AS9100 Interpretations


Upload: nestor-czerwacki

Post on 10-Nov-2015


  • Bureau Veritas Certification Interpretations of The Standard. Guidance for Quality Management System Auditors. Expectations for Companies Certifying to AS9100.

    1 OF 61 AS Interpretation Rev. 0 - May 9, 2007

    Bureau Veritas Certification has established certain minimum expectations for companies who wish to register their Aerospace Quality Management Systems (AQMS) to AS9100. These expectations are based upon our understanding of the requirements of the standard and the requirements for third party registration/certification to the standard gained through our collective experience in auditing quality management systems of many varied applications.

    Additionally, The ISO Technical Committee (TC) has developed several guidance documents for various requirements of ISO9001:2000 that are applicable to the requirements of AS9100. These documents are available to the public via Internet website http://www.bsi.org.uk/iso-tc176-sc2. These documents are referred to throughout this document.

    Auditor Notes:

    This document is not intended to add to, minimize, or in any way modify the requirements of the standard and the requirements for accredited certification to the standard. It is meant to be a guidance tool for Bureau Veritas Certification auditors providing common understanding on the intent of the standard and certification requirements in addition to providing clarification of the text. For organizations seeking registration/certification, this document provides insight as to the expectations of Bureau Veritas Certification auditors.

    In order to claim conformity with AS9100, the organization has to be able to provide objective evidence of the effectiveness of its processes and its quality management system. Clause 3.8.1 of ISO 9000:2000 defines 'Objective evidence' as 'Data supporting the existence or verity of something' and notes that 'Objective evidence may be obtained through observation, measurement, test or other means'. Objective evidence does not necessarily depend on the existence of documented procedures, records or other documents, except where specifically mentioned in AS9100. In some cases (for example, in clause 7.1{d} Planning of product realization, and clause 8.4 Monitoring and measurement of product), it is up to the organization to determine what records are necessary in order to provide objective evidence.


    AS9100 Interpretations

    Element 4: Quality Management System

    4.1: General

    Section 4.1 includes the general requirements that must be met in order to establish, implement and continually improve the effectiveness of a quality management system meeting the requirements of the standard. These requirements are referenced to and/or further defined in subsequent clauses of the standard. Table A, shown below, contains the cross-linked references.

    Continual improvement of the effectiveness of the quality management system may be reflected in a number of different areas. These may include:

    Quality objectives; Corrective and preventive actions; Internal audits; External audits; Review of customer satisfaction surveys and associated action items; Operation meetings producing improvement actions; Actions initiated by suggestion programs; Process Changes; Infrastructure and environment changes; Management Reviews

    If continual improvement has become a way of life for a company, it is unlikely that a demonstration of company-wide continual improvement will come from only a few sources.

    System deterioration would not necessarily lead to non-conformity if all actions were positive and the improvement path is still evident and logical. The system would be questionable if the company did not recognize it or had not reacted to the issues appropriately.

    Note: It is the responsibility of the company to demonstrate improvement rather than the auditor to look for it. Accordingly, it is useful audit practice to ask management to identify any improvement initiatives taken since the previous visit, and any planned for the future.

    4.1 a) Process identification - Bureau Veritas Certification auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be documented the organization may wish to consider factors such as:

    Effect on quality; Risk of customer dissatisfaction; Statutory and/or regulatory requirements; Economic risk; Effectiveness and efficiency; Competence of personnel; Complexity of processes

    Bureau Veritas Certification promotes the identification of Customer Oriented Processes (COPS), Support Oriented Processes (SOPS) and Management Oriented Processes (MOPS) while defining processes; however, this is not a requirement. The auditor must see evidence that the organization has identified and defined its processes.

    The ISO TC document - ISO/TC 176/SC 2/N 544R - ISO 9000 Introduction and Support Package: Guidance on the Concept and Use of the Process Approach for Management Systems - provides basic information for understanding application of the process approach. The bulletin defines a process as: "A Process can be defined as a 'Set of interrelated or interacting activities, which transforms inputs into outputs'. These activities require allocation of resources such as people and materials" (http://www.bsi.org.uk/iso-tc176-sc2).

    4.1 b) Sequence and interaction of these processes - The interactions of the processes must somehow be described in the quality manual (4.2.2 c). The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were identified. Such documents may be used by organizations should they deem them useful, but are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing interactions between processes. Other possible methods may include: documentation prepared for implementation of the product management system (SAP, SYMIX, MRP, etc.); deployment flowcharts; and pictorial diagrams.

    Completion of the Bureau Veritas Certification process matrix provides the relationship between the organization's processes and the requirements of ISO9001:2000; however, it does not show the interaction between the identified processes. If the organization chooses to use the process matrix to show interaction, it must be supplemented with another method to show process interaction. The Bureau Veritas Certification process matrix must be completed in order to assist in the scheduling of the organization's audits.


    4.1 c) Criteria and methods needed to ensure that both the operation and control of these processes are effective - This could be demonstrated with stated objectives, instructions and/or procedures as required for consistent output of the processes.

    4.1 d) Ensure the availability of resources and information necessary to support the operation and monitoring of these processes - This may be through Management Review or other methods for defining and determining resources.

    4.1 e) Monitor, measure and analyze these processes - All identified processes are subject to requirements for monitoring, measurement, and analysis for needed improvement. The methods employed and the timing of such analysis should be based upon priorities established by the organization. The auditor expects to see measurable objectives established for each process. These objectives should support the organization's overall objectives.

    4.1 f) Implement actions necessary to achieve planned results and continual improvement of these processes - Same as described above. The auditor expects to see corrective action taken when measurable objectives fall below target or defined action level.

    Outsourced Processes: Outsourced processes must be controlled by the organization and these controls must be defined/described within its system. Organizations are required to identify the controls they apply for any outsourced processes. The facility quality manual must identify if outsourced processes are applicable. In addition, the client shall have written documentation on the methods used to control the outsourced process(es). Examples of some outsourced processes are:

    Processes completed wholly or partially by a sister facility outside the scope of registration, such as corporate performing design, purchasing or customer related processes. This may include the entire element or a subsection, i.e. corporate completes supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase orders.

    Processes completed by an outside vendor or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc.

    Documented objective evidence must be ascertained to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes. The organization is responsible to ensure that the outsourced process is meeting applicable requirements to ISO9001:2000. Outsourced processes may be controlled through such methods as (not limited to):

    Internal Audits; Internal Agreements between two sites where only the audited site is under the scope of registration (Interface Agreements - Bureau Veritas Certification terminology); Process performance data; Purchasing Process

    ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on 'Outsourced Processes': An outsourced process can be performed by a supplier that is totally independent from the organization, or which is part of the same parent organization (i.e. a separate department or division that is not subject to the same quality management system). It may be provided within the physical premises or work environment of the organization, at an independent site, or in some other manner. The organization has to demonstrate that it exercises sufficient control to ensure that this process is performed according to the relevant requirements of ISO 9001:2000, and any other requirements of the organization's quality management system. The nature of this control will depend, among other things, on the importance of the outsourced process, the risk involved, and the competence of the supplier to meet the process requirements (http://www.bsi.org.uk/iso-tc176-sc2).

    TABLE A: Cross-linked references

    4.1 General requirements | Relevant further clauses

    a) Identify the processes, including outsourcing, needed for the quality management system and their application throughout the organization (see 1.2), | 5.4.2 QMS planning; 7.1 Planning of product realization; 8.1 General

    b) Determine the sequence and interaction of these processes, | 5.4.2 QMS planning; 7.1 Planning of product realization; 4.2.2 (c)

    c) Determine criteria and methods needed to ensure that both the operation and control of these processes are effective, | 7.1 (c); 7.3.3 (c); 7.4.1 (Criteria for selection); 7.5.2

    d) Ensure the availability of resources and information necessary to support the operation and monitoring of these processes, | Whole of 6

    e) Monitor, measure, and analyze these processes, and, | Whole of 8.2

    f) Implement actions necessary to achieve planned results and continual improvement of these processes. These processes shall be managed by the organization in accordance with the requirements of this International Standard. | Whole of 5, 6, 7 and 8

    Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.

    4.2: Documentation Requirements

    4.2.1: General

    The Quality Management System (QMS) documentation shall include:

    4.2.1 a) Statements showing the organization's quality policy (see 5.3) and quality objectives (see 5.4.1).

    4.2.1 b) A quality manual (see 4.2.2).

    4.2.1 c) Procedures that this standard requires (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3).

    4.2.1 d) Documents that the organization will need to ensure that the planning, operation, and control of their processes is effective.

    4.2.1 e) Records that this standard requires (see 5.6.1, 6.2.2, 7.1, 7.2.2, 7.3.2, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.1, 7.5.2, 7.5.3, 7.5.4, 7.6, 8.2.2, 8.2.4, 8.3, 8.5.2, and 8.5.3).

    4.2.1 f) Quality system requirements imposed by the applicable regulatory authorities.

    BV Certification: This requirement effectively invokes all pertinent requirements of the industry-applicable regulatory agencies (e.g. FAA, CAA, JAA, etc.) such as those included in FAR Part 21, 145, etc. While the BV Certification auditor may not look for conformance to those specific regulatory requirements, a nonconformance against a closely related requirement in Standard AS9100 may be cited.

    The organization shall ensure that personnel have access to quality management system documentation and are aware of relevant procedures. Customer and/or regulatory authorities representatives shall have access to quality management system documentation.


    BV Certification: It is expected that all personnel have access to relevant documentation, in any appropriate format. Documentation can include procedures, work instructions, forms, travelers, drawings and work standards. For complex operations, job packages should be at the workstation. In other situations, it is sufficient for the co-worker to demonstrate knowledge of where the relevant documentation is located. The right of access by customer and/or regulatory authorities appears in several clauses throughout the standard. A broad statement permitting right of access to quality documentation at the organization's facilities, coupled with flow down to suppliers and sub-tier suppliers (see section 7.4), is sufficient to satisfy this requirement. See also the Interpretation comments under section 4.2.4, below.

    4.2.2: Quality Manual

    Exclusions from the quality management system must be described and justified within the quality manual (see 4.2.2 a). The documented procedures established for the quality management system must be included or cross-referenced in the quality manual (see 4.2.2 b). A description of the interaction between the organization's processes needs to be identified in the quality manual (see 4.2.2 c).

    The applicable processes might include those relating to four general categories: 1) Management Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and Monitoring. Most companies will prefer to focus on their own COPS, MOPS, and SOPS.

    Manual content and design - There are many ways of documenting the quality management system and organizations should adopt the approach that is most useful for effective operation of their system.

    Examples include:

    Flowcharts; Written text; Diagrams; System maps; Process maps; Process Turtles.


    The quality manual may have many forms. Although many organizations structure their documentation in a typical pyramid, it is not the only, and not always the most suitable, way. A quality manual doesn't have to exist as a separate document. The quality manual may:

    Be a direct collection of QMS documents including procedures; Be a grouping or a section of QMS documentation; Be more than one document or level; Be in one or more volumes; Be a stand alone document or otherwise; Be a collection of separate documents.

    The ISO 9001:2000 standard offers companies a possibility to establish effective, user-friendly systems. This edition offers the current users a unique opportunity to streamline their quality management system documentation.

    A separate document "addressing" all the clauses of the standard is not required by the standard - neither does the standard require the quality manual to "address" or "cover" the requirements of the standard. The manual may be documented specifically to the organization's processes.

    4.2.2 a) Scope - The organization may exclude portions of the standard that do not apply to its quality management system due to the nature of the product or service that it supplies. ISO 9001:2000 clearly limits and identifies which activities may be excluded. The justification for exclusion and those considered not applicable must be clearly documented in the quality manual. If, for example, design does not apply to the quality management system, the standard stipulates (in section 1.2 Application) how a reduction in scope of the standard may be justified and documented within the quality manual. Bureau Veritas Certification has defined exclusion applicability to be within the clause Design and Development (7.3) only. All other potential exclusions within section 7 must be identified as not applicable or not applicable at this time.

    ISO TC Guidance - Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support Package: Guidance on ISO 9001:2000 clause 1.2 'Application': ISO 9001:2000 clause 1, Scope, defines the scope of the standard itself. This should not be confused with the scope of the QMS, which is a term commonly used within the context of QMS certification/registration to describe the organization and products to which the QMS applies (http://www.bsi.org.uk/iso-tc176-sc2).

    The auditor should discuss the difference between the scope of certification and the scope of the QMS (i.e. what is on or will be on the organization's certificate).

    The scope of the QMS should be based on the nature of the organization's products and their realization processes, the result of risk assessment, commercial considerations, and contractual, statutory and regulatory requirements.


    If an organization chooses to implement a quality management system with a limited scope, this should be clearly defined in the organization's Quality Manual and any other publicly available documents to avoid confusing or misleading customers and end users (this includes, for example, certification/registration documents and marketing material).

    Note: For multi-site/corporate certifications the auditor will expect to see that one quality manual is applicable for all sites and that any changes are centrally controlled (see 4.2.3).

    4.2.2 b) Documented Procedures - The manual must include reference to, at a minimum, the six required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may reference other documentation but must list those required documents in some format. This may be in the form of a link or other such reference.

    The notes after sub clause 4.2.1 in ISO9001:2000 make it clear that where the standard specifically requires a documented procedure, the procedure has to be established, documented, implemented and maintained. They also emphasize that the extent of the QMS documentation may differ from one organization to another due to:

    The size of the organization and the type of activities; The complexity of processes and their interactions; The competence of personnel

    - when referencing the documented procedures, the relationship between the requirements of this International Standard [AS9100] and the documented procedures shall be clearly shown.

    BV Certification: Points of reference may be throughout the manual when discussing pertinent subjects (embedded in the text). All of the referenced procedures may be listed together in an appendix / attachment to the manual. Or, the pertinent procedure(s) may be called out at the beginning or end of each major section of the manual. A cross reference matrix is especially effective - linking specific clauses in the Standard to corresponding paragraphs in the quality manual down to specific paragraphs in the detailed procedure (or W/I as appropriate). Regardless of the approach, the intent of the Standard is that there be a clear, unbroken, definitive trail from a particular requirement in the Standard, into and through the quality manual, down to the procedural (and/or work instruction) level such that users of the documentation can clearly and readily arrive at a description of how that requirement in the Standard is satisfied / fulfilled in the organization's system documentation.

    4.2.2 c) Interaction between processes - This requirement ties closely to section 4.1 b), which is discussed in the previous paragraphs. The interactions between the quality management system processes do not have to be separately described, or illustrated, by charts, tables or maps. If an organization chooses to use a process map to show interaction, just using arrows is not sufficient - a description or other depiction is required for interactions. An example might be an interaction matrix listing COPS across the top and SOP & MOP down the side. Although many organizations may choose such a form, it is not a mandatory method. Interaction between processes may be described, for instance, by way of references and/or cross-references within the procedures, where the procedures form part of the Quality Manual. If the procedures are not part of the Quality Manual, then the manual cannot be considered acceptable to the standard requirements; they can be in an appendix, in an addendum or hyperlinked to the manual if the system is electronic.

    4.2.3: Control of Documents

    A documented procedure is required for control of documents.

    Guidance is given for documents and records in ISO/TC 176/SC 2/N 525R ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2000 (http://www.bsi.org.uk/iso-tc176-sc2).

    4.2.3 a) Approve documents - The procedure must identify the approval process.

    4.2.3 b) Review and update - All management system documentation must be covered by some review strategy. The procedure must identify a period of time in which all documents are reviewed on an ongoing basis. Different types / levels of documents may be reviewed at different intervals / criteria and / or by different methods (i.e. at each use, through internal audits, via formal recalls and reviews, etc.). Review should be conducted by personnel competent to do so. Bureau Veritas auditors should assess whether review methodology demonstrates effective document controls. Note: statutory / regulatory and customer / industry requirements may also impact review methodology. A method must be in place to show review was completed where there were no changes. Those documents that are updated must be put back through the organization's required approval process (4.2.3 a).

    4.2.3 c) Changes and current revision status - The procedure must identify how changes and revisions to documents are identified. These must be identifiable for each document. How does the user know what the changes are?

    4.2.3 d) Availability of documents - The procedure must identify how documents are made available to employees. The auditor will expect to see that documents are readily available to employees throughout the facility at their points of use.

    4.2.3 e) Documents are legible and readily identifiable - The auditor will expect to see that documents are maintained and remain legible and easily identifiable.


    4.2.3 f) Documents of external origin - Documents of external origin are those that are produced from outside the organization that are used by the organization in support of the quality management system processes. The procedure must address if documents of external origin are applicable and if so how these documents are controlled by the facility. The auditor expects to see that controls are in place to ensure current versions are used and documents are controlled within the facility.

    4.2.3 g) Obsolete documents - The procedure must address how obsolete documents are controlled to prevent unintended use and, if retained, how these documents are identified.

    The organization shall coordinate document changes with customers and/or regulatory authorities in accordance with contract or regulatory requirements.

    BV Certification: The degree and type of documentation change coordination (if required at all) will be defined by the customer and/or regulatory agency. Additionally, the organization may add to (but not contradict) details. Coordination may be as little as mere notification, to distributing approved copies, up to and including formal approval (by the customer / agency) prior to implementation. Documents typically subject to this requirement include pre-approved contracts, statements of work, inspection/test plans, frozen or fixed process plans and routings. The BV Certification auditor will seek documented, objective evidence that such coordination has taken place (as appropriate) and as prescribed in the organization's documented procedure.

    Note: For multi-site/corporate certifications the auditor will expect to see that System documentation and changes are centrally managed (usually performed at the headquarters location).

    4.2.4: Control of Records

    Records required by the organization may be in any format deemed suitable for the organization's method of operation. A documented procedure must be in place and define the controls needed for:

    Identification - the procedure must identify the system/process in place to identify records. Have all required records been identified? Refer to Annex B of the ISO/TC 176/SC 2/N 525R - ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2000.

    Storage - where records are stored, specific location, i.e. Quality filing cabinet in the QC Laboratory.

    Protection - how individual records are protected, i.e. tape back up every 24 hours (for electronic records), fireproof safe, filing cabinet etc.

    Retrieval - any special requirements for retrieval. Generally dependent on location and protection. May be a request process.

    Retention time - identification of how long each record will be maintained.

    Disposition of records - method for disposing of records, i.e. shredding, burned, trash.

    A spreadsheet or other document may be used to identify the above requirements.

    The documented procedure shall define the method for controlling records that are created by and/or retained by suppliers.

    BV Certification: The organization is ultimately responsible for all pertinent quality records that apply to a given contract or order. Most such quality records are produced by the organization itself but many are also created at the lower levels in the supply chain at the organization's supplier(s) and at the suppliers' sub-tier sources. It is not uncommon for pertinent quality records to exist at three or four levels down in the supply base. Typically, only the most significant records make their way back to the organization. Those records that typically bubble up are certifications and inspection / test reports, nonconforming product concessions / waivers, etc. The majority of records relating to the order / contract continue to reside at a level lower in the supply chain. Those records retained by lower-level sources must still be subject to the organization's control. This control is often managed and asserted by / through purchase order flowdown requirements from the organization to the lowest level supplier / subcontractor involved. Such flowdown requirements may specify record retention periods, protection, disposition, disposal and may describe the conditions under which the record holder must forward the records to the organization.

    Records shall be available for review by the customer and regulatory authorities in accordance with contract or regulatory requirements.

    BV Certification: This requirement most obviously applies to records maintained by the organization. It equally applies to pertinent quality records retained by the organization's suppliers and by the suppliers' sub-tier sources. Pertinent records (at any level in the supply chain) may be kept on-site, or at an off-site repository or by a remote records management service. In any event, retrieval of such records should be relatively convenient and timely so as not to impede availability to customers and regulatory authorities. Compliance to this requirement is often managed and assured by / through purchase order flowdown requirements from the organization to the lowest level supplier / subcontractor involved. Such flowdown typically invokes the right of access to all pertinent quality records that may exist at any/all levels in the supply chain.

    4.3 Configuration Management: The organization shall establish, document and maintain a configuration management process appropriate to the product. NOTE: Guidance on configuration management is given in ISO 10007.

    BV Certification: Requirements for a Configuration Management (CM) process apply to virtually all companies and products / services and especially to those organizations performing Design and Development activity and to those responsible for the design of the product / deliverable. The formality and complexity of the CM process will vary depending on the product. CM can be applied to products, processes and processed materials (including individual components as well as assemblies). A configuration is most often described in terms of its integral configuration items. Fundamental building blocks of a CM process typically include: design change control, document change control, process change control, product identification and traceability. Changes in any of those disciplines might translate into configuration change. Documentation that helps define a specific configuration might include drawings, specifications, bills of materials, routings/travellers, change requests, First Article Inspection Reports, nonconforming product documents (including deviations and waivers), where used listings, etc. Configuration baselines must be established, and any subsequent changes must be identified and controlled. After a significant number of changes, a new baseline (model, part number, etc.) may be established.

    Element 5: Management Responsibility

    Note that this section has nine references to "top management". This is defined in ISO 9000:2000, 3.2.7 as "person or group of people who directs or controls an organization at the highest level". It is therefore essential to examine top management's commitment to, and support for, the QMS (and to record objective evidence to support any conclusions reached).

    5.1: Management Commitment

    It is necessary for auditors to obtain (and record) objective evidence of management commitment.

    This would include:

    5.1 a) Evidence that top management has communicated to the organization the importance of meeting customer requirements as well as statutory and regulatory requirements. This can be achieved through meetings, newsletters, bulletin boards, training records etc.

    NOTE - statutory and regulatory requirements are broad based and include all applicable requirements for processes, products and activities.

    5.1 b) Top Management's establishment of, input into, and commitment to, the quality policy (its definition, delivery and maintenance) through management review or other meetings.

    5.1 c) Documented quality objectives (for all processes).

    5.1 d) Top Management's active participation in management review meetings.

    5.1 e) Evidence of a process for defining resource requirements and ensuring that adequate resources are available.

    In short, how well they address requirements 5.2 through 5.6.

    5.2: Customer Focus

    Customer requirements and customer satisfaction are directly linked with the process approach concept in the standard. Auditors will seek objective evidence to demonstrate that the customer requirements are indeed being met, whether the satisfaction is revealed in customer survey results, repeat sales or any other type of mechanism that would reveal trends and lead to improved customer satisfaction. Management review minutes might be a record where Customer Focus is addressed. You might also look at quality plans and/or product plans that include customer-related requirements.

    5.3: Quality Policy

    It is expected that there is evidence that Top Management fully backs the quality policy. The standard identifies five specific points, requiring top management to ensure that the policy:

    5.3 a) Is appropriate to the purpose of the organization

    5.3 b) Includes a commitment to meeting requirements and to continual improvement of the quality system

    5.3 c) Provides framework for establishing and reviewing quality objectives

    5.3 d) Is communicated and understood at appropriate levels in the organization

    5.3 e) Is reviewed for continuing suitability.

    Auditors must determine if the Quality Policy meets the intent and is understood, by interviewing personnel at all levels. Although the exact policy does not need to be recited by interviewees, the awareness of the quality policy and how their job affects the company objectives should be determined. If personnel interviewed do not know what their measurable objectives are and/or do not know what the organizational objectives are that they have a direct effect on, the auditor would be further directed to evaluate management's communication of the policy and objectives.

    The Quality Policy must be documented (typically in the quality manual because it must be controlled). The Quality Policy does not have to include objectives but should create a framework for establishing them. The Quality Policy should be stated in such a way that it aims toward continual improvement. It should be reviewed and possibly revised to meet higher aspirations.

    Bureau Veritas Certification does not require that the policy include the words "continual improvement" in the written policy; however, it must be ascertained that it is implied and known throughout the organization.

    To meet the intent of this clause, the auditor would be looking for a clearly defined Quality Policy that is sufficiently detailed to provide a framework for quality objectives that can be monitored for continual improvement. An auditor would not want to see a vague policy, such as "Our Policy is to Maintain Status Quo".

    When interviewing top management, their input into, and commitment to, the quality policy needs to be determined. Is it theirs, or have they clearly just signed something written for them by the management representative?

    Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.

    5.4: Planning

    5.4.1 Quality Objectives

    The auditor must determine that the organization has developed measurable quality objectives for relevant functions and levels of the organization. Bureau Veritas Certification expects overall objectives to be established at the facility/corporate level and objectives established for each identified process. Process objectives shall support the organization's overall objectives.

    The organization must establish what the relevant functions of the organization are; however, at a minimum this will include all defined processes (reference 4.1 a, c, e). Sub-processes, projects, or individual objectives would be at the discretion of the organization. The auditor may want to ask what criteria were used to determine if functions are relevant or not. It would be left up to the company to determine if a cost or added value benefit would result from including or not including functions of the operation when establishing quality objectives.

    If some functions or levels have been excluded, it may be necessary to explore, evaluate (and record) the reasons for such omissions (which might be quite acceptable at that particular stage in the continual improvement process).

    The organization must identify quality objectives that are measurable, such as vendor on-time rating, on-time delivery, all employees will have completed an ISO 9001 awareness class and all machines will have clearly defined procedures on their usage. If the objectives were not measurable (including a time-based element where appropriate), they would not meet the intent of the standard.

    The objectives do not have to be defined in a specific document although the objectives are required to be documented (see 4.2.1 a). Objectives can either be defined in associated procedures or instructions, or could be recorded in meeting minutes such as management review records. The organization must have a process that ensures that all the objectives are clear and communicated to all employees who can influence the defined objective(s). The organization should be able to demonstrate that the objectives are being measured and reviewed (see 4.2.4 and 8.5.1).

    5.4.2: Quality Planning

    Auditors have to use their judgment in evaluating the entire collected audit evidence in order to assess effectiveness of planning activities. The auditor may also satisfy him/herself that planning was done, by interviewing the personnel involved in establishing or achieving specific quality objectives.

    Auditors are advised to attribute such QMS deficiencies to the relevant clause whose requirements were contravened, rather than to clause 5.4.2.

    Whether planning is effective and efficient may be determined from evidence of:

    All those planning activities undertaken to establish the QMS in accordance with clause 4.1.

    The existence of an effective, documented, and implemented QMS that provides collective evidence demonstrating that these planning activities have been performed effectively.

    Deficiencies in the quality system that may indicate that these planning activities were not quite effective.

    The evidence and use of Strategic Plans, Business Plans, Management Review results, Contingency Plans, Quality Objectives, any programs or plans, documented or not, such as Minutes of meetings, Memos, Internal communications.

    Where there is lack of documented evidence, an auditor may satisfy him/herself through interviewing the personnel at those levels and functions involved in achieving particular objectives to determine the level of planning.

    Another methodology allowing audit of effective planning involves review of the progress in implementation of such plans aimed at adhering to individual objectives.

    5.5: Responsibility, Authority and Communication

    5.5.1: Responsibility and authority

    In order for the auditor to be satisfied that the intent of this element has been met, he/she may review organization charts, job descriptions or a responsibility matrix. Identification of responsibility and authority could be written into procedures and/or work instructions, as well. The auditor may also use interviews of individuals to determine if responsibility and authority have been communicated effectively.

    5.5.2: Management Representative

    Responsibilities to include:

    5.5.2 a) Ensuring that the processes needed for the quality management system are established, implemented and maintained.

    5.5.2 b) Reporting on the performance of the system to top management.

    5.5.2 c) ensuring the promotion of awareness of customer requirements, and

    5.5.2 d) the organizational freedom to resolve matters pertaining to quality.

    BV Certification: The Management Representative (MR) need not be a member of the Quality organization, though this is most often the case. Any management-level individual from any organization / discipline is acceptable. Of utmost importance is that the MR has freedom within the company's organizational, political, cultural and communication arenas. This freedom necessitates that the MR have access mobility, both vertically and horizontally, and especially across departmental boundaries. It is expected that the MR have at least a dotted-line relationship with executive management that may be exercised on an exception basis if/when internal influences impede the MR's normal freedom. It is sometimes difficult to observe / demonstrate the MR's organizational freedom. More apparent are situations where this freedom is limited, restricted or even nonexistent. This problem may be evident in cases of unresolved Quality problems, recurring problems, ineffective/untimely corrective action responses, low customer satisfaction and perception, ineffective internal audits, lack of system/process improvement, etc.

    Promotion of customer awareness might include news releases, meetings, training, photographs, models; examples of products demonstrating required visual attributes. We look for one individual to be the management representative in terms of defined responsibility. However, implementation of those responsibilities may be in the form of a defined and delegated team.

    Note: The management representative is responsible for ensuring it happens, not making it happen, which is the job of line management.

    Note: For multi-site/corporate certifications the auditor will expect to see that there is a management representative with overall responsibility across all sites for ensuring that requirements are established, implemented, maintained, and for reporting on performance.

    5.5.3: Internal Communication

    Although there is no mandate for documenting methods for communication, the auditor will expect to find evidence of communication through interviews with employees. Evidence could possibly include the employees' understanding of process linkage and effectiveness, customer satisfaction levels, preventive and corrective action information, on time delivery, quality costs, returned material, non-conformances. This could be communicated by access to the computer network, an information board, newsletters, or even process routers, checklists, and multifunctional meetings (see 6.2.2 d). The type and extent of the documentation will depend on the nature of the organization's products and processes, the degree of formality of communication systems and the level of communication skills within the organization and the organization culture.

    5.6: Management Review

    5.6.1: Management Review - General

    IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time registration/certification, a full round of Management Review meeting(s), including documented evidence of all required inputs and outputs, must be completed prior to the registration/certification audit (note: a full internal audit cycle must be completed prior to this review; see 8.2.2 Internal Audit). For multi-site/corporate certifications the review must include inputs (as appropriate) from each site (see the standard, 5.6.2 a-g). Normally, the review process is conducted at the headquarters location. Top management shall review the quality management system at planned intervals not only for continuing suitability and effectiveness, but also adequacy. Additionally, this review shall include assessing opportunities for improvement, the need for changes to the system, the quality policy, and quality objectives.

    These words are more prescriptive, which creates a more proactive expectation and approach to keeping the system current and useful and to maintaining improvement activities. The auditor cannot prescribe the intervals for reviews to occur, but can look for evidence that the frequency is sufficient to accomplish the requirements of the standard. Although the dictionary would suggest that "suitable" and "adequate" are the same, the standard seeks to distinguish between the adequacy of the system from a global perspective and the detailed suitability of the many processes that comprise the system.

    5.6.2: Management review input

    The auditor will expect to see documented evidence that the (7) required inputs are discussed during the review. Although a documented procedure for management review is not required, records of such reviews are required (see the standard, 5.6.1 General). The minimum (7) inputs are required in those records (see the standard, 5.6.2 a-g). Evidence of cross functional input is also expected, which means one person alone could do the review, but there would need to be evidence of multifunctional input in the evaluation of the system and its status and actions concluded.

    5.6.3: Management review output

    Output should focus on decisions and actions related to system improvement (5.6.3 a), product improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors expect to see that some documented conclusions have been developed. The output record must include evidence of action and progress for system improvement, customer requirements, and resource needs as it all relates to system health. It is important to note that a documented procedure may or may not exist. It should also be noted that formal meetings for review may or may not happen and the organization may still be compliant, such as when the review is accomplished in stages, by ongoing process review, or by circulated documentation covering the system incrementally.

    Element 6: Resource Management

    6.1: Provision of Resources

    The intent of this section is to ensure that adequate resources are provided to continually improve the effectiveness of the quality management system (6.1 a) and to enhance customer satisfaction by meeting customer requirements (6.1 b). The auditor would expect to see a process for evaluating and determining resource needs. This may be through management review, production planning, budget review, long range planning etc.

    The auditor should determine that process activities are not prevented by a lack of resources. Auditors may review instances where customer requirements were not met and determine if a lack, or insufficiency, of any resources was a causal factor in these instances. This requirement also ties to paragraphs 5.1 and 5.6.3, which address management's responsibility to determine and provide necessary resources. Additionally, any clear evidence of resource problems links directly to this section.

    6.2: Human Resources

    6.2.1: General

    The standard requires that personnel be competent. This could be demonstrated by a person being qualified. Competence may be based on appropriate education, training, skills, experience, and/or demonstrated performance.

    6.2.2: Competence, awareness and training

    The intent of this section is to ensure that suitably competent people are performing the activities as defined in the quality system. Evidence of the effectiveness of the training or other means of providing competent employees must be available. Employees must be aware of the impact that they have on the overall quality system. The auditor would expect employees to be able to verbalize how their job activities contribute to the achievement of the quality objectives.

    6.2.2 a) Determine the necessary competence - The emphasis of the requirement is on validating training and other activities aimed at ensuring employee competence. Identification of competency is essentially a precursor to identification of training needs. The organization should determine the knowledge and/or skills an employee would need to be considered competent, in its opinion, to perform a particular job. The company could then determine if the employee performing the job possesses that knowledge or skill and, if not, consider it a training need. Changes in the business and its environment may necessitate new competencies, which may not be available. Therefore the identification of competencies may need to be revisited. There is no requirement for any particular frequency of such re-review. Competency may be defined in a job description, position profile, or by any other method or associated documents such as specific instructions or procedures. Usually competency is determined during performance reviews; if the organization does not perform reviews of this nature, other methods for determining personnel competence would need to be defined and records verified.

    6.2.2 b) Provide training or take other actions - The requirement allows for options other than training to obtain competent personnel. Training includes all those activities where a learning opportunity needs to be satisfied. It may take a number of forms:

    Classroom style, tutor led training; Hands on experience training; Shadowing; Individual or group coaching; Mentoring; Briefings; Distance learning; Technology based training (CD ROMS, web based etc); Workshops.

    Organizations will choose whichever form best suits their needs at any particular moment. Other actions to bridge competence gaps might include:

    Recruitment; Outsourcing; Acquisitions; Use of experts and/or consultants; Documented procedures or work instructions.

    All such means are acceptable as long as an organization has ensured the availability of the competencies needed.

    6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuring that the training or other activity has produced the desired result. This requirement could be met in a variety of ways, including, but not limited to:

    Observation of personnel performing their duties; Written or oral exams; Assessment of employee in achieving learning objectives during the course of the training program; Audit of performance at work focusing, for example, on: Productivity; Reduction of rejects; Efficiency; Interviews with the persons; Annual appraisal; Performance reviews; Discussions; Evaluation of performance, quality or other indicators; Cost reviews; Customer satisfaction assessment (see 8.2.1).

    6.2.2 d) Ensure that its personnel are aware of the relevance and importance of their activities (perhaps by internal communication; see 5.5.3) and how they contribute to the achievement of the quality objectives - The requirement could be met in a variety of ways. Options include:

    Training; Memos, and/or meetings regarding the impact of various individual or departmental goals on quality objectives; Plant tours or briefings where an individual's work and goals are shown as an integral part of the larger processes; Cross functional teams working towards quality objectives and reporting their progress to their departments.

    Any activity that allows individuals to understand how their efforts affect quality objectives may satisfy this requirement. All personnel need to know the specific measurable objective(s) for the process that they work in; they should also know what organizational objective their process affects. They should be able to demonstrate that they know what the actual measurable is, their progress towards that goal, and what the plan is to achieve the goal. If they do not know the actual numbers, they should be able to communicate the topics of the measurable and know where the actual measurements are maintained or posted.

    6.2.2 e) Maintain appropriate records - The requirement expands record keeping requirements to include education, skills and experience, in addition to training, where appropriate. There is a great variety of ways to record and provide evidence of training, education, skills and experience. Records may include:

    Diplomas; Certificates; Training log; Annotations in shift logs; Toolbox meeting notes; Attendance lists; Resumes; Employment history; Test results.

    Such records may be filed in any location as long as the requirements of 4.2.4 are observed.

    6.3: Infrastructure

    It is the organization's management who determines the adequacy of the infrastructure provided by the organization. Auditors will seek objective evidence to demonstrate that the necessary infrastructure exists for the quality management system to be effectively implemented, for improvement of its effectiveness, and for fulfilment of customer requirements. The auditor would expect to see a process in place for maintenance of the building(s), equipment and any other supporting services. This is generally the responsibility of the maintenance and IT departments.

    6.4: Work Environment

    The organization must identify and manage all those factors of the work environment that are needed to supply a conforming product. These factors may include among others:

    Human Factors - Creative work methods; Opportunities for greater involvement of personnel; Safety rules and guidance; Ergonomics; Special facilities for people.

    Physical Factors - Heat; Noise; Light; Hygiene; Humidity; Cleanliness; Vibration; Pollution; Airflow.

    Different types of businesses and industry sectors may vary dramatically with regard to an acceptable work environment, so it is the organization's management who determines the adequacy of the work environment provided by the organization.

    For instance:

    A training provider may need to ensure the training area is adequately lighted and contains appropriate seating and visual aid capabilities.

    Some manufacturing facilities may require clean rooms or humidity-controlled areas.

    Companies handling items easily damaged by electrostatic discharge may require special flooring or equipment, and chemical storage areas may require special protective barriers.

    As an additional example, an employee might perform a particular function that requires repetitive wrist movements (i.e., tightening a screw). As the day wears on, it is possible that the overuse of the wrist could result in poorly torqued screws resulting in a possible quality defect. The company should identify such a situation and provide a means of eliminating the potential defect (i.e., air-driven screwdrivers). Evidence could consist of records of decreased quality defects and/or medical problems related to that activity.

    Element 7: Product Realization

    Exclusions/non-applicability can be claimed within element 7 only. Exclusion should only be taken for clause 7.3 Design and Development and must be fully justified in the quality manual. Other sections within element 7 may be claimed as "not applicable" or "not applicable at this time".

    7.1: Planning of product realization

    An organization needs to plan in advance for how it will manufacture its product or deliver its service. The plans need to take into account the product requirements and any quality objectives (7.1 a) that might be appropriate, resources and documents that may be necessary (7.1 b), what type of monitoring and/or inspection activities should be put in place to ensure the product or service will meet the requirements (7.1 c), and what types of records should be kept (7.1 d). While the sub-clause does not state that the output of this planning must be documented, it does state that it must be in a form suitable for the organization's method of operations.

    7.1 e) the identification of resources to support operation and maintenance of the product.

    BV Certification: The resources to support operation and maintenance of the product may include tech manuals, tooling, fixtures, lubricants, etc. This requirement is aimed at operational and maintenance organizations, not at manufacturing organizations. The intent is for the operational and maintenance organizations to positively identify the resources that they require to perform the operational and maintenance activities related to the product in the field.

    7.2: Customer Related Processes

    7.2.1: Determination of requirements related to the product

    This clause promotes an up-front determination of all requirements related to the product.

    This includes requirements for servicing which are now included as post-delivery activities, which implies anything that is provided after the customer has received the product (i.e. repair and/or warranty work, installation, maintenance, etc.).

    Specific to 7.2.1 (a)

    Post delivery activities may include among others: Product support; Servicing where applicable.

    Specific to 7.2.1 (b)

    Auditors should determine how the organization was proactive in evaluating if there were any additional requirements for the product's or service's intended use. If the organization determined there were not any additional requirements, this should be evident in associated records; if there were additional requirements, then evidence should be present of how they were addressed in the affected process, i.e. design, purchasing, manufacturing.

    The analogy that can be used here is a screwdriver: everyone knows the intended use of a screwdriver, to put in and take out screws. However, with a screwdriver there are requirements that are not stated but follow from how it is used: a screwdriver may be used to open paint cans or as a chisel or pry bar; magnetization might be an issue; and if it is used around electricity the handle should be nonconductive. None of these requirements might be stated by the customer, but the manufacturing organization would need to address these non-stated requirements for the screwdriver's intended use.

    Specific to 7.2.1 (c)

    The organization shall determine applicable statutory and regulatory requirements related to the product (i.e., taking these requirements into account when designing a product or service). This includes ensuring process control (i.e., ensuring that these requirements were met).

    Statutory requirements are those that are stipulated by local/national governments that form part of regional, national and international legislation.

    Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health & Safety Executive) and in the USA, the EPA (Environmental Protection Agency) are examples of these. These requirements are not necessarily part of national legislation.

    Compliance with regulatory requirements issued by national regulators (i.e. by The Rail Authority) may be mandatory for those organizations to which they apply if a statutory instrument requires so.

    Organizations are required to comply with a number of legal requirements to be allowed to operate. Management must be aware of the requirements that apply to its products, processes and activities and should include these requirements as part of the quality management system (ISO 9004:2000 5.2.3). The auditor must verify that these requirements are identified.

    Auditors have to be aware that, while national legislation may apply to product intended for the domestic market, in the case of export sales organizations will be required to consider the statutory and/or regulatory requirements in the target country that may apply to the product(s) supplied.

    Organizations are not required to maintain lists of applicable statutory and/or regulatory requirements, nor need they maintain copies of these documents except as required by clause 7.3.2(b). Organizations must ensure that they have adequate access to, or knowledge of, applicable statutory and regulatory requirements.

    7.2.2: Review of requirements related to the product

    The sub-clause mandates that the organization shall not issue a quotation or accept an order until it has been reviewed to ensure requirements are defined and the organization has the capability to meet the defined requirements. It goes on to require that records of the review and any subsequent actions be maintained. If the customer does not provide their requirements in writing (i.e., telephone call), the requirements must be confirmed before they are accepted. If the requirements are changed, all documents must be amended and relevant persons must be notified. A note is included that covers situations such as internet sales where a formal review of each order is impractical, stating, instead, that the review could cover the product information provided in catalogs and advertising material.

    d) risks (e.g. new technology, short delivery time scale) have been evaluated.

    BV Certification: The potential for risks exists in virtually every contract or order. The Standard mentions only two of the most obvious examples (i.e. new technology and short delivery time scales). Types of potential risks vary greatly depending upon contractual requirements, requirements of regulatory authorities, design responsibility, product requirements, safety and airworthiness considerations, production processes, operational constraints, business conditions / limitations, materials, procurement sources, outsourcing, etc. Just a few extreme examples that may pose risk include: potential labor strikes, facilities relocations or shutdowns, environmental or climatic factors, production capacity limitations, availability of materials, adequacy of procurement sources, absence of key personnel, outage of vital equipment, etc. To a reasonable and practical extent, any and all such potential risks should be identified and their impact evaluated before accepting the contract or order. Records of contract reviews should demonstrate / document some level of deliberate, thoughtful risk evaluation activity, delineation of identified risks (if any), and resultant actions taken to mitigate or eliminate the risks.

    7.2.3: Customer communication

    The organization must establish effective arrangements for providing the customer with product information (i.e., catalogs or advertising that adequately describe the product or service), means of handling inquiries and orders, and a method for handling customer comments (both compliments and complaints).

    There is no potential for excluding section 7.2, as every organization has external customers. Where an organization with a stand-alone QMS is part of a larger group or corporation, and is taking orders solely from a central Group or Corporate Sales Organization outside its certified scope and delivering them to a central Group or Corporate Distributor outside its certified scope, then the Sales and Distribution organizations are technically external customers, invoking 7.2 routines.

    7.3: Design and development

    This clause addresses product/service development as well as (conceptual) design, so organizations involved in product/service development will have to address some or all of section 7.3 of ISO 9001:2000.

    Many companies perform some enhancements or minor reconfiguration of mature designs, and are able to use the guidance of ISO 9004:2000 in order to address some or all of section 7.3 of ISO 9001:2000.

    Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO 9001:2000. Such organizations may have to introduce a comprehensive design system or process; however, they may have to address design and development as it is applicable to the organization. They may have to address some or all sections of 7.3 to the extent that they apply.

    Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support Package: Guidance on ISO 9001:2000 clause 1.2 'Application' provides excellent guidance and examples on this topic (http://www.bsi.org.uk/iso-tc176-sc2).

    7.3.1 Design and development planning

    Although the standard does not require a documented procedure, the design process needs to demonstrate how the process is controlled and planned. The organization, however, will need to provide some type of objective evidence as to what the planning activities include. This can be accomplished with the use of time-lines, Gantt charts or any other planning method such as Microsoft project manager. In addition, the auditor should see objective evidence of how the interfaces between other processes are managed, either through statements in associated procedures, process mapping, a matrix approach or in the time-line planning.

    - in respect of organization, task sequence, mandatory steps, significant stages and method of configuration control

    BV Certification: The organization is responsible for the identification of the design and development stages. AS9100 imposes some additional and specific clarification of the information required: which elements of the organization are involved, where in the task sequence the stages begin/terminate, significant stages and configuration control. These additional requirements may be recorded in formal project plans, Gantt charts, checklists or in similar documentation.

    Where appropriate, due to complexity, the organization shall give consideration to the following activities:

    - structuring the design effort into significant elements;
    - for each element, analyzing the tasks and the necessary resources for its design and development. This analysis shall consider an identified responsible person, design content, input data, planning constraints, and performance conditions. The input data specific to each element shall be reviewed to ensure consistency with requirements.

    BV Certification: Even though this section begins "where appropriate", all except the very smallest design and development projects will have defined stages, and the stages usually will contain multiple tasks. It is clear that the records need to demonstrate some level of planning. It is important that the process owners are identified and that the required technical personnel are indeed available to work on the project. Although not specifically required, a table of engineering manpower allocation (projects with associated engineering hours) would be helpful to ensure that sufficient technical manpower is available. It is important to note that there should be evidence of a review of input data to ensure consistency of requirements.

    The different design and development tasks to be carried out shall be defined according to specified safety or functional objectives of the product in accordance with customer and/or regulatory authority requirements.

    BV Certification: This is a check at the planning stage to ensure that the design and development activity actually will address all customer and regulatory requirements. The auditor will expect to see evidence of this check. Refer also to Interpretation for section 4.2.1f, above, for a discussion of regulatory requirements.

    7.3.2 Design and development inputs

    The auditor will need to review evidence that the inputs (7.3.2 a-d) have been addressed based on the nature of the product being produced, that they have been reviewed for adequacy and that records are maintained of the activity.

    7.3.3 Design and development outputs

    The auditor should expect to see objective evidence that the outputs (7.3.3 a-d) have been verified against the design inputs. This can be accomplished by reviewing documents, plans, etc., by interfacing with the customer or internal processes, and by comparison with past proven designs.

    e) identify key characteristics, when applicable, in accordance with design or contract requirements.

    BV Certification: As noted in Definitions (section 3, above), key characteristics may be identified by the customer (and/or regulatory authorities), as well as by the organization. Once key characteristics have been identified, usually at the Planning and/or Design and Development (D&D) Input stage, they must be then addressed also as part of D&D Output. The organization must show that the developed product specifically satisfies the input requirements for key characteristics.

    All pertinent data required to allow the product to be identified, manufactured, inspected, used and maintained shall be defined by the organization; for example:

    - drawings, part lists, specifications;
    - a listing of those drawings, part lists, and specifications necessary to define the configuration and the design features of the product;
    - information on material, processes, type of manufacturing and assembly of the product necessary to ensure the conformity of the product.

    BV Certification: The standard is clear; all documentation relating to the developed product must be identified as part of the D&D output. These may be included in a summary report or as part of a design review.

    7.3.4 Design and development reviews

    Reviews shall be conducted in accordance with the time line or plan established at the beginning of the design activity. Reviews shall show evidence that all activities required in each phase of the design have been addressed or adjustments made. Records should show who attended the reviews, that all concerned parties were present, and that all actions were satisfied before proceeding forward with the design process.

    c) to authorize progression to the next stage.

    BV Certification: Design and development (D&D) reviews may vary in terms of purpose, frequency, complexity, formality, attendance and associated output documentation / review records. Regardless, there must be clearly documented evidence that an authorized individual(s) has reviewed the results / progress / status of each prescribed D&D stage / activity. Before the D&D plan can proceed to the next stage a responsible/authorized person (or personnel) must provide documented, objective evidence of progression approval (signatures being preferred). Progression authorization may appear as a specific signoff on a review checklist, in review minutes, in evaluation reports, on D&D plans, timeline charts, etc. An undocumented, passive agreement or consensus of opinion will not sufficiently meet the intent of this requirement.

    7.3.5 Design and development verification

    Design verification basically means that the product can be produced as designed and that output meets the intended inputs. Additionally it should show that the organization has the capability to produce the product with existing equipment and has the personnel competencies or has the ability to train or subcontract the required capabilities.

    NOTE: Design and/or development verification may include activities such as:

    - performing alternative calculations,
    - comparing the new design with a similar proven design, if available,
    - undertaking tests and demonstrations, and
    - reviewing the design stage documents before release.

    BV Certification: No interpretation necessary.

    7.3.6 Design and development validation

    Validation has to ensure capability of meeting intended use where known as well as specified requirements, and has to be completed prior to delivery and implementation wherever practicable (typically as a prototype or first article). In most cases organizations can't rely on the customer to perform the validation; the lack of a negative response from the customer does not meet the intent of this clause. The organization should have records that the product designed will meet defined user needs prior to delivery of the product to the customer. Methods of validation could include simulation techniques, prototype build and evaluation, comparison to similar proven designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation activity should be planned and executed, with records maintained as defined in the planning activity in 7.3.1.

    NOTES:

    - Design and/or development validation follows successful design and/or development verification.
    - Validation is normally performed under defined operating conditions.
    - Validation is normally performed on the final product, but may be necessary in earlier stages prior to product completion.
    - Multiple validations may be performed if there are different intended uses.

    BV Certification: No interpretation necessary.

    7.3.6.1 Documentation of Design and/or Development Verification and Validation: At the completion of design and/or development, the organization shall ensure that reports, calculations, test results, etc., demonstrate that the product definition meets the specification requirements for all identified operational conditions.

    BV Certification: This is an added check to ensure, at the conclusion of the D&D effort, that the documentation and supporting data generated during the design and subsequent verification/validation do in fact meet all the input requirements. This clause supports the conclusions that should have been reached at Design Review. The auditor would expect to see evidence that verification and validation satisfy the input requirements.

    7.3.6.2 Design and/or Development Verification and Validation Testing: Where tests are necessary for verification and validation, these tests shall be planned, controlled, reviewed, and documented to ensure and prove the following:

    a) test plans or specifications identify the product being tested and the resources being used, define test objectives and conditions, parameters to be recorded, and relevant acceptance criteria;
    b) test procedures describe the method of operation, the performance of the test, and the recording of the results;
    c) the correct configuration standard of the product is submitted for the test;
    d) the requirements of the test plan and the test procedures are observed;
    e) the acceptance criteria are met.

    BV Certification: When testing is used to support verification and validation, the test results must meet the requirements presented in this clause.

    7.3.7 Design and development changes

    Design and development changes (after the original verification and validation) have to be verified and validated as appropriate (as well as reviewed) and to include evaluation of the effect of changes on constituent parts and products already delivered. If the organization chooses not to perform re-verification and re-validation on every design change, then the auditor should expect to see some very well defined criteria as to when the activity needs to occur. This includes any changes that do not affect fit, form or function.

    The organization's change control process shall provide for customer and/or regulatory authority approval of changes, when required by contract or regulatory requirement.

    BV Certification: The degree and type of the D&D change will often dictate the degree of approval required. Other conditions for approval will be defined by the customer and/or regulatory agency. Additionally, the organization may add to (but not contradict) details. Approval may range from mere notification, to distributing approved copies, up to and including formal approval by the customer / agency prior to implementation of the change. Documents typically subject to this requirement include pre-approved drawings. The BV Certification auditor will seek documented, objective evidence that such coordination has taken place (as appropriate) and as prescribed in the organization's documented procedure.

    7.4: Purchasing

    7.4.1 Purchasing Process

    It would be extremely uncommon for purchasing to be excluded from the quality management system (i.e., perhaps applying to such situations as small consultancies using no subcontractors, and using proprietary office materials and equipment that do not directly impact on product or service performance but not to many other situations).

    Where procurement is centrally controlled by a corporate procurement organization outside the scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4 in its entirety. The audited organization is certainly responsible for providing purchasing information (7.4.2) to the corporate procurement organization, and for verification of purchased product (7.4.3) and perhaps participating in the re-evaluation process. In the event that a corporate office or other entity, outside the scope of registration, performs any sections of purchasing, this shall be considered an outsourced process per requirements identified in section 4.1. Bureau Veritas Certification auditors would expect to see a documented agreement in place (i.e. an Interface Agreement) between the organization and the supplier. The auditor will expect to see that a process is in place for evaluating and selecting suppliers, as well as a process for ongoing re-evaluation of suppliers. While a written procedure for purchasing is not required, records of evaluation and actions arising from the evaluation are required to be maintained.

    The organization shall be responsible for the quality of all products purchased from suppliers, including customer-designated sources.

    BV Certification: In the context of this and other requirements of the Standard, product includes parts, materials, process services, etc. It is readily apparent that an organization is ultimately responsible for the quality of product purchased from its own suppliers / subcontractors. This requirement extends the scope of the organization's responsibility to include that for product purchased from customer-approved and/or customer-designated sources. The type and extent of control exercised over customer-designated or customer-approved sources may be justifiably different than that exercised over sources chosen / approved by the organization themselves. Regardless, customer-approval and/or customer-designation of sources does not relieve the organization of the responsibility to procure conforming product.

    The organization shall a) maintain a register of approved suppliers that includes the scope of the approval.

    BV Certification: A register could be in most any format and media: hardcopy, electronic, a paper listing, an electronic file as part of a procurement software program, or even a manual card file. The register must be a complete, finite compilation of all approved suppliers / vendors / subcontractors, including those that are customer-designated / approved. The register must include sources that provide goods, products and services that relate to the organization's products, processes and quality management system. Compiling the register(s) is a relatively simple and direct task. The second part of this requirement, ". . . that includes the scope of the approval", involves more thought. The scope of approval should describe the extent (or limitation) on what the source can (or can't) provide or perform. The description of the scope can be narrative or coded. Some examples:

    - Acme Machining: conventional metal machining except for chemical milling and wire EDM.
    - Acme Hardware Distributors: all metal, mechanical fasteners except for rivets.
    - Acme Metal Distributors: all ferrous and non-ferrous metals except for titanium and inconel.
    - Acme Heat Treating: heat treating processes.

    b) periodically review supplier performance; records [results] of these reviews shall be used as the basis for establishing the level of controls to be implemented.

    BV Certification: The periodicity of supplier performance reviews may vary across the organization's supply base. That is, all suppliers may not have the same review frequency. Also, the type and extent / scrutiny of the review may vary from one supplier to another. These performance reviews should be planned and meaningful, often involving cross-functional involvement (i.e. Quality, Purchasing, Manufacturing, Engineering). The reviews must be based on factual input data. Recorded results are to be used to determine ongoing / future levels of control over the supplier. Favorable performance results might justify relaxing / reducing the type/extent of control, while unfavorable results would suggest the need to tighten up on the supplier.

    c) define the necessary actions to take when dealing with suppliers that do not meet requirements.

    BV Certification: This requirement relates closely to the requirement above (7.4.1 b) regarding supplier performance reviews. Conditions / events that indicate that a supplier is not meeting requirements might include: poor results from performance reviews, occurrences and repetition of nonconformances, corrective action inadequacy and lateness, incoming inspection failures, untimely delivery performance, etc. The organization needs to define / describe specific actions they will take if the supplier is not meeting expectations / requirements. This usually includes an escalation process beginning with simple documented notification, followed by corrective action requests, then possibly special on-site audits and increased controls up to and including re