{{:articles:as9100-under_revision.png?nolink&600 |}}

====== First Thoughts ======

===== Culture =====

The proposed IA9100 includes the following language regarding "culture": \\
//§ Leadership – Clause 5.1.1.k – (NEW) ensuring goals and objectives intended to build a quality culture are consistent with policies, vision, mission, values, and the context of the organization (See clause 4.).// \\
AND \\
//§ Environment for the Operation of Processes – Clause 7.1.4 NOTE: d. – (NEW) culture (e.g., quality, ethical behavior, product and personnel safety, quality of work life).//

__My thoughts...__ \\
While sec. 5.1.1k is a requirement, I see this as nothing more than virtue signaling from IAQG; which will be highly subjective and effectively non-auditable. And the "Note" under sec. 7.1.4d is completely non-auditable.

__Conclusion:__ \\
No impact.

===== Ethics =====

//§ Leadership – Clause 5.1.1.l. – (New) promoting an ethical work environment – NOTE: For example, policy, expectations of conduct, periodic training and awareness, reporting channels, investigation, resolution of concerns, and ensuring no punitive action from reporting concerns) \\
§ Environment for the Operation of Processes – Clause 7.1.4 NOTE: d. – (NEW) culture (e.g., quality, ethical behavior, product and personnel safety, quality of work life).//

__My thoughts...__ \\
I see "//5.1.1.l. – promoting an ethical work environment//" as just more virtue signaling (and perhaps a weak CYA for the industry). I feel fairly confident in this because the current requirements relating to ethics (shown below) are typically ignored by the AS9100 auditors. \\
//§ Awareness – Clause 7.3 – the importance of ethical behavior \\
§ Information for External Providers – Clause 8.4.3 m.3. – the importance of ethical behavior.//

__Conclusion:__ \\
No impact.

===== Information Security and Data Protection (New) =====

§ 7.5.3.1 - Control of documented information (Enhanced) \\
When documented information is managed electronically, data protection processes shall be defined, implemented, and maintained (e.g., protection from loss, access control, off-site data management, unauthorized changes, unintended alteration, corruption). \\
AND \\
§ 7.1.7 - Information Security (New) \\
The organization shall plan, implement, and control information security to safeguard the QMS to achieve its intended results.

__My thoughts...__ \\
While some people in the Aerospace community are "losing their minds" that auditors will be mandating CMMC, that is NOT contained in either of these requirements. Also, notice that neither of these additions requires documented information. IMO, these additions are simply clarifications recognizing that we live in the 21st century.

__Conclusion:__ \\
Minimal impact.

===== 8.1.3 Product Safety (Enhanced) =====

//The organization shall plan, implement, and control the processes needed to assure product safety. These processes include, as appropriate: \\
a. identification of hazards, including reactive and proactive methods; \\
b. analysis, assessment, and control of safety risks associated with identified hazards (see 8.1.1); \\
c. identification and management of changes that may impact product safety; \\
d. assessment of the effectiveness of safety processes (see 9.1.3 and 10.1); \\
e. provision of training on product safety responsibilities to relevant personnel (see 7.2 and 7.3); \\
f. communication and awareness of product safety information, including safety-critical information, safety events, and changes to safety procedures, as applicable (see 7.3 and 7.4); \\
g. reporting of safety events to the customer, authorities, and type certificate holder in accordance with customer and regulatory requirements.//

__My thoughts...__ \\
I find this addition very interesting considering that I've __not__ gotten a consistent interpretation of what "Product Safety" is from any certification body (CB) Auditor. IAQG should have addressed this issue first. \\
For "Build-to-Print" machine shops, it's typically interpreted as "protection" of the product from damage (e.g., rust, gouges, scrapes). For "Design-Responsible" manufacturers, it typically involves ensuring that end users are protected from a defective or malfunctioning product. \\
Ultimately, even though a "Risk Register" is not required, I believe that auditors will effectively "mandate" them in order to have some objective evidence to examine. Also, I suspect that auditors will be examining "Training" records relating to "Product Safety".

__Conclusion:__ \\
Moderate impact.

===== 8.1.4 Prevention of Counterfeit Parts (Enhanced) =====

//The organization shall plan, implement, and control processes, appropriate to the organization and the product, for the prevention of counterfeit or suspect counterfeit part use and their inclusion in product(s) delivered to the customer. These processes shall include, as applicable: \\
a. training of appropriate persons in the awareness and prevention of counterfeit parts (e.g., personnel involved in procurement, receiving inspection, shipping inspection and material control); \\
b. application of a parts obsolescence monitoring program; \\
c. controls for acquiring externally provided product from original or authorized manufacturers, authorized distributors, or other approved sources; \\
d. requirements for assuring traceability of parts and components to their original or authorized manufacturers; \\
e. verification and test methodologies to detect counterfeit parts; \\
f. monitoring of counterfeit parts reporting from external sources; \\
g. segregation, containment and reporting of suspect or detected counterfeit parts.//

__My thoughts...__ \\
Provided that a company is effectively complying with "a", "c" & "d." (above), I don't think that very many of the above requirements will be "applicable" to the vast majority of IA9100 companies.

__Conclusion:__ \\
Minimal impact.

===== Sub-tier Control =====

//Clause 8.4.3.k.d. – (New) Determining the level of control of their direct and sub-tier external providers;//

__My thoughts...__ \\
This is simply an expansion of the current requirement in Clause 8.4.1: \\
//"The organization shall require that external providers apply appropriate controls to their direct and sub-tier external providers, to ensure that requirements are met."// \\
Since the AS9100 "Clarifications" document (i.e., official interpretations) has "clarified" that ALL of 8.4.3 must be either flowed down to suppliers OR excluded with justification, this is just one more thing for companies to add to the "Supplier Requirements".

__Conclusion:__ \\
Minimal impact.

===== Operational Planning and Control (Enhanced) =====

//8.1.k. – planning and implementing operations to prevent, detect and mitigate the risk of foreign objects and debris.//

__My thoughts...__ \\
All I can say about this "new" requirement is... what took them so long? Auditors have been looking for FOD control since day 1 of AS9100D. This "new" requirement is merely the formalization of an "implied" requirement. However, while not specifically required, I suspect that IA9100 auditors will "expect" to see risk mitigation actions identified in a "risk register"... and records reflecting that personnel have been trained and deemed competent in control of FOD.

__Conclusion:__ \\
Minimal impact.

===== Design and Development of Products and Services – Clause 8.3.2.1 – (Enhanced) =====

//"When appropriate, The organization shall divide the design and development effort into distinct activities __defining__ the tasks, necessary resources, responsibilities, design content, and inputs and outputs __for each activity__."//

__My thoughts...__ \\
The biggest change here is the removal of "When Appropriate" AND the inclusion of "for each activity". In my experience, the vast majority of AS9100 auditors are "generalists" (i.e., NOT Engineers) and typically do a poor job of auditing sec. 8.3. I doubt that very many AS9100 auditors are going to notice this subtle change.

__Conclusion:__ \\
Minimal impact.