own logic and paragraph order, and does not follow the AS9100 clause structure, and which references separate documented procedures. Better yet, organize the Quality Manual by your top-level processes, to make it an easy-to-use document for process owners and their subordinates.
For this option, you may want to include a cross-reference table that shows which section of your Quality Manual addresses each AS9100 clause; technically, even this isn’t necessary, since there are entire clauses in AS9100 that you don’t have to document at all, but expect problems with your registrar if you don’t hand them a guide map.

Option 4: Write a free-form Quality Manual that includes the procedures within it.

Option 5: Write a 4-page “lite” version of a Quality Manual that includes a general list of interested parties, the scope of the quality management system, a description of your top-level processes, a map showing the sequence and interaction of the processes, and some text defining the responsibilities and authorities for the processes. Consider including a list of subordinate procedures. Use this option with caution, as customers tend to view this as “not really serious about this,” and registrars will be inclined to ask more questions. Still, it’s an option. The Oxebridge site has a template manual of this type available.

Because I can’t know which option you’ve selected, the rest of Part Two of this book assumes you are writing a separate long-form Quality Manual with separate documented procedures referenced, not included, in it; this would mean option 1 or 3 above. You’ll have to figure out which specific Steps to ignore if you’ve selected a different option, but by making this assumption, I can provide the greatest level of detail in my implementation advice. So wherever I say, “develop a procedure,” it’s up to you to decide (a) whether to do so or not, and then (b) whether to include it as part of the Quality Manual, or make it a separate document.

The second aspect to consider — which may help you decide on which option of documentation to select — is to determine how you intend on using and distributing documents. By this I mean through hardcopies, softcopies (electronic documents) or some mix thereof.
I recommend, to whatever extent possible, you avoid hardcopies other than for log sheets and forms that are intended to be filled in by hand; hardcopy document management is a nightmare, and it never really works. Plus, the technology for developing a softcopy documentation management system is already on your computer; it’s done by simply using the software you already have, and the operating system. You don’t need to purchase ISO 9001 or AS9100 document control software if you have MS Office® and MS Windows®, or their Apple equivalents.

If you intend on creating and distributing documents using only software, then you might not care about how big documents are, nor how they are revised, since it won’t kill trees; that may influence your decision on the level and type of documentation. If you rely only on distributed hardcopies, you may want to keep your Quality Manual light, and your documents separate, so you don’t murder a forest every time you update a single sentence.

Most companies will have a hybrid system, that relies almost entirely on softcopy documents distributed on dedicated, user-rights controlled folders on their server, with a handful of printed documents used in departments without computers, or where computers can’t physically be put. Again, how you approach this is up to you, and each company will have their own preferences.

You will notice I have not suggested writing the actual Quality Manual yet; that’s intentional. In fact, it will be the last step. Most people start with this — and often I do, too — and then have to come back and edit it over and over as the QMS develops. If you like, you can certainly start this now, especially if you need to have a Quality Manual in place to show someone prior to fully implementing the QMS; if so, skip to Task 40 and then come back. Otherwise, I recommend waiting and doing it at the end, since the Quality Manual will be pointing to and referencing things that don’t exist yet.

TASK 6: Determine Your Approach to Documentation
6.1 Decide on an approach for the Quality Manual and subordinate procedures.
6.2 Decide on a method for creating and distributing QMS documentation.
6.3 Develop a template for your second-tier procedures; the Oxebridge website has such a template. There are no firm requirements for such documents, other than to have a means of showing revision and approval, so the actual format and content is up to you.
6.4 Write a procedure for Control of Documents; this should include the methods of creating, updating, approving, distributing, using and obsoleting documents. A sample procedure is available on the Oxebridge website.
6.5 Ensure the procedure is reviewed, approved and published.

Task 7: Define Roles and Responsibilities
Clauses addressed:
5.1.1 Leadership and commitment - General
5.3 Organizational Roles, Responsibilities and Authorities

Throughout the implementation work, you are identifying various responsibilities and authorities, during such activities as writing procedures, assigning process owners, etc. So there’s not much to do separately during this Task; that’s by design.

TASK 7: Define Roles and Responsibilities
Develop an Organizational Chart that shows the titles and reporting structure of the positions within the company. You may include all positions in the company, even those out of scope, if you like; but if you do, use some form of formatting (shading, dotted borders, etc.) to indicate which positions are out of scope of the QMS. Do not use people’s names, use only titles. If a person has more than one title, indicate this as multiple boxes in the Org Chart; it is common to have more positions indicated in an Org Chart than actual people.
Assign a QMS Management Representative and ensure they can take responsibility for the requirements of 5.2 (a) through (c). Later, you will identify this person (by title) in the Quality Manual.
Make a mental note that as you write subordinate procedures later, include text that defines the applicable responsibilities and authorities.
Beyond this, keep an eye on further tasks and steps, and be sure to assign responsibility and authority to appropriate personnel, when applicable.

Task 8: The COTO Exercise — Second Pass
Clause addressed: 6.1 Actions to address risks and opportunities

Now we return to the COTO Log for a slight expansion, in preparation of the next Task, which will dump us head-first into the “risk-based thinking” puddle of joy. Here, you want to review your work on the COTO Log to date, take a second look at it, add depth, and begin to flag which entries in the Issues log you will treat as risks, which you will treat as opportunities, and which you will treat as either “mixed” (containing elements of both risk and opportunity) or “neutral” (where the positive opportunity and negative risk of an issue cancel each other out.)

TASK 8: The COTO Exercise — Second Pass
Take a second pass over the COTO Log, adding and enhancing entries in the Parties and Issues tabs. Be sure proper management has assisted in providing input on this, so that it’s as comprehensive as it can be.
8.2 On the Issues tab, assign a “bias” to each issue noted: positive, negative, or mixed.
8.3 For each issue, indicate a “treatment” — for negative risks, this treatment should seek to mitigate the risk (reduce its likelihood and consequence) while for positive opportunities, the treatment will seek to maximize the likelihood and benefit of the issue. For entries indicated as “mixed,” these are more complicated, so note them per the advice herein on clause 6.1.
8.4 Now review what you’ve done and draft a documented procedure on Context of the Organization, defining how you have addressed the requirements of AS9100 clause 4.0. A sample procedure is available on the Oxebridge website.
8.5 Ensure the procedure is reviewed, approved and published.
Keep the COTO Log handy, as you’re going to need it for the next Task.

Task 9: Risk and Opportunity
Clauses addressed:
6.1 Actions to address risks and opportunities
8.1.1 Operational Risk Management

Now that you’ve identified which of your issues of concern are negative risks vs. positive opportunities, you’re going to get muddy knees as you muck it up in the fever swamp of “risk-based thinking.”

TASK 9: Risk and Opportunity
9.1 Decide on firm definitions of the terms “risk” and “opportunity,” so that your definitions are better than what is presented in AS9100. Jot these down for later.
9.2 For any “negative” issue indicated in your Issues log where you feel an FMEA-style risk treatment is the best approach, enter these in the Risk Register within the COTO Log. Work the issue by moving left to right in the register.
9.3 Now go back and layer in additional risks related to manufacturing operations and specific jobs, to the extent that you can. These would be more specific to “operational” risks, at the levels closest to the work, as opposed to higher level QMS risks.
9.4 Hold a meeting, or submit a poll email, asking process owners to provide additional risks to consider; enter these as “Issues” in the Issues tab of the COTO Log, and if the appropriate treatment is the Risk Register, enter them there as well.
9.5 For any “positive” issue indicated in your Issues log where you think assessing and monitoring them is prudent, enter these accordingly in the Opportunity Register within the COTO Log. Work the issue by moving left to right in the register.
9.6 Again, poll process owners for any opportunities they think are worthwhile pursuing, and enter these in the Opportunity Register.
9.7 Write a procedure on Risk and Opportunity Management, defining the methods and steps you’ve adopted. A sample procedure is available on the Oxebridge website. Include the definitions you determined in Step 9.1.
9.8 Ensure the procedure is reviewed, approved and published.

There’s more to risk-based thinking than just this, of course, and we will continue to come back to the COTO Log and other risk-related subjects throughout the implementation. Just keep the notion of identifying risks and opportunities alive at all times, and always feel free to come back to the COTO Log and add or update entries as you think of things.

Task 10: Corrective and Preventive Action
Clause addressed: 10.2 Nonconformity and corrective action

As I discussed in nauseating detail earlier, TC 176 thought it would be useful to remove the most important clause ISO 9001 ever had, that being the one requiring a formal system to identify and process potential problems requiring preventive action; AS9100 didn’t see fit to add it back in, either, presumably because they prefer to investigate crashes after they happen. So we are going to assume that you have not suddenly been infected with a brain-eating amoeba and are still blessed with functioning common sense, and agree to put “preventive action” back in. Thus, this Task involves implementing both corrective and preventive action.

This Task also assumes you have not purchased a third-party “CAPA” software package; if you have, then obviously tailor the advice to align with whatever software you are using.

TASK 10: Corrective and Preventive Action
10.1 Assign someone the role of CAR Administrator to process CARs, track them, and scream bloody murder when they are overdue. This is an administrative function only, so it does not need to be an in-house “ISO” expert; they need only have knowledge of the staff structure of the company (who’s responsible for what) and how to work the CAR forms or software.
10.2 Develop a “Corrective and Preventive Action Request” form (I’m abbreviating it as “CAR” herein), to be used by employees who want to report an existing problem (requiring corrective action) or a potential problem (requiring preventive action). Bonus points if you also include a third option, for suggestions or “opportunities for improvement” which are not related to any problem at all. A template CAR form appears on the Oxebridge website.
10.3 Develop a Corrective and Preventive Action Log that can be used to track individual CARs. A template CAR Log appears on the Oxebridge website.
10.4 Write a procedure on Corrective and Preventive Action, defining the methods and steps you’ve adopted. A sample procedure is available on the Oxebridge website.
10.5 Ensure the procedure is reviewed, approved and published.
10.6 Ensure the CAR Form is made available to all employees, typically as a controlled form.
10.7 During training — whether you include this in a later training session on AS9100, or if you hold a special session — inform all employees that they may now file CARs when they want to report problems or offer suggestions. Point them to the procedure if they need information on how to file a CAR.
10.8 If you have a “suggestion box” in the lunch room, or anywhere else, throw it out. Destroy it with an ax. Burn it during a company bonfire. Your CAR system now replaces this, and it was a stupid idea anyway.
10.9 Review the COTO Log and file CARs for any issues that might be best processed using a CAR. Be sure to reference the CAR number in the COTO Log, for easy cross-referencing. You can enter negative-biased issues as either corrective or preventive CARs, and positive-biased issues as opportunities for improvement.

Throughout the rest of this implementation, use the CAR system as much as possible to process problems you encounter; the more CARs you have in your system prior to any third-party audit will be better, and to use the CAR system as a natural tool for formally handling anything that comes your way. The CAR system should be the lifeblood of a QMS, pumping nutrients throughout the company, washing out the bacteria.

Task 11: Address Leadership and Commitment
Clause addressed: 5.1 Leadership & Commitment

This one isn’t very complicated, as you either have leadership and commitment, or you don’t. If you don’t, it’s up to you, the AS9100 implementer, to get it. And pulling enthusiasm from your bosses is an art, if not the subject of another entire book. This Task assumes you can muster the bare minimum.

TASK 11: Address Leadership and Commitment
11.1 Double-check your own work related to the QMS implementation, and its involvement with top management. If you’ve been doing it all alone, ask yourself if that’s your fault (you haven’t invited them to participate, or you were too afraid to ask them in anticipation of their refusal to participate) or their fault (they rejected you outright.) If the former, then do your due diligence and invite top management to participate in the formation of the QMS. Get them excited, and get them involved. If that’s impossible, just push ahead to the next Step.
As a general practice, ensure that top management — at least — is getting regular reports on the implementation status of the QMS.
Send them even if you think they aren’t reading them.
Be sure to include management in the review and approval of procedures and documents that affect them.
11.4 Consider holding a brief (45 minute) “AS9100 Overview” training session with top management. Just go over a few key points:
- What AS9100 is.
- What a QMS is.
- Your approach to documentation.
- What their role, as top management, is.
Then, tell them there will be a test. It’s called a third-party audit, and they need to be up to speed for the audit. That should shake them up.
Keep records of any training you give top management.

You will define some of this later in the Quality Manual, so for now, you can just make notes on your approach to this clause.

Task 12: Change Management
Clauses addressed:
6.3 Planning of changes
8.5.6 Control of changes

AS9100 addresses change management in two clauses: 6.3 (“Planning of Changes”) which addresses changes to the QMS as a whole, and 8.5.6 (“Control of Changes”) which addresses changes specific only to your production or service provision activities. I elect to save time and space by combining them into a single “change management” function.

TASK 12: Change Management
12.1 Determine how you control changes to the top-level processes.
12.2 Determine how you control changes to the documented procedures and other documentation.
Determine how you control changes to production activities, or service delivery.
Write a procedure on Change Management, defining the methods and steps you’ve adopted. A sample procedure is available on the Oxebridge website.
If you have complicated process or manufacturing activities that require a formal Change Control Board to review and authorize changes, write a procedure for this as well. Because these differ dramatically, there is not a sample for this on the Oxebridge site.
Ensure the procedures are reviewed, approved and published.

Task 13: Organizational Knowledge
Clause addressed: 7.1.6 Organizational knowledge

You are likely to take a broad interpretation of the new AS9100 clause regarding “Organizational Knowledge,” since it’s fairly clear the authors didn’t know what they were talking about, either. The best approach here is to simply put some language about it in the Quality Manual, taking credit for things you are already doing. I also recommend a few additional steps, all of which are optional.

TASK 13: Organizational Knowledge
13.1 Decide how your company defines “knowledge” for the purposes of its QMS.
13.2 Consider developing a “Lessons Learned” database or log to capture high-level information on contracts lost, contracts won, major complaints, major successes, etc. Do this only if it’s not redundant with other logs, such as the COTO Log.
13.3 Jot down how you currently capture and disseminate knowledge. Consider all the sources mentioned in the guidance herein on clause 7.1.6. Keep these notes on hand for later, when you write the Quality Manual. There’s no need to write a full procedure on this.

Task 14: Communication
Clauses addressed:
7.4 Communication
8.2.1 Customer communication

Once again, AS9100 split two related clauses, this time on communication, and once again merging them up for the purposes of implementing a QMS is typically a good idea. So with this one Task we will address both internal communication per 7.4, and customer communication per 8.2.1.

TASK 14: Communication
14.1 Make a list of the methods you currently use to conduct internal communication between staff and top management (in both directions); include such things as informal meetings, “open door” policy with management, formal grievance procedures (if any), etc. If you have opened up your CAR system to all employees (as I have suggested), include that as well. Keep this list aside for now.
14.2 Now, make a list of how incoming customer communication is processed; who answers phones, how calls are routed based on subject of the call, who is responsible for communicating with the customer. Keep this very broad, don’t get into too much detail, but cover the basics. When referencing people, use titles, not names.
14.3 Finally, make a list of how outgoing customer communication is handled, and by whom. This might be in relation to communicating changes to orders or contracts to the customer, updating them on complaints, etc. When referencing people, use titles, not names.

Hold all of this information for now, as you will add it to the Quality Manual later. I don’t recommend writing a separate procedure unless your company is very large and processing communication is complicated.

Task 15: Human Resources and Training
Clauses addressed:
7.1.1 Resources
7.1.2 People
7.2 Competence
7.3 Awareness

If brevity is the soul of wit, then call me Oscar Wilde, because I am about to address three clauses in one fell swoop. These are all dealing with hiring and training people in some fashion or another, and are best dealt with collectively.

The advice in this Task assumes you have not purchased a software-based Learning Management System package; if so, follow the methods dictated by your LMS software instead.

TASK 15: Human Resources and Training
15.1 Review the responsibilities and authorities work you did in Task 7, and the leadership and commitment work you did in Task 11. Keep this in the back of your mind as you move forward.
15.2 Jot down some language about how top management provides the people necessary for the QMS; you’ll add this later to your Quality Manual. There’s no need for a formal procedure here.
15.3 Work with your appropriate process owners or managers to make a comprehensive list of all positions in the company; you can limit this to those positions that are in-scope of the QMS, but be careful you don’t accidentally leave a position out by assuming it’s out of scope. (Review the scoping requirements we discussed in section 4.3.)
15.4 Develop a Position Requirements Table that defines the minimum requirements for each company position related to education, training and previous experience. These should be the requirements that candidates must have in order to qualify for hiring or assignment into the position; this is not a job description that defines the work to do after hiring (although you may use a single form for both, if you like; AS9100 does not require traditional job descriptions, however). Be sure you don’t “overcook” the requirements so that the requirements are stricter than the current qualifications of the people already in those positions. A sample table is available on the Oxebridge website.
Ensure the Position Requirements Table is formally approved and published, typically as a controlled form, within your QMS.
15.6 Now, review all employees against the Position Requirements Table for the job(s) they perform. Create a record showing that they meet these requirements; where they do not meet a requirement, either file a CAR to provide training or some other mitigation, or record a “waiver” as to why that particular employee does not need to have that certain requirement.
15.7 Create an Employee Training Record form to be used to capture on-the-job training (OJT). A template form is available on the Oxebridge website. You will use this in the future, whenever you conduct OJT or any training that requires a record.
15.8 Ensure the Employee Training Record form is formally approved and published, typically

21.10 Ensure calibrated devices are properly stored and handled to prevent accidental de-calibration or damage.
21.11 Write a procedure on Calibration of Equipment, defining the methods you’ve adopted above. A sample procedure is available on the Oxebridge website.
21.12 For any in-house calibrations or verifications that you conduct, assess the need for written work instructions, and develop these as needed.
21.13 Ensure the Calibration of Equipment procedure and related work instructions are reviewed, approved and published.
21.14 Subject the devices to calibration; for third-party calibrations, obtain a certificate of calibration and maintain on file; for in-house calibrations, create an in-house calibration record and keep on file.
21.15 Ensure any third-party calibration labs are included as approved suppliers (later in Task 26) and that calibration is listed as an outsourced process (later in Task 27.)
21.16 Update the Calibration Log as tools are calibrated.
21.17 Update the calibration stickers on the devices as tools are calibrated, so the new calibration dates are indicated.
21.18 For devices discovered, during calibration, to have been out of tolerance, conduct an “out of tolerance impact study” per the advice given herein for clause 7.1.5.

SPECIFIC STEPS FOR PROCESS MEASUREMENT DEVICES AND METHODS
21.26 Determine which of the process measurement tools and methods you want to opt into your calibration and verification program. Repeat the other steps within this Task as necessary to incorporate these process measurement tools or methods.

ADDITIONAL GENERAL STEPS
21.27 Ensure all tools and methods are calibrated prior to any third-party audit; this is not an area you have leeway on and must be 100% implemented prior to your CB audit.

Task 22: Contract Review
Clauses addressed:
8.2.2 Determining the requirements related to products and services
8.2.3 Review of requirements related to products and services
8.2.4 Changes to requirements for products and services

ISO 9001 — and thus AS9100 — dropped the name “contract review” for this clause many years ago, but it still works much better than the clumsy “requirements for products and services,” especially since they are using the phrase in the context of customer requirements in clause 8.2, but previously used the same exact term to refer to internal requirements in clause 8.1. So re-branding this Task as “Contract Review” will, hopefully, be helpful.

The thrust here is to capture all the expectations and requirements of your customer, as well as any ancillary ones dictated by statutes and regulations, to ensure you can meet them prior to accepting the contract or order. It may surprise you that many, if not most, companies struggle with adhering to this concept, and yours may be one of them; so move through this Task with care.

Assess your sales and marketing activities to ensure you are not promising products or services outside of your current capabilities. If you are, correct the sales and marketing accordingly. (This would not apply to sales and marketing of products or services outside of the scope of your QMS.)
Assess which generic statutes and regulations (S&Rs) apply to you, within the scope of your QMS. See my guidance on FARs, DFARs, ITAR, etc. in the section for clause 8.2.
22.3 If customers send “requests for quotes” (RFQs) prior to an actual order or contract, determine methods to review such RFQs and prepare corresponding quotes.
Ensure quotes are sent with an approval authority (name or signature) indicating review and approval of the quote before release.
As new orders or contracts come in, be sure they define the necessary requirements and, if not, that you clarify such requirements with the customer.
Obtain any third-party or customer specifications or standards that are referenced in the customer contract or order; be sure to obtain the exact revision indicated by the customer or, if no revision is indicated, the latest version.
Unless incoming orders are repetitive and simple, consider developing a “contract review checklist” of standard data points to check, including a review of “fine print” terms and conditions that often get missed.
Write a procedure on Contract Review, defining the methods you've adopted for quoting, intake and review of customer requirements, and then approval/rejection of the job prior to execution. Include how changes to existing orders or contracts are managed, unless this is already addressed in your Change Management procedure (per Task 12). A sample procedure is available on the Oxebridge website. Consider adding your “contract review checklist” to the procedure.
Ensure the Contract Review procedure and related work instructions are reviewed, approved and published.
22.10 | If you elect to utilize the Contract Review Checklist as a form, ensure the form is reviewed, approved and published.
22.11 | Ensure implementation of the methods and procedure, and begin ensuring that orders and contracts are taken only if all requirements have been determined, reviewed, and accepted.
Ensure that if the customer mandates any vendors for subcontract processes these are utilized and purchasing staff is notified (see Task 26).
Ensure that if your customer requires special process providers to be Nadcap accredited, providers have a current and valid Nadcap accreditation certificate for the services being purchased. Obtain copies of the certs and keep them on file.
Ensure that if the customer intends to require use of their property, the controls over customer-owned property are adhered to, per Task 246

Clauses addressed: 8.2.2 Determining the requirements related to products and services; 8.2.3 Review of requirements related to products and services

Because of the likelihood that ITAR and/or EAR applies to you (since you're in the aerospace industry), I suggest the following Task be completed. If you're absolutely sure these regulations do not apply to you, well, you're probably dead wrong. But you can skip this step if you are really sure of yourself, understanding that if you eventually get arrested, that's on you. Go read Part Five, too.

This checklist is not intended to be a comprehensive ITAR/EAR compliance tool! You really must educate yourself or hire a separate consultant for your own safety.

TASK 23: ITAR / EAR
23.1 | Review current customer PO terms and conditions, supplier quality requirements and other contractual flowdowns from the customer. Look for any requirements that reference export controls through ITAR and/or EAR.
23.2 | Read and understand fully said requirements.
23.3 | Assign a senior manager the role of Empowered Official. Have that person manage the ITAR/EAR control rollout.
23.4 | Verify 100% of your current employees to ensure their “US Person” status. Don't skip anyone.
23.5 | You're going to need help here; this book's focus is not on ITAR and EAR compliance, so go read Part Five right now.
23.6 | Undergo necessary ITAR/EAR export control training by your selected consultant.
23.7 | Per your ITAR consultant, develop the necessary documented procedures and policies.
23.8 | Implement a guest badging system that utilizes two tiers: one for escorted visitors, one for “escort not required” visitors.
23.9 | Implement a US persons verification method for all “escort not required” visitors, which requires capturing birth information for any such person.
23.10 | Consider marking ITAR controlled documentation that reaches the floor in some way so that it is identifiable by employees; this may mean a bright red cover page, a red folder, or
23.11 | Register with US Dept. of State as a handler of ITAR property.
23.12 | Ensure your exports comply with EAR and are not made to any restricted country.
Flow down ITAR/EAR requirements to suppliers (see Task 26).
Go read Part Five again, and follow all additional advice provided to you by your ITAR/ … arrested because you …

Task 24: Design and Development
Clauses addressed: 8.3 Design and development; 8.1.2 Configuration Management

OK, engineers, it's time to bring your particular set of skills to the AS9100 implementation. Here we take on the “design” clause and all its rather prescriptive conditions.

TASK 24: Design and Development
24.1 | Determine the scope of your design activities; see the advice given in the chapter on clause 8.3.
24.2 | Draft language regarding your interpretation and application of the 8.3 design clause. Hold this for now, as it will be entered into your Quality Manual later.
24.3 | Develop a Design Control Form (or equivalent tool). A sample Design Control Form (DCF) is available on the Oxebridge website.
24.4 | Ensure the Design Control Form is reviewed, approved and published.
24.5 | Formalize your methods and formats for any design outputs you create; this includes drawings, models, schematics, specifications, etc. This should ensure that all designers are working to the same set of methods and formats.
24.6 | Ensure designs include acceptance criteria and tolerances for manufacturing and inspection, and that the company has sufficient resources (measuring equipment, trained staff) to verify the criteria and tolerances.
Ensure the design defines the configuration baseline and applies other configuration management controls (revisions, approvals, updating when changed, etc.)
24.8 | Develop a formal method for controlling product design changes, per the guidance in the chapter on clause 8.3.
24.9 | Write a procedure on Product Design defining the methods you've adopted for design of products. A sample procedure is available on the Oxebridge website, but use it with caution, as every organization's design activity is dramatically different. This may not be practical when designing complex systems and flight hardware; if so, skip this step.
24.10 | Ensure the Product Design procedure is reviewed, approved and published.
24.11 | Establish a formal repository for design records, typically by product.
24.12 | If you perform testing as part of design verification or validation, develop test procedures; refer to the guidance on clause 8.3.4.1.
24.13 | Ensure the test procedures are reviewed, approved and published.

Task 25: Counterfeit Part Control
Clause addressed: 8.1.4 Prevention of Counterfeit Parts

Here we tackle AS9100's new clause on counterfeit part prevention. This will largely impact on Purchasing and Receiving Inspection personnel, but general awareness of the controls by all employees is recommended.

TASK 25: Counterfeit Part Control
25.1 | Identify whether you work with electronic components and/or simple raw materials (“materiel”).
25.2 | If you work with electronic components, buy a copy of AS5553 and AS6081. If not, skip this step.
25.3 | If you work with bulk raw materials (metals, plastics, bulk chemicals, etc.) buy a copy of AS6174.
25.4 | Read over the standards you just purchased.
25.5 | Read through any customer purchase order terms and conditions or supplier quality requirements (per Task 22), and highlight any requirements for control or reporting of counterfeit or suspect counterfeit product.
25.6 | Write a procedure on Counterfeit Part Control; a sample is available on the Oxebridge site. Customize this as to whether you work with electronic components, materiel or both. Ensure the applicable requirements of the applicable AS standards are included, as well as any flowdown requirements from your customers re: counterfeit part control.
25.7 | Ensure the procedure puts in place controls to prevent counterfeit or suspect counterfeit items found by you from being returned to suppliers or re-introduced into the supply chain.
25.8 | Ensure the procedure is reviewed, approved and published.
25.9 | Train Purchasing staff on how to properly ensure suppliers are legitimate sources of supply, per the requirements of the AS standards you purchased and your internal Purchasing procedure.
25.10 | Train your receiving inspection staff on how to identify suspect counterfeit product, and how to report it. This should include initial review of certificates received, packaging, and the products themselves.
25.11 | Provide training on identifying suspect counterfeit certificates or test reports; who receives this training will be dependent upon who in your organization reviews such doc-
Provide all hands training on the dangers of counterfeit products, and how

Task 26: Purchasing
Clause addressed: 8.4 Control of externally provided processes, products and services

Most companies meet AS9100's requirements for purchasing nearly entirely, although perhaps with a few minor gaps. This Task assumes you do not have an ERP system in place to manage your purchases, suppliers and inventory; if you do, tailor the advice given here to align with your ERP software.
TASK 26: Purchasing
26.1 | Obtain a list of all your suppliers and subcontractors; this can typically be extracted as a data dump from your accounting software, using a broad filter such as reporting on anyone you ever made a payment to.
26.2 | Go through the list and highlight the suppliers of critical materials and services, such as:
* Suppliers of all raw materials that are incorporated into, or become part of, the product
* All outsourced process providers
* Subcontractors working on tasks that fall within the scope of the QMS
* Suppliers of critical support services such as calibration, equipment maintenance, contract internal auditing, QMS certification services, training, IT services, etc.
Those highlighted should reflect all the suppliers whose performance is critical to your own QMS.
26.3 | Delete all the non-critical suppliers from the list; this leaves you with a list of only your critical suppliers.
26.4 | Filter the list for any critical suppliers who you have not used in a long time, and who you are unlikely to use again; here we are trying to make the list smaller and more manageable.
26.5 | Now remove any suppliers who you have intentionally disapproved, due to poor past performance or other problems.
26.6 | Develop an Approved Supplier List (ASL) form that captures the suppliers, their approval status, the scope of products or services you are approving them for, and terms of periodic re-approval. A sample ASL form can be found on the Oxebridge website.
26.7 | Ensure the ASL form is reviewed, approved and published.
26.8 | Develop an approval status grade system for suppliers, such as:
* Provisional - staff can only buy products or services from the supplier temporarily, for the purposes of inspecting or testing the items in order to then establish a different approval rating based on the results. Set rules for how long a supplier may be ranked “Provisional” before a final rating must be assigned.
* Approved - staff can buy anything from the supplier
* Restricted - staff can only buy certain products or services from the supplier (indicate which)
* Disapproved - staff may not buy anything from the supplier.
26.9 | Populate the ASL with the filtered list of critical suppliers.
26.10 | Assign approval status grades to each. Since you have already filtered out any disapproved suppliers, you may not have any marked as “Disapproved” at this time, but the rating is useful if you disapprove any listed suppliers in the future.
26.11 | Publish the completed ASL as a record — not a document — so that purchasing staff and others can refer to it. Prohibit purchasing from any supplier not on the list or marked as “Disapproved.”
26.12 | Develop evaluation criteria to consider when adding new suppliers to the system. This could be as simple as “pricing, availability, reputation, terms” or it could be complex. You decide.
26.13 | Develop a list of supplier monitoring methods and controls, such as receiving inspection, on-site audits, surveys, post-service performance assessments, etc. You will add this to the procedure later in this Task.
26.14 | Develop a formal purchase order (PO) form if you do not already have one as part of your accounting system. This will be used to formally communicate purchases to your suppliers. Ensure the PO includes, at a minimum:
* Date of order
* Items or services ordered
* Quantity ordered
* Delivery date desired (must be an actual date, not “ASAP”)
* Flowdown of any requirements (specifications, certifications, testing required, personnel requirements, terms & conditions, etc.)
* A space to show evidence of approval of the PO by your staff before release of the PO to the supplier; this can be a signature, initials or even a typed name.
26.15 | Establish a set of standard Terms and Conditions which would apply to all suppliers, if necessary; make this part of the PO form or send it to suppliers as part of their contract with you. Some of the more common AS9100 related T's and C's are provided in the Oxebridge template kit.
26.16 | Review your customer's T's & C's from Task 22. Identify which of these the customer explicitly demands be flowed down to your suppliers, as well as those which clearly must be flowed down even if not identified as such. This should include any requirements related to Digital Product Definition (DPD) data handling. Add these to your own purchase T's and C's from Step 26.15.
26.17 | If you have developed a PO form, ensure it is reviewed, approved and published; if the PO is part of the accounting software, you may skip this step.
26.18 | Begin using POs whenever purchasing products or services from the suppliers listed on the ASL. Disallow any purchases for such products or services without a formal PO.
26.20 | Implement receiving inspections of received products or raw materials, to check at a minimum:
* Quantity — were the correct number of items received?
* Condition — is there any obvious damage?
* Correct items — were the correct items received?
This may require ensuring that Receiving has a copy of your PO to compare with the supplier's packing list or shipping documentation.
26.21 | Develop a Receiving Log form that captures the evidence and results of the receiving inspection. The form should allow for rudimentary trend analysis, to highlight when a particular supplier is exhibiting more problems than others. A sample form can be found on the Oxebridge website.
26.23 | Review data from the Receiving Log, as well as any complaints you have with the supplier, to adjust the approval rating of the particular service provider in the ASL.
26.24 | For received services, a form may not be useful since the type of services provided might be very different; instead, poll the recipients of the services for their views on the quality of services received, and use this to adjust the approval rating of the particular service provider in the ASL.
26.25 | Develop a Supplier Corrective Action Report (SCAR) form to use when a problem with a supplier is significant enough to warrant requesting formal corrective action by them. A sample SCAR form can be found on the Oxebridge website.
26.26 | Ensure the SCAR form is reviewed, approved and published.
26.27 | Begin filing SCARs to problematic suppliers as needed; because the number of these is likely to be low, there should be no need to develop a specific Log for these; instead, keep the SCAR in a separate file for reference.
26.29 | Write a procedure on Purchasing, defining purchasing activities and supplier controls you have developed above. A sample procedure is available on the Oxebridge website.
You may elect to create a separate procedure for Receiving, or include this in the Purchasing procedure.
Ensure the Purchasing and/or Receiving procedures are reviewed, approved and published.

Task 27: Outsourced Processes
Clauses addressed: 8.1 Operational planning and control; 8.4 Control of externally provided processes, products and services

I find that many people worry about how to control their outsourced processes — these are things you pay another company to do, but which from the customer's point of view you're nevertheless responsible for — when in fact, they are usually doing about 90% of what's expected already. I suspect you will find this Task relatively simple, however.

TASK 27: Outsourced Processes
27.1 | Identify your outsourced processes.
27.2 | Make a table of the outsourced processes and the controls you have implemented for them. Take credit for standard controls, such as receiving inspections (of product processed by outsourced process providers), requirements for Certificates of Conformity, third-party testing, flowdown of specifications and/or certifications, etc.
27.3 | Review your customer's requirements per Task 22. Identify if they flow down any required “special process providers” or vendors of outsourced processes. If so, be sure you communicate this to Purchasing so that these services are only bought from the customer-ap-
If you require any special certifications, qualifications or other controls on the suppliers of such outsourced processes, indicate this in the table. (For example, you may require ISO 17025 accreditation for outsourced calibration services.)
27.5 | Ensure you are flowing down these special requirements to outsourced process suppliers through your purchase orders or contracts.
27.6 | Write a procedure on Outsourced Processes, defining general controls over such processes and their suppliers; include the table you created above. A sample procedure is available on the Oxebridge website.
27.7 | Ensure the Outsourced Processes procedure is reviewed, approved and published.
27.8 | Ensure all outsourced process providers are listed as approved suppliers in your purchasing system per Task 26. This would not apply to suppliers mandated by your customers.

Task 28: Production / Service Control
Clause addressed: 8.5.1 Control of production and service provision

Many of the requirements of clause 8.5.1 are addressed in greater detail in other clauses, and as a result the implementation advice for these requirements appears in other Tasks herein. So don't be alarmed if this checklist seems a little small compared to clause 8.5.1 in the standard. It's also important to read the sections in this book that discuss clause 8.5.1.
TASK 28: Production / Service Control
28.1 | Determine what “documented information” is required for work; this may be work orders, travelers, etc. Be sure you fully understand “work packets” that go to the floor.
28.2 | To the extent possible, adopt error-proofing practices and methods to reduce human error, such as poka-yoke. This can be a continuous improvement activity you do in the future, but if you have any such things underway, make note so you can take credit for them later.
28.3 | Implement some method to track work as it is done; this is typically through a work order router or traveler system. How you implement this will be dependent on your size and current software platforms. This may be paper-based or wholly electronic.
Ensure that routers/travelers have sign-offs for key process steps including the in-process and final inspections.
28.5 | Ensure that routers/travelers have a means of tracking lots or product quantities throughout the production cycle.
28.6 | If possible, add specific steps for periodic FOD checks.
28.7 | Wherever possible (and this can be tricky), for each inspection step called out on a traveler, indicate the measurement device(s) to be used. Include a space where the operator can record the serial number of the device actually used when inspection is complete. This will help with traceability later, if a device is found out of tolerance (see Task 21).
28.8 | Implement inspection records that capture in-process and final inspection results.
If you utilize sampling plans, ensure these are statistically valid (based on industry standards if possible), and document them. Avoid out-of-thi… fifth product” or “every hour” unless you have data to support that plan.
28.10 | If your production operations are not overly complicated, consider writing a Production Control procedure that defines how jobs are scheduled, how work packets (travelers, routers, etc.) are developed and used, how inspections are carried out, etc.
28.11 | Ensure the procedure is reviewed, approved and published.
28.12 | Consider developing visual aids and workmanship standards to put on the floor. If these are documents, ensure they are controlled (see Task 6). If this includes sample products (whether as examples of good product or bad), mark the products as “visual aid” or similar, so that it cannot be misinterpreted as finished product.

Task 29: Special Processes
Clause addressed: 8.5.1.2 Validation and Control of Special Processes

As we discussed, “special processes” are things you do which cannot be easily inspected or tested later, and so additional controls must be implemented to ensure the quality of the process. The chapter in this book on clause 8.5.1.2 discusses these in detail.

It's likely you may have in-house special processes (that you perform) as well as outsourced ones. It's also likely that your customer will mandate which suppliers you must use for outsourced special processes. The customer may also mandate you become Nadcap accredited for your processes, if you conduct them in-house. Neither this book nor this Task covers the full Nadcap accreditation process requirements, so tailor your expectations here.

TASK 29: Special Processes
29.3 | Make a table of the special processes utilized within your QMS, per the guidance on clause 8.5.1 regarding “Special Processes.”
29.4 | Write a procedure on Special Processes and place your special process table within it. Define the controls you employ to control such special processes. A sample procedure is available on the Oxebridge website. Alternatively, if the procedure is particularly short, you may want to put this language in the Quality Manual instead of a standalone procedure.
29.5 | Ensure the procedure is reviewed, approved and published.
29.6 | Verify your customers' requirements to see if they require your special processes to be Nadcap accredited.
29.9 | If Nadcap is required, then you must either implement the appropriate Nadcap program or outsource the work to an approved Nadcap accredited supplier (see Task 27).
29.10 | Ensure each of your in-house special processes complies with the applicable specifications (AMS, ASTM, etc.)
29.11 | Write supporting procedures or work instructions to define how in-house special processes are to be carried out; these should comply with any applicable specifications.
Ensure these procedures / work instructions are reviewed, approved and published.
If special process operators require third-party training and certification, implement this and capture records of their training / certifications.
…ed maintenance and (if …
If applicable, implement third-party testing of products processed under your in-house special processes, to validate those processes.

Task 30: Production Equipment, Tooling & Programs
Clauses addressed: 8.5.1 Control of Production and Service Provision; 8.5.1.1 Control of Equipment, Tools and Software Programs

AS9100 is particularly fussy about ensuring your equipment, tooling and CNC programs are properly validated before making any planes or rockets. Go figure.

This task addresses some minor passing comments made in 8.5.1 and then tackles the AS9100 bolt-on clause of 8.5.1.1 entirely. This goes beyond the simple equipment controls and maintenance discussed in Task 16, however, and is more about validating these things before they are used in earnest.
TASK 30: Production Equipment, Tooling & Programs
30.1 | Define the rules for validating new equipment in your Validation and Use of Equipment and Facilities procedure from Task 16. Some sample language appears in the kit procedure on the Oxebridge site. This should require new equipment to be marked “do not use” until validated, either through first article, sample test runs, etc.
30.2 | In that same procedure, “grandfather” existing equipment by stating anything already in use prior to the date of the procedure is considered previously validated.
For any equipment being installed or under validation, add signage to the equipment reading “Do Not Use for Production.” Putting an engineer's email address or phone number is a good idea, too.
30.4 | Perform the validation of new equipment as you defined per the procedure.
30.5 | In the procedure, define clearly which “tools” will require validation, and which will not. (AS9100 isn't clear on this, so you have to be.) In many cases (but not all), hand tools would be exempt, for example.
30.6 | In the procedure, require that the controlled tools (and tooling) be validated prior to use, typically through running prototype products through them, first pieces, first articles, etc.
30.7 | Establish a tooling identification method that shows when tools were validated, by whom, and any dates for re-validation if necessary. This is often done by bolted nameplates or simple labels.
30.8 | Implement the tooling controls you defined in the procedure for all critical tools and tooling.
30.9 | For CNC software, define the controls to ensure the programs are checked before release to the machine, and the controls to prevent machine operators from changing critical parameters (speeds, feeds, tool wear offsets, etc. are OK.) Add this to the procedure.
30.10 | Implement the controls for the CNC software used.
30.11 | Ensure the procedure is reviewed, approved and published.
Tf your company is large, implement a recurring internal audit to verify the storage condi- 30.12 | Bom preservation and maintenance of equipment and tools/tooling in use. You may want to add this to the internal audit procedure developed as part of Task 43. If your company is small, then just do this as part of normal internal audits. a 256 \ L Surviving AS9100 Rev. D Task 31: Identification and Traceability Clanse addressed: 8.5.2 Identification and traceability In manufactuting shops, product identification is often simple, and typically already well-implemented. Hav ing said that, the second most common AS9100 audit nonconformity is related to discovering the “strays” these ate single parts or batches which are sitting around without identification. This is usually the case when employees put product aside, throwing them in a corner or top shelf, only to forget about them later. You must check, re-check, and then triple-check your facilities for unidentified product, because any single stray will get caught by the auditor, and lead to audit nonconformities. . Step ‘TASK 31: Identification and Traceability a 31.1. | If there are no current product identification methods underway, determine ways to iden- tify products (part numbers, model numbers, ete) 31.2. | If the product is software, or contains embedded software, ensure version controls are implemented Develop methods for physically identifying product while iris being worked, as well as for n physically identifying later identification while in inventory or while in use by the customer, This may involve | : y y , Jabeling, marking, barcoding, etc. Develop methods to identify product as to its inspection starus (good, bad, awaiting 31.4 | disposition, etc). Consider a policy that indicates all product is good unless otherwise | marked, to avoid having to identify inspection status on everything 31,5. | Implement the product identification methods you have developed. 
There should be no 1.5 [Imp P a unidentified product anywhere within the facilities in scope of your QMS. rs 31,6. | Review your customer requirements to sce if individual product serialization (traceability) is required. Review your own internal requirements to see if individual product sera guited, this includes lot and batch numbering or date coding, as well as seriaizing TF no requirements for serialization are required by either you or your customer, do noth 318. | ing TF itts tequted, develop methods to uniquely identify exch part, batch or lo; include | | any customer-mandated serialization requirements as well. Develop a means ro maintain records of the serial numbers, batch numbers et 31.9 | records must be able to track back to production information if, in the future, a pa Teechig returned and only the serial number or batch number is known. For configuration management considerations, be sur all producti identified with some san | thing that tees back tthe part number and revision of that pat his ma be by 10 | efing te part number and revision on the partitslf, or making ajob number that wil | trace back to that paperwork. 7 assemblies, be sure that all component parts are clearly identified with their part and For at weil as any fusished asscnblics, th their part and ation is ee | cor} O revision, “Wire a procedure on Product Identification and define the conwok you have developed | > Wane # [ample procedure is available on the Onebridge webete nn Seer Ensure the procedure is reviewed, approved and published. a J Search all the facilities within your QMS ag; 31.14 | gs needed. be ain, looking for unidentified product. Correct, o | 257 Surviving AS9100 Rex. 
31.15 | If you have a company “trophy room” featuring sample products, ensure each product is identified as a “sample,” or if this is impractical, ensure some signage is used in the area to indicate the products are samples, and not to be used.
31.16 | Don’t forget the identification of third-party property, per Task 17.
31.17 | If your company utilizes inspection or other “Acceptance Authority Media” (AAM), create a Stamp Control Log to capture the types of stamps used. A sample form is in the Oxebridge kit.
31.18 | Carefully get a sample impression of each stamp TYPE (not each individual stamp); e.g., QC stamps, Manufacturing Engineering stamps, Receiving Inspection stamps, etc. Get a clean impression of a sample of each stamp type.
31.19 | Write a Stamp Control Procedure that includes a table with the sample image of each stamp type, and a description of its intended use.
31.20 | Add to the procedure language on the intended controls for each stamp type, as well as generic controls such as prohibiting stamp sharing, stamp swapping, stamp ahead, stamp behind, illegible stamp impressions, etc.
31.21 | Review customer requirements per Task 22 to see if any additional AAM requirements are flowed down to you. If so, incorporate these into your procedure and implement them.
31.22 | Using the Stamp Control Log form, have every employee who has been assigned a stamp make an entry of their stamp impression, their name, and the date the stamp was issued.
31.23 | Ensure all stamp types and all stamp-holding employees are covered on the Stamp Control Log.
31.24 | Consider having employees provide a sample signature and sample initials on the Stamp Control Log, as well, if you allow them to sign off operations with either signatures or initials.
31.25 | Be sure the Stamp Control procedure addresses what to do with stamps of terminated or retired employees, as well as how to re-issue stamps after a given quarantine period.
31.26 | Be sure to define how employees can report lost stamps.
31.27 | Train all stamp-holding employees on the need to control their stamps at all times, and the rules for stamp use and control, per the procedure.
31.28 | Ensure the procedure is reviewed, approved and published.

Task 32: FOD Control

Clause addressed: 8.5.4 Preservation

Despite the AS9100 standard only mentioning “foreign objects” in passing, you will be expected to roll out a full-fledged FOD program. You’ll want to read the guidance on FOD programs in the chapter related to clause 8.5.4.

TASK 32: FOD Control

32.1 | Make a list of the types of FOD your company is concerned with. This will be dependent on the nature of your product and the manufacturing processes.
32.2 | Obtain a map of your production facilities, and mark off the areas where FOD controls are critical, and where FOD controls are not applicable.
32.3 | Based on this, decide how many “FOD Zones” you will need. The minimum will be two (area with FOD concerns, everything else), but you may have up to four (no control, FOD Awareness Zone, FOD Control Zone and FOD Critical Zone).
32.4 | Develop a FOD Zone Risk Assessment form, to determine which designation applies to each area in your company. A template for this risk assessment is available on the Oxebridge site.
32.5 | Perform a risk assessment of each area you indicated on your map that has some level of FOD control need. You can skip the areas where FOD is not a concern (office areas, lunchroom, etc.)
32.6 | Based on the risk assessment scores, mark the areas on your floor map with the final Zone designation.
32.7 | Design or purchase FOD Zone signs, for each of the Zone designation types. One source for such signage is at www.fodprevention.com. Purchase enough signs of each Zone designation to thoroughly mark the areas.
32.8 | Install the signage in the areas, so that it is always clearly evident what FOD Zone designation applies to what area.
A person should always be able to quickly determine which FOD Zone they are in.
32.9 | Develop the rules you intend on requiring for each FOD Zone. The Oxebridge template FOD procedure will give some guidance on this, but you will want to customize this.
32.10 | Begin writing a procedure on FOD Control that includes your definitions of the applicable Zones, and each Zone designation’s particular FOD controls. A sample procedure can be found in the Oxebridge kit.
32.11 | Implement the controls you have deemed necessary for each FOD zone. This may include shadowboarding tools, restricting access, requiring special clothing, etc.
32.12 | Review your router / traveler development or manufacturing work instruction activities for places where you can add FOD inspections, and do so.
32.13 | Ensure that the manufacturing operations are in a proper sequence to remove or prevent FOD, and that FOD removal steps are included after any FOD generating step.
32.14 | If you have design authority, ensure that your engineers know to design product in a manner that will reduce the likelihood of FOD, and to design for manufacturing methods in ways that will allow for FOD detection and FOD removal.
32.15 | Review your customer requirements per Task 22 for any specific or additional FOD requirements, including requirements to comply with customer FOD procedures. Incorporate these into both practice and your draft FOD procedure.
32.16 | Consider purchasing AS9146, the aerospace FOD standard, and implementing any additional controls you find useful from that. Incorporate these into both practice and your draft FOD procedure.
32.17 | Develop a one-page Visitor FOD Training Guide to hand to visitors who receive “escort not required” status upon entry. Require that all such visitors read and sign the FOD Training Guide.
32.18 | Develop FOD training for all employees, based on your FOD Zone rules, types of FOD
pertinent to your company, the risks of FOD damage, etc.
32.19 | Conduct this training with all hands and keep a record of the training.
32.20 | Add the training requirements for employees and guests into your draft FOD Control procedure.
32.21 | Ensure your work environment is suitable for FOD controls and make adjustments as needed.
32.22 | Implement a Clean-As-You-Go program to reduce FOD risks.
32.23 | If you’re really overcaffeinated, implement a 5S/6S program, but don’t halfass it. If you aren’t going all-in, then skip this step entirely.
32.24 | Implement a system to report and manage lost tools or equipment.
32.25 | Implement sponge logs where access to aircraft/spacecraft is performed, if applicable.
32.26 | Implement shadowboarding of shop tools if appropriate. Include a chit system for tracking of tools.
32.27 | Implement product protection (covers, FOD barriers, mats, shields, etc.) as appropriate.
32.28 | Purchase and implement FOD containers to distinguish them from ordinary trash.
32.29 | For clean rooms, implement gowning protocols.
32.30 | For clean rooms, implement environmental controls (particle counters, filters, temperature and humidity controls, etc.)
32.31 | Implement a system for employees to report FOD risks or escapes.
32.32 | Finalize your FOD Control procedure to capture all the various aspects of FOD control you have implemented.
32.33 | Ensure the procedure is reviewed, approved and published.

Task 34: Product Preservation & Handling

Clause addressed: 8.5.4 Preservation

The preservation clause in AS9100 has been diluted to almost parody, so it’s important to remember what the clause used to be about (and which is still hinted at in the Note): handling, storage, packaging and preservation.
This won’t just apply to your “hard” products, but to customer intellectual property as well.

TASK 34: Preservation

34.1 | Develop methods to properly handle products while under your control; this should include raw materials, WIP and finished product.
34.2 | Develop methods to properly store products to limit risks of damage, deterioration, loss or theft.
34.3 | Develop methods to properly package products; this should include any packaging methods you use while product is stored within your facility, as well as packaging for delivery.
34.4 | Develop methods to preserve product, if special preservation steps are required beyond simple handling, packaging and storage. This may include special storage environments (refrigeration, inert gas, immersion in oil, etc.)
34.5 | Develop methods to prevent contamination of product, whether by local contaminants (dust, dirt, germs, etc., as applicable) or cross-contamination between different products, materials or processing chemicals (cleaners, cleaning media, etc.)
34.6 | Develop methods to handle shelf-life products that have expiration dates. The methods should include how to determine shelf-life, what to do if the shelf-life is expired, and how to utilize first in/first out (FIFO) storage practices.
34.7 | For any manufacturer’s expiration dates that appear unrealistic, develop internal methods to requalify expired product to more realistic dates. Such methods must be technically justified, by way of data.
34.8 | Ensure you’ve implemented the FOD program per Task 32.
34.9 | Ensure any intellectual property you deliver as a product (reports, data, etc.) is properly stored and protected from alteration, loss or theft.
This must include preservation during transmission of the data as well.
34.10 | Ensure any software you provide as a product is not exposed to the injection of malicious code, malware, viruses, etc.
34.11 | Ensure packaging of electronic media, if sold as a product or part of a service, preserves the data according to requirements.
34.12 | Write a procedure on Preservation of Product and define the controls you have developed. A sample procedure is available on the Oxebridge website.
34.13 | Ensure the procedure is reviewed, approved and published.
34.14 | Search the facilities within your QMS scope for any product that is expired, exposed to contamination, or in any other way in violation of your methods and procedure.

Task 35: Inspection and Testing

Clauses addressed: 8.6 Release of products and services; 8.5.1.3 Production Process Verification

As I mentioned, the clause 8.6 “Release of Products and Services” is not about delivery, which one might assume from the title, but about inspection and testing activities which are used in order to release the product. At the same time, we can tackle the requirements for First Article Inspection from clause 8.5.1.3.

TASK 35: Inspection and Testing

35.1 | Obtain and review the acceptance criteria for products and services that you developed as part of Task 18.
35.2 | Determine what inspection and test methods you will utilize to confirm the product meets requirements, both while in-process and prior to final packaging for delivery or placement into inventory.
35.3 | Implement the necessary inspection and testing activities, using (as necessary) calibrated tools per Task 21.
35.4 | Incorporate inspection and test steps into the work planning tools you developed as part of Task 28 (travelers, etc.)
35.5 | Maintain records of inspection and test results.
35.6 | Determine your level of responsibility for First Article inspections from the customer’s requirements.
35.7 | Develop an AS9101-compliant First Article form, or just use AS9101 itself.
35.8 | Implement First Article Inspections per the customer’s requirements.
35.9 | If appropriate, ensure that work travelers / routers call out when an FAI is to be conducted.
35.10 | Review your internal capabilities and processes, and implement additional First Article Inspections accordingly.
35.11 | Ensure product labeling includes the status of inspections and tests, as per Task 31.
35.12 | Develop procedures and/or work instructions on how to conduct inspections and tests, if deemed necessary.
35.13 | Ensure such procedures and work instructions are reviewed, approved and published.
35.14 | Ensure that your shipping and packaging methods or procedures include steps to attach or include all necessary inspection or test records with the shipments, as required by the customer. This may also include certificate of conformity, etc.

Task 36: Delivery and Post-Delivery Activities

Clause addressed: 8.5.5 Post-delivery activities

You may recall that AS9100 largely forgot any requirements related to delivery (shipping), and jumped right to post-delivery. So we have to put “shipping” back in, and it may as well go here. This task addresses delivery activities, as well as the post-delivery work you may do, through servicing, repairs or rework.

One important reminder: if you do repair or rework on products returned to you, the product technically remains the property of the customer, so you would therefore be considered “servicing” even if you employ the exact same production methods on returned product as you do new product. This also invokes your need to protect the returned product under the third-party property rules discussed in Task 17.
If, on the other hand, you simply ship replacement product to the customer, and then repair the returned product for later resale, this would not be considered post-delivery activities per this clause, since the customer does not own the product you are repairing.

TASK 36: Delivery and Post-Delivery Activities

36.1 | Develop standard methods for shipping of products or delivery of services. Ensure such methods adhere to any customer-mandated requirements (carrier, delivery method, delivery schedules, etc.)
36.2 | Implement packaging requirements for shipped product per Task 26 above.
36.3 | Develop a Delivery procedure defining the methods you have adopted above. A sample procedure is available on the Oxebridge website, but expect this will need to be heavily customized.
36.4 | Ensure the Delivery procedure is reviewed, approved and published.
36.5 | Determine the level of post-delivery activity you are responsible for. This will include field service work, in-house repair or rework of returned product, or re-delivery of services.
36.6 | Develop necessary procedures or work instructions for service work.
36.7 | Ensure the servicing procedures or work instructions are reviewed, approved and published.
36.8 | Develop appropriate records to capture the post-delivery work conducted, the results, and verification methods.

Task 37: Nonconforming Product

Clause addressed: 8.7 Control of nonconforming outputs

AS9100’s overall spirit here is simple: you must control the bad product so that it isn’t accidentally shipped, and then analyze what went wrong and take corrective action so it never recurs. While under the ISO 9001 scheme this is important, under AS9100 it’s absolutely critical: auditors and customers will assume that nonconforming product has a tendency to leak out of your company, if it hasn’t already, causing airplanes to crash and rockets to blow up prematurely.
In fact, under the AS9100 auditing scheme, it’s an automatic major nonconformity if an auditor finds evidence of nonconforming product having been shipped, or has a reasonable expectation that it could ship.

This Task assumes you do not have special third-party QMS software for recording and dispositioning nonconforming product; if you do, adjust the implementation steps to align with your software, and ignore the suggestions for a special form herein.

TASK 37: Nonconforming Product

37.1 | Develop methods for identifying product that has failed inspections or tests, or otherwise determined to be nonconforming, so that it cannot be confused with conforming product. (See also Task 31.)
37.2 | Develop methods for segregating nonconforming product.
37.3 | If your company is large, consider implementing a full-blown Material Review Board (MRB) for processing and dispositioning product nonconformities. If you’re small, skip this step.
37.4 | Develop a Nonconformance Report (NCR) or similar form which will record the nature of a particular nonconformance, a cause analysis, a description of the dispositions and actions taken, and the name of the person authorizing the disposition.
37.5 | Ensure the NCR form (or equivalent) is reviewed, approved and published.
37.6 | If necessary, create separate quarantine areas for nonconforming product. In most industries an “MRB cage” isn’t required, but in aerospace this is highly recommended, and some of your customer contractual requirements may outright require it. If your products are small, this may not be a cage, but a locked cabinet.
37.7 | Implement a method to secure scrap in the cage or locked areas before either Option A or Option B below. This will only apply to product officially dispositioned as “scrap,” and not anything awaiting disposition.
37.8(A) | Option A: contract with a certified scrap hauler to periodically take your scrap and destroy it.
Ensure they are bonded and that they provide a certificate of destruction. Institute logs of what material was sent to such haulers, for traceability.
37.8(B) | Option B: implement in-house product mutilation activities for scrap. Whatever methods you use must prohibit the product from ever being used for its original intent. Keep records when such scrap is mutilated.
37.9 | Unless your company is a certified repair station, ensure that you prohibit all repair of product without customer approval.
37.10 | In all cases, prohibit “use as is” dispositions without customer approval.
37.11 | Implement policies to prevent counterfeit or suspect counterfeit product from being returned to suppliers or re-introduced into the supply chain; see Task
37.12 | Develop a Control of Nonconforming Product procedure defining the methods you have adopted above. A sample procedure is available on the Oxebridge website.
37.13 | Ensure the Control of Nonconforming Product procedure is reviewed, approved and published.
37.14 | Go back, if possible, and gather data on product nonconformities from the last 6-12 months. Analyze this data to determine common errors or defects, and file CARs to correct any trends discovered.

Task 38: Customer Satisfaction

Clauses addressed: Customer focus; Customer satisfaction

As I mentioned in Part One, you should rely on more than just surveys to gather customer satisfaction data. The level of your ability to do so will be entirely dependent on the unique characteristics of your organization, your industry and your customers, so do the best you can.

TASK 38: Customer Satisfaction

38.1 | Assess the current methods by which you determine your customer’s perception of your ability to satisfy their requirements.
Make a list of these methods.
38.2 | If you determine your list from Step 38.1 isn’t sufficient — and it typically isn’t — consider additional “passive” methods of gathering customer satisfaction data, per my suggestions in chapter 9.1.2.
38.3 | Determine if there are any additional “active” methods of gathering customer satisfaction data that you can add to your arsenal.
38.4 | If your customers provide them, collect any supplier “scorecards” or other quality and/or on-time delivery information they send you. This may require logging into your customer’s supplier portal and obtaining it that way, if they do not send it automatically. Try to collect at least 6-12 months of this data, and prepare a trend report.
38.5 | Analyze your own order data and develop an internal on-time delivery metric, based on when jobs were promised and when they were delivered. Factor in adjustments to dates when agreed to with the customer. Collect this data for the prior 6-12 months, as well.
38.6 | Now analyze your own quality data, based on defect data, scrap rates, first-pass yields, etc. (How you do this will be unique, so the exact methods are up to you.) Collect this data for the prior 6-12 months, as well.
38.7 | Write a procedure on Customer Satisfaction, defining the methods you’ve adopted above. A sample procedure is available on the Oxebridge website. Alternatively, if the procedure is particularly short, you may want to put this language in the Quality Manual instead of a standalone procedure.
38.8 | If you intend to use a survey, create a formal Customer Satisfaction Survey form.
38.9 | Ensure the procedure and any related forms are reviewed, approved and published.
38.10 | Begin gathering the data as dictated by your procedure, and collect the data for eventual Management Review in Task 47.

Task 39: Analysis and Evaluation

Clauses addressed: 9.1.1 Monitoring, measurement, analysis and evaluation: General; 9.1.3 Analysis and evaluation

During this Task, you will go back and verify that data has been gathered, as indicated in many of the previous Tasks, and then ensure you are analyzing the data to identify trends of nonconformity, or to generate opportunities for improvement.

The final analysis of the data will occur during Management Review (Task 47), but the data should be analyzed regularly outside of the periodic Management Review; you should resist the urge to leave the analysis only during the Management Review activities.

TASK 39: Analysis and Evaluation

39.1 | Ensure you are on track gathering data related to process objectives (from Task 2). You will be formally analyzing this data during management review in Task 47, so this is your last chance to ensure the data on process performance is being collected for analysis.
39.2 | Ensure you are on track gathering data related to product and service nonconformities (from Task 37). You will be formally analyzing this data during management review in Task 47.
39.3 | Ensure you are on track gathering data related to customer satisfaction (from Task 38).
39.4 | Ensure you are on track gathering data related to risks and opportunities (from Task 9).
39.5 | Ensure you are on track gathering data related to the performance of suppliers (from Tasks 26 and 27).
39.6 | Develop methods to ensure analysis of the data occurs on a regular basis, and not solely during the Management Reviews in Task 47; this should be a responsibility given to the process owners, with instructions that they must file CARs when deviations or downward trends are spotted.
39.7 | Ensure any statistical techniques used are statistically valid.
39.8 | If required, write procedures or work instructions on the use of statistical techniques in gathering and analyzing data.
39.9 | Ensure any such procedures or work instructions are reviewed, approved and published.

Task 40: Develop Quality Manual

Clause addressed: 7.5.1 Documented Information - General

As we discussed, ISO 9001 no longer requires a “Quality Manual.” AS9100 adds a few things to collect together into something called a “Quality Manual,” but this book takes the position that a more robust Quality Manual still has value, whether for your internal staff or for external parties such as customers or auditors, and so presents guidance on how to create one. In the aerospace industry especially, your customers will expect you to have a large QM.

As you will see, pushing this Task to nearly the end makes it a lot easier; now you are merely capturing the information you’ve already developed, and referencing procedures you’ve already created, rather than writing the Quality Manual first and guessing as to what you might think of in the future.

TASK 40: Develop Quality Manual

40.1 | Confirm your decision on a format for your Quality Manual, per the options I presented
Write the Quality Manual, being sure to pull in the information you noted and set aside.
40.2 | Incorporate the high-level process interaction map you developed as per Task 2.
40.3 | Include the Scope Statement you developed as per Task 4.
40.4 | Include the Quality Policy you developed as per Task 5.
40.5 | Include, or make reference to, the Org Chart developed as per Task 7.
40.6 | Include the language on the Management System Representative as per Task 7.
40.7 | Include any language on “leadership and commitment” you developed as per Task 11.
40.8 | Include any language regarding Organizational Knowledge you developed as per Task 13.
40.9 | Include any language regarding internal and external communication you developed as per Task
40.10 | Include any language you developed regarding management “providing necessary people”
as per Task 15.
40.11 | Include your disclaimer language regarding the “work environment” as per Task 16.
40.12 | Include language on your interpretation and application of clause 8.3 design and development, as per Task 24.
40.13 | If you haven’t created a separate procedure for it, include any language you developed regarding customer satisfaction as per Task 38.
40.14 | Include any language you developed regarding continual improvement as per Task 45. You may have to jump ahead for this.
40.15 | Reference all documented procedures you created herein; don’t reference lower-level work instructions.
40.16 | Include the table you created in Task 2 showing the cross-reference of all top-level processes and their applicable AS9100 clauses.
40.17 | Ensure the Quality Manual is reviewed, approved and published.
40.18 | Submit the Quality Manual to any third parties who may be interested in it (customers, auditors, etc.)
40.19 | Consider publishing the Quality Policy developed during Task 5 as a separate, controlled document. If so, this must match the language appearing in the Quality Manual exactly.
40.20 | Ensure the standalone Quality Policy is reviewed, approved and published.

Task 41: Conduct QMS Training

Clauses addressed: 7.1.1 Resources; 7.2 Competence; 7.3 Awareness

Now that your implementation is fairly far along, it’s time to pull the curtain away from the big, smoky, bellowing Oz-machine and reveal the steam-belching workings behind the scenes. This means telling the employees about the AS9100 program that they’ve likely heard mutterings about for the past few months.

I recommend giving a brief, one-hour overview training to all employees. Each subject (listed below) is covered under only a handful of slides, in a typical presentation.
You are just alerting employees to the existence of AS9100 and the QMS, and then pointing them to the documentation where they will really begin to learn about the QMS and how it applies to their jobs. Finally, this is an opportunity to capture some of the “awareness” expectations of AS9100.

Beyond simple all-hands training, you must ensure you grant your employees the time necessary to read the new QMS documents, and raise questions (or CARs) when they don’t understand something. I can’t tell you how many times I see a Quality Manager write and publish QMS documents, only to never tell anyone about them, as if they are a secret set of tomes only to be read by the elite village wizards. Bosses, likewise, recoil at granting line operators time away from their salt mines to “read shit” when they could be working. This attitude must be fought aggressively since the point of QMS documents isn’t to satisfy auditors, it’s to train your employees and ensure they all work consistently, per the text you’ve written.

TASK 41: Conduct QMS Training

41.1 | Develop training materials (presentation, handouts, etc.) aimed at training your staff on the new ISO 9001 quality system.
This should include:
* What is AS9100
* What is a QMS
* How your organization implemented a QMS based on ISO 9001
* Location of Quality Manual and related procedures
* How to file a CAR when reporting a problem or offering a suggestion
* Awareness of quality objectives
* Quality Policy
* How each staff member’s role impacts on the QMS and the quality of products and services
* The ramifications of not complying with procedures and AS9100
* Minimum ethics requirements
* Controlled stamp usage
* Counterfeit part awareness
* FOD awareness
* How employees can impact on product safety
* What to expect during internal and external audits
The training presentation should be able to cover these bullet items in less than one hour. A template training presentation is available on the Oxebridge website.
41.2 | Perform the training for all employees. Classroom sessions are best, but if employees cannot physically attend for some reason, have them read the material and return an acknowledgment. There’s no need for a “test” afterward; tell them the “final exam” will be how well they survive the audits.
41.3 | Keep records of the training.
41.4 | Don’t forget to place any training presentation or materials under revision control and document control.
41.5 | Include this training in the orientation training of all future employees as well. If appropriate, add a requirement to do so in the Hiring and Training presentation suggested in Task 15.
41.6 | Ensure that employees are given time to read, and access to, the QMS documents affecting them. If you deny them this, they can’t be held accountable if they hose up your audits, or produce defective products later.

Task 42: Control Your Records

Clause addressed: 7.5 Documented information

Records are a tangle, no matter what you do. There are often a thousand of them floating around, many of which you never knew existed, and inevitably some auditor will find them.
AS9100 clause 7.5, comprising its many confusing sub-clauses, confuses “records” and “documents,” so you will want to review my advice relative to these clauses to decipher it. If you remain confused prior to any third-party audit, it could result in nonconformities.

I’ve intentionally left the development of your records controls to the end, because any attempt to do it earlier will just force you to revise it over and over, as you find more and more records are kept by more and more people. Doing it last helps save some trouble, but expect this to be a confusing mess anyway.

TASK 42: Control Your Records

42.1 | Send an email to all managers and process owners asking them to respond back with the following:
* What records they currently keep
* Their format (hardcopy or electronic)
* Where they are stored
* How long they keep them for (retention time)
Give them one week to reply; no more than that.
42.2 | Collate all the responses to the above email into a single table.
42.3 | A few employees didn’t respond to your email, go harass them physically. Make sure you collect the data!
42.4 | Update your table with the latest records. Be sure it’s as complete as can possibly be.
42.5 | Review your customer’s contractual requirements per Task 22, specifically for any record retention requirements. Incorporate those into your table. Where there’s a conflict between your retention requirements and the customer’s, choose the longest.
42.6 | Assess the table for which records might be outside of the scope of the QMS; for example, accounting records, legal records, etc. Remove these from the table. (Alternatively, keeping them there might be OK, but be aware that this opens the records up for auditing by your QMS auditors.)
42.7 | Review with top management as to whether the format, storage and retentions indicated in the table are adequate and acceptable; if not, revise the table with management’s requirements for these criteria.
(For example, a department may be keeping some records in hard copy for 10 years, and senior management may want to convert those to electronic format and only keep for 3 years.) Only when the records table reflects top management’s requirements, proceed.
42.8 | Write a procedure on Control of Records, defining the methods you’ve adopted for creating, using, correcting, storing, protecting, retaining and dispositioning the records. Include a formalized copy of the table you created. A sample procedure is available on the website.
42.9 | Ensure the procedure is reviewed, approved and published.
42.10 | Ensure the records holders you polled in Step 1 are aware of the new procedure and any updated requirements in the table, so that they can adjust their practices and retention times accordingly.
42.11 | Ensure electronic records are subject to server backups; if not, implement these.
42.12 | OPTIONAL: If deemed necessary, write work instructions on electronic backup protocols. This is sometimes useful if the backups and schedules are complicated, and not otherwise automated by your IT people.
42.13 | Ensure any such backup work instructions are reviewed, approved and published.
42.14 | If you have a server room in-house, ensure it’s properly secured and air-conditioned, to ensure the proper functioning of the servers and thus the protection of data.

Task 43: Conduct Internal Audits

Clause addressed: 9.2 Internal audit

If you remember Task 1, I told you a gap analysis audit is a waste of time.
Now that you've got nearly all of your shiny new QMS implemented, even if the paint is still drying on it, you can accomplish two key milestones at once: (1) check the mandatory box on conducting a full internal audit and (2) identify remaining gaps. If, as I assume, your goal is third-party certification, then this is an obligatory step; if you're not pursuing registration, you can conceivably do these audits whenever you like.

This step assumes you have not purchased QMS software with an internal audit module already included; if you have, follow the requirements of that software rather than my suggested methods below. Be sure any procedure you write reflects that QMS software approach, too.

TASK 43: Conduct Internal Audits

43.1 Go back and get that table of processes vs. AS9100 clauses I had you make in Task 2 (and which you later put in your Quality Manual as per Task 40).
43.2 Develop an Internal Audit Report form to record the results of each internal audit. A free template form is available on the Oxebridge website.
Develop an Internal Audit Log form, which will not only capture the internal audit schedule, but also summarize the results of audits after they are completed, allowing for trend analysis. A free template form is available on the Oxebridge website.
43.4 Ensure the Internal Audit Report and Internal Audit Log forms are reviewed, approved and published.
Write a procedure on Internal Auditing, defining the methods you've adopted for scheduling, conducting and reporting audits. A sample procedure is available on the Oxebridge website.
43.6 Ensure the procedure is reviewed, approved and published.
Determine who, among your staff, will be assigned the role of internal auditor. Always feel free to train extra staff on auditing, even if you don't anticipate they will audit; you want to include any key process owners, just to give them more in-depth AS9100 training than the general overview discussed in Task 42.
43.8 Develop internal auditor training materials; see my guidance in the section on clause 9.2. This isn't an easy task, and Oxebridge can't provide a generic set of training materials, since it's a dedicated service we offer. Alternatively, you can attend a third-party auditor training class.
43.9 Conduct internal auditor training. Keep records.
43.10 Populate your internal audit schedule; for the first set of audits you will merely audit everything during a single calendar event (over a week, etc.) Later, you can schedule future audits based on the results of the first round, but that's moot for the first round itself. Assign a Lead Auditor for each planned audit.
43.11 Notify the Lead Auditors of the audits that have been assigned to them, and the dates you'd like the audits conducted. Reschedule audits — within reason — if the audit team or auditees have a scheduling conflict.
43.12 Conduct the internal audits. For each, complete the Internal Audit Report. Audit against your internal requirements and the AS9100 clauses applicable to that process, as identified in Step 43.1 above.
43.13 Write a list of the findings you want to be written up within the CAR system for the internal audit nonconformities or opportunities for improvement. (We'll do this in Task 4.)
43.14 Review the internal audits to make sure the forms were filled out correctly, that objective evidence was recorded to support all findings (positive and negative) and that any nonconformities were clearly described.
43.15 Update the Internal Audit Log with the results of the audits, and prepare any trend data for reporting to Management Review as part of Task 47.
43.16 Update the Internal Audit Log to schedule the next round of audits; again, you should do this based on the results of the first round, scheduling problem areas more frequently than those with fewer audit findings. Use your best judgment. It's only necessary to schedule the next round of audits, not all possible audits for the next 100 years.

Task 44: Write Up CARs
Clause addressed: 10.2 Nonconformity and corrective action

After your internal audits are complete, you need to process the audit nonconformities through your formal CAR system. This assumes the auditors haven't written the CARs up already, as part of the audit itself (some companies have that step embedded in their audit activities). I also recommend writing up CARs for any auditor suggestions or opportunities for improvement; but at the least, you must write CARs up for nonconformities.

TASK 44: Write Up CARs

44.1 Get the list of internal audit nonconformities and opportunities for improvement from Task 43 and write each up as an individual CAR within your corrective and preventive action system.
44.2 Process CARs according to Task 10. Be sure each CAR has a desired completion date assigned to it, so that you can measure if the CARs are being processed “without undue delay,” per AS9100 clause 9.2.

That's it for this Task; we will revisit the closing of these CARs in Task 46.

Task 45: Continual Improvement
Clauses addressed: 10.1 Continual Improvement: General; 10.3 Continual improvement

As I mentioned in chapter 10, ISO probably has no business advising anyone on “continual improvement,” and it's a freebie anyway — technically, if you've engaged in less human trafficking than last year, you're improving, and no auditor can argue otherwise.
If you've done anything at all that could, in the least bit, be interpreted as “improvement,” you've met the literal requirements of clauses 10.1 and 10.3.

Naturally, that's not the intended spirit of AS9100, even if we could argue interpretations of “spirit” all day long, and then form an entire organized religion around it later to keep up the fun for centuries. But I think we can all agree that continual improvement is a good thing, and you should strive for it.

I'm going to make some suggestions here, and you have to understand that they are only suggestions. This is because of the lack of firm requirements in clauses 10.1 and 10.3 (which, as I argued previously, should be a single clause, and not split up.) Still, these steps are based on years of successful implementations, and auditors love them, so I hope you'll consider adopting them.

TASK 45: Continual Improvement

Remember I said destroy the suggestion box in the lunch room? You ignored that advice, didn't you? I knew it. Now go back, and take an ax to the damn thing already. Your CAR system replaces this, and your employees think the suggestion box is stupid anyway. Do it now.
Develop some language about your organization's approach to continual improvement, and the current methods you have in place to pursue it. Put it aside, as we will add this to the Quality Manual later. You should be sure to include the following:
* Your work with the COTO Log, and specifically the Opportunities Register, if you've 1 Rene soho pro 3
(There is no need for a separate procedure on continual improvement, and writing one is often overkill.)
Review the CAR log to ensure that staff are submitting opportunities for improvement (OFIs), and not just reporting problems. If you have had little participation in the CAR system, and have few OFIs on record, make a renewed push for these, perhaps through a more visible campaign.
In short, try to populate the CAR system with more OFIs.
Send an email alert to top management that during the upcoming Management Review activities, they will be polled for ideas on how to improve the organization, the QMS, its processes, and the products and services you offer. (That will then be addressed in task 59, during Management Review itself.)
Gopied the COTO Logs Opportunity Register, refer to it for some additional ger of abione hy the register You can start using this as rudi- xg improvement actions, Se other opportunities to develop improvement plans, file CARS the Opportunity Log:

Task 46: Close CARs
Clause addressed: 10.2 Nonconformity and corrective action

Just prior to management review, it's a good idea to close as many CARs as possible. This is not a hard and fast requirement, though; it's just a good idea. You may have some CARs that are open for entirely legitimate reasons, and that's fine. You just want to use this opportunity to formally check and close on any CARs that might be finished, or to light a fire under any CARs that are overdue for no good reason.

Again, this Task assumes you are using the Oxebridge format CAR system, and not a third-party software solution; if the latter, adjust this Task to suit your software's methods and requirements.

TASK 46: Close CARs

46.1 Check your CAR log for CARs that are overdue needlessly, and contact the assignee to remind them to take action or update the CAR.
46.2 Update the CAR Log as needed to reflect any CARs that were closed and verified.
46.3 Generate CAR system trend data to present at management review.

Task 47: Management Review
Clause addressed: 9.3 Management review

Conducting a formal management review, ensuring that it covers all the required inputs of AS9100 clause 9.3, is the last mandatory step before you can submit to a third-party certification audit.
Having conducted at least one full round of internal audits and at least one management review is a de facto requirement before any registrar will set foot in your organization.

The means by which you conduct management review can vary, as I mentioned in the guidance on this clause elsewhere. This checklist below assumes you are holding a meeting of some sort, but the steps can be easily modified if you're doing this in some other format. Feel free to be flexible.

TASK 47: Management Review

Send a notice to all process owners to gather the objectives data related to their processes, and have it ready to report during the management review. If it helps, send around the Objectives Table I suggested previously and have them update their entries and data.
Determine your methods of conducting management review(s) — this may be through meetings, email swaps, etc.
Write a procedure on Management Review, defining the methods you've adopted for scheduling and conducting the reviews, as well as the required attendance and topics to discuss. A sample procedure is available on the Oxebridge website.
Ensure the procedure is reviewed, approved and published.
Develop a form to use to capture Management Review records, if you are conducting meeting-style reviews. This will act as minutes for each such meeting. A sample form is available on the Oxebridge website, and I urge you to use that since it ensures you capture every required “input.” Alternatively, you can use it to design your own form, as a helper document.
Ensure the management review records form is reviewed, approved and published.
Conduct the management review per your procedure, being sure to address all the “input” requirements of AS9100 clause 9.3. Complete the records of the management review once complete.
Ensure that process objectives have been updated with goals set by top management.
Ensure that the Strategic Direction is updated by top management.
Review the COTO Log Risk Register and update accordingly; add new risks as appropriate. Adjust prior risk ratings to suit new changes and updated information. Update any risk plans.
Review the COTO Log Opportunity Register and update accordingly; add new opportunities as appropriate, and adjust entries for prior opportunities.
47.12 Save a copy of the updated COTO Log as a “snapshot” of its state as of the date of this Management Review. Then you can compare it later to future snapshots to show what has changed.
47.13 Ensure that a CAR is written for any suggestion for improvement or management review action item that comes from the review itself.
Ensure that a CAR is written for any process objective that has not met its goal. Reference this CAR in your management review record.
Be sure to officially schedule the next management review, to prove that you intend on doing more such reviews in the future.
Consider publishing the minutes of the management review so that affected managers and process owners can see the decisions made, adjustments to objectives, etc. If decisions are made in a smoke-filled room and no one is aware of them, the decisions are pointless.

Task 48: AS9100 Certification Audit
Clause addressed: none, or all, depending on your point of view

Because the night is dark and full of terrors, now is the time to submit yourself to the process of third-party certification audits, an experience very much like a college fraternity hazing, but with less beer and a lot more permanent psychological damage. If you like Nicolas Cage movies or attending Amway sales conventions, this is definitely your cup of tea.

Three Main Steps

This Task is split into three major activities:

1. Selecting a registrar.
Like choosing your preferred executioner (“oh, I hear Samm is nice, he's very gentle with the ax, and even though it will be in a basket when he's done with it, your head will look faaaabulous!”), selecting a registrar is no fun. You have to wade through a forest of three-letter-named company names, which all start to sound the same after five minutes, and then suffer through their aggressive and maddening sales pitches. Then you'll have to fill out a million forms requiring information you never thought was necessary, and may have to follow up with days and days of phone calls to get them to actually provide you a quote. Finally, when they do, it's likely going to be rife with errors, forcing a whole set of second phone calls and a revised quote. Then when you sign the contract, you'll feel you just donated both kidneys... without anesthesia. Through it all, though, they will promise to be “adding value,” even as you snort milk out your nose every time they say it.

2. Undergoing the audit. Once you've chosen your registrar, you'll schedule and undergo a two-stage audit that is very much like medieval dentistry, but if you imagine the medieval dentist wasn't, in fact, from the medieval age, but instead had traveled from the past, and was actually a Neanderthal dentist. The two-stage approach is required by accreditation rules, so you can expect to undergo a 1-day “Stage One” audit, designed to assess your readiness and ensure that the CB isn't potentially losing money by scheduling the next Stage Two if your QMS is a mess. Stage Two is the real audit, where the auditor will assess your QMS and processes and eat your donuts.

3. Post-audit activities. Aside from sweeping up the donut crumbs, after the audit you will need to review the registrar's report and respond to any nonconformities the auditor has issued. Then, you will need to write internal CARs for each audit nonconformity, whether you agree to them or not.
Use your CAR process to close the issues, and/or to clearly describe why you think any particular finding is invalid. In the latter case, be sure to clearly make your argument against the nonconformity by relying on data and evidence, since the only way to get a CB nonconformity thrown out is to justify it being voided on the basis of evidence.

If you want to be incredibly well-prepared, purchase an official copy of ISO 17021-1 Conformity Assessment - Requirements for Bodies Providing Audit and Certification of Management Systems - Part One: Requirements and AS9101 Quality System Assessment. These standards apply to your registrar, and with them in hand you will have access to “the other team's playbook.” You can thus be on alert for violations of these standards by your CB during the audit. You will want to focus especially on clauses 4 and 9 of ISO 17021-1.

Your Auditor

Preparation for the audit can't be taught (you have to experience it first-hand), but you can take some comfort in knowing a few things ahead of time. First, there are only two types of CB auditors:

Passive aggressive assholes: these are the under-accomplished, previously fired, and otherwise unsuccessful failed consultants who couldn't find work in any other industry, and so took up work as a CB auditor. Being granted authority over you and other clients gives them an erroneous sense of justification, and — to them — rewards their psychological defects. As a result, they use their clients to beat home any personal gripe and prior problem they had in their lives in an attempt to later say “look how many clients agree with me, I was right all along, despite what my last boss said before firing me.” To work with them, just let them write up whatever they want, and then use your CAR system to process their nonconformities in a sterile manner, after they have left.
People-pleasing toadies: these are equally unaccomplished losers, but instead of taking a passive-aggressive tack to prove their self-worth, the toadies try to make you happy by agreeing with whatever you say, and rarely issuing nonconformities of any heft. With these auditors, it's a near guarantee you will get your certificate with little problem, but it also means you could be selling radioactivity to kindergarten children, and they wouldn't care.

In both cases, because of the current IAF/IAQG scheme conflicts of interest and corruption, it's about a 90% likelihood that they are going to grant you your certification no matter what, since if they don't, they know you are likely to just switch to a registrar who does. The only difference is the measure of hassle they make you go through before printing the certificate. Some auditors will try to milk you for a few additional days of “nonconformity review” audits, if your nonconformities were particularly severe, and sometimes this will be entirely bogus; unfortunately, there's little you can do about it, unless you cut your losses and switch registrars.

In all cases, your auditor will be a frustrated consultant, and is likely to even hand you his consulting business card; this is a conflict in itself (the auditor shouldn't be promoting his consulting services) but since so many CBs are too cheap to print business cards, you're going to encounter this.

Knowing your auditor is a frustrated consultant allows you to manage him or her ahead of time; if you absolutely must, you can nod your head every time the auditor makes a suggestion. Yes, they're not supposed to suggest anything, but you can keep that knowledge to yourself and just wait out the clock for the end of the day.
I emphasize that you should not agree with everything the auditor says, especially their so-called “advice” or “opportunities for improvement”; doing so just strengthens their belief that this abhorrent practice is acceptable, and it cuts your legs out from under you if you later decide the advice was absolute bullshit, which it likely will be. Instead, you can nod, but don't verbally agree. Tell the auditor “we will think about it,” and later use your CAR system to process all findings formally outside of the audit experience, when smarter people are in the room.

But understanding that your auditor is a frustrated consultant means they will be looking for emotional validation for their advice; that's why I say “nod your head” and say “We'll think about it,” rather than disagree with them on the spot. If you disagree, you run the risk of shattering the fragile membrane of self-esteem they have, and then the whole audit turns ugly fast.

Auditors vs. Consultants

I've written about what I call the “Unnecessary Conflict” between CB auditors and consultants, and I used to preach peace between the sides. It proved a fool's errand, as one can only hold out an olive branch for so long before one's arm starts to drop. To the CBs, if a consultant is not offering free referrals, then they have no use for them.

Furthermore, knowing that your CB auditor will be a frustrated consultant, keep in mind that the last thing they want in the room is someone rubbing their nose in that fact; that means they never, ever want to see a non-frustrated consultant. If you announce ahead of time that your consultant may be present during the audit, put on your safety glasses and watch the fireworks. The auditor will invent all sorts of sudden rules and regulations saying that the auditor may not be present, and will even threaten to eject your consultant if they show up. Can they? Of course not. Let's look at the actual rules.
ISO 17021-1 specifically allows consultants to be present during the ISO 9001 audits:

9.2.2.2 Observers, technical experts and guides
9.2.2.2.1 Observers: The presence and justification of observers during an audit activity shall be agreed to by the certification body and client prior to the conduct of the audit. The audit team shall ensure that observers do not unduly influence or interfere in the audit process or outcome of the audit.
NOTE Observers can be members of the client's organization, consultants, witnessing accreditation body personnel, regulators or other justified persons.

While the rules technically say the client must have agreement by the CB, there is no legal justification a CB can give denying such presence. In short, a CB has no legal authority whatsoever to tell you who can, or cannot, be present in your facility during a given moment in time.

Furthermore, the term “consultant” cannot be arbitrarily defined by your CB. In most modern hiring scenarios, a large portion of the workforce, if not the entirety of it, may be contract personnel who actually work for a third-party “personnel management firm” or staffing agency, and not for the company itself at all. This means everyone is, technically, a “consultant.”

Furthermore still, a CB cannot interrupt the work and responsibilities of your staff during the audit, except to the extent of asking them to answer questions and provide evidence. Ejecting someone from the room or worse, the building, is beyond their legal powers, and not supported by either ISO 17021-1 or any known law. They'd essentially be inhibiting that person from doing any work that day, and they simply do not have such authority.

Finally, ISO 17021-1 gives the CB no rights whatsoever to eject anyone other than themselves. As we see in clause 9.2.2.2.1 above, the CB may only “ensure” that undue influence in the audit doesn't happen. Nowhere in that clause does it grant them the power of ejecting anyone.
Instead, if a CB feels the audit cannot be conducted because of interference, they can leave. That's it. After that, you can fight it out with the CB management.

If you do intend to have your consultant present, the best practice is to have them attend but do so under a different title (“Quality System Assistant”) and thereby dodge the entire argument. CBs reading this are recoiling right now, but doing so is for their benefit as much as for yours; they won't be inclined to inject themselves into a fight they will inevitably lose, and risk possible litigation.

Then, be sure to counsel your consultant to only answer questions directed to him or her, and not to answer questions for other people, nor otherwise interfere. For example, often the consultant has done the first round of internal audits, and so may be called on to answer audit-related questions; they should be limited to that, and nothing else. If your consultant is an aggressive jackwad who just wants to fight with the CB auditors, even when the auditor hasn't done anything wrong, you need to fire that consultant, and let them take their place as a “frustrated consultant” CB auditor, where they belong.

Readying Your People

Prior to audit, you will want to ready your staff, since they will be the ones interviewed by the auditor and asked to present evidence. It is worthwhile to hold a short training session with all hands to remind them of some key points:
* The AS9100 audit is more like a conversation, an interview, and nothing like any other kind of “audit” they may be familiar with, such as a tax audit. Tell them it's just a poor choice of words.
* The auditor will be auditing the processes, not the people. To do this, the auditor must speak with people, but remind them that they are not the subject of the audit; the processes are. Their names are unlikely to even show up in any audit report.
* If they don't understand a question, say so.
Auditors tend to talk in ISOspeak, and if any employee doesn't understand a question, they should ask the auditor to rephrase it.
* If it's not their job, say so. Sometimes the auditors ask the wrong people a question; if the auditor is asking something that isn't part of a person's responsibility, they should say so, and then indicate who the auditor should ask.
* Don't get diarrhea of the mouth. Keep all answers short, and only answer the question asked. Don't start rambling, don't offer too much information, and don't go off-track.

Use this as a time to identify anyone in your company with severe nervousness, shyness, or some other social disorder that might make them a poor fit for being audited. At one client, I was advised never to talk to a certain line worker because she would faint whenever anyone would talk to her; I mean it, she would drop to the floor, unconscious. She was very good at her job — which required no social interaction — but other than that, she was off limits. This is entirely acceptable, as companies are collections of human beings, and human beings sometimes have disorders. You can communicate this to the CB auditor in advance (“please don't audit Mike, he has severe PTSD and anxiety disorder”) and they should honor that.

Avoid the Saboteurs

Somewhere in your company is that one guy who's pissed off; he's the disgruntled employee who probably thinks he can make his case about how terrible the company is if he single-handedly “sinks” the audit. Every company has this person, and they must be avoided. In most official CB auditor training classes, they teach auditors to identify this person and then discount whatever they say, but it's not always successful.

If you have such a person on your staff, be sure to quietly identify him or her, and then work to keep the auditor away from that person.
If necessary, you can even tell the auditor “Joe has some axes to grind,” and they will likely understand. Normally the CB auditor doesn't want to be drawn into any melodrama.

The only problem is if this person is a member of the key management staff, a process owner or the Quality Manager. In such a case, you must counsel that person ahead of time and be sure they understand that attempting to sabotage the audit will not work, and will only harm their reputation in the company, nothing more. If the saboteur is the company CEO or President, then having your resume ready is probably a good idea.

Task Steps

Now we can finish up by going through a final checklist of steps to manage your AS9100 audit.

TASK 48: AS9100 Certification Audit

48.1 Research possible accredited registrars; this is a two-step process. First, check the IAF website (www.iaf.nu) for the national accreditation bodies in your country or region.
Now, go to the website of the accreditation body you have identified in Step 48.1 and check for certification bodies that might serve your area of your country.
Submit requests for a quote for AS9100 certification to a handful of the certification bodies (registrars) you have selected. You may be prompted to fill out application forms; do so.
Review the proposals and draft contracts from the registrars that respond. Look for hidden fees (“per diem” expenses), ridiculous expenses, unnecessary “application fees” (you can always get these dismissed if you ask), etc. Use these factors to down-select to a single registrar.
48.5 Once your registrar is selected, have them create an entry for you in OASIS. They have to do the first step. They will provide you with the OASIS “OIN” number and some login instructions.
48.6 Create your account in OASIS, and add the necessary information about your company, points of contact etc. You will have to grant login access to a few other employees in your company as alternate contacts. Do so.
48.7 Work with your selected registrar to schedule your Stage 1 and Stage 2 audits. Resist any urge by the registrar to put more than one month between Stages 1 and 2; try to keep them as close together as possible, unless you have serious concerns about the readiness of your QMS. Do not hire the registrar for any pre-assessment audits; you do not need this, if you have followed the steps in this book.
48.8 One month prior to your scheduled Stage 1, obtain an official audit schedule from the registrar. You will have to harass them for this! Routinely, CBs do not send this as required, so be prepared to get it from them. The schedule should include the daily timetable intended for both the Stage 1 and Stage 2 audit events.
48.9 Review the schedule for any obvious conflicts with your staff's schedule. You have two choices:
* Reschedule the dates for the audit. Avoid this whenever possible, as the registrar may force you to incur a “rescheduling fee” if you reschedule without allowing them sufficient time to place another client into the slot you force them to vacate.
* Reschedule the times of certain audit activities. This you can do, provided you don't impact on the auditor's ability to conduct a thorough audit. For example, if the auditor has scheduled Sales for the first day, but you'd prefer to have Sales audited on the second day, modify the schedule accordingly. The auditor will be flexible on this, provided the overall length of the audit is not impacted.
48.10 Send any revised audit schedule to the auditor for their approval.
48.11 Once you have received a final audit schedule from the CB, circulate this between your staff and process owners. Consider holding an all-hands meeting lasting only 15 minutes to alert them of the coming audit and to remind them of the key points I presented above.
48.12 Take one final lap through this entire checklist (from Task 1 through 47) to ensure everything is complete and ready for third-party audit.
48.13 As suggested above, consider purchasing a copy of ISO 17021-1 so you can monitor your CB's compliance with accreditation rules throughout the audit.
48.14 The day prior to the Stage 1 audit, print one uncontrolled copy of your Quality Manual and top-level procedures for the sole use by the auditor; despite claims otherwise, auditors tend to prefer old school hardcopy documents.
48.15 Undergo Stage 1. This will be mostly confined to the conference room, and will not be particularly in-depth. The auditor is assessing your overall readiness for the Stage 2 audit, by verifying that the necessary documentation, processes and controls are present. The auditor will also verify that you have completed at least one round of internal audits and one management review.
48.16 For each nonconformity written during Stage 1, write an internal CAR. You will simultaneously have to fill in your responses, root causes, etc. in OASIS. Do not do one or the other: it may be double entry, but capture your responses in both OASIS and your internal CAR system.
48.17 Process and close all CARs from the Stage 1; update any related OASIS entries.
48.18 The day prior to the Stage 2 audit, print one uncontrolled copy of your Quality Manual and top-level procedures for the sole use by the auditor. Mark it “uncontrolled for audit use only” with the dates of the audit.
48.19 Undergo Stage 2. This will be the multi-day, on-site audit comprised of interviews with staff and employees, examination of records, documents and evidence.
During the Stage 2, make notes of the auditor's comments and findings, but resist the urge to agree with them, even if prompted to do so by the auditor. You may disagree, but do so politely and provide evidence for your rationale; a better approach is to not agree or disagree at all in the presence of the auditor. When asked to sign nonconformities, understand you are signing for the receipt of the nonconformities, not acceptance of or agreement with them.
48.21 For each nonconformity received, write up an internal CAR. You may also be required to process these on the CB's paperwork, and if so you will have to do double entry, writing them up on both your CAR form and the form of the registrar.
48.22 Address each NCR written by the auditor in OASIS, completing root causes, actions, etc. The auditor will approve or disapprove your actions, so expect that a few go-rounds will be necessary. If the auditor attempts to negotiate your responses over the phone, refuse, and politely ask that he/she use the commenting feature in OASIS. (Auditors like to avoid leaving traces in writing by telling you what they want to see over the phone.)
48.23 Process and close all CARs from the Stage 1. If you disagree with any nonconformities, indicate this in your CAR and OASIS, and provide evidence as to why the nonconformity is invalid; in such cases you may close the CAR “without action” but you must have your justification well-documented and based on significant evidence, or the registrar may deny you certification. In the AS9100 scheme this is possible, but you'll have a harder time of it than you would in vanilla ISO 9001.
48.24 Once all issues are resolved and your CAR closures are accepted and closed in OASIS, you should receive your final AS9100 certificate. Review the certificate to ensure the basic information is correct:
* Company name (exactly as it should appear)
* Scope of the QMS
* Location(s) and address(es)
* Industry codes
* Date of certificate and expiration date (should be three years after date of certificate)
If there are any problems, request a corrected certificate from the CB home office.
48.25 Publish press releases announcing your certification, and post a copy of the certificate on your company website.
48.26 Turdle!

pe AS9110, or IAQG Makes REPARATIONS
