AS9100 Under Revision – First thoughts

The proposed IA9100 includes the following language regarding “culture”:
§ Leadership – Clause 5.1.1.k – (NEW) ensuring goals and objectives intended to build a quality culture are consistent with policies, vision, mission, values, and the context of the organization (See clause 4.).”
AND
§ Environment for the Operation of Processes – Clause 7.1.4 NOTE: d. – (NEW) culture (e.g., quality, ethical behavior, product and personnel safety, quality of work life).

My thoughts…
While sec. 5.1.1k is a requirement, I see this as nothing more than virtue signaling from IAQG; which will be highly subjective and effectively non-auditable. And the “Note” under sec. 7.1.4d is completely non-auditable.

Conclusion:
No impact.

§ Leadership – Clause 5.1.1.l. – (New) promoting an ethical work environment – NOTE: For example, policy, expectations of conduct, periodic training and awareness, reporting channels, investigation, resolution of concerns, and ensuring no punitive action from reporting concerns)
§ Environment for the Operation of Processes – Clause 7.1.4 NOTE: d. – (NEW) culture (e.g., quality, ethical behavior, product and personnel safety, quality of work life).

My thoughts…
I see “5.1.1.l. – promoting an ethical work environment” as just more virtue signaling (and perhaps a weak CYA for the industry). I feel fairly confident in this because the current requirements relating to ethics (shown below) are typically ignored by the AS9100 auditors.

§ Awareness – Clause 7.3 – the importance of ethical behavior
§ Information for External Providers – Clause 8.4.3 m.3. – the importance of ethical behavior.

Conclusion:
No impact.

§ 7.5.3.1 - Control of documented information (Enhanced)
When documented information is managed electronically, data protection processes shall be defined implemented, and maintained (e.g., protection from loss, access control, off-site data management, unauthorized changes, unintended alteration, corruption).
AND
§ 7.1.7 - Information Security (New)
The organization shall plan, implement, and control information security to safeguard the QMS to achieve its intended results.

My thoughts…
While some people in the Aerospace community are “losing their minds” that auditors will be mandating CMMC, that is NOT contained in either of these requirements. Also, notice that neither of these additions requires documented information. IMO, these additions are simply clarifications recognizing that we live in the 21st century.

Conclusion:
Minimal impact.

The organization shall plan, implement, and control the processes needed to assure product safety. These processes include, as appropriate:
a. identification of hazards, including reactive and proactive methods;
b. analysis, assessment, and control of safety risks associated with identified hazards(see 8.1.1);
c. identification and management of changes that may impact product safety;
d. assessment of the effectiveness of safety processes (see 9.1.3 and 10.1);
e. provision of training on product safety responsibilities to relevant personnel (see 7.2 and 7.3);
f. communication and awareness of product safety information, including safety-critical information, safety events, and changes to safety procedures, as applicable (see 7.3 and 7.4);
g. reporting of safety events to the customer, authorities, and type certificate holder in accordance with customer and regulatory requirements.

My thoughts…
I find this addition very interesting considering that I've not gotten a consistent interpretation of what “Product Safety” is from any certification body (CB) Auditor. IAQG should have addressed this issue first.
For “Build-to-Print” machine shops, it's typically interpreted as “protection” of the product from damage (e.g., rust, gouges, scrapes). For “Design-Responsible” manufacturers, it typically involves ensuring that end users are protected from a defective or malfunctioning product.
Ultimately, even though a “Risk Register” is not required, I believe that auditors will effectively “mandate” them in order to have some objective evidence to examine. Also, I suspect that auditors will be examining “Training” records relating to “Product Safety”.

Conclusion:
Moderate impact.

The organization shall plan, implement, and control processes, appropriate to the organization and the product, for the prevention of counterfeit or suspect counterfeit part use and their inclusion in product(s) delivered to the customer. These processes shall include, as applicable:
a. training of appropriate persons in the awareness and prevention of counterfeit parts (e.g., personnel involved in procurement, receiving inspection, shipping inspection and material control);
b. application of a parts obsolescence monitoring program;
c. controls for acquiring externally provided product from original or authorized manufacturers, authorized distributors, or other approved sources;
d. requirements for assuring traceability of parts and components to their original or authorized manufacturers;
e. verification and test methodologies to detect counterfeit parts;
f. monitoring of counterfeit parts reporting from external sources;
g. segregation, containment and reporting of suspect or detected counterfeit parts.

My thoughts…
Provided that a company is effectively complying with “c” & “d.” (above), I don't think that very many of the above requirements will be “applicable” to the vast majority of IA9100 companies.

Conclusion:
Minimal impact.