AS9100:2016 (Rev. D) Required Procedures

[kjoberk]

Hey all! Just a quick question -- I tried searching but I couldn't find the answer I was looking for.

I know in previous revisions of both ISO 9001 and AS9100, there were a number of required procedures in addition to the Quality Manual.

I'm thinking of the 6 or so that are fairly standard -- Nonconformances, Document Control, Internal Audits, and the like.

When the company I'm working with was only getting their 9001:2015 certification, I remember their consultant told them that it was not required to have procedures, though they could if they wanted to.

Is that the same for AS9100D? Are procedures optional or are there required procedures that I've somehow completely overlooked while I'm trying to get 9100 all sorted out? I've tried looking on this forum, and other websites but I cannot come up with a definitive answer. I swear I've read the standard backwards, forwards and sideways a number of times over the last few months...

Thanks all!

 

[Marc]

This is a good writeup: IATF 16949:2016 – List of mandatory documents but the writer notes he includes, in his list:

not only of all of the mandatory documents, but also those non-mandatory documents most commonly used in IATF 16949 implementation

so...

 

[Mike S.]

Technically, there are no longer requirements for specific procedures, records, or a quality manual. But… “documented information” and “retained documented information” is required (4.4.2). So.....

Required documented information includes 4.3 QMS Scope, 4.4.2 interested parties and processes with sequence and interactions and responsibilities, 5.2.2 quality policy, 6.2.1 quality objectives, 8.7.1 nonconformity control process, 10.2.1 CA process.

A ton of records…I mean retained documented information” are also required.

 

[Sidney Vianna]

Is that the same for AS9100D?

As Mike said. In the AS9100:2016 FAQ document, we have the following Q&A concerning this:

5. How has documentation requirements changed?

Specific documented procedures are no longer mentioned; it is the responsibility of the organization to maintain documented information to support the operation of its processes and retain the documented information necessary to have confidence that the processes are being carried out as planned. The extent of the documentation that is needed will depend on the business context.

Realizing that, for the most part, products being delivered in the Aviation, Space & Defense sectors are complex in nature, with a need for robust processes supporting the product realization, tribal knowledge approach to process deployment would be easily found ineffective by competent and seasoned AEA's.

 

[kjoberk]

Technically, there are no longer requirements for specific procedures, records, or a quality manual. But… “documented information” and “retained documented information” is required (4.4.2). So.....

Required documented information includes 4.3 QMS Scope, 4.4.2 interested parties and processes with sequence and interactions and responsibilities, 5.2.2 quality policy, 6.2.1 quality objectives, 8.7.1 nonconformity control process, 10.2.1 CA process.

A ton of records…I mean retained documented information” are also required.

This was the answer I was looking for -- I'm working with two different systems currently...my company was certified for 9001:2008 and went to 9110 rev. C. We already had a ton of documented procedures in place due to this. When the other company I work with started their 2015 implementation, there were many differences -- one being the requirements for written procedures (my home company was required to have them, while the other company was not), and in addition to quite a few other things, they're a much smaller company (5 people as opposed to 45).

The nuances of implementing the separate programs for the companies has been exhausting. Next time, I'm opting out of the implementation process

Thank you all for your assistance. This has definitely been a huge learning curve for me as someone who has only had on the job training for quality assurance.

 

[Aunt Rosie]

I agree with the list provided by Mike S. However, I asked the opinion of our registrar auditor during our last Rev C audit and her interpretation was that if the standard requires a "process" there should be a procedure. example 7.1.5.2 measurement traceability requires a process. I argued that a process could be controlled by software or ERP system etc so why would you need a documented procedure. I don't think she was buying it.

 

[Sidney Vianna]

I don't think she was buying it.

Let me you in a little secret: Sometimes, CB auditors bluff. They will tell you something they know is not supported in any standard requirement, i.e., there is no "shall" to defend their position, but they hope you will comply with their wishes, because it makes THEM feel better. I think it is abundantly clear through the IAQG FAQ that the "dogma" of a mandatory documented procedure no longer exists. So, you can call the auditor's bluff and she will fold, provided you can demonstrate adequate control in the absence of a documented procedure.

We have to remember that a system has to work for the organization and it's customers. Auditors likes, dislikes and opinions should never be the driving force for process engineering.

 

[Marc]

I fully agree, Sidney. And sometimes it just isn't in their paradigm to understand. I have often cited the scenario from back in 1994 where an ISO auditor said process maps were not "procedures" because they were not the traditional text documents.

I have also cited the client where the auditor wanted to cite them for "ineffective internal audits" based upon 2 years of no nonconformances demonstrated. They then showed that the prior 2 or 3 registrar audits found no nonconformanecs and pointed out that THEIR audits must be ineffective as well. Needless to say the auditor folded after a call to the company's CB contact.

The old saying was, and still is, "show me where it says that". The bottom line is if there is someone knowledgable of the standard, that person should be able to push back on the auditor.

That said, I do NOT advise making an adversarial relationship with any auditor (or CB) as has been suggested elsewhere ("dominate your registrar" is just stupid and totally counter productive).

 

[Big Jim]

Let me you in a little secret: Sometimes, CB auditors bluff. They will tell you something they know is not supported in any standard requirement, i.e., there is no "shall" to defend their position, but they hope you will comply with their wishes, because it makes THEM feel better. I think it is abundantly clear through the IAQG FAQ that the "dogma" of a mandatory documented procedure no longer exists. So, you can call the auditor's bluff and she will fold, provided you can demonstrate adequate control in the absence of a documented procedure.

We have to remember that a system has to work for the organization and it's customers. Auditors likes, dislikes and opinions should never be the driving force for process engineering.

I agree generally with this, especially because there was a time when it was generally misunderstood the processes and procedures were the same thing or nearly the same thing.

Don't get the impression that AS9100D fully gets away from documented procedures completely though, and I'm sure that is not what you meant.

Remember that 9100D requires "the organization's nonconformity control processes shall be maintained as documented information Including the provision for . . . " (8.7), and "the organization shall maintain documented information that defines the nonconformity and corrective action management process" (10.2.2).

Also remember that both ISO 9001:2015 and AS9100D says,"the organization's quality management system shall include . . . documented information determined by the organization as being necessary for the effectiveness of the quality management system" (7.5.1b)

In short, AS9100D still calls for a documented procedure for two topics and both ISO 9001:2015 and AS9100C require that you maintain documented information (a written document, including documented procedures) that your organization determines they need.

 

[Sidney Vianna]

Don't get the impression that AS9100D fully gets away from documented procedures completely though, and I'm sure that is not what you meant

I think the FAQ document is pretty clear, but I agree with you that, in the real world, taking into account the context of an aviation, space and defense organization implementing AS9100, it would be unrealistic for large portions of their QMS not to be documented. In this day and age, management by tribal knowledge is extremely risky and, pun intended, an undocumented system "would not fly".