Hello everyone, I hope your week has been going well so far. I've been a lurker on this forum for a while and figured it may be helpful to ask some questions on here.
I’m a new and fairly inexperienced Quality Manager and internal auditor. I've been pulled into this position recently and I could really use some advice from people who’ve lived through a similar experience (or anyone who may have any advice on certain points written here).
I’ve inherited an ISO 9001 system that was basically a checkbox exercise. It was extremely lean, poorly implemented, and produced almost no usable or helpful records (that i can find). We are now trying to “start over” and move to AS9100 (more like frankenstein parts of the old system to the new one). Stage 2 is booked for early January. Stage 1 did not raise any concerns, but the auditor was pretty relaxed and did not look very deep, so I do not take that as a strong sign of readiness.
Right now I am both designing and auditing the QMS. We hired a consultant who handed us a generic, low-quality AS9100 manual and said “just implement this and call me.” When I sent him a detailed list of where his manual did not match how we actually operate, he more or less backed away, then came back with “ok, just implement it and let me know when you’re done.” That has not built much confidence. Budget is limited, so replacing him is not a simple decision.
Our current documentation is half-built. We have a consultant-written quality manual that does not fully reflect reality and lumps key processes into vague text. I am having a hard time interpreting the requirements of AS9100, and it is proving to be challenging to fully 'internalize' them. We do have controlled document and record control procedures (templates that are not fully implemented, since I am building the document control process as I go), an NC control template (that i have not gotten the chance to review), some internal audit templates, an updated approved supplier list, and a simple interested-party register. Most of this is new and not truly implemented yet. We have not held a management review under the new system. We have not completed a proper internal audit under the new system. We have not run NCRs or corrective actions through the new methods. In practice I am trying to implement controls at the same time as I audit them, which makes objective evidence thin and creates a gap between what the manual claims and what is actually happening.
Our AS9100 scope is defined only for aerospace and defense work that specifically requires AS9100 or similar. Commercial work is excluded. In reality we have mostly commercial work and, as far as I know, only one defense customer with CGP/ITAR implications, and another client which had AS9100 requirements in their PO. I am not convinced those terms and obligations are fully understood by management. Because of this narrow scope and low volume, there is very little truly “in-scope” work to sample.
Top management support is mixed. One manager is genuinely supportive and wants a functional system, but has no AS9100 background. The rest of management has limited QMS involvement, and acts like it is a simple thing to do. Process ownership, context, risks, and objectives are not clearly defined by leadership. It often feels like I am making decisions they should be making.
I am essentially alone on QMS. Since I am co-authoring the documentation, I am also not really able to meet impartiality for documentation review, nor am I confident that what I have done would be compliant. I could borrow someone internally to sit in on an audit, but they would not be trained in AS9100 and would rely on my guidance. The Stage 2 date is considered fixed. I have been told “if we fail, that is ok, they will give us time to fix the issues” but obviously I would like to avoid a train wreck. I am wary of relying further on our current consultant.
Given all this, I am looking for blunt, experience-based guidance on a few points:
I hope this didn't come off as too catastrophic. I believe we can be fully compliant as long as I can internalize the standard and direct the company with confidence. I will say that from what I understood so far, the AS9100 standard just sucks. It's written poorly, and the wording is confusing and inconsistent. The amendments of AS requirements on top of the old ISO requirements is not very elegant to say the least, and some of the clauses are written in the wrong order (4.1, 4.2). There's no way I'm alone in thinking this, and I'd love to hear what you all think.
Thanks in advance for any responses. I know it's a lot. Any help would be greatly appreciated.
I’m a new and fairly inexperienced Quality Manager and internal auditor. I've been pulled into this position recently and I could really use some advice from people who’ve lived through a similar experience (or anyone who may have any advice on certain points written here).
I’ve inherited an ISO 9001 system that was basically a checkbox exercise. It was extremely lean, poorly implemented, and produced almost no usable or helpful records (that i can find). We are now trying to “start over” and move to AS9100 (more like frankenstein parts of the old system to the new one). Stage 2 is booked for early January. Stage 1 did not raise any concerns, but the auditor was pretty relaxed and did not look very deep, so I do not take that as a strong sign of readiness.
Right now I am both designing and auditing the QMS. We hired a consultant who handed us a generic, low-quality AS9100 manual and said “just implement this and call me.” When I sent him a detailed list of where his manual did not match how we actually operate, he more or less backed away, then came back with “ok, just implement it and let me know when you’re done.” That has not built much confidence. Budget is limited, so replacing him is not a simple decision.
Our current documentation is half-built. We have a consultant-written quality manual that does not fully reflect reality and lumps key processes into vague text. I am having a hard time interpreting the requirements of AS9100, and it is proving to be challenging to fully 'internalize' them. We do have controlled document and record control procedures (templates that are not fully implemented, since I am building the document control process as I go), an NC control template (that i have not gotten the chance to review), some internal audit templates, an updated approved supplier list, and a simple interested-party register. Most of this is new and not truly implemented yet. We have not held a management review under the new system. We have not completed a proper internal audit under the new system. We have not run NCRs or corrective actions through the new methods. In practice I am trying to implement controls at the same time as I audit them, which makes objective evidence thin and creates a gap between what the manual claims and what is actually happening.
Our AS9100 scope is defined only for aerospace and defense work that specifically requires AS9100 or similar. Commercial work is excluded. In reality we have mostly commercial work and, as far as I know, only one defense customer with CGP/ITAR implications, and another client which had AS9100 requirements in their PO. I am not convinced those terms and obligations are fully understood by management. Because of this narrow scope and low volume, there is very little truly “in-scope” work to sample.
Top management support is mixed. One manager is genuinely supportive and wants a functional system, but has no AS9100 background. The rest of management has limited QMS involvement, and acts like it is a simple thing to do. Process ownership, context, risks, and objectives are not clearly defined by leadership. It often feels like I am making decisions they should be making.
I am essentially alone on QMS. Since I am co-authoring the documentation, I am also not really able to meet impartiality for documentation review, nor am I confident that what I have done would be compliant. I could borrow someone internally to sit in on an audit, but they would not be trained in AS9100 and would rely on my guidance. The Stage 2 date is considered fixed. I have been told “if we fail, that is ok, they will give us time to fix the issues” but obviously I would like to avoid a train wreck. I am wary of relying further on our current consultant.
Given all this, I am looking for blunt, experience-based guidance on a few points:
- With about a month before Stage 2 and very little historical evidence, what are the absolute first must-haves I should focus on? The flow of QMS requirements has had me confused for a while, especially without a solid, existing QMS to reference. What do I need to have ready so CB at least sees a credible, functioning system taking shape?
- How should we handle the fact that our scope excludes commercial work and we have almost no live in-scope jobs to audit? Is it acceptable to demonstrate processes on commercial work as a proxy and be transparent about readiness?
- How would you balance raising a few solid, system-level nonconformities versus maintaining a controlled action plan to align documentation and practice, without drowning the company in dozens of minor findings?
- In a small company where I am both designer and auditor of the QMS, what is an acceptable way to manage the conflict-of-interest concern for an AS9100 auditor?
- For those who have worked with template manuals or weak consultants, how did you salvage or replace that material without blowing up your timeline?
- For those who have been through initial AS9100 audits with CBs, what were the big “we thought we were fine, but we were not” issues that I should double-check now?
I hope this didn't come off as too catastrophic. I believe we can be fully compliant as long as I can internalize the standard and direct the company with confidence. I will say that from what I understood so far, the AS9100 standard just sucks. It's written poorly, and the wording is confusing and inconsistent. The amendments of AS requirements on top of the old ISO requirements is not very elegant to say the least, and some of the clauses are written in the wrong order (4.1, 4.2). There's no way I'm alone in thinking this, and I'd love to hear what you all think.
Thanks in advance for any responses. I know it's a lot. Any help would be greatly appreciated.
