Clause-by-clause explanation of AS9100 Rev D

WHITE PAPER

Copyright ©2017 Advisera Expert Solutions Ltd. All rights reserved.

Table of Contents

Executive summary
Introduction
1. Process approach
2. Plan-Do-Check-Act cycle
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operations
9. Performance evaluation
10. Improvements
Conclusion
Sample of documentation templates
References

Executive summary

Providing products and services that meet customer needs and enhance customer satisfaction is the goal of any Quality Management System (QMS), and AS9100 Rev D provides a framework to do this in the aviation, space, and defense industry (often called the aerospace industry). This white paper is designed to help you in the first step of implementation—understanding what the requirements of the standard mean—and to clear up any misconceptions regarding the standard’s requirements.

In this document, you will find each clause of AS9100 Rev D explained in plain English to help you better understand the requirements of the standard. To make this easy, the clauses will be laid out in the same order and assigned the same numbering designation as the clauses in AS9100 Rev D, and there will be links to additional learning materials included as well.

Introduction

Some people see a management system as an administrative burden with limited benefit to the company, but why is this the case?
This could be due to the thinking of some individuals that the management system is something separate from the way they do their “business,” but this line of thinking limits their ability to go beyond simply documenting everything in the management system to the point where they can benefit from the improvements that a management system can bring.

Please note that this white paper is not a replacement for the AS9100 Rev D requirements. You can get the requirements from the http://standards.sae.org/as9100d/ website.

1. Process approach

Using the process approach is a key step in implementing an effective Quality Management System. When you identify all of the processes within your system, including details of all the necessary inputs, resources, activities, documents, and outputs of each, you can then see how they interact—with the outputs of some processes becoming the inputs for others. This allows you to monitor and measure the important indicators of your processes so that you know they are functioning correctly. This is why the standard explains the process approach before going into the requirements for a Quality Management System.

The basic concept of the process approach is that you look at the activities in your entire organization as a series of processes—activities that take inputs and perform actions to make outputs. You can then determine the sequence and interactions of your processes, which allows you to determine what processes need to happen before others can start, what resources you need for each process, and what results are expected and needed from each process. In addition, identifying the interactions between processes can give you insight into potential problems and waste, where outputs are not adequate or remain unused.

The best approach is to start your implementation by creating a process map that includes all of your processes and how they are interconnected.
For instance, your purchasing process needs input from your contract process to determine what to buy, so it cannot start until your contract process has created this output. Likewise, your production process cannot start until your purchasing process has acquired the correct raw materials. Your global process map, which identifies all of the processes and how they link together, will then allow you to define the processes in terms of inputs needed, controls to be applied, and outputs expected. This process map can then be reviewed and updated throughout the implementation process.

2. Plan-Do-Check-Act cycle

The Plan-Do-Check-Act cycle has been an integral part of quality assurance for many years, and it is a core concept in this standard. In order to ensure the effectiveness of the Quality Management System, it is important to make sure that the first step is Planning. This step includes defining policies, objectives, procedures and processes, controls, and necessary monitoring and measurement.

The next step is the Do phase, when the plans are realized, policies and procedures are communicated and applied, processes are performed, and records of activities are produced. The Check phase comes next, where the monitoring and measurement results captured in the Do phase are analyzed and assessed for acceptable results against the planned arrangements. This phase includes audits and management review in the assessment. Finally, the Act phase occurs, where the organization will take action on any problems found or needed improvements identified in the Check phase.

This PDCA cycle becomes an ongoing process that is used to drive continual improvement in the organization.

To find out more, see this article: PDCA cycle in AS9100 Rev D.
[Figure: the Quality Management System shown as a Plan-Do-Check-Act cycle. Labels: Organization and its context (4); Customer requirements; Needs and expectations of interested parties (4); Leadership (5); Planning (6); Support and Operation (7, 8); Performance Evaluation (9); Improvement (10); Customer satisfaction; Products and services; Plan, Do, Check, Act.]

3. Terms and definitions

Apart from five aerospace-specific terms, the main terms and definitions used in AS9100 Rev D can be found in a related document, ISO 9000:2015, but this involves purchasing yet another standard just to understand what the terms mean. Understanding the terms is important before you start implementing, so that you can ensure that you apply the requirements to the correct areas of your organization. Here are some of the most important terms and definitions used throughout AS9100 Rev D:

Top Management – The individual or group who controls and coordinates the organization at the highest level. When the scope of the management system covers only part of an organization, this term refers to the individuals who direct that part of the organization.

Organization – A person or group who has their own functions with responsibility and authority to achieve objectives.

Context of the organization – The combination of internal and external factors that affect the ability of the organization to achieve their stated purpose, objectives, performance, and sustainability with respect to the management system. This can include internal factors such as values and knowledge, as well as external factors such as competitiveness and economic environment.

Interested party – A person or organization who is involved in, or perceives itself to be affected by, the activities of the organization. Interested parties can include customers, suppliers, government, local communities, employees, etc.

Process – Any set of activities that takes inputs to deliver an intended result, or output.
For example: the production process takes inputs (raw materials, work instructions, product specifications, etc.) and performs several steps in an appropriate sequence. The outputs are the product, quality check reports, etc.

Procedure – A defined way to perform a process or activity. Procedures can be documented or undocumented.

Quality – Quality is the difference between a customer’s expectations and the perception of how well these expectations were met upon receipt of the products and services.

Nonconformity – Failure to meet a requirement.

Risk – Risk is “the effect of uncertainty on objectives,” and is seen as a positive or negative deviation from what is expected. In the aerospace community, risk is generally expressed in terms of the likelihood of occurrence and the severity of the consequences.

Effectiveness – The level of success in achieving a desired result. For example: the purchasing process is effective if the required products and services that are procured arrive on time and conforming to requirements.

Documented information – The information that is required to be maintained by an organization, for example, the documented policies, procedures, and records required to achieve results within the organization.

Five aerospace-specific terms are defined within AS9100 Rev D: counterfeit part, critical items, key characteristic, product safety, and special requirements. For more information on these aerospace-specific terms, see this article: Five special aerospace terms in AS9100 Rev D.

4. Context of the organization

4.1 Understanding the organization and its context

This clause includes a new requirement for the organization to identify the internal and external issues that are relevant for the organization to meet the objectives of the QMS.
These issues need to include all elements that are, or may be, capable of affecting the QMS objectives and future outcomes.

Tip: For more information, see this article: AS9100: Understanding the requirements of context of the organization.

4.2 Understanding needs and expectations of interested parties

Because interested parties can affect the organization’s products and services, customer satisfaction, and statutory and regulatory requirements, it is critical to determine who the relevant interested parties are and what their needs and expectations include.

Tip: For more information, see this article: Identifying interesting parties and their requirements according to AS9100 Rev D.

4.3 Determining the scope of the Quality Management System

The scope of the QMS defines what is included within the QMS and, as such, is the first critical milestone in implementation. The scope is defined considering the organizational context, the needs and expectations of interested parties, and applicable legal and regulatory compliance obligations. Additional factors to consider are the products, services, organizational size, and complexity. The scope and any justified exclusions must be maintained as documented information.

For more information, see this 9001Academy article: How to define the scope of the QMS according to ISO 9001:2015.

4.4 The Quality Management System and its processes

As an organization you need to establish, implement, maintain, and continually improve your QMS, including the definition of the processes needed and their interactions, in accordance with the requirements of AS9100 Rev D. This is where you will use the process approach to determine the inputs and outputs of your processes, the sequence and interactions between them, the resources needed, and the responsibilities required to ensure that the processes are effective.
Additionally, you will need to maintain any necessary documented information to support the processes you have identified and to provide evidence that the processes were carried out as planned. The necessary descriptions of the QMS and its processes, as well as other information gathered, can be collected into a single document and called a quality manual.

Tip: For more information, see this article: The future of the quality manual in AS9100.

5. Leadership

5.1 Leadership and commitment

In order for a QMS to be efficient and effective, it is important that top management is committed to the outcome of the QMS. The commitment must be demonstrated through communicating the importance of meeting customer requirements, compliance with legal and other requirements, establishing and communicating the quality policy and objectives, conducting management reviews, and addressing resource needs. A focus on customers, including measuring product and service conformity and on-time delivery, demonstrates this commitment in a concrete way when action is taken in the event planned results are not achieved.

5.2 Policy

The quality policy is the overall goal and commitment that top management intends to be met by the QMS—the high-level document stating the QMS direction, including commitment to quality and customer satisfaction. Some key factors include providing a framework for quality objectives, meeting compliance and regulatory obligations, and providing a commitment to the continual improvement of the QMS. Critically, the quality policy must be maintained as documented information (possibly in the quality manual mentioned above), be communicated and understood throughout the organization, and available to interested parties.
5.3 Organizational roles, responsibilities, and authorities

For the QMS to work, it is necessary to define the roles, responsibilities, and authorities for all activities: who needs to do what, and who can authorize which activities. This becomes critical in specific situations, such as emergency plans, and especially the responsibilities of temporarily employed workers. There is also a requirement for a management representative who is responsible for the QMS and has the organizational freedom to resolve quality issues.

Tip: For more information, see this article: Is the management representative still required in AS9100 Rev D?

6. Planning

6.1 Action to address risks and opportunities

When planning the QMS, it is critical that you understand the risks and opportunities that exist and could affect the QMS. This is done by considering the context of the organization and the needs and expectations of interested parties in order to determine the risks that need to be addressed. The purpose for identifying and addressing risks and opportunities is to ensure that the QMS will achieve the expected results and achieve improvements, and that desirable effects will be enhanced. These planned actions will later be evaluated for effectiveness.

6.2 Quality objectives and planning to achieve them

In line with the quality policy, top management is expected to establish quality objectives—measurable, quantitative, and time-based objectives to promote improvement in the QMS. These objectives need to be implemented at appropriate functions in the organization and plans made to achieve the objectives, including activities to review progress and react to objectives that are not met.

Tip: For more information, see this article: How to define quality objectives in AS9100.
6.3 Planning changes

When you determine that a change is needed in your QMS, you don’t just make the change and hope it will be ok—you need to plan the change. Do this by considering the purpose of the change, consequences of the change, integrity of the QMS, necessary resources, and allocation of responsibilities and authorities.

7. Support

7.1 Resources

In order to establish, implement, maintain, and continually improve your QMS, you will need to assign and manage the resources required to do so. This includes the people, infrastructure, environment for operating processes, monitoring and measurement resources, and organizational knowledge that is necessary to ensure that your processes are performed correctly. You will need to take into account the capabilities and constraints of your existing internal resources, as well as the need to obtain additional resources from external providers.

7.2 Competence

You will need to identify the competence required to properly perform the processes of the QMS such that adequate outputs are obtained. This competence can be based on appropriate education, training, or experience, and you must then ensure that employees performing the processes have the necessary competence. This means your process will need to not only identify what competence is required, but also what competence is missing for employees and how you will ensure that they obtain this competence for the work to be performed.

7.3 Awareness

Awareness is closely associated with competence; however, it deals with what the employees must understand to perform their work. Employees must be aware of the quality policy and objectives, current and future impacts that affect the tasks they perform, and what their personal performance means in the QMS, including how bad performance could affect the QMS.
The information on personal performance needs to include how they affect product and service conformity, product safety, and the importance of ethical behavior.

7.4 Communication

In order for your QMS to be effectively relayed to your employees, you will need to establish processes for internal and external communication. What do you need to communicate? When do you need to communicate? How will you communicate? Who will you communicate to? Who will do the communication? You will need to have some communication plans in place for when something happens in your QMS that you need to relay to interested parties.

7.5 Documented information

QMS documentation includes all of the procedures and records required by the AS9100 Rev D standard, as well as any documents that you have identified as necessary to ensure and demonstrate that your QMS processes are correctly performed. Many factors affect documentation, including complexity of the processes, size of the organization, media used for the information, and the competence of employees.

The standard requires that the documented information you need for your QMS is properly identified and described, adequately protected, stored and preserved to maintain legibility, distributed and retrieved to ensure appropriate use, and controlled when changes are made. Documented information must be adequately reviewed and approved prior to use to ensure that the information is fit for the intended purpose. Another important note is that you must have controls in place to prevent the unintended use of obsolete information.

Tip: For more information, see this article: A new approach to document and record control in AS9100.

8. Operations

8.1 Operational planning and control

In order to meet the requirements that are set out for your products and services, your organization will need to plan, implement, and control the processes necessary to deliver on these requirements. You will first need to determine which requirements are applicable to your products and services so that you can identify what features you will need to include to meet these requirements. You will then need to define the processes needed to produce the necessary product and service features, as well as what criteria the products and services need to meet to be accepted for release. You will then need to identify the resources required in order to ensure that these processes function, as well as the records needed to show that they were carried out as planned.

For adequate planning of operational control, you will also need to put in place the processes needed to address operational risk management, configuration management, product safety, and the prevention of counterfeit parts.

Tip: For more information, see these articles: 5 key elements of risk management in AS9100 Rev D and Understanding configuration management in AS9100 Rev D.

8.2 Requirements for products and services

In order to determine the requirements necessary for your products and services, you will need to ensure good customer communication. You will need to have processes in place for collecting information about customer needs for your products and services, handling inquiries, contracts and orders, customer feedback, handling and controlling customer property and, if necessary, establishing requirements for contingency actions.

There are certain activities that need to happen before offering your products and services to the customer; requirements need to be defined, such as applicable legal requirements and those your organization deems necessary, and you will need to ensure that you can deliver to these requirements.
After you receive the order, and prior to delivery, your organization must review the requirements related to the products and services and keep records of this review. When a customer changes the requirements, you must ensure that all necessary documented information is amended with the new information and all relevant persons are aware of the change. In addition, special requirements of the products and services need to be determined and any operational risks need to be identified.

8.3 Design and development of products and services

Design and development is the process that takes you from the initial idea for a product or service to the final acceptance of the product or service for production. Although the terms “design” and “development” are often used interchangeably, they define different parts of the same process and therefore must be used together.

The first step in design and development is planning, where all phases must be defined with appropriate activities including review, verification, and validation for each phase.

Design and development inputs related to products and services include:

- Functional requirements and performance requirements
- Legal and regulatory requirements
- Information from previous related designs
- Other requirements that are deemed relevant to the design and development, such as customer requirements, market information, etc.

Design and development outputs are to be in a format suitable for verifying that they meet the design inputs. They must be approved before acceptance, and can be in any form necessary for the product or service, such as drawings, parts lists, plans, packaging information, etc.

Review is an important part of design and development, and review activities must be defined and controlled to ensure that the process proceeds in the intended direction.
The review can identify problems during design and development and suggest actions to resolve these problems, and the review must be documented. When tests are necessary for the purpose of verification and validation, these tests must be planned, controlled, reviewed, and documented.

The last step in design and development is to identify, review, and control changes during the design and development of products and services. Documented information is required regarding these changes, the results of reviews, authorization for change, and actions taken to prevent adverse effects.

8.4 Control of externally provided processes, products and services

This long title refers to purchasing, including outsourced processes as well as products and services you acquire from suppliers. Your organization will need to establish and document the criteria for selecting suppliers, which will include an assessment of how critical the outsourced product or service is to the quality of your product or service. Records of this evaluation must be kept, including a register of external providers.

You will also need to establish controls to ensure that externally provided processes, products, and services do not adversely affect your products and services. These controls need to be communicated to external providers, and may include:

- Approval of methods, processes, and equipment
- Processes, products, and services to be provided
- Competence requirements to be met
- What verification or validation activities you intend to perform
- Special requirements, critical items, or key characteristics
- Provider contribution to product and service conformity, product safety, and the importance of ethical behavior

Your organization retains responsibility for the conformity of all externally provided processes, products, and services, and must manage the risks identified for external providers.
8.5 Production and service provision

Provision of products and services must be performed under controlled conditions such that the conformity of products and services is maintained. This can include documented information to maintain the processes, work instructions, monitoring and measurement equipment, infrastructure, etc. Criteria for acceptance must be maintained, including criteria for workmanship, and provisions included for the prevention, detection, and removal of foreign objects. Control must be maintained of equipment, tools, and software programs, and special processes must be validated and controlled.

Outputs must be identified by suitable means to ensure product and service conformance is identifiable. When traceability is required, your organization needs to control the outputs by unique identification and, where necessary, maintain documented information.

When property belonging to customers or external providers is used, the organization must identify, verify, protect, and safeguard this property, including reporting on lost or damaged property.

Outputs must be preserved to maintain product and service conformity, and post-delivery activities that are required for the products and services must be identified and planned. These post-delivery activities may be determined through statutory and regulatory requirements, customer requirements, customer feedback, analysis of in-service data, etc.

When changes in the product and service provision processes are required, they must be reviewed and controlled in order to ensure conformity to requirements. Persons authorized to approve product or service provision changes shall be identified.

8.6 Release of products and services

Products and services must not be released until they are determined to meet all requirements, and all planned arrangements have been met.
This can be done by documenting evidence of product and service conformance, including the criteria for acceptance and information about who authorized the release of the product or service. At the delivery of the product or service, the organization must ensure that all required documented information is present to accompany the products and services.

8.7 Control of nonconforming outputs

The requirements state that nonconforming outputs must be prevented from unintended use or delivery, so your organization must identify and control any nonconforming outputs that derive from your processes during any phase of the product and service provision. Depending on the nature of the nonconformity, one of the following actions can be taken:

- Correction
- Segregation, containment, return, or suspension
- Informing the customer
- Obtaining authorized acceptance by relevant authority, and when acceptable to the customer

When you disposition nonconforming products as use-as-is or repair, you can only implement the disposition after approval by an authorized design authority, and customer approval when the nonconformity results in a departure from contract requirements. Product that is scrap must be marked or controlled until physically rendered unusable, and counterfeit or suspected counterfeit parts must be controlled to prevent unintended use.

When a nonconformity is corrected, the conformity to requirements must be verified prior to use. Documented information must be kept that describes the nonconformity, actions taken, concessions obtained, and the authority deciding on the actions to be taken.

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

This requirement should not be confused with clause 7.1.5, which deals with managing the equipment necessary for monitoring and measurement—this is about a wider aspect of monitoring and measurement within your QMS. The information you derive from monitoring and measurement will become an important input to your processes for improvement and management review.

The first step is to determine what needs to be monitored and measured, how, and when, as well as when data will be evaluated and analyzed. Monitoring and measurement should include effectiveness of the QMS as well as how well you met customer requirements (including on-time delivery) and how satisfied customers are. This can be done in many forms, including interviews, questionnaires, direct contact, etc.

Data analysis is to be performed to evaluate:

- Product and service conformity
- Degree of customer satisfaction
- QMS performance and effectiveness
- Effectiveness of planning implementation
- Effectiveness of actions taken for risks and opportunities
- Performance of external providers
- Need for QMS improvements

9.2 Internal audit

The goal of the internal audit is to verify conformity by checking if your QMS:

- Complies with the AS9100 Rev D requirements
- Is effectively implemented and maintained

At the conclusion of an audit you will present audit results collected from the review of data during the audit. These results will include observations of positive outcomes, opportunities for improvement, and non-conformities to the processes. When corrective action is taken for a non-conformity, and verification of the action is needed, a follow-up audit may be necessary.

Tip: For more information, see these articles: 6 Main steps in the internal audit according to AS9100 Rev D and Developing an internal audit checklist for AS9100 Rev D.
9.3 Management review

Top management must review the QMS on a routine basis to assess:

- How appropriate the QMS is to its purpose
- How adequate the QMS is for meeting standard requirements
- How applicable the QMS is to the business needs
- How effective the QMS is towards achieving planned results

The review must evaluate the status of previous actions, changes in internal and external issues, customer satisfaction, quality policy and objectives, process performance, nonconformities and corrective actions, monitoring and measurement results, audit results, external provider performance, on-time delivery performance, adequacy of resources, effectiveness of actions for risks and opportunities, and opportunities for improvement. The output of the management review includes decisions on opportunities for improvement, changes to the QMS, resource needs, and risks identified. Results of the management review must be maintained as documented information.

10. Improvements

10.1 General

One goal of a QMS is continual improvement, and to this end your organization must determine and select opportunities for improvement and plan actions to achieve them. This activity is necessary to meet customer requirements and enhance customer satisfaction, and can be in the form of corrective action, innovation, training, reducing undesired effects, etc.

10.2 Nonconformity and corrective action

Any nonconformity identified in the system must be corrected to deal with the consequences of the problem. Once the correction for the problem has been addressed, an assessment of the need for corrective action to find and correct the root cause of the nonconformity is triggered, and when necessary, the root cause is addressed to prevent recurrence. Actions taken for corrective action must be documented and evaluated for effectiveness.
When necessary, corrective actions must also be flowed down to external providers when it is determined that the responsibility lies with them. Specific actions must be taken when timely and effective corrective actions are not achieved.

Tip: For more information, see this article: Corrective actions vs. continual improvement in AS9100.

10.3 Continual improvement

Continual improvement is a key guiding principle of the QMS, so it is critical that this occurs to achieve and maintain the suitability, adequacy, and effectiveness of the QMS regarding the organization’s objectives.

Conclusion

The AS9100 Rev D standard provides your organization with guidance on implementing a QMS that will focus on providing products and services that will meet customer requirements and enhance customer satisfaction. Successfully understanding and implementing all requirements of the standard can provide benefits for your company, and start you on the road to sustained continual improvement. Certification to the standard can be a successful marketing tool that brings improved reputation and motivation to your company through better efficiency, increased quality of products and services, and improvement in your supply chain. All of the elements of AS9100 Rev D are closely related to the ability of your organization to deliver satisfaction to your customers and satisfy the needs and expectations of your stakeholders. With this in mind, can you afford NOT to implement AS9100 Rev D within your organization?

Tip: For more information, see these articles: 7 Key benefits of AS9100 implementation and 13 Implementation steps for AS9100 Rev D.

Sample of documentation templates

You can also download a free preview of the AS9100 Rev D Documentation toolkit. This will allow you to see samples of policies and procedures used in the implementation of AS9100 Rev D.
References

- 9100Academy
- AS9100 Rev D, SAE International: http://standards.sae.org/as9100d/