-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
1 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Bureau Veritas Certification has established certain minimum
expectations for companies who wish to register their Aerospace
Quality Management Systems (AQMS) to AS9100. These expectations are
based upon our understanding of the requirements of the standard
and the requirements for third party registration/certification to
the standard gained through our collective experience in auditing
quality management systems of many varied applications.
Additionally, The ISO Technical Committee (TC) has developed
several guidance documents for various requirements of ISO9001:2000
that are applicable to the requirements of AS9100. These documents
are available to the public via Internet website
http://www.bsi.org.uk/iso-tc176-sc2. These documents are referred
to throughout this document.
Auditor Notes:
This document is not intended to add to, minimize, or in any way
modify the requirements of the standard and the requirements for
accredited certification to the standard. It is meant to be a
guidance tool for Bureau Veritas Certification auditors providing
common understanding on the intent of the standard and
certification requirements in addition to providing clarification
of the text. For organizations seeking registration/certification,
this document provides insight as to the expectations of Bureau
Veritas Certification auditors.
In order to claim conformity with AS9100, the organization has
to be able to provide objective evidence of the effectiveness of
its processes and its quality management system. Clause 3.8.1 of
ISO 9000:2000 defines Objective evidence as Data supporting the
existence or verity of something and notes that Objective evidence
may be obtained through observation, measurement, test or other
means. Objective evidence does not necessarily depend on the
existence of documented procedures, records or other documents,
except where specifically mentioned in AS9100. In some cases, (for
example, in clause 7.1{d} Planning of product realization, and
clause 8.4 Monitoring and measurement of product), it is up to the
organization to determine what records are necessary in order to
provide objective evidence.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
2 OF 61 AS Interpretation Rev. 0 - May 9, 2007
AS9100 Interpretations
Element 4: Quality Management System
4.1: General
Section 4.1 includes the general requirements that must be met
in order to establish, implement and continually improve the
effectiveness of a quality management system meeting the
requirements of the standard. These requirements are referenced to
and/or further defined in subsequent clauses of the standard. Table
A, shown below, contains the cross-linked references.
Continual improvement of the effectiveness of the quality
management system may be reflected in a number of different areas.
These may include:
Quality objectives; Corrective and preventive actions; Internal
audits; External audits; Review of customer satisfaction surveys
and associated action items; Operation meetings producing
improvement actions; Actions initiated by suggestion programs;
Process Changes; Infrastructure and environment changes; Management
Reviews
If continual improvement has become a way of life for a company,
it is unlikely that a demonstration of company wide continual
improvement will come from only a few sources.
System deterioration would not necessarily lead to
non-conformity if all actions were positive and the improvement
path is still evident and logical. The system would be questionable
if the company did not recognize it or had not reacted to the
issues appropriately.
Note: It is the responsibility of the company to demonstrate
improvement rather than the auditor to look for it. Accordingly, it
is useful audit practice to ask management to identify any
improvement initiatives taken since the previous visit, and any
planned for the future.
4.1 a) Process identification Bureau Veritas Certification
auditors will expect to see a process model that explains the key
processes of the business and how each relates and links to the
others. The depth of process explanation may be as detailed as the
company chooses, but should
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
3 OF 61 AS Interpretation Rev. 0 - May 9, 2007
be based on its customer and applicable regulations or statutory
requirements, the nature of its activities and its overall
corporate strategy. In determining which processes should be
documented the organization may wish to consider factors such
as:
Effect on quality Risk of customer dissatisfaction Statutory
and/or regulatory requirements Economic risk Effectiveness and
efficiency Competence of personnel Complexity of processes
Bureau Veritas Certification promotes the identification of
Customer Oriented Processes (COPS), Support Oriented Processes
(SOPS) and Management Oriented Processes (MOPS) while defining
processes however, this is not a requirement. The auditor must see
evidence that the organization has identified and defined their
processes.
The ISO TC document - ISO/TC 176/SC 2/N 544R - ISO 9000
Introduction and Support Package: Guidance on the Concept and Use
of the Process Approach for Management Systems, provides basic
information for understanding application of the process approach.
The bulletin defines a process as: A Process can be defined as a
Set of interrelated or interacting activities, which transforms
inputs into outputs. These activities require allocation of
resources such as people and materials
(http://www.bsi.org.uk/iso-tc176-sc2).
4.1 b) Sequence and interaction of these processes The
interactions of the processes must somehow be described in the
quality manual (4.2.2 c). The organization is not required to
produce system maps, flow charts, lists of processes etc. as
evidence to demonstrate that the processes and their sequence and
interactions were identified. Such documents may be used by
organizations should they deem them useful, but are not mandatory.
Graphical representation such as flow-charting is perhaps the most
easily understandable method for describing interactions between
processes. Other possible methods may include: documentation
prepared for implementation of the product management system (SAP,
SYMIX, MRP, etc); deployment flowcharts; and pictorial
diagrams.
The Completion of the Bureau Veritas Certification process
matrix provides the relationship between the organizations
processes and the requirements of ISO9001:2000 however does not
show the interaction between the identified processes. If the
organization chooses to use the process matrix to show interaction,
it must be supplemented with another method to show process
interaction. The Bureau Veritas Certification process matrix must
be completed in order to assist in the scheduling of the
organizations audits.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
4 OF 61 AS Interpretation Rev. 0 - May 9, 2007
4.1 c) Criteria and methods needed to ensure that both the
operation and control of these processes are effective. This could
be demonstrated with stated objectives, instructions and or
procedures as required for consistent output of the processes.
4.1 d) Ensure the availability of resources and information
necessary to support the operation and monitoring of these
processes. This may be through Management Review or other methods
for defining and determining resources.
4.1 e) Monitor, measure and analyze these processes - All
identified processes are subject to requirements for monitoring,
measurement, and analysis for needed improvement. The methods
employed and the timing of such analysis should be based upon
priorities established by the organization. Auditor expects to see
measurable objectives established for each process. These
objectives should support the organizations overall objectives.
4.1 f) Implement actions necessary to achieve planned results
and continual improvement of these processes Same as described
above. Auditor expects to see corrective action taken when
measurable objectives fall below target or defined action
level.
Outsourced Processes: Outsourced processes must be controlled by
the organization and these controls must be defined/described
within their system. Organizations are required to identify the
controls they apply for any outsourced processes. The facility
quality manual must identify if outsource processes are applicable.
In addition, the client shall have written documentation on the
methods used to control the outsourced process(es). Examples of
some outsourced processes are:
Process completed wholly or partially by a sister facility
outside the scope of registration. Such as corporate performing
design, purchasing or customer related processes. This may include
the entire element or a subsection i.e. corporate completes
supplier evaluation and re-evaluation of suppliers and the
registered site initiates purchase orders.
Processes completed by an outside vendor or subcontractor such
as heat treating, plating, calibration, painting, powder coating,
etc.
Documented objective evidence must be ascertained to ensure that
these processes are being controlled beyond the basic purchasing
requirements, which are focused on controlling products not
processes. The organization is responsible to ensure that the
outsourced process is meeting applicable requirements to
ISO9001:2000. Outsourced processes may be controlled through such
methods as (not limited to):
Internal Audits Internal Agreements between two sites where only
the audited site is under the scope of
registration (Interface Agreements Bureau Veritas Certification
terminology)
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
5 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Process performance data Purchasing Process
ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support
Package: Guidance on 'Outsourced Processes: An outsourced process
can be performed by a supplier that is totally independent from the
organization, or which is part of the same parent organization
(i.e. a separate department or division that is not subject to the
same quality management system). It may be provided within the
physical premises or work environment of the organization, at an
independent site, or in some other manner The organization has to
demonstrate that it exercises sufficient control to ensure that
this process is performed according to the relevant requirements of
ISO 9001:2000, and any other requirements of the organizations
quality management system. The nature of this control will depend,
among other things, on the importance of the outsourced process,
the risk involved, and the competence of the supplier to meet the
process requirements (http://www.bsi.org.uk/iso-tc176-sc2).
TABLE A: Cross-linked references 4.1 General requirements
Relevant further clauses a) Identify the processes, including
outsourcing, needed for the quality management system and their
application throughout the organization (see 1.2),
5.4.2 QMS planning 7.1 Planning of product realization 8.1
General
b) Determine the sequence and interaction of these
processes,
5.4.2 QMS planning 7.1 Planning of product realization 4.2.2
(c)
c) Determine criteria and methods needed to ensure that both the
operation and control of these processes are effective,
7.1 (c) 7.3.3 (c) 7.4.1 (Criteria for selection) 7.5.2
d) Ensure the availability of resources and information
necessary to support the operation and monitoring of these
processes,
Whole of 6
e) Monitor, measure, and analyze these processes, and,
Whole of 8.2
f) Implement actions necessary to achieve planned results and
continual improvement of these processes.
These processes shall be managed by the
Whole of 5, 6, 7 and 8
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
6 OF 61 AS Interpretation Rev. 0 - May 9, 2007
organization in accordance with the requirements of this
International Standard.
Where an organization chooses to outsource any process that
affects product conformity with requirements, the organization
shall ensure control over such processes. Control of such
outsourced processes shall be identified within the quality
management system.
4.2: Documentation Requirements
4.2.1: General
The Quality Management System (QMS) documentation shall
include:
4.2.1 a) Statements showing the organizations quality policy
(see 5.3) and quality objectives (see 5.4.1).
4.2.1 b) A quality manual (see 4.2.2).
4.2.1 c) Procedures that this standard requires (see 4.2.3,
4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3).
4.2.1 d) Documents that the organization will need to ensure
that the planning, operation, and control of their processes is
effective.
4.2.1 e) Records that this standard requires (see 5.6.1, 6.2.2,
7.1, 7.2.2, 7.3.2, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.1, 7.5.2, 7.5.3,
7.5.4, 7.6, 8.2.2, 8.2.4, 8.3, 8.5.2, and 8.5.3).
4.2.1 f) quality system requirements imposed by the applicable
regulatory authorities.
BV Certification: This requirements effectively invokes all
pertinent requirements of the industry-applicable regulatory
agencies (e.g. FAA, CAA, JAA, etc.) such as those included in FAR
Part 21, 145, etc. While the BV Certification auditor may not look
for conformance to those specific regulatory requirements a
nonconformance against a closely related requirement in Standard
AS9100 may be cited.
The organization shall ensure that personnel have access to
quality management system documentation and are aware of relevant
procedures. Customer and/or regulatory authorities representatives
shall have access to quality management system documentation.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
7 OF 61 AS Interpretation Rev. 0 - May 9, 2007
BV Certification: It is expected that all personnel have access
to relevant documentation, in any appropriate format. Documentation
can include procedures, work instructions, forms, travelers,
drawings and work standards. For complex operations, job packages
should be at the workstation. In other situations, it is sufficient
for the co-worker to demonstrate knowledge of where the relevant
documentation is located. The right of access by customer and/or
regulatory authorities appears in several clauses throughout the
standard. A broad statement permitting right of access to quality
documentation at the organizations facilities, coupled with flow
down to suppliers and sub-tier suppliers (see section 7.4) is
sufficient to satisfy this requirement. See also the Interpretation
comments under section 4.2.4, below.
4.2.2: Quality Manual
Exclusions from the quality management system must be described
and justified within the quality manual (see 4.2.2 a). The
documented procedures established for the quality management system
must be included or cross-referenced in the quality manual (see
4.2.2 b). A description of the interaction between the
organizations processes needs to be identified in the quality
manual (see 4.2.2 c).
The applicable processes might include those relating to four
general categories: 1) Management Activities, 2) Resource
Management, 3) Product Realization, and 4) Measurement and
Monitoring. Most companies will prefer to focus on their own COPS,
MOPS, and SOPS.
Manual content and design - There are many ways of documenting
the quality management system and organizations should adopt the
approach that is most useful for effective operation of their
system.
Examples include:
Flowcharts; Written text; Diagrams; System maps; Process maps;
Process Turtles.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
8 OF 61 AS Interpretation Rev. 0 - May 9, 2007
The quality manual may have many forms. Although many
organizations structure their documentation in a typical pyramid,
it is not the only, and not always the most suitable, way. A
quality manual doesn't have to exist as a separate document. The
quality manual may:
Be a direct collection of QMS documents including procedures; Be
a grouping or a section of QMS documentation; Be more than one
document or level; Be in one or more volumes; Be a stand alone
document or otherwise; Be a collection of separate documents.
The ISO 9001:2000 standard offers companies a possibility to
establish effective, user-friendly systems. This edition offers the
current users a unique opportunity to streamline their quality
management system documentation.
A separate document "addressing" all the clauses of the standard
is not required by the standard - neither does the standard require
the quality manual to "address" or "cover" the requirements of the
standard. The manual may be documented specifically to the
organizations processes.
4.2.2 a) Scope The organization may exclude portions of the
standard that do not apply to their quality management system due
to the nature of the product or service that they supply. ISO
9001:2000 clearly limits and identifies which activities may be
excluded. The justification for exclusion and those considered not
applicable must be clearly documented in the quality manual. If,
for example, design does not apply to the quality management
system, the standard stipulates (in section 1.2 Application) how a
reduction in scope of the standard may be justified and documented
within the quality manual. Bureau Veritas Certification has defined
exclusion applicability to be within the clause Design and
Development (7.3) only. All other potential exclusions within
section 7 must be identified as not applicable or not applicable at
this time.
ISO TC Guidance - Document: ISO/TC 176/SC 2/N 524R3 ISO 9000
Introduction and Support Package: Guidance on ISO 9001:2000 clause
1.2 'Application: ISO 9001:2000 clause 1, Scope, defines the scope
of the standard itself. This should not be confused with the scope
of the QMS, which is a term commonly used within the context of QMS
certification/registration to describe the organization and
products to which the QMS applies
(http://www.bsi.org.uk/iso-tc176-sc2).
Auditor should discuss the difference between the scope of
certification and the scope of the QMS (i.e. what is on or will be
on the organizations certificate).
The scope of the QMS should be based on the nature of the
organization's products and their realization processes, the result
of risk assessment, commercial considerations, and contractual,
statutory and regulatory requirements.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
9 OF 61 AS Interpretation Rev. 0 - May 9, 2007
If an organization chooses to implement a quality management
system with a limited scope, this should be clearly defined in the
organization's Quality Manual and any other publicly available
documents to avoid confusing or misleading customers and end users
(this includes, for example, certification/registration documents
and marketing material).
Note: For multi-site/corporate certifications the auditor will
expect to see that one quality manual is applicable for all sites
and that any changes are centrally controlled (see 4.2.3)
4.2.2 b) Documented Procedures The manual must include reference
to, at a minimum the six required documented procedures (see 4.2.3,
4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may reference other
documentation but must list those required documents in some
format. This may be in the form of a link or other such
reference.
The notes after sub clause 4.2.1 in ISO9001: 2000 make it clear
that where the standard specifically requires a documented
procedure, the procedure has to be established, documented,
implemented and maintained. It also emphasizes that the extent of
the QMS documentation may differ from one organization to another
due to:
The size of the organization and the type of activities; The
complexity of processes and their interactions and The competence
of personnel
- when referencing the documented procedures, the relationship
between the requirements of this International Standard [AS9100]
and the documented procedures shall be clearly shown.
BV Certification: Points of reference may be throughout the
manual when discussing pertinent subjects (imbedded in the text).
All of the referenced procedures may be listed together in an
appendix / attachment to the manual. Or, the pertinent procedure(s)
may be called out at the beginning or end of each major section of
the manual. A cross reference matrix is especially effective -
linking specific clauses in the Standard to corresponding
paragraphs in the quality manual down to specific paragraphs in the
detailed procedure (or W/I as appropriate). Regardless of the
approach, the intent of the Standard is that there be a clear,
unbroken, definitive trail from a particular requirement in the
Standard, into and through the quality manual, down to the
procedural (and or work instruction) level such that users of the
documentation can clearly and readily arrive at a description of
how that requirement in the Standard is satisfied / fulfilled in
the organizations system documentation.
4.2.2 c) Interaction between processes This requirement ties
closely to section 4.1 b), which is discussed in the previous
paragraphs. The interactions between the quality management system
processes do not have to be separately described, or illustrated,
by charts, tables or maps. If an organization chooses to use a
process map to show interaction, just using arrows is not
sufficient
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
10 OF 61 AS Interpretation Rev. 0 - May 9, 2007
a description or other depiction is required for interactions.
An example might be an interaction matrix listing COPS across the
top and SOP & MOP down the side. Although many organizations
may choose such a form, it is not a mandatory method. Interaction
between processes may be described, for instance, by way of
references and/or cross-references within the procedures, where the
procedures form part of the Quality Manual. If the procedures are
not part of the Quality Manual, then the manual can not be consider
acceptable to the standard requirements, they can be in an
appendix, addendum or hyper linked to the manual if the system is
electronic.
4.2.3: Control of Documents
A documented procedure is required for control of documents.
Guidance is given for documents and records in ISO/TC 176/SC 2/N
525R ISO 9000 Introduction and Support Package: Guidance on the
Documentation Requirements of ISO 9001:2000
(http://www.bsi.org.uk/iso-tc176-sc2).
4.2.3 a) Approve documents procedure must identify the approval
process.
4.2.3 b) Review and update All management system documentation
must be covered by some review strategy. The procedure must
identify a period of time in which all documents are reviewed on an
ongoing basis. Different types / levels of documents may be
reviewed at different intervals / criteria and / or by different
methods (i.e. at each use, through internal audits, via formal
recalls and reviews, etc.), review should be conducted by personnel
competent to do so. Bureau Veritas auditors should assess whether
review methodology demonstrates effective document controls. Note
statutory / regulatory and customer / industry requirements may
also impact review methodology. A method must be in place to show
review was completed where there were no changes. Those documents
that are updated must be put back through the organizations
required approval process (4.2.3 a).
4.2.3 c) Changes and current revision status The procedure must
identify how changes and revisions to documents are identified.
These must be identifiable for each document. How does the user
know what the changes are?
4.2.3 d) Availability of documents procedure must identify how
documents are made available to employees. Auditor will expect to
see that documents are readily available to employees through out
the facility at their points of use.
4.2.3 e) Documents are legible and readily identifiable auditor
will expect to see that documents are maintained and remain legible
and easily identifiable.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
11 OF 61 AS Interpretation Rev. 0 - May 9, 2007
4.2.3 f) Documents of external origin Documents of external
origin are those that are produced from outside the organization
that are used by the organization in support of the quality
management system processes. The procedure must address if
documents of external origin are applicable and if so how these
documents are controlled by the facility. The auditor expects to
see that controls are in place to ensure current versions are used
and documents are controlled within the facility.
4.2.3 g) Obsolete documents Procedure must address how obsolete
documents are controlled to prevent unintended use and if retained
how these documents are identified.
The organization shall coordinate document changes with
customers and/or regulatory authorities in accordance with contract
or regulatory requirements.
BV Certification: The degree and type of documentation change
coordination (if required at all) will be defined by the customer
and/or regulator agency. Additionally, the organization may add to
(but not contradict) details. Coordination may be as little as mere
notification, to distributing approved copies, up to and including
formal approval by the customer / agency) prior to implementation.
Documents typically subject to this requirement include
pre-approved contracts, statements of work, inspection/test plans,
frozen or fixed process plans and routings. The BV Certification
auditor will seek documented, objective evidence that such
coordination has taken place (as appropriate) and as prescribed in
the organizations documented procedure.
Note: For multi-site/corporate certifications the auditor will
expect to see that System documentation and changes are centrally
managed (usually performed at the headquarters location).
4.2.4: Control of Records
Records required by the organization may be in any format deemed
suitable for the organizations method of operation. A documented
procedure must be in place and define the controls needed for:
Identification the procedure must identify the system/process is
in place to identify records. Have all required records been
identified. Refer to Annex B of the ISO/TC 176/SC 2/N 525R - ISO
9000 Introduction and Support Package: Guidance on the
Documentation Requirements of ISO 9001:2000.
Storage where records are stored specific location i.e. Quality
filing cabinet in the QC Laboratory.
Protection how individual records are protected i.e. tape back
up every 24 hours (for electronic records), fireproof safe, filing
cabinet etc.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
12 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Retrieval any special requirements for retrieval. Generally
dependant on location and protection. May be a request process.
Retention time identification of how long each record will be
maintained. Disposition of records method for disposing of records
i.e. shredding, burned, trash
A spreadsheet or other document may be used to identify the
above requirements.
The documented procedure shall define the method for controlling
records that are created by and/or retained by suppliers.
BV Certification: The organization is ultimately responsible for
all pertinent quality records that apply to a given contract or
order. Most such quality records are produced by the organization
themselves but many are also created at the lower levels in the
supply chain at the organizations supplier(s) and at the suppliers
sub-tier sources. It is not uncommon for pertinent quality records
to exist at three or four levels down in the supply base.
Typically, only the most significant records make their way back to
the organization. Those records that typically bubble up are
certifications and inspection / test reports, nonconforming product
concessions / waivers, etc. The majority of records relating to the
order / contract continue to reside at a level lower in the supply
chain. Those records retained by lower-level sources must still be
subject to the organizations control. This control is often managed
and asserted by / through purchase order flowdown requirements from
the organization to the lowest level supplier / subcontractor
involved. Such flowdown requirements may specify record retention
periods, protection, disposition, disposal and may describe the
conditions under which the record holder must forward the records
to the organization.
Records shall be available for review by the customer and
regulatory authorities in accordance with contract or regulatory
requirements.
BV Certification: This requirement most obviously applies to
records maintained by the organization. It equally applies to
pertinent quality records retained by the organizations suppliers
and by the suppliers sub-tier sources. Pertinent records (at any
level in the supply chain) may be kept on-site, or at an off-site
repository or by a remote records management service. In any event,
retrieval of such records should be relatively convenient and
timely so as not to impede availability to customers and regulatory
authorities. Compliance to this requirement is often managed and
assured by / through purchase order flowdown requirements from the
organization to the lowest level supplier / subcontractor involved.
Such flowdown typically invokes the right of access to all
pertinent quality records that may exist at any/all levels in the
supply chain.
4.3 Configuration Management: The organization shall establish,
document and maintain a configuration management process
appropriate to the product. NOTE: Guidance on configuration
management is given in ISO 10007.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
13 OF 61 AS Interpretation Rev. 0 - May 9, 2007
BV Certification: Requirements for a Configuration Management
(CM) process apply to virtually all companies and products /
services and especially to those organizations performing Design
and Development activity and to those responsible for the design of
the product / deliverable. The formality and complexity of the CM
process will vary depending on the product. CM can be applied to
products, processes and processed materials (including individual
components as well as assemblies). A configuration is most often
described in terms of its integral configuration items. Fundamental
building blocks of a CM process typically include: design change
control, document change control, process change control, product
identification and traceability. Changes in any of those
disciplines might translate into configuration change.
Documentation that helps define a specific configuration might
include drawings, specifications, bills of materials,
routings/travellers, change requests, First Article Inspection
Reports, nonconforming product documents (including deviations and
waivers), where used listings, etc. Configuration baselines must be
established, and any subsequent changes must be identified and
controlled. After a significant number of changes, a new baseline
(model, part number, etc.) may be established.
Element 5: Management Responsibility
Note that this section has nine references to top management.
This is defined in ISO 9000:2000, 3.2.7 as person or group of
people who directs or controls an organization at the highest
level. It is therefore essential to examine top managements
commitment to, and support for, the QMS (and to record objective
evidence to support any conclusions reached).
5.1: Management Commitment
It is necessary for auditors to obtain (and record) objective
evidence of management commitment.
This would include:
5.1 a) Evidence that top management has communicated to the
organization the importance of meeting customer requirements as
well as statutory and regulatory requirements. This can be achieved
through meetings, newsletters, bulletin boards, training records
etc.
NOTE - statutory and regulatory requirements are broad based and
include all applicable requirements for processes, products and
activities.
5.1 b) Top Managements establishment of and input into, and
commitment to, the quality policy (its definition, delivery and
maintenance) through management review or other meetings.
5.1 c) Documented quality objectives (for all processes).
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
14 OF 61 AS Interpretation Rev. 0 - May 9, 2007
5.1 d) Top Managements active participation in management review
meetings.
5.1 e) Evidence of a process for defining resource requirements
and ensuring that adequate resources are available.
In short, how well they address requirements 5.2 through
5.6.
5.2: Customer Focus
Customer requirements and customer satisfaction are directly
linked with the process approach concept in the standard. Auditors
will seek objective evidence to demonstrate that the customer
requirements are indeed being met, whether the satisfaction is
revealed in customer survey results, repeat sales or any other type
of mechanism that would reveal trends and lead to improved customer
satisfaction. Management review minutes might be a record where
Customer Focus is addressed. You might also look at Quality plans
and or product plans that include customer related
requirements.
5.3: Quality Policy
It is expected that there is evidence that Top Management fully
back the quality policy. The standard identifies five specific
points which requires that top management ensures that the
policy;
5.3 a) Is appropriate to the purpose of the organization
5.3 b) Includes a commitment to meeting requirements and to
continual improvement of the quality system
5.3 c) Provides framework for establishing and reviewing quality
objectives
5.3 d) Is communicated and understood at appropriate levels in
the organization
5.3 e) Is reviewed for continuing suitability.
Auditors must determine if the Quality Policy meets the intent
and is understood, by interviewing personnel at all levels.
Although the exact policy does not need to be recited by
interviewees, the awareness of the quality policy and how their job
affects the company objectives should be determined. If personnel
interviewed do not know what their measurable objectives are and/or
do not know what the organizational objectives are that they have a
direct
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
15 OF 61 AS Interpretation Rev. 0 - May 9, 2007
effect on, the auditor would be further directed to evaluate
managements communication of the policy and objectives.
The Quality Policy must be documented (typically in the quality
manual because it must be controlled). The Quality Policy does not
have to include objectives but should create a framework for
establishing them. The Quality Policy should be stated in such a
way that it aims toward continual improvement. It should be
reviewed and possibly revised to meet higher aspirations.
Bureau Veritas Certification does not require that the policy
include the words continual improvement in the written policy,
however it must be ascertained that it is implied and known through
out the organization.
To meet the intent of this clause, the auditor would be looking
for a clearly defined Quality Policy that is sufficiently detailed
to provide a framework for quality objectives that can be monitored
for continual improvement. An auditor would not want to see a vague
policy, such as Our Policy is to Maintain Status Quo.
When interviewing top management, their input into, and
commitment to, the quality policy needs to be determined. Is it
theirs, or have they clearly just signed something written for them
by the management representative?
Note: For multi-site/corporate certifications the quality policy
must be applicable for all sites.
5.4: Planning
5.4.1 Quality Objectives
Auditor must determine that the organization has developed
measurable quality objectives for relevant functions and levels of
the organization. Bureau Veritas Certification expects overall
objectives to be established at the facility/corporate level and
objectives established for each identified process. Process
objectives shall support the organizations overall objectives.
The organization must establish what the relevant functions of
the organization are, however at a minimum this will include all
defined processes (reference 4.1 a, c, e). Sub-processes, projects,
or individual objectives would be at the discretion of
organization. The auditor may want to ask what criteria were used
to determine if functions are relevant or not. It would be left up
to the company to determine if a cost or added value benefit would
result from including or not including functions of the operation
when establishing quality objectives.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
16 OF 61 AS Interpretation Rev. 0 - May 9, 2007
If some functions or levels have been excluded, it may be
necessary to explore, evaluate (and record) the reasons for such
omissions (which might be quite acceptable at that particular stage
in the continual improvement process).
The organization must identify quality objectives that can be
measurable, such as vendor on-time rating, on-time delivery, all
employees will have completed an ISO 9001 awareness class and all
machines will have clearly defined procedures on their usage. If
the objectives were not measurable (including a time-based element
where appropriate), they would not meet the intent of the
standard.
The objectives do not have to be defined in a specific document
although the objectives are required to be documented (see 4.2.1
a). Objectives can either be defined in associated procedures or
instructions, or could be recorded in meeting minutes such as
management review records. The organization must have a process
that ensures that all the objectives are clear and communicated to
all employees who can influence the defined objective(s). The
organization should be able to demonstrate that the objectives are
being measured and reviewed (see 4.2.4 and 8.5.1).
5.4.2: Quality Planning
Auditors have to use their judgment in evaluating the entire
collected audit evidence in order to assess effectiveness of
planning activities. The auditor may also satisfy him/herself that
planning was done, by interviewing the personnel involved in
establishing or achieving specific quality objectives.
Auditors are recommended to attribute such QMS deficiencies to
relevant clause, requirements of which were contravened, rather
than to clause 5.4.2.
Determining effective and efficient planning may be found by
evidence of:
All those planning activities undertaken to establish the QMS in
accordance with clause 4.1.
The existence of an effective, documented, and implemented QMS
that provides collective evidence demonstrating that these planning
activities have been performed effectively.
Deficiencies in the quality system that may indicate that these
planning activities were not quite effective.
The evidence and use of Strategic Plans, Business Plans,
Management Review results, Contingency Plans, Quality Objectives,
any programs or plans, documented or not, such as Minutes of
meetings, Memos, Internal communications.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
17 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Where there is lack of documented evidence, an auditor may
satisfy him/herself through interviewing the personnel at those
levels and functions involved in achieving particular objectives to
determine the level of planning.
Another methodology allowing audit of effective planning
involves review of the progress in implementation of such plans
aimed at adhering to individual objectives.
5.5: Responsibility, Authority and Communication
5.5.1: Responsibility and authority
In order for the auditor to be satisfied that the intent of this
element has been met, he/she may review organization charts, job
descriptions or a responsibility matrix. Identification of
responsibility and authority could be written into procedures
and/or work instructions, as well. The auditor may also use
interviews of individuals to determine if responsibility and
authority has been communicated effectively.
5.5.2: Management Representative
Responsibilities to include:
5.5.2 a) Ensuring that the processes needed for the quality
management system are established, implemented and maintained.
5.5.2 b) Reporting on the performance of the system to top
management.
5.5.2 c) ensuring the promotion of awareness of customer
requirements, and
5.5.2 d) the organizational freedom to resolve matters
pertaining to quality.
BV Certification: The Management Representative (MR) need not be
a member of the Quality organization, though this is most often the
case. Any management-level individual from any organization /
discipline is acceptable. Of utmost importance is that the MR has
freedom within the companys organizational, political, cultural and
communication arenas. This freedom necessitates that the MR have
access mobility, both vertically and horizontally, and especially
across departmental boundaries. It is expected that the MR have at
least a dotted-line relationship with executive management that may
be exercised on an exception basis if/when internal influences
impede the MRs normal freedom. It is sometimes difficult to observe
/ demonstrate the MRs organizational freedom. More apparent are
situations where this freedom is limited, restricted or even
nonexistent. This problem may be evident in cases of unresolved
Quality problems, recurring problems,
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
18 OF 61 AS Interpretation Rev. 0 - May 9, 2007
ineffective/untimely corrective action responses, low customer
satisfaction and perception, ineffective internal audits, lack of
system/process improvement, etc.
Promotion of customer awareness might include news releases,
meetings, training, photographs, models; examples of products
demonstrating required visual attributes. We look for one
individual to be the management representative in terms of defined
responsibility. However, implementation of those responsibilities
may be in the form of a defined and delegated team.
Note: The management representative is responsible for ensuring
it happens not making it happen, which is the job of line
management.
Note: For multi-site/corporate certifications the auditor will
expect to see that there is a management representative with
overall responsibility across all sites for ensuring that
requirements are established, implemented, maintained, and for
reporting on performance.
5.5.3: Internal Communication
Although there is no mandate for documenting methods for
communication, the auditor will expect to find evidence of
communication through interviews with employees. Evidence could
possibly include the employees understanding of process linkage and
effectiveness, customer satisfaction levels, preventive and
corrective action information, on time delivery, quality costs,
returned material, non-conformances. This could be communicated by
access to the computer network, an information board, newsletters,
or even process routers, checklists, and multifunctional meetings
(see 6.2.2 d). The type and extent of the documentation will depend
on the nature of the organizations products and processes, the
degree of formality of communication systems and the level of
communication skills within the organization and the organization
culture.
5.6: Management Review
5.6.1: Management Review - General
IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first
time registration/certification, a full round of Management Review
meeting(s), including documented evidence of all required inputs
and outputs, must be completed prior to the
registration/certification audit (note a full internal audit cycle
must be completed prior to this review see 8.2.2 Internal Audit).
For multi-site/corporate certifications the review must include
inputs (as appropriate) from each site (see the standard 5.6.2 a
g). Normally, the review process is conducted at the headquarters
location. Top management shall review the quality management system
at planned intervals not only for continuing suitability and
effectiveness, but also adequacy. Additionally, this review
shall
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
19 OF 61 AS Interpretation Rev. 0 - May 9, 2007
include assessing opportunities for improvement, the need for
changes to the system, the quality policy, and quality
objectives.
These words are more prescriptive which cause a more proactive
expectation and approach to keeping the system current and useful
and maintaining improvement activities. The auditor cannot
prescribe the intervals for reviews to occur, but can look for
evidence that the frequency is sufficient to accomplish the
requirements of the standard. Although the dictionary would suggest
that suitable and adequate are the same, the standard seeks to
distinguish both the system from a global perspective of adequacy
as well as the detailed suitability of the many processes that
comprise the system.
5.6.2: Management review input
The auditor will expect to see documented evidence that the (7)
required inputs are discussed during the review. Although a
documented procedure for management review is not required, records
of such reviews are required (see the standard - 5.6.1 General).
The minimum (7) inputs are required in those records (see the
standard 5.6.2 a g). Evidence of cross functional input is also
expected, which means one person alone could do the review, but
there would need to be evidence of multifunctional input in the
evaluation of the system and its status and actions concluded.
5.6.3: Management review output
Output should focus on decisions and actions related to system
improvement (5.6.3 a), product improvement for customer
requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors
expect to see that some documented conclusions have been developed.
The output record must include evidence of action and progress for
system improvement, customer requirements, resource needs as it all
relates to system health. It is important to note that a documented
procedure may or may not exist. It should also be noted that formal
meetings for review may or may not happen and still be complaint -
such as in the case of being accomplished in stages; on going
process review; or by circulated documentation covering the system
incrementally.
Element 6: Resource Management
6.1: Provision of Resources
The intent of this section is to ensure that adequate resources
are provided to continually improve the effectiveness of the
quality management system (6.1 a) and to enhance customer
satisfaction by meeting customer requirements (6.1 b). Auditor
would expect to see a process for evaluating
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
20 OF 61 AS Interpretation Rev. 0 - May 9, 2007
and determining resource needs. This may be through management
review, production planning, budget review, long range planning
etc.
The auditor should determine that process activities are not
prevented by a lack of resources. Auditors may review instances
where customer requirements were not met and determine if a lack,
or insufficiency, of any resources was causation factors of these
instances. This requirement also ties to paragraphs 5.1 and 5.6.3,
which address managements responsibility to determine and provide
necessary resources. Additionally, any clear evidence of resource
problems links directly to this section.
6.2: Human Resources
6.2.1: General
The standard requires that personnel be competent. This could be
demonstrated by a person being qualified. Competence may be based
on appropriate education, training, skills, experience, and/or
demonstrated performance.
6.2.2: Competence, awareness and training
The intent of this section is to ensure that suitably competent
people are performing the activities as defined in the quality
system. Evidence of the effectiveness of the training or other
means of providing competent employees must be available. Employees
must be aware of the impact that they have on the overall quality
system. The auditor would expect employees to be able to verbalize
how their job activities contribute to the achievement of the
quality objectives.
6.2.2 a) Determine the necessary competence - The requirement is
in emphasis toward validating training and other activities aimed
at ensuring employee competence. Identification of competency is
essentially a precursor to identification of training needs. The
organization should determine knowledge and/or skills an employee
would need to be considered competent, in their opinion, to perform
a particular job. The company could then determine if the employee
performing the job possesses that knowledge or skill and, if not,
consider it a training need. Changes in the business and its
environment may necessitate new competencies, which may not be
available. Therefore the identification of competencies may need to
be revisited. There is no requirement for any particular frequency
of such re-review. Competency may be defined in a job description,
position profile, or by any other method or associated documents
such as specific instructions or procedures. Usually competency is
determined during performance reviews, if the organization does not
perform reviews of this nature, other methods for determining
personnel competence would need to be defined and records
verified.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
21 OF 61 AS Interpretation Rev. 0 - May 9, 2007
6.2.2 b) Provide training or take other actions - The
requirement allows for options other than training to obtain
competent personnel. Training includes all those activities where a
learning opportunity needs to be satisfied. It may take a number of
forms:
Classroom style, tutor led training; Hands on experience
training; Shadowing Individual or group coaching; Mentoring;
Briefings; Distance learning; Technology based training (CD ROMS,
web based etc); Workshops.
Organizations will choose whichever form best suits their needs
at any particular moment. Other actions to bridge competence gaps
might include:
Recruitment; Outsourcing; Acquisitions; Use of experts and/or
consultants. Documented procedures or work instructions
All such means are acceptable as long as an organization has
ensured the availability of the competencies needed.
6.2.2 c) Evaluate the effectiveness of the actions taken - The
requirement is aimed at ensuring that the training or other
activity has produced the desired result. This requirement could be
met in a variety of ways, including, but are not limited to:
Observation of personnel performing their duties; Written or
oral exams; Assessment of employee in achieving learning objectives
during the course of the
training program; Audit of performance at work focusing, for
example, on: Productivity; Reduction of rejects; Efficiency;
Interviews with the persons; Annual appraisal. Performance
reviews;
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
22 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Discussions; Evaluation of performance, quality or other
indicators; Cost reviews; Customer satisfaction assessment (see
8.2.1).
6.2.2 d) Ensure that its personnel are aware of the relevance
and importance of their activities (perhaps by internal
communication see 5.5.3) and how they contribute to the achievement
of the quality objectives - The requirement could be met in a
variety of ways. Options include:
Training; Memos, and/or meetings regarding the impact of various
individual or departmental goals
on quality objectives; Plant tours or briefings where an
individuals work and goals are shown as an integral
part of the larger processes; Cross functional teams working
towards quality objectives and reporting their progress to
their departments.
Any activity that allows individuals to understand how their
efforts affect quality objectives may satisfy this requirement. All
personnel need to know the specific measurable objective(s) for the
process that they work in; they should also know what
organizational objective their process effects. They should be able
to demonstrate that they know what the actual measurable is, their
progress towards that goal, what the plan is to achieve the goal.
If they do not know the actual numbers, they should be able to
communicate the topics of the measurable and know where the actual
measurements are maintained or posted.
6.2.2 e) Maintain appropriate records - The requirement expands
record keeping requirements to include education, skills and
experience, in addition to training, where appropriate. There are a
great variety of ways to record and provide evidence of training,
education, skills and experience. Records may include:
Diplomas; Certificates; Training log; Annotations in shift logs;
Toolbox meeting notes; Attendance lists; Resumes; Employment
history; Test results.
Such records may be filed in any location as long as the
requirements of 4.2.4 are observed.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
23 OF 61 AS Interpretation Rev. 0 - May 9, 2007
6.3: Infrastructure
It is the organizations management who determines the adequacy
of the infrastructure provided by the organization. Auditors will
seek objective evidence to demonstrate that the necessary
infrastructure exists for the quality management system to be
effectively implemented, for improvement of its effectiveness, and
for fulfilment of customer requirements. Auditor would expect to
see a process in place for maintenance of the building(s),
equipment and any other supporting services. This is generally the
responsibility of the maintence and IT departments.
6.4: Work Environment
The organization must identify and manage all those factors of
the work environment that are needed to supply a conforming
product. These factors may include among others:
Human Factors Creative work methods; Opportunities for greater
involvement of personnel; Safety rules and guidance; Ergonomics;
Special facilities for people.
Physical Factors Heat; Noise; Light; Hygiene; Humidity;
Cleanliness; Vibration; Pollution; Airflow.
Different types of businesses and industry sectors may vary
dramatically with regard to an acceptable work environment, so it
is the organizations management who determines the adequacy of the
work environment provided by the organization.
For instance;
A training provider may need to ensure the training area is
adequately lighted and contains appropriate seating and visual aid
capabilities.
Some manufacturing facilities may require clean rooms or
humidity-controlled areas.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
24 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Companies handling items easily damaged by electrostatic
discharge may require special flooring or equipment, and chemical
storage areas may require special protective barriers.
As an additional example, an employee might perform a particular
function that requires repetitive wrist movements (i.e., tightening
a screw). As the day wears on, it is possible that the overuse of
the wrist could result in poorly torqued screws resulting in a
possible quality defect. The company should identify such a
situation and provide a means of eliminating the potential defect
(i.e., air-driven screwdrivers). Evidence could consist of records
of decreased quality defects and/or medical problems related to
that activity.
Element 7: Product Realization
Exclusions/non-applicability can be claimed with in element 7
only. Exclusion should only be taken for clause 7.3 Design and
Development and must be fully justified in the quality manual.
Other sections within element 7 may be claimed as not applicable or
not applicable at this time.
7.1: Planning of product realization
An organization needs to plan in advance for how they will
manufacture their product or deliver their service. The plans need
to take into account the product requirements and any quality
objectives (7.1 a) that might be appropriate, resources and
documents that may be necessary (7.1 b), what type of monitoring
and/or inspection activities should be put in place to ensure the
product or service will meet the requirements (7.1 c), and what
types of records should be kept (7.1 d). While the sub-clause does
not state that the output of this planning must be documented, it
does state that it must be in a form suitable for the organizations
method of operations.
7.1 e) the identification of resources to support operation and
maintenance of the product.
BV Certification: The resources to support operation and
maintenance of the product may include tech manuals, tooling,
fixtures, lubricants, etc. This requirement is aimed at operational
and maintenance organizations, not at manufacturing organizations.
The intent is for the operational and maintenance organizations to
positively identify the resources that they require to perform the
operational and maintenance activities related to the product in
the field.
7.2: Customer Related Processes
7.2.1: Determination of requirements related to the product
This clause promotes an up-front determination of all
requirements related to the product.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
25 OF 61 AS Interpretation Rev. 0 - May 9, 2007
This includes requirements for servicing which are now included
as post-delivery activities, which implies anything that is
provided after the customer has received the product (i.e. repair
and/or warranty work, installation, maintenance, etc.).
Specific to 7.2.1 (a)
Post delivery activities may include among others: Product
support Servicing where applicable
Specific to 7.2.1 (b)
Auditors should determine how the organization was proactive in
evaluating if there were any additional requirements for the
product or services intended use. If the organization determined
there were not any additional requirements this should be evident
in associated records, if there were additional requirements then
evidence should be present how they were addressed in the affected
process i.e. design, purchasing, manufacturing.
The analogy that can be used here is a screwdriver, everyone
knows the intended use of a screwdriver, put in and take out
screws. However with a screwdriver, there are requirements that are
not stated but are intended for use, such as using a screw driver
to open paint cans, could be used as a chisel, pry bar,
magnetization might be an issue, also if used around electricity
the handle should be nonconductive, but none of these requirements
might be stated by the customer, but the manufacturing organization
would need to address these non-stated requirements for the
screwdrivers intended use.
Specific to 7.2.1 (c)
The organization shall determine applicable Statutory and
regulatory requirements related to the product (i.e., taking these
requirements into account when designing a product or service).
This includes ensuring process control (i.e., ensuring that these
requirements were met).
Statutory requirements are those that are stipulated by
local/national governments that form part of regional, national and
international legislation.
Regulatory requirements are those imposed by regulatory bodies.
In the UK the HSE (Health & Safety Executive) and in the USA,
the EPA (Environmental Protection Agency) are examples of these.
These requirements are not necessarily part of national
legislation.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
26 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Compliance with regulatory requirements issued by national
regulators (i.e. by The Rail Authority) may be mandatory for those
organizations to which they apply if a statutory instrument
requires so.
Organizations are required to comply with a number of legal
requirements to be allowed to operate. Management must be aware of
the requirements that apply to its products, processes and
activities and should include these requirements as part of the
quality management system (ISO 9004:2000 5.2.3). Auditor must
verify that these requirements are identified.
Auditors have to be aware that as the national legislation may
apply to product intended for the domestic market, in the case of
export sales, organizations will be required to consider the
statutory and/or regulatory requirements in the target country that
may apply to (a) product(s) supplied.
Organizations are not required to maintain the lists of
applicable statutory and/or regulatory requirements, nor need they
maintain copies of these documents except as required by clause
7.3.2(b). Organizations must ensure that they have adequate access
to / or knowledge of applicable statutory and regulatory
requirements.
7.2.2: Review of requirements related to the product
The sub-clause mandates that the organization shall not issue a
quotation or accept an order until it has been reviewed to ensure
requirements are defined and the organization has the capability to
meet the defined requirements. It goes on to require that records
of the review and any subsequent actions be maintained. If the
customer does not provide their requirements in writing (i.e.,
telephone call), the requirements must be confirmed before they are
accepted. If the requirements are changed, all documents must be
amended and relevant persons must be notified. A note is included
that covers situations such as internet sales where a formal review
of each order is impractical, stating, instead, that the review
could cover the product information provided in catalogs and
advertising material.
d) risks (e.g. new technology, short delivery time scale) have
been evaluated.
BV Certification: The potential for risks exists in virtually
every contract or order. The Standard mentions only two of the most
obvious examples (i.e. new technology and short delivery time
scales). Types of potential risks vary greatly depending upon
contractual requirements, requirements of regulatory authorities,
design responsibility, product requirements, safety and
airworthiness considerations, production processes, operational
constraints, business conditions / limitations, materials,
procurement sources, outsourcing, etc., etc. Just a few extreme
examples that may pose risk include: potential labor strikes,
facilities relocations or
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
27 OF 61 AS Interpretation Rev. 0 - May 9, 2007
shutdowns, environmental or climatic factors, production
capacity limitations, availability of materials, adequacy of
procurement sources, absence of key personnel, outage of vital
equipment, etc. To a reasonable and practical extent, any and all
such potential risks should be identified and their impact
evaluated before accepting the contract or order. Records of
contract reviews should demonstrate / document some level of
deliberate, thoughtful risk evaluation activity, delineation of
identified risks (if any), and resultant actions taken to mitigate
or eliminate the risks.
7.2.3: Customer communication
The organization must establish effective arrangements for
providing the customer with product information (i.e., catalogs or
advertising that adequately describe the product or service), means
of handling inquiries and orders, and a method for handling
customer comments (both compliments and complaints).
There is no potential for excluding section 7.2, as every
organization has external customers. Where an organization with a
stand-alone QMS is part of a larger group or corporation, and is
taking orders solely from a central Group or Corporate Sales
Organization outside its certified scope and delivering them to a
central Group or Corporate Distributor outside its certified scope,
then the Sales and Distribution organizations are technically
external customers, invoking 7.2 routines.
7.3: Design and development
This clause addresses product/service development as well as
(conceptual) design, so organizations involved in product/service
development will have to address some or all of section 7.3 of ISO
9001:2000.
Many companies perform some enhancements or minor
reconfiguration of mature designs, and are able to use the guidance
of ISO 9004:2000 in order to address some or all of section 7.3 of
ISO 9001:2000.
Some organizations subcontract design and have managed this via
sections 4.1 and 7.4 of ISO 9001:2000. Such organizations may have
to introduce a comprehensive design system or process, however may
have to address design and development as it is applicable to the
organization. They may have to address some or all sections of 7.3
to the extent that they apply.
Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and
Support Package: Guidance on ISO 9001:2000 clause 1.2 'Application'
provides excellent guidance and examples on this topic
(http://www.bsi.org.uk/iso-tc176-sc2).
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
28 OF 61 AS Interpretation Rev. 0 - May 9, 2007
7.3.1 Design and development planning
Although the standard does not require a documented procedure,
the design process needs to demonstrate how the process is
controlled and planned. The organization, however, will need to
provide some type of objective evidence as to what the planning
activities include. This can be accomplished with the use of
time-lines, gant charts or any other planning method such as
Microsoft project manager. In addition the auditor should see
objective evidence of how the interfaces between other processes
are managed, either through statements in associated procedures,
process mapping, matrix approach or in the time line planning.
- in respect of organization, task sequence, mandatory steps,
significant stages and method of configuration control
BV Certification: The organization is responsible for the
identification the design and development stages. AS9100 imposes
some additional and specific clarification of the information
required: which elements of the organization are involved, where in
the task sequence the stages begin/terminate, significant stages
and configuration control. These additional requirements may be
recorded in formal project plans, Gantt charts, checklists or in
similar documentation.
Where appropriate, due to complexity, the organization shall
give consideration to the following activities:
- structuring the design effort into significant elements; - for
each element, analyzing the tasks and the necessary resources for
its design and development. This analysis shall consider an
identified responsible person, design content, input data, planning
constraints, and performance conditions. The input data specific to
each element shall be reviewed to ensure consistency with
requirements.
BV Certification: Even though this section begins where
appropriate, all except the very smallest design and development
projects will have defined stages and the stages usually will
contain multiple tasks. It is clear that the records need to
demonstrate some level of planning. It is important that the
process owners are identified and that the required technical
personnel are indeed available to work on the project. Although not
specifically required, a table of engineering manpower allocation
(projects with associated engineering hours) would be helpful to
ensure that sufficient technical manpower is available. It is
important to note that should be evidence of a review of input data
to ensure consistency of requirements.
The different design and development tasks to be carried out
shall be defined according to specified safety or functional
objectives of the product in accordance with customer and/or
regulatory authority requirements.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
29 OF 61 AS Interpretation Rev. 0 - May 9, 2007
BV Certification: This is a check at the planning stage to
ensure that the design and development activity actually will
address all customer and regulatory requirements. The auditor will
expect to see evidence of this check. Refer also to Interpretation
for section 4.2.1f, above, for a discussion of regulatory
requirements.
7.3.2 Design and development inputs
The auditor will need to review evidence that the inputs (7.3.2
a d) have been addressed based on the nature of the product being
produced, that they have been reviewed for adequacy and that
records are maintained of the activity.
7.3.3 Design and development outputs
The auditor should expect to see objective evidence that the
outputs (7.3.3 a d) have been verified against the design inputs.
This can be accomplished by reviewing documents, plans, etc.
interfacing with the customer or internal processes and by
comparison with past proven designs.
e) identify key characteristics, when applicable, in accordance
with design or contract requirements.
BV Certification: As noted in Definitions (section 3, above),
key characteristics may be identified by the customer (and/or
regulatory authorities), as well as by the organization. Once key
characteristics have been identified, usually at the Planning
and/or Design and Development (D&D) Input stage, they must be
then addressed also as part of D&D Output. The organization
must show that the developed product specifically satisfies the
input requirements for key characteristics.
All pertinent data required to allow the product to be
identified, manufactured, inspected, used and maintained shall be
defined by the organization; for example:
- drawings, part lists, specifications; - a listing of those
drawings, part lists, and specifications necessary to define the
configuration and the design features of the product; - information
on material, processes, type of manufacturing and assembly of the
product necessary to ensure the conformity of the product.
BV Certification: The standard is clear; all documentation
relating to the developed product must be identified as part of the
D&D output. These may be included in a summary report or as
part of a design review.
7.3.4 Design and development reviews
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
30 OF 61 AS Interpretation Rev. 0 - May 9, 2007
Reviews shall be conducted in accordance to the time line or
plan established at the beginning of the design activity. Reviews
shall show evidence that all activities required in each phase of
the design have been addressed or adjustments made. Records should
show who attended the reviews and that all concerned parties were
present and that all actions were satisfied before proceeding
forward with the design process.
c) to authorize progression to the next stage.
BV Certification: Design and development (D&D) reviews may
vary in terms of purpose, frequency, complexity, formality,
attendance and associated output documentation / review records.
Regardless, there must be clearly documented evidence that an
authorized individual(s) has reviewed the results / progress /
status of each prescribed D&D stage / activity. Before the
D&D plan can proceed to the next stage a responsible/authorized
person (or personnel) must provide documented, objective evidence
of progression approval (signatures being preferred). Progression
authorization may appear as a specific signoff on a review
checklist, in review minutes, in evaluation reports, on D&D
plans, timeline charts, etc. An undocumented, passive agreement or
consensus of opinion will not sufficiently meet the intent of this
requirement.
7.3.5 Design and development verification
Design verification basically means that the product can be
produced as designed and that output meets the intended inputs.
Additionally it should show that the organization has the
capability to produce the product with existing equipment and has
the personnel competencies or has the ability to train or
subcontract the required capabilities.
NOTE: Design and/or development verification may include
activities such as: - performing alternative calculations, -
comparing the new design with a similar proven design, if
available, - undertaking tests and demonstrations, and - reviewing
the design stage documents before release.
BV Certification: No interpretation necessary.
7.3.6 Design and development validation
Validation has to ensure capability of meeting intended use
where known as well as specified requirements, and has been
completed prior to delivery and implementation wherever practicable
(typically as a prototype or first article). In most organizations
they cant rely on the customer to
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
31 OF 61 AS Interpretation Rev. 0 - May 9, 2007
perform the validation, the lack of a negative response from the
customer does not meet the intent of this clause. The organization
should have records that the product designed will meet defined
user needs prior to delivery of the product to the customer.
Methods of validation could include simulation techniques,
proto-type build and evaluation, comparison to similar proven
designs, beta testing, field evaluations, etc. Irrespective of the
methods used, the validation activity should be planned, executed
with records maintained as defined in the planning activity in
7.3.1.
NOTES: - Design and/or development validation follows successful
design and/or development verification. - Validation is normally
performed under defined operating conditions. - Validation is
normally performed on the final product, but may be necessary in
earlier stages prior to product completion. - Multiple validations
may be performed if there are different intended uses.
BV Certification: No interpretation necessary.
7.3.6.1 Documentation of Design and/or Development Verification
and Validation: At the completion of design and/or development, the
organization shall ensure that reports, calculations, test results,
etc., demonstrate that the product definition meets the
specification requirements for all identified operational
conditions.
BV Certification: This is added check to ensure, at the
conclusion of the D&D effort that documentation and supporting
data that was generated during the design and subsequent
verification/validation does in fact meet all the input
requirements. This clause supports the conclusions that should have
been reached at Design Review. The auditor would expect to see
evidence that verification and validation satisfy the input
requirements.
7.3.6.2 Design and/or Development Verification and Validation
Testing: Where tests are necessary for verification and validation,
these tests shall be planned, controlled, reviewed, and documented
to ensure and prove the following:
a) test plans or specifications identify the product being
tested and the resources being used, define test objectives and
conditions, parameters to be recorded, and relevant acceptance
criteria; b) test procedures describe the method of operation, the
performance of the test, and the recording of the results; c) the
correct configuration standard of the product is submitted for the
test; d) the requirements of the test plan and the test procedures
are observed;
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
32 OF 61 AS Interpretation Rev. 0 - May 9, 2007
e) the acceptance criteria are met.
BV Certification: When testing is used to support verification
and validation, the test results must meet the requirements
presented in this clause.
7.3.7 Design and development changes
Design and development changes (after the original verification
and validation) have to be verified and validated as appropriate
(as well as reviewed) and to include evaluation of the effect of
changes on constituent parts and products already delivered. If the
organization chooses not to perform re-verification and
re-validation on every design change, then the auditor should
expect to see some very well defined criteria as to when the
activity needs to occur. This includes any changes that do not
affect fit, form or function.
The organizations change control process shall provide for
customer and/or regulatory authority approval of changes, when
required by contract or regulatory requirement.
BV Certification: The degree and type of the D&D change will
often dictate the degree of approval required. Other conditions for
approval will be defined by the customer and/or regulator agency.
Additionally, the organization may add to (but not contradict)
details. Approval may be as little as mere notification, to
distributing approved copies, up to and including formal approval
by the customer / agency) prior to implementation of the change.
Documents typically subject to this requirement include
pre-approved drawings. The BV Certification auditor will seek
documented, objective evidence that such coordination has taken
place (as appropriate) and as prescribed in the organizations
documented procedure.
7.4: Purchasing
7.4.1 Purchasing Process
It would be extremely uncommon for purchasing to be excluded
from the quality management system (i.e., perhaps applying to such
situations as small consultancies using no subcontractors, and
using proprietary office materials and equipment that do not
directly impact on product or service performance but not to many
other situations).
Where procurement is centrally controlled by a corporate
procurement organization outside the scope of the QMS of the
auditee organization, this is not justification for exclusion of
7.4 in its entirety. The audited organization is certainly
responsible for providing purchasing information (7.4.2) to the
corporate procurement organization, and for verification of
purchased product (7.4.3) and perhaps participating in the
re-evaluation process. In the event that a corporate office or
other entity, outside the scope of registration, performs any
sections of purchasing this
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
33 OF 61 AS Interpretation Rev. 0 - May 9, 2007
shall be considered an outsourced process per requirements
identified in section 4.1. Bureau Veritas Certification auditors
would expect to see a documented agreement in place (i.e. an
Interface Agreement) between the organization and the supplier.
Auditor will expect to see a process is in place for evaluating and
selecting suppliers as well as a process for ongoing re-evaluation
of suppliers. While a written procedure for purchasing is not
required, records of evaluation and actions arising from the
evaluation are required to be maintained.
The organization shall be responsible for the quality of all
products purchased from suppliers, including customer-designated
sources.
BV Certification: In the context of this and other requirements
of the Standard, product includes parts, materials, process
services, etc. It is readily apparent that an organization is
ultimately responsible for the quality of product purchased from
its own suppliers / subcontractors. This requirement extends the
scope of the organizations responsibility to include that for
product purchased from customer-designated and/or
customer-designated sources. The type and extent of control
exercised over customer-designated or customer-approved sources may
be justifiably different than that exercised over sources chosen /
approved by the organization themselves. Regardless,
customer-approval and/or customer-designation of sources does not
relieve the organization of the responsibility to procure
conforming product.
The organization shall a) maintain a register of approved
suppliers that includes the scope of the approval.
BV Certification: A register could be in most any format and
media hardcopy, electronic, a paper listing, an electronic file as
part of a procurement software program, or even a manual card file.
The register must be a complete, finite compilation of all approved
suppliers / vendors / subcontractors - including those that are
customer-designated / approved. The register must include sources
that provide goods, products and services that relate to the
organizations products, processes and Quality management system.
Compiling the register(s) is a relatively simple and direct task.
The second part of this requirement . . . that includes the scope
of the approval. involves more thought. The scope of approval
should describe the extent (or limitation) on what the source can
(or cant) provide or perform. The description of the scope can be
narrative or coded. Some examples:
Acme Machining conventional metal machining except for chemical
milling and wire EDM. Acme Hardware Distributors all metal,
mechanical fasteners except for rivets. Acme Metal Distributors all
ferrous and non-ferrous metals except for titanium and inconel.
Acme Heat Treating heat treating processes
.
-
Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors. Expectations for
Companies Certifying to AS9100.
34 OF 61 AS Interpretation Rev. 0 - May 9, 2007
b) periodically review supplier performance; records [results]
of these reviews shall be used as the basis for establishing the
level of controls to be implemented.
BV Certification: The periodicity of supplier performance
reviews may vary across the organizations supply base. That is, all
suppliers may not have the same review frequency. Also, the type
and extent / scrutiny of the review may vary from one supplier to
another. These performance reviews should be planned and meaningful
- often involving cross-functional involvement (i.e. Quality,
Purchasing, Manufacturing, Engineering). The reviews must be based
on factual input data. Recorded results are to be used to determine
ongoing / future levels or control over the supplier. Favorable
performance results might justify relaxing / reducing the
type/extent of control while unfavorable results would suggest the
need to tighten-up on the supplier.
c) define the necessary actions to take when dealing with
suppliers that do not meet requirements.
BV Certification: This requirement relates closely to the
requirement above (7.4.1 b) regarding supplier performance reviews.
Conditions / events that indicate that a supplier is not meeting
requirements might include: poor results from performance reviews,
occurrences and repetition of nonconformances, corrective action
inadequacy and lateness, incoming inspection failures, untimely
delivery performance, etc. The organization needs to define /
describe specific actions they will take if the supplier is not
meeting expectations / requirements. This usually includes an
escalation process beginning with simple documented notification,
followed by corrective action requests, then possibly special
on-site audits and increased controls up to and including re