That said there is generally some truth in the concern over the value of procedures. Regulated industries usually learn quickly that procedures are essential. Without them (including ensuring they are accurate) the regulatory authorities have concerns about how effective the organization is. When they are found inaccurate the authorities rightly question whether the organization has effective control.

The truth is that procedures are a poor form of control to make a process operate the way you want it to. They do a good job of defining it (so long as they are written well) but if you want something to happen you need to implement controls into the process. Controls come in many types and forms and some are more effective than others. Think of controls as those things along the way that keep things consistent and ensure we end up where we want to. When things don’t go right we need to put in place more controls. Often when things go wrong its because of the humans involved and the subsequent human error – whether it is “forgot”, a mistake, or even “too lazy.” While there are arguments that we have poorly trained or motivated humans in the process (and they may be valid root causes), the truth is that it is the humans who often cause the variation in our organizations management processes. From this it is possible to see that training is a control that we apply to a process but that it is not always as reliable as we would like. We could strengthen that control by defining repeated, regular (say annual) training so that it is hard to forget. Of course training is a process too and so there needs to be a mechanism – a control, that ensures the process is effective.

Common forms of control are forms (to ensure information is captured consistently ….and that forces behavior by requesting data), checklists (which are a form of procedure in their own right), templates, software, etc. It is possible to perceive how tooling is a form of control and even signs posted in an organization.
The better controls are the ones that cause behavior to be consistent and so it often captures data too – such as forms, checklists and many types of software. Signs may change behavior – they may not. But if you have to capture information on a form, then consistent behavior should ensue (of course it doesn’t always).
It is things like this that cause people to operate processes effectively. When you determine there are problems (perhaps a tangible nonconformance from an audit) you could/should look for solutions that include effective controls. Without them you may just be hoping that the problem doesn’t re-occur.

There is obviously more to it than this but the solution is a balance between all of the options. Well written, meaningful and optimal procedures, detailed work instructions, photo samples, product examples, forms, templates, software, etc. The exact balance – that’s up to you.

Cavendish Scott, Inc. helps organizations review their processes and where appropriate challenges the controls that exist. We document procedures that meet ISO requirements without changing what you do if the controls demonstrate conformance and suggest sensible alternatives where changes need to be made. Click here to ask for help.

Free e-Book: How to Avoid Famous Mistakes With ISO 9001

Want to avoid some of the most common auditing mistakes for ISO 9001? Get our free e-book on common ISO mistakes and how to avoid them.

Download Now

The main reason you should consider a lead auditor class is that it’s the best ISO training that you can easily get. There simply isn’t any other type of ISO training that is publicly available that provides such in-depth coverage of the ISO subject matter.  You won’t be an expert at the end of it but your level of understanding will soar.  Accredited courses cover the standard in some detail (interpretation, application, auditing), discuss how to audit (and be audited — including planning, documentation review, scheduling auditing technique, writing and arguing findings and report writing) and how to address findings — corrective and preventive action.  During most courses there is discussion about consulting, good and bad auditing techniques and how to get through an audit (without actually cheating).  The exposure to the content, the opportunity to discuss your specific issues with experts, and to interact with like-minded attendees with different experiences, ideas and situations will make your ISO project go much more smoothly, will give you ideas to improve your existing ISO system and, of course, it will show you what needs to be done for a decent audit.  Yes you can cut corners but don’t expect the results if you don’t commit to the right level of training.

However, there is actually no requirement in ISO for anyone to go through lead auditor training.  An organization is merely required to conduct audits by competent auditors (and lead auditor training is a good way of getting there).  There is no requirement for any type of qualification in ISO.  Many organizations impose this “lead auditor” requirement by defining the training requirements for their auditors (they must pass a lead auditor class) and then giving this title to the main auditor (or auditors) in the organization.  If you take the course and pass you do have a certificate.  And its about lead auditing.  So surely you can call yourself a certified lead auditor?  Seems reasonable.  No argument here.

One major advantage of accredited lead auditor classes is that they are accredited.  This doesn’t mean that there aren’t bad courses out there.  We have all suffered death by powerpoint and lead auditor courses are notorious for it.  300+ slides and a huge role-playing case study throughout.  But accreditation means that essential curriculum is covered, and that controls are in place for its quality.  This is not true of unaccredited training classes where there is simply NO oversight.

Yes it is possible to design a better class without the restrictions of accreditation.  A better class would be customized to your company, use your documentation in exercises and perform an audit on your location.  But if you are one person looking for a public class, then accredited is the way to go.  What’s more is that organizations who provide accredited training are required to have management systems in place.  When they provide customized and unaccredited training (because it is possible to — after all, we provide customized unaccredited training) then that training is provided by an organization that understands how to deliver training effectively and has demonstrated that through accreditation.  Without accreditation you have nothing to fall back on if it’s not as you would expect.

When considering customized in-house training, training provided by an accredited training organization does have some assurances that non-accredited organizations don’t provide.  Ask how many slides the training course has.  Avoid the Powerpoint boredom.

Cavendish Scott is an IRCA accredited training organization and offers a public ISO 9001 Lead Auditor training class.  We have about 25 powerpoint slides — the rest is exercises, quizzes, role-play and a live audit.  This class is ideal for ISO project managers, ISO coordinators and people running an ISO system, people at the management level, and of course, ISO auditors.  We customize this course when we provide it on-site so that it is relevant and meaningful to the organizations management system.  We have presentations from in-house management, use the organization’s documentation in exercises, and we perform a witnessed audit on the organizations processes.  We can present versions with ISO 9001, ISO 13485, AS9100, ISO 14001, ISO 27001 and can customize combinations of different standards.

Click here for more information about Cavendish Scott training.

Want to avoid some of the most common auditing mistakes for ISO 9001? Get our free e-book on common ISO mistakes and how to avoid them.

Download Now

— JM, Management, Oil Industry Machine Shop, Colorado

Thanks again,

 — Director, Nuclear Services and Products Organization

Free e-Book: Upgrading to ISO 13485 From ISO 9001

Want to know why you should upgrade your ISO? Get our free e-book on making the transition from ISO 9001 to ISO 13485.

She kindly allows us to display her presentation.  With her agreement we have modified the content to remove background and benefit information about Platinum Registration. The presentation covers many of the differences between ISO 13485 and ISO 9001  but read below for more information about some of the issues which have to be considered.  You can see the presentation here: Upgrading to ISO 13485.

Organizations who are already registered to ISO 9001 are often interested in migrating to industry specific versions of the standard.  These include TS16949 (for the Automotive Industry), AS9100 (for the Aerospace Industry) and ISO 13485 (for the Medical Device Manufacturing Industry).  In some instances, customers are insisting on conformance and in others, organizations want the marketing advantage to break into or extend their involvement in the industry.

These versions enhance the requirements of ISO 9001 by adding additional requirements that must be built into the management system and implemented – with evidence, to demonstrate conformance to an auditor.

This presentation looks at the differences that exist between ISO 9001 and ISO 13485 but the principle is the same with the other standards.

With ISO 13485 the scope of the management system is very important.  ISO 13485 is used by the medical device regulatory agencies in Europe, Canada, Australia and Japan (among others) and has been accepted by a global harmonization task force which is supported by the US.  At this time, the FDA does not use ISO 13485 and thus steps must be taken to address their requirements (CFR 21 Pt 820) if it is also applicable.  For many higher risk devices, agencies require that this standard is implemented before they will allow the marketing of the medical device.

But these rules typically only apply to the device manufacturer.  Many contractors seeking ISO 13485 do not manufacture the actual device.  And even if they did manufacture a complete device, they would only have a secondary responsibility for meeting the regulatory requirements (including ISO 13485) unless it was their name on the label as the owner of the device.  More frequently a contractor is producing parts for the medical device company who might finally assemble and sell the device.  It is they who are subject to the regulatory requirements and they want an easy life justifying how some of their parts are made to their regulators.  Thus they are keen on the contractor registering to ISO 13485.

ISO 13485 contains a number of requirements that are applicable only to the device manufacturer.  For instance, the collection of post-market intelligence.  Being registered to ISO 13485 implies that you have the ability to collect post market intelligence about the medical device.  However, a contractor might not even know what device their part is used in.  In some situations the contractor cannot exclude these requirements (like for instance they might be able to exclude the requirement for the control of sterilization) and must be able to demonstrate an ability to do something that they will never have any use to do.

The contractor needs to think carefully about what they want their management system to cover (i.e. the scope) and make this clear to the chosen registrar and their auditor so that no surprises occur.  These things are not always spelled out in the standards and highlight the reason why experienced help is essential in order to achieve success.

Other differences and additions to the standard are much clearer and simply require updating or new documented procedures and the implementation of simple processes or training.  So long as the interpretation is understood (and it is not always clear) then this is a straight forward process that just takes time and resources.

All management systems require internal auditing.  Done well internal audits bring benefits by protecting against issues before they are found by the registrar, highlighting opportunities (and waste) and giving confidence in the effectiveness of the management system.  When upgrading to a new standard an internal audit needs to be conducted.  This will ensure you haven’t missed anything and show conformance to the new standard has been achieved.  Technically it is possible to audit only the changes but if this not done well, a registrar should reject the audit as ineffective.  Bearing in mind that an internal audit would be necessary anyway, a slightly enhanced audit for the new standard is just a little more effort than normal.

Cavendish Scott, Inc. has been consulting, training and auditing on the implementation of ISO 9001 and industry specific standards for 25 years.  Upgrading an existing ISO system to meet an additional standard is something we are frequently asked to assist with.  Typically we review documentation, make adjustments to existing documents and write new procedures, support with the training, understanding and implementation of new processes and changes.  We then conduct internal audits (which usually have to be completed anyway) at a slightly enhanced level to prove conformance with the additional standard – and guarantee successful registration.  For more information tell us a little about what you want to achieve by clicking here.

Click here for the presentation:
http://www.cavendishscott.com/articles-info/articles/wp-content/uploads/2010/06/ISO-13485-v-ISO-9001-060310.pdf

Free e-Book: Upgrading to ISO 13485 From ISO 9001

Want to know why you should upgrade your ISO? Get our free e-book on making the transition from ISO 9001 to ISO 13485.

The IAQG mandated training was announced on May 1.  The training mandatory for any professional auditor to upgrade from Rev B to Rev C.  Before they can conduct registrar audits they must take and pass the training.  Then they must reapply to the RABQSA to upgrade their registration status so they can be formally recognized as Rev C auditors.  For new auditors, the content of this training will have to be integrated into the “normal” lead auditor training.

This training is also important for organizations upgrading to Rev C.  Not that they should attend the training but they should be aware of what auditors are being told.  It is likely this training will tell them where to focus, and how aggressive to be.  It is essential that you don’t upgrade your system to Rev C without knowing how and what will be audited.  Unfortunately the training content is still not available.  While some training courses have been presented, there is still no public information on content at this time.  We’ll bring you this final piece of the puzzle as soon as more information is available.

The training is substantial.  There is an 8 our on-line module (which can be avoided if you pass the exam at the beginning) and then 4 days in class training.  Also the training is very expensive – about $4000 for the training itself, then add travel and accommodation, loss of work revenue and re-registration fees.  For most auditors this will represent about $10,000.  There is a good chance that some auditors simply wont do this and thus availability of Rev C auditors will become even more difficult.

Cavendish Scott, Inc. has analyzed the changes from Rev B to Rev C and identified the best solutions for different situations.  We have also designed solutions to address the issues introduced in AS9101D.  While these changes are simple in some area, it is likely to be the most rigorously audited and if you have not fully addressed everything there is a significant chance of you losing your registration for a year.   With our approach Cavendish Scott, Inc. guarantees that you will maintain your registration. Here are more details or contact us if you have any specific questions.

Process approach. Many organizations wanted ISO for cheap.  They implemented a documented system that basically copied the standard.  It was quick.  It was easy.  But it wasn’t particularly useful.  It didn’t describe what actually went on in the organization and never helped with understanding how the organization worked.  It didn’t help with improvement but it did take maintenance to make sure it was working.  It was often bureaucratic, difficult to follow and was managed separately to how the organization was actually run.  Finally someone is pushing the process approach.  If your documents were written around the structure of the ISO standard then you are not demonstrating a process approach.  Ideally you should re-write you system in a process based manner.  If you don’t then you need a good way to demonstrate that you fully understand and use your system in a process based manner.  This should be a tangible response to be able to demonstrate it to an auditor.

Process Based Auditing. Registrars are mandated to audit in a process based manner.  Six audit approaches have been included in the standard are although registrars are free to audit in any manner they want, it is likely that they will opt to simply follow these approaches.  While it might not change the way you design your system, you should at least ensure you change the way you conduct audits to fully prepare for your AS auditor.

PEAR. The Process Effectiveness Assessment Report.  Auditors are required to assess the effectiveness of your systems.  A low score results in a nonconformity including a major nonconformity.  Although this is not a “requirement” contained in the AS standard, you are just as likely to lose your certificate (and new rules mean you could lose it for a year minimum) for missing this.  The scoring is applicable to key production and service provision processes.  The first thing you need Is a process (with supporting evidence) to identify which processes you are going to score and to justify those that you are not.  Although this is not your choice and your auditor may require a score for processes you have tried to exclude, you are likely to be more successful if you have a formal process with tangible evidence.  This is going to be a controversial area.  It is not difficult to perceive many organizations missing the issue (it is not in AS), complaining, appealing and even asking their customers to intervene.  It is going to be interesting.  By implementing a solution in advance, there is a good chance that your auditor will simply accept it.

AS9100C Checklist. While rumored that it would be cut out of the Rev D standard, it is still there.  This is a good thing for auditing as it ensures a thorough audit is completed.  Fundamentally nothing changed here but continue to expect a thorough and complete audit.

This standard provides us much more to think about than AS alone.  How its actually implemented is yet to be seen.  The IAQG mandatory training, which might resolve this is reviewed here.

Cavendish Scott, Inc. has analyzed the changes from Rev B to Rev C and identified the best solutions for different situations.  We have also designed solutions to address the issues introduced in AS9101D.  While these changes are simple in some area, it is likely to be the most rigorously audited and if you have not fully addressed everything there is a significant chance of you losing your registration for a year.  With our approach Cavendish Scott, Inc. guarantees that you will maintain your registration.  Here are more details or contact us if you have any specific questions.

Their original schedule still remains intact.  Key milestones for this schedule are:

• Release of sanctioned (mandatory) auditor training – End of April 2010
• Once re-accredited for AS91ooC with trained auditors for AS9100C Certification Bodies are free to start updating clients to AS9100C.
• Until July 1, 2011 Certification Bodies can audit to either AS9100B or C.
• After July1, 2011 all audits must be to the AS9100C version of the standard.

As mentioned this schedule that was published in 2009 is still approximately accurate.  The additional information provided gives specific deadlines to accreditation agencies, auditor oversight bodies and training organization oversight bodies.   For example it requires the auditor oversight bodies to come up with a transition path for their auditor members to upgrade.

The auditor training material will be available at the end of April and it might take the training organizations say a month to train their trainers, incorporate the material and get themselves organized to be able to present the courses.  These training organizations must then be formally reviewed by the training oversight organizations.  Perhaps allow another month for this to take place.  Now auditors can formally access the training courses, pass the exam and submit their information to be included on the OASIS database (recognizing them as fully qualified AS auditors).  This might take another month.  Thus it may take until the end of July until auditors are trained and available.

Certification Bodies also need to be accredited to perform AS9100C audits.  This will involve them updating their management system and using trained auditors.  They can then be subject to an accreditation audit as the final step.  If then had been planning the upgrade well, their management system will already be modified and they will be attempting book their accreditation as soon as they have qualified auditors.  Lets allow just another month to do this.  In this scenario it might be the end of August 2010 before AS9100C upgrade audits can take place.

Obviously there are possible scenarios that might allow upgrades to take place sooner.  If the auditor training can be managed in May (and some may be)  and the Certification Body accreditation audit can take place in June, for instance.  However, there is a limited number of both training oversight auditors and accreditation auditors.   And whether it is booking a training class or and oversight/accreditation audit, flights are preferred with 2-3 weeks notice and these things just take time.

It is almost certain that Certification Bodies wont be able to upgrade ALL of their auditors for some time – perhaps until after the end of the year.  This will have an impact on your choice of when you upgrade.

If your audit (surveillance or reassessment) is after August 2011 (or even by the end of the year) you are unlikely to be allowed to upgrade until 2011 (and then you wont have a choice to not upgrade it being after July 2011).

You best choice is to contact your Certification Body and attempt to firm up your upgrade audit date.  They are unlikely to know until more experience of the training is gained but your persistence is important.  Similarly you MUST plan your system upgrade.  It is essential you account for the changes that AS9100D will bring (in particular the PEAR effectiveness review process) and unless you are certain of your upgrade timing you might consider adding the AS9100C changes without removing AS9100B aspects – yet!  This will mean you are ready for any date that your Certification Body might give you and you will be certain of passing.

Cavendish Scott is providing upgrade consulting including document modification, new procedures, widespread integration of new elements (e.g., risk), PEAR, training and addressing AS9100B and C.  We are also providing AS9100C internal audits so that a successful upgrade can be guaranteed. Click here to find out more: AS9100C Upgrade

IAQG has stipulated that to upgrade an existing AS9100B management system to AS9100C can be conducted during a normal surveillance or reassessment audit.  Upgrades during surveillance will require an audit at reassessment levels (twice as long as a surveillance audit) and upgrade during reassessment will require an audit at initial assessment levels (33% more).

Further, while the audit duration tables for AS9100C remain basically the same as they are currently, the rules have been changed to state that the table only covers ON-SITE time.  In other words each audit is likely to grow by a day or so as certification bodies used to include off-site time in this calculation.

What this means is that as soon as AS9100C starts to become audited, AS auditors are going to have twice their normal workload.  It is extremely unlikely that certification bodies will have the capacity to take on any new AS audits as their customers push to upgrade as soon as they can so they can distinguish themselves to their customers.

If you are trying to obtain AS certification during 2010 you need to go for the B version and book your audit for no later than June/July.  If you can convince a Certification Body you will be ready for the C version then book your audit later in the year (more auditors will be qualified and it will be more likely) and get a very firm commitment from the Certification Body.  Good luck with that.

If you are currently AS9100B then make sure you contact your Certification Body and confirm your surveillance/reassessment audit.  Make sure you confirm this very strongly with your certification body.  Perhaps contact your auditor directly and confirm it.  Get their personal buy-in (making it more difficult for them to change it).  Maybe pay in advance.

Customers rarely inform you about their plans and Certification customers are no different.  If you were a Certification Body and a large, important customer phoned requesting an upgrade with a month or two notice you are unlikely to turn them down.  Auditors will be pulled off of other jobs to be able to get that job done.  Smaller organizations might be made to suffer – it is even possible that the Certification Body might simply drop smaller customers if they don”t have resources.

All of this will start about July/August/September time frame as auditors and Certification Bodies become qualified to conduct audits to AS9100C and its going to last a couple of years  (More on timing…).  Auditors might be tempted to switch Certification Bodies with promises of bigger fees.  Audit costs to clients will rise.

Of course there is really no way of telling how this will play out in the end.   The Certification Bodies don”t really know because nobody knows when everyone will want to upgrade and who else will want AS9100C audits.  The IAQG has allowed a couple of years to upgrade but that only reduces the increased workload to one and a half times as busy rather than twice as busy.

We can all hope that there are no scheduling problems but there is no downside to taking charge of this situation, informing your Certification Body of your upgrade plans, your expected upgrade audit date and firming up your audit for this year.

Cavendish Scott, Inc. is providing a standard upgrade consulting package including all modifications to all documents, integration of new requirements, new procedures and importantly a thorough pre-assessment/internal audit to make sure you will pass.  Guaranteed Success for a fixed price!  And your audits for 2010 are taken care of! Click here to find out more: AS9100C upgrade

Here is a summary of the key points and a link to the full review of this draft.

Process Approach — Strong emphasis on an understanding and use of a process approach by organizations.  If your documents are not process based you should perhaps worry.

Auditing Methodology — Strong emphasis on 6 specified methods of auditing which outline key issues which are “recommended” to be included in an audit.

More audit time needed — It is “expected” that the previously specified “total” audit time is now applied as “on-site” time.  Time will be added for off-site activities which are also about to increase.  AS9101D specifies lots of extra information needed prior to audits and additional information and activities during the audit which is going to ensure a thorough and effective audit – but also a longer and more intensive audit.

Objective Evidence Record (OER) — although there was talk about removing the laborious checklist that was previously mandated – it is still there in the current draft standard.  While this is potentially a barrier to process based auditing (which will cause much confusion to some auditors) it is the only way that anyone will be able to see that the auditor has done a good job of assuring every requirement of the standard has been audited.  Without this or an equivalent audits will simply fail.

Process Effectiveness Assessment Report (PEAR) — Auditors are now required to assess the effectiveness of processes in an organization.  Not all processes will be subject to this assessment but certainly all important ones.  This is an obvious need during an audit but this is going to be beyond the ability of many auditors who just audit to checklists.  The way to ensure you stay clear of problems is to do this on behalf of the auditor and make it indisputable.

Perhaps the final note to mention here is that there are rumors that AS9101D publication is delayed.  This wont cause a problem to the overall progress of AS9100C release and upgrading as the aforementioned sanctioned training is not expected to be “available” until April.  Unfortunately nobody really knows the timescales as the key milestones are dependent upon the results of committees voting.

Here is a more detailed description of what you might have to do and how your audit might be performed.

The Process Approach

The process approach has always been “out there” as a concept when developing management systems.  Cavendish Scott, Inc. has been using the process approach since 1985.  We didn’t call it that but it just made sense that the right way to build a management system was to structure it around the organization and not copy the requirements of a standard.  Unfortunately many organizations saw fit to base their management system on the standard, structuring it around the numbering and titles of the standard and not really describing their own processes.  Somehow this was satisfactory for the registrars.  In 2000, ISO tried to rectify this by describing the process approach.  Then they back-tracked declaring that although a process approach is contained within their model, they were not prescribing any method and that organizations already ISO registered would not need to rewrite their procedures.  Currently ISO is in decline (there are less certificates in the US than there were last year) and one of the reasons is that organizations saw little benefit – and so did their customers.  Part of the blame for this is that a system based around the requirements of a standard is difficult to maintain and is unlikely to yield benefits.  Further, registrars were reluctant to ask organizations to change – for fear of losing business and accreditation agencies too didn’t want to rock the boat.  Now for instance the accreditation agencies are getting tough on root cause/corrective actions despite the fact that this has been an issue since the original issue of the standard at in 1987.  However, the accreditation agencies still don’t press registrars to insist on a process approach.

Clearly the aerospace industry is not putting up with the inadequacies of the accreditation or registration processes.  AS9101D is their attempt to address the process model issue.   This is a direct quote from the draft.

n0.2 Auditing Approach

This standard supports the engagement and evaluation of an organization’s quality management system process approach, as required by the 9100-series standards. When evaluating an organization’s quality management system, there are basic questions that should be asked of every process, for example:

• Is the process identified and appropriately defined?
• Are responsibilities assigned?
• Are the processes implemented and maintained?
• Is the process effective in achieving the desired results?

This, the new auditing methodology (see details later) and requirements throughout the AS9101D standard are pressing for organizations to understand a process approach.  If your system is based on the standards requirements it does NOT demonstrate that you understand the process approach, implemented processes and process based control.  Given this it is hard to understand how an auditor will not generate nonconformances on the effectiveness of the system.  If there is no procedure (or flowchart or process diagram or something) describing your production process, for instance, then you have not met the 4.1 requirement to define your processes.  Whether nonconofrmances get generated remains to be seen.  Auditors have accepted poor process definitions for years.  Given that without good process definitions, measurement, objectives and improvement are not easy to achieve, these nonconformances are long overdue.

Auditing Methodology

This standard identifies 6 approaches that “CAN” be used to conduct audits.  The note following that statement implies that this is expected as a minimum.  This probably means that registrars cannot ignore the methods or they will get in trouble.  They will have to generate tools to help them ensure the audit utilizes these methods (as a minimum) and generates evidence to prove they have.  It is complicated to integrate these methods into the audit approach currently used which almost exclusively relies on the existing AS9100C checklist.  Consequently expect some registrars and/or auditors to simply do these methods/approaches in addition to the checklist.  Perhaps the mandated training will address integration of these methodologies with the checklist but even so it is a difficult concept.

The following extract includes the introduction to this Audit Methodology and then lists the he six methodologies by title and gives a brief (not verbatim) description including extracts.  Some of the methodologies include lengthy descriptions with many items listed.  Here they are summarized to give an example of what they are about.

4.1.2 Audit Methodology

The following approaches identify different audit methods that can be used, as appropriate, to conduct audits.

NOTE: The identified methods are not intended to be a complete listing, but represent a significant contribution for auditors to evaluate quality management system conformity and effectiveness. Use of these methods will help transition from clause based auditing and put focus on the actual processes, their effectiveness, and their ability to meet the quality objectives.

4.1.2.1 Customer Focus

“The audit team should assess whether customer satisfaction is adequately evaluated and appropriate actions are taken”.  “Customer feedback is a process and should be audited as a process” – these extracts from the section highlight where this audit methodology focuses.

4.1.2.2 Organizational Leadership

There should be an interview(s) with top management to evaluate the establishment of policy, objectives and about commitment. -  This is not the only place where an “interview with top management” is discussed.  It is hard to believe but perhaps some auditors have not been insisting on meeting top management.  It will be hard to avoid now.

4.1.2.3 Quality Management System Performance and Effectiveness

Methodology subjects include a review of the processes for complaints, internal audits, stakeholder feedback, nonconformances, preventive actions, management review meetings and performance to targets.  These subjects are going to be addressed in many other areas (the methodology does not say how they will be met).  The key will be to ensure they are linked where appropriate and evidence complete to demonstrate the methodology has not been ignored.

4.1.2.4 Process Management

“The audit team should conduct quality management system audits using a method that focuses on process performance and effectiveness; this ensures that priority is given to the following:

a) reviewing the organization’s processes, their sequence and interactions, and performance against requirements …..”

Also mentioned, the auditor is to look for defined measures with a focus on processes that directly impact the customer.

4.1.2.5 Process Performance and Effectiveness

Measurements that indicate or directly measure the effectiveness of processes.  The example quoted is KPI’s (Key Performance Indicators).  In truth ISO has always stressed the importance of this.

4.1.2.6 Continual Improvement

“The audit team should evaluate the organization’s interrelated processes and activities for continual improvement of the quality management system, its processes, their conformity, and effectiveness in order to:

• ensure focus on issues that are important to the organization, their customers”

Many other items are listed in the continual improvement methodology but this is where the focus is.  Note also that improvement is a process and not incidental and unrelated improvements that might have occurred.  And the focus is on things that are important.

More Information Required by Registrars

Before the audit, registrars must obtain more information in order to be able to “take into account” results of internal audits, performance measures, previous Management Review results and the proportion of aerospace (and defense) customers compared to total revenue.

All of this information must be obtained before the audit starts so that planning can be conducted appropriately.  Registrars will have to spend more time on this activity (and it will have an impact on their customer service, response and probably costs.

During the Stage 1 audit they are required to review risk assessment methods, customer satisfaction data, special processes, preventive programs e.g. FOD, in addition to everything that they normally cover in a stage one (e. g. internal audits).  Again more time and perhaps more cost (but this should assure audits that get to stage 2 are more successful).

Stage 2 Audits are required to include a review of all new [aerospace] customers, a review of customer satisfaction, special processes, continual improvement of the QMS and an interview with top Managemnet.

This is not particularly a significant increase over previous “expectations” although some additional effort will be required.

Process Efficiency Assessment Report (PEAR)

This requirement is new.  It is hoped that sanctioned training will include substantial training for auditors as judging the effectiveness of a process that you get to see for a matter of minutes (rarely hours) is quite a task.  However, the form that records the PEAR provides a simple approach and this is where well organized companies will address this issue before the audit and make the auditors life easy.  Choosing the right measures for effectiveness will be important.  Inappropriate measures are likely to be dismissed but measures that take too much effort may be unpopular.  The following extract outlines the importance of the PEAR.

“The results of effectiveness shall be recorded on the PEAR (see Appendix C) for each audited product realization process. The level of effectiveness for each process shall be recorded on the PEAR (statement of effectiveness level). If the level of effectiveness has been classified as a ‘2’ or a ‘1’, this shall result in a nonconformity being issued against 9100-series standards clauses 4.1.c and f (see clause 4.2.4).”

Note that if you are issued a PEAR with a level 3, it is a reasonable expectation that during the next audit, that process will be at a level 4.  “Appropriate” actions should ensure that.

The following is a listing of the key fields in the PEAR form.  At the bottom is the classification of the effectiveness level mentioned above.

Process Name:

Process details, including associated process interfaces:

Applicable 9100/9110/9120 clause(s):

Organization’s method for determining process effectiveness:

Auditor observations and comments supporting process effectiveness determination:

Statement of Effectiveness Level:

The process is:

1. Not implemented; planned results are not achieved.
2. Implemented; planned results are not achieved and appropriate actions not taken.
3. Implemented; planned results are not achieved, but appropriate actions being taken.
4. Implemented; planned results are achieved.

Objective Evidence Record

Although there were rumors that the checklist was going to be removed, it is still included in the current draft although in a different format.  This is a good thing – despite what many auditors claim.  Without this, there is insufficient evidence to demonstrate what was audited.  If any problems occur it would be impossible to follow up and see what the auditor looked at and possibly clear them of blame.  Registrars are allowed to have their own checklist so long as it meets the same intent.

Nonconformances

“Recurrence of the same or similar nonconformity found during consecutive audits at a particular site/location shall be considered as a failure of the corrective action process (see 9100-series standards clause 8.5.2) and shall result in a major nonconformity being issued”

Inadequate corrective action will no longer be tolerated in aerospace quality management systems.

Conclusion

Many of the issues introduced here represent a substantial change in auditing content and approach.  In many respects this is disappointing because what the standard is calling for is mainly good auditing practice by competent and capable auditors.  Auditors are witnessed and it is possible that many auditors will be prohibited to audit if they are unable to demonstrate best practice auditing.  This too is a good thing as an industry as important as the aerospace industry deserves good auditors to ensure effective quality and to drive improvement up and costs down.  That is not the case at the moment and this standard has the opportunity to make substantial, meaningful and beneficial change throughout the aerospace industry and the ISO industry in general.

Organizations will need to carefully prepare for AS9100C.  Not necessarily because the standard has changed much but because the auditing approach is getting more sophisticated and better.  This will represent some additional cost and effort for organizations but with the loss from the supplier base of those that didn’t do it, and the potential benefits that can be achieved with ISO/AS with the right focus, companies who put that effort in early are likely to reap the benefits.

Cavendish Scott, Inc. invests time and expertise in ensuring AS9100C consulting projects are successful.  We are professional about our understanding and design consulting approaches that guarantee success.  For more information about what we might do and how we might help you upgrade your AS system, contact us.