Is there a better way to do a complete assessment of our QMS?

[AS9100Dbag]

First some context:

I have no quality management experience. I'm a lowly inspector who has been charged with significant responsibility for the last 8 or so months:, assisting our quality manager with assessing our QMS after our prior manager retired last year.

Spoiler

it sucks

I'm a smart dude and my boss trusts me to take it seriously and become capable, and he needs the help, but I am UTTERLY unqualified. My boss has no previous experience in his role, but he's been working in manufacturing for a long time and has a pretty good general idea about QMSs, but I don't believe he's been responsible for building/assessing/maintaining one. We're figuring it out largely on our own and I'm so grateful for the guidance you guys have been giving me for some time now.

I work in a small manufacturing company of about 30 employees. The QMS is obviously a mess to anyone that uses it or looks at it, even myself, but our manufacturing processes are mature and stable and well controlled. As such, our customer issues very few C.A.s, but we could probably make inroads in efficiency and cost, I think. There are significant holes in the way we meet some requirements, more importantly there's a tremendous opportunity to improve the things we don't do well. I've already consumed the 'process over requirements' Kool-Aid.

Even as a small company with one product line and one customer, we have more than 1800 controlled documents in our QMS. This does not include any drawings or spec documentation, merely guidelines, procedures, forms, work instructions etc. It is a straight-up fucking nightmare. We consistently do good work, but it's not in any way a result of an effective QMS.

We're not going to be bringing in consultants and the argument that we need implementation guidance for a certification we already have is moot. I have gone through a 5-day AS9100D lead auditor certification course, and I've read much AIQG and ISO guidance documentation, the ASQ ISO9001:2015 Explained book, and Craig Cochran's ISO in Plain English book. The two of us ARE going to be doing this on our own. That's great for me, personally, but it's a daunting task.

We began by defining processes and interactions. Now that we've properly conceptualized our company's processes I have to assess them and the way in which we support them with documentation. We have to figure out what our own process requirements are, then develop an audit program, audit, and then start cleaning up the mess.

I have gone through the standard and color-code highlighted all "shall" statements categorizing them into 4 types: things we need to think about, things we need to do, management specific responsibilities, and documentation requirements. Thereafter, I've begun to look at a process, Product Design for instance, and then go through the standard, requirement by requirement and see if it applies. I then note the clause and verbiage in a correspondingly color-coded process assessment (proto-audit) document. Effectively, I'm creating documents for myself that mimic the AS9101 Form 2: QMS Process Matrix Report from our last audit, but instead of a "C" or "NC" bubble, I transcribe the detail of the clause verbiage and notes specific to our process in order to define which standard requirements are applicable to that process. I'm going to do this for all of our core processes. I'll then repeat this exercise with regard to NADCAP, our customer's Supplier Quality Manual, and any regulatory standards by which we're bound. Then we'll begin looking at our onerous pile of documentation, probably having to do a half-assed internal audit in there before our CB audit in October, because the getting our arms around our documentation (I told you there are 1800 controlled QMS docs?) and then developing a legit audit program is a long haul type of project.

Now onto the questions:

Is there a better way for me to be identifying the requirements of our processes while maintaining a holistic yet granular approach to assessing this bloated and inefficient monstrosity of ours, and also accommodating my own baseline experience and knowledge deficits? Is there a better way for me to discern what applies to which process, and to not miss anything?

How would I go about determining if there's some regulation by which we're bound that we haven't identified? How one could possibly ever determine if they're compliant with the whole of federal, military, and international aerospace regulations I have no idea. Like the massive tax code, that you can't possibly comply is probably at least part of the point.

What am I not thinking about in tearing our QMS down to the frame and rebuilding it?

 

[thermal duc]

I will preface this by stating that i am by no means an expert on AS9100 but I'm in a similar situation. I work in a company that has less than 50 employees. we have well established processes, and well established quality control and glowing reviews from all of our customers. But we are not yet AS9100, and at a customers requirement we are working on shifting our system to be AS9100, for the most part this means writing a little more stuff down as about 95% of the specification was already being done. That being said, here are my thoughts.

How many of the 1800 "controlled" documents are checked and updated annually or bi-annually? Its an opinion, but if a document is considered to be controlled a bi-annual check and/or update is about the minimum maintenance needed. In the same thought how many of the 1800 are forms and work instructions? Its an opinion again but work instructions and forms that are not directly related to the QMS aren't really "QMS documents". They can be documented and or retained information that supports your QMS, but they are operational documents that are used either way it sounds like a nightmare.

We began by defining processes and interactions. Now that we've properly conceptualized our company's processes I have to assess them and the way in which we support them with documentation. We have to figure out what our own process requirements are, then develop an audit program, audit, and then start cleaning up the mess.

What processes have you defined?
Your approach seems reasonable and correct, if your processes are currently operating well then there isn't a need to make major changes to them right now. I would try to get your AS9100 system fully set up before you start making changes to your processes.

Now on to the rest of your post. QMS is not regulatory compliance. QMS is not NADCAP, and QMS is not your customers documents. You NEED to have systems in place that handle those things but they are not a part of your QMS, they are either minimums to operate your business, or minimums to meet your customers needs. if you aren't doing those things already then that needs to be done immediately. Your QMS should include a statement that you are compliant with the required regulations and customer specifications, and that should be a true statement. your QMS should not say we are certified to MIL-xyz BAC-qkd AMS-pfd etc. customer and regulatory requirements change and should be maintained elsewhere, your QMS should have a contract review process outlined, and part of that process is making sure that you meet the required specs for each contract.

I don't know if the way you are going about understand the spec is the best way but it is exactly what I did. Great minds think alike, but fools rarely differ. We made the mistake of hiring a consultant to the tune of 1500$ who was absolutely useless, gave us blatantly incorrect and highly opinionated information and a canned manual that was basically a copy of the spec from a different company he had worked with. There are certainly good consultants out there, but I think your decision to get trained and go it alone is a valid one.

Your QMS is the framework by which your business ensures and improves quality. AS9100 really doesn't have a whole lot in it that isn't basic business sense. I would suggest taking the specification and auditor guidance and going line by line and asking your self "Do we do this? If so how, and how can we prove it? and if not, How can we add this?"

Then write your quality manual, You can find tons of examples online as many AS9100 orgs post their manuals on their website. A LOT of these are essentially the specification with changes in the wording, Shall to will, has or does for example. These manuals are pretty much garbage in my opinion, certain places you should copy the spec, there are some lists in AS9100 where there is no other way to say "we will do this list of things", but try to rewrite every section as it applies to your business. This is your QMS not mine, not your auditor's, not your CB's. There are things you have to include but ultimately this should about your businesses needs and should work for you not against you.

While you are writing the above you will notice things you aren't doing that you need to be doing, or at the very least things that you aren't writing down that the spec requites you to write down, note these and come back to them. Once your manual is finished start writing these documents, processes, forms, etc., There are a lot of ways to structure the required documentation the correct one is the one that works best for your business.

TLDR;

AS9100 stands alone, it says you will meet other specifications as needed but it is independent.

Document the things that are required, the things you need to prove you are doing things, and the things your business needs. Anything else is not value added.

keep 0.1 in mind AS9100 doesn't define how you need to structure anything, or what you have to call anything. Your system will not be uniform with anyone else's because no other organization needs exactly what you need. Read the spec and supporting documents. Make sure you can back up that you are meeting the spec, and actually use it. The point is not certification, its to improve your processes. If your system is sprawling and mostly unused, but somehow working find the things that work (i bet you they are things you have to do as part of AS9100) keep them and get rid of the rest.

Make sure everyone knows what is changing and make sure management is really 100% on board, it wont work otherwise.

Those are my thoughts, like I said I'm a newbie here too but I think I have a fairly good handle on the spec. Good luck you can get this done its not as bad as it seems. I'm sure the experts will show up soon to offer even better advice.

 

[indubioush]

Sounds like you have your work cut out for you. If I were you, I would interview all employees that do a quality system required activity and ask them the following questions:

How do you record the results of this activity?
How do you know how to record the results of this activity?

All existing forms used should be carried through to the new system.
All instruction documentation that people reference should be carried to the new system.

I would not audit 1800 documents. I would find out what docs are currently used, and then audit only those to determine your QMS gaps.

 

[Kronos147]

I would follow the history of the company. What kind of audits did you do before? What is the plan in place? Follow that plan and adjust accordingly (Plan - Do - Check - Act).

As you do the audit, it should tell you what's wrong. Fix that first. As a result of your audit, you may conclude there is an Opportunity for Improvement to review the controlled documents and reduce the number. You may find you are not reviewing your docs per policy, and there is a non-conformity.

If that was the case, use the system to manage the nonconformity and correct this issue.

As you do that, you may find an OFI or non-conformance with the corrective action system. Then you can address that, as well.

 

[Ninja]

I'm a smart dude and my boss trusts me to take it seriously and become capable

but I am UTTERLY {currently} unqualified.

I added the bold word...

Consider engaging an outside consultant...not to do the job for you, but to jump start your learning curve.
If it were me, and if I chose to go that route...I would approach someone with a history of doing Internal Audits for AS9100...but discuss with them thoroughly what your intent is before the fact.
"Don't come in and audit...come in and sort-of audit/review things, with me by your side, then let's chat extensively about what you've seen and what gave you heartburn. No audit report needed or accepted...this is not an audit."

This may be a good way to start your familiarization with the matching of requirements vs. real life...
If you find a decent guy/gal, they may appreciate the change of pace...

 

[Sidney Vianna]

What am I not thinking about in tearing our QMS down to the frame and rebuilding it?

Spoiler: ALERT

The path to nirvana...

The secret for all that you seek is to understand and enlighten the "leaders" of the organization that any quality system to be effective, sustainable , value-added and value-perceived can only be attained and maintained when it is seamlessly and stealthly embedded in the organization's business processes. QUALITY happens (or not) in real time, where the action is; not after the fact by inspecting it and paperworking it.

Nobody would expect an organization to rely on one or two individuals to demonstrate it's commitment to ETHICS. The same principle applies to QUALITY.

Good luck.

 

[Ralba]

I am in a similar situation, except I have some experience in implementing processes, updating procedures, controlling documents, and a single QMS implementation. Still, I had to learn a great deal. Our audit is scheduled and our trajectory is promising, but I had a great deal to learn as I set up our system.


At first, I tried to just do a turtle chart to identify all current transfers of information and materials, and then to do a gap analysis in our procedures/processes. I kept finding, through root-cause analysis and risk analysis, many gaps in our system in how we measured results and how we communicated information. I found many gaps in our QMS or failure to apply existing processes.

Now, what I am doing is a little different and I have started making huge leaps of progress after taking this approach. I used the results of my turtle-chart to understand our processes, updated our processes to fix gaps/potential problems, and then updated the related procedures. I then set up a monitoring/results collection system of routine audits on processes, especially recently updated processes. I use the results to iterate and update as necessary. While this has turned out to be very close to just changing everything, the results have been great so far.

Conceptually, I just do this: "What are we actually doing?" > "What should we actually do?" > "Make what we say we do what we now actually do." > "Keep an eye on it."

 

[Ninja]

Conceptually, I just do this: "What are we actually doing?" > "What should we actually do?" > "Make what we say we do what we now actually do." > "Keep an eye on it."

I Like the approach, though I would reverse #1 and #2...
Decide what you want first...then start looking at reality...otherwise you are externally biased.

 

[AS9100Dbag]

How many of the 1800 "controlled" documents are checked and updated annually or bi-annually? Its an opinion, but if a document is considered to be controlled a bi-annual check and/or update is about the minimum maintenance needed. In the same thought how many of the 1800 are forms and work instructions? Its an opinion again but work instructions and forms that are not directly related to the QMS aren't really "QMS documents". They can be documented and or retained information that supports your QMS, but they are operational documents that are used either way it sounds like a nightmare.

It's my impression that document review had mostly been happening reactively. I can't say for sure. If there's a regular doc review procedure, I haven't seen it, nor any evidence that informal reviews have been performed. Documents are revised. If I were so inclined (I'm not), I may be able to put together a meaningless analysis of document revision dates to prove or disprove its existence

Our master documents spreadsheet had not been updated regularly in some time. Many obsolete documents still resided, unquarantined, in the active doc control folders. Some documents were placed into a document archive folder with unrelated documents, despite each section of the QMS documentation having its own archive locations. For example, there were production control documents in an archive folder for planning documents. Were they meant to be quarantined, just dropped into the wrong folder, or are these documents that have a relevant function and were dragged there by mistake in Windows Explorer? A record of regular document review could potentially have answered that question, rather than having to open each file, look for revision information, compare to other documents, ask around the persons who would use that document if they do, etc.

What processes have you defined?

"Core" processes are:

Identification of Customer Needs
Design and Development
Purchasing
Production

This is where I'm starting. I'll move onto the other product realization processes (receiving, QC/testing/metrology, packaging/shipping etc. and try to get packing and shipping moved into the "support" section of our IOP diagram even if preservation of outputs is a product provision requirement) prioritizing audit, then QC/calibration processes, next management processes like planning and review, and then support processes like training, people, and facilities management. I know that putting management and planning down the line a bit looks kinda bottom-up, but we literally make one product line for one customer and aren't seeking any new customers or markets. Our business has basically not changed dramatically since its founding. We just exist to make this REDACTED here for those folks over here.

Now on to the rest of your post. QMS is not regulatory compliance. QMS is not NADCAP, and QMS is not your customers documents. You NEED to have systems in place that handle those things but they are not a part of your QMS, they are either minimums to operate your business, or minimums to meet your customers needs. if you aren't doing those things already then that needs to be done immediately. Your QMS should include a statement that you are compliant with the required regulations and customer specifications, and that should be a true statement. your QMS should not say we are certified to MIL-xyz BAC-qkd AMS-pfd etc. customer and regulatory requirements change and should be maintained elsewhere, your QMS should have a contract review process outlined, and part of that process is making sure that you meet the required specs for each contract.

The way I've been thinking about this is kinda like playing guitar. I'm at the stage of this where every finger placement on the fretting hand seems like an independent thing, but in reality all of those components make up a chord which at some point seems less conceptually independent of other chords to make riffs, rhythms and ultimately songs. For someone that knows how everything should fit together (a long-term experienced QM professional), they just pick up the instrument and start playing a song. They intuitively remember the individual requirements to producing the sound. They'll pick up a shortfall in a QMS like a sloppy, buzzing fretting mistake (bzz bzz "What's this damaged part with no red on it even though other scrap parts were marked? You don't positively control NC product until it can be rendered unuseable" bzz "there's nothing in this configuration management doc about traceablity to previous designs" bzz "organizational planning and product planning are different and there's only one planning document; that's a red flag" bzz bzz), and they'll be more capable of identifying how that impacts the business, or rather, they'll probably work backward from a problem found and be able to predict what a company isn't doing that causes it. I still have to look at each finger placement, so that has a lot to do with the approach of looking HARD at standards and regulations and a line by line review. Thankfully, the song is mostly playing itself in my company. What a tortured metaphor. Anyway, much of my job is merely to document things for the sake of proveability of a well functioning system. That's also kinda driving the super granular approach for me.

Then write your quality manual, You can find tons of examples online as many AS9100 orgs post their manuals on their website. A LOT of these are essentially the specification with changes in the wording, Shall to will, has or does for example.

...

While you are writing the above you will notice things you aren't doing that you need to be doing, or at the very least things that you aren't writing down that the spec requites you to write down, note these and come back to them. Once your manual is finished start writing these documents, processes, forms, etc., There are a lot of ways to structure the required documentation the correct one is the one that works best for your business.

lol my existing quality manual. The first part of it is serious effort to plagiarize the standard while rewording carefully. Next bit is just verbatim regurgitation of AS9100D. Then a return to some(?) effort, where the production control section appears to again be verbatim, but not in order. It seems almost as if the QM printed out the standard, cut the prescriptive statements into strips and then transcribed them into the manual in the order in which he drew the strips of paper from a hat.

I added the bold word...
...

If it were me, and if I chose to go that route...I would approach someone with a history of doing Internal Audits for AS9100...but discuss with them thoroughly what your intent is before the fact.

I appreciate the vote of confidence.

Thankfully, the assembly manager was the only other inspector in my room for my first year here and she was an auditor at an automotive company. I've been able to enlist her assistance, and expect to lean on her increasingly as the program comes together. And while she's crazy busy in her current role, I suspect that I can recruit her as an auditor when that time comes.

Spoiler: ALERT

The path to nirvana...

The secret for all that you seek is to understand and enlighten the "leaders" of the organization that any quality system to be effective, sustainable , value-added and value-perceived can only be attained and maintained when it is seamlessly and stealthly embedded in the organization's business processes. QUALITY happens (or not) in real time, where the action is; not after the fact by inspecting it and paperworking it.

You are my Elsmar Cove bestie. See attached screenshot of my twitter account.


Everyone, thank you so much for the thoughtful replies and a lot of actionable advice.