Professional Documents
Culture Documents
Issued
AEROSPACE
STANDARD Revised
COORDINATION DRAFT
6 June 2008
FOREWORD
To assure customer satisfaction, aviation, space, and defense organizations must produce, and continually
improve, safe, reliable products that meet or exceed customer and applicable statutory and regulatory
requirements. The globalization of the industry and the resulting diversity of regional and national requirements
and expectations have complicated this objective. Organizations have the challenge of purchasing products
from suppliers throughout the world and at all levels of the supply chain. Suppliers have the challenge of
delivering products to multiple customers having varying quality expectations and requirements.
Industry has established the International Aerospace Quality Group (IAQG), with representatives from
companies in the Americas, Asia/Pacific and Europe, to implement initiatives that make significant
improvements in quality and reductions in cost throughout the value stream. This standard has been prepared
by the IAQG.
This document standardizes the requirements for conducting and reporting of quality management system
audits. It can be used by aviation, space and defense organizations at all levels throughout the global supply
chain.
This document provides requirements for an audit and reporting process based on:
REVISION SUMMARY/RATIONALE
This standard has been revised to incorporate the 2008 changes to IAQG 9100-series standard quality
management system requirements and requirements for accredited certification introduced by ISO/IEC
17021:2006.
FOREWORD ...................................................................................................................................................... 1
INTRODUCTION ................................................................................................................................................ 4
0.1 GENERAL ............................................................................................................................................... 4
0.2. AUDITING APPROACH ............................................................................................................................. 4
REQUIREMENTS............................................................................................................................................... 5
1. SCOPE ........................................................................................................................................................ 5
1.1 GENERAL ............................................................................................................................................... 5
1.2 APPLICATION ......................................................................................................................................... 5
2. NORMATIVE REFERENCES ..................................................................................................................... 6
0.1 General
Auditing is one of the basic tools to assess effective implementation of, and conformance to quality
management system requirements.
In addition to determination of compliance, this standard focuses on evaluation of effectiveness.
The major purpose of an organization is not to be compliant with quality management system requirements but
to be effective in fulfilling customer expectations and delivering products that meet those expectations.
In other words: an organization cannot fulfill the requirements of the quality management system standard and
at the same time deliver products that do not fulfill customer specifications.
This audit standard supports the new requirements in the 9100-series standards (2008/2009) such as critical
items, special requirements, On-time Delivery (OTD) performance, risk management and project
management.
This standard is written to support the process approach for quality management systems as described in the
9100-series standards.
When evaluating quality management systems, there are four basic questions that should be asked in relation
to every process being evaluated:
a) is the process identified and appropriately defined?
b) are responsibilities assigned?
c) are the procedures implemented and maintained?
d) is the process effective in achieving the desired results?
The collective answers to these questions can determine the result of the evaluation.
Additionally, product quality (as delivered), customer satisfaction and quality management system
effectiveness are to be considered as interrelated. This interrelation should be reflected in the audit and the
associated results.
1. SCOPE
1.1 General
This standard specifies requirements on the preparation and execution of the audit process and the content
and composition of the Audit Report when determining conformance to the 9100-series standards and the
organizations ability to meet customer, regulatory and the organizations own requirements.
NOTE 1: In this standard the terms 9100-series standards comprises the following quality management
system standards as developed by the International Aerospace Quality Group (IAQG) and published by various
national standardization organizations: 9100, 9110 and 9120.
The requirements in this standard are in addition to the requirements in the standards for conformance
assessment, auditing and certification as published by International Organization for Standardization
(ISO)/International Electrotechnical Commission (IEC): ISO/IEC 17000 and ISO/IEC 17021.
When there is conflict between the standards, the requirements of this standard shall take precedence.
NOTE 2: At the moment of publication of this standard, the ISO Committee on conformity assessment,
(ISO/CASCO) is working on a new standard ISO/IEC 17021-2, Conformity assessment Requirements for
third-party certification auditing of management systems. This standard will contain additional requirements,
comparing to the existing 19011 and 17021. Awaiting publication, expected late 2010, some of the foreseen
requirements are included in this issue of 9101 as gray shaded text. After publication of ISO/IEC 17021-2,
9101 will be modified and re-issued in order to prevent duplication.
NOTE 3: This document also contains recommended practices that may be used by audit teams when
executing the audit process. Certification bodies are not mandated to use recommended practices material
when similar or equivalent methods/material are used. In such case, the certification body should be able to
demonstrate the equivalence of the method/material during the initial accreditation and periodic oversight as
described in 9104-2.
NOTE 4: Users of this standard are encouraged to use guidance material separately published by IAQG, such
as the Guidance tool for auditing aviation, space and defense quality management systems.
1.2 Application
This standard shall be used for audits of 9100-series standards by certification bodies for certification of
organizations, under the umbrella of the aviation, space and defense industry certification scheme [also known
as Industry Controlled Other Party (ICOP) scheme], as defined in the IAQG 9104-series standards.
The relevant parts of this standard (e.g. clauses 4.2.1, 4.2.2, 4.2.3 and 4.2.4) and the form templates in the
st nd
appendices may be used for internal (1 party) audits and external audits at suppliers (2 party audits).
This also applies to methodologies, guidance material and document formats (e.g. audit reports,
nonconformance reports and other documents described in appendices).
In such case the words certification body should be read as auditor or auditing organization, and the word
client should be auditee or audited organization, as appropriate.
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced document
(including any amendments) applies.
AS/EN/JISQ 9100* Quality Management Systems Requirements for Aviation, Space and
Defense
AS/EN 9120* Quality Management Systems Requirements for Aviation, Space and
Defense Distributors
AS/EN/SJAC 9104-3* Requirements for Aerospace Auditor Competency and Training Course
ISO 19011: 2002 Guidelines for quality and/or environmental management systems auditing
ISO/IEC 17021: 2006 Requirements for bodies providing audit and certification of management systems
* As developed under the auspice of the International Aerospace Quality Group IAQG and published by various
Standards bodies (e.g. SAE, ASD, EN, JISQ).
NOTE 2: AS/EN/SJAC 9104 will be replace in the near future by AS/EN/SJAC 9104-1.
The first audit cycle starts with the last day of the stage 2 audit and ends with the first day of the re-certification
audit. Each subsequent audit cycle starts from the last day of the re-certification audit.
3.2 Containment:
Action to control and mitigate impact of a problem and protect the customer's operation (stop the problem
getting worse). Includes correction, immediate corrective action, immediate communication and verification
that the problem does not further degrade.
The time interval between the initial certification decision and re-certification decision or between two re-
certification decisions.
Document stating results and providing evidence of determination of nonconformity to audit criteria, including
root cause, corrective action implementation and review by the auditor.
Web-based IAQG database containing information on participating National aerospace Industry Associations,
Accreditation Bodies (ABs), accredited Certification Review Bodies (CRBs), authenticated aerospace
Experience Auditors, Certified Suppliers and Assessments.
Independent and officially accredited Organization engaged in audit and certification activities that is under
control and oversight of Aerospace Industry.
This section consists of three primary areas: clause 4.1 identifies phases of a complete audit process; clause
4.2 provides information on the common activities that shall be used to support the audit phases; and clause
4.3 describes the specific requirements for each phase. All sections must be complied with during a complete
audit cycle.
NOTE: Although Intermediate/Special Audit is not listed as a part of the audit cycle, it is applicable after initial
certification and then when directed by special request. They are addressed in clause 4.3.6.
The audit process established to assess conformance of quality management systems to the 9100-series of
standards shall meet the requirements of ISO/IEC 17021 and the additional requirements defined by this
standard. When there is conflict, the requirements of this standard shall take precedence.
4.1 General
Audit phases
The audit process shall consist of the following phases:
Phase a, b and c are only applicable for initial audit or transfer of certification.
NOTE: Although certification is formally part of the process, requirements for certification are defined by 9104-
series.
Common activities
Audit planning, on-site auditing and audit reporting are common activities linked with phases b, c, d and e.
Nonconformity management is common for phases c, d and e.
The requirements for activities apply to each phase of the program as indicated in Figure 1.
Phase b, c and d shall be described in the audit program, established during the preliminary contact/application
phase.
Audit
phase Preliminary Stage 1 Stage 2 Surveillance Re-certification
(4.3) Contact
Common 4.3.1 4.3.2 4.3.3 4.3.4 4.3.5
activity (4.2)
Audit planning
4.2.1
On-site
auditing
4.2.2
Audit reporting
4.2.3
Nonconformity
management
4.2.4
FIGURE 1: RELATION BETWEEN AUDIT PHASES AND COMMON AUDIT ACTIVITIES
NOTE: for each audit phase the indicated common audit activities are applicable.
The audit team leader shall be appointed before the stage 1 audit. Possible audit team members shall be
identified. After the stage 1 audit the team composition for stage 2 shall be reviewed based on information as
received and observed during the stage 1 audit, followed by the final appointment of the team members.
The audit activities shall be prioritized based on risk to the customer (i.e. customer concerns and / or customer
special statuses).
The composition of the audit team shall be determined. The team shall consist of sufficient members, qualified
to address the issues and findings as identified during the previous visit.
As an input into the audit planning process, the audit team leader shall obtain information from the organization
regarding customers requiring certification (i.e. 9100/9110/9120) and the percentage of aviation, space and
defense business each represents. The audit team leader shall ensure that the percentage of audit time
planned on any one customer is commensurate with the percentage of aerospace business each customer
represents (e.g. customer X may only have 20% of the business so do not spend 80% of the time verifying
customer X's needs if customer Y has 80% of the business).
NOTE: The need to use translators, as applicable, may also impact the plan and duration.
4.2.2.1 General
a) Process Approach
The audit team shall conduct quality management system audits using a process approach that focuses on
performance and effectiveness. The process approach used by the audit team shall ensure that priority is
given to:
reviewing the organizations processes, their sequence and interactions, and performance against
measures defined, with focus on the processes that directly impact the customer;
reviewing the process objectives / targets, with focus on areas where targets are not being met and on
issues which have the greatest impact on the customer(s);
reviewing what plans are in place to ensure targets are met;
reviewing what corrective action plans are in place where targets are not being met; and
pursuing audit trails to relations between customer concerns, performance against objectives and relevant
process controls.
b) Customer Approach
The audit team shall use the percentage of aviation, space and defense business each represents (see clause
4.2.1) to verify that the organization is addressing customer satisfaction appropriately with all customers. This
includes verifying that any customer specific requirements are addressed.
d) Opening Meeting
An opening meeting shall be held with the clients management and, where appropriate, those responsible for
the functions or processes to be audited. The purpose of an opening meeting is to confirm the audit plan, to
provide a short explanation of how the audit activities will be undertaken, to confirm communication channels,
and to provide an opportunity for the client to ask questions.
The meeting shall be formal and records of the attendance shall be kept. The meeting shall be conducted by
the audit team leader, and the following items shall be included:
a) introduction of the participants, including an outline of their roles;
b) confirmation of the type of audit, objectives, scope and criteria;
c) confirmation of the audit plan and other relevant arrangements with the client, such as the date and time for
the closing meeting, interim meetings between the audit team and the clients management, and any late
changes;
d) confirmation of formal communication channels between the audit team and the client;
e) confirmation that the resources and facilities needed by the audit team are available;
f) confirmation of matters relating to confidentiality;
g) confirmation of relevant work safety, emergency and security procedures for the audit team;
h) confirmation of the availability, roles and identities of any guides and where relevant observers;
i) the method of reporting, including any grading of audit findings; and,
j) information about the conditions under which the audit may be prematurely terminated.
Dependent on the type of the audit the following items should included as applicable:
a) confirmation of the status of findings of the previous review or audit;
b) methods and procedures to be used to conduct the audit, including advising the client that the audit
evidence is based on a sample of the information available and therefore there is an element of uncertainty
in auditing;
c) confirmation of the language to be used during the audit, where relevant;
d) confirmation that, during the audit, the client will be kept informed of audit progress.
e) Site Tour
The audit team leader may decide to conduct a site tour to address significant changes in scope or facilities
since the last visit or to familiarize team members with the organizations activities. The audit team shall record
and retain key observations for use during the audit.
Recommended Practice
It is recommended that the process approach to auditing should not be driven by a clause or a section
structured questionnaire or checklist.
Checklists and/or questionnaires may be used as a tool:
a) a reference or memory jogger for the auditor;
b) a repository for auditor notes not a mandatory objective evidence repository; and
c) a record of conformance status and audit plan completion.
Certification body tools that accomplish the same objectives are acceptable but, shall become part of the
audit file/record.
Checklists may be used to assure that the organizations processes cover the requirements of the quality
management system standard.
Recommended Practice
Top management should participate and not merely be represented (e.g. by the quality manager).
It is important to change the focus of attention from the quality manager to the top management of
the organization.
An auditor with limited auditing experience should not be assigned to interview top management.
The timing of the top management interview should be planned, to ensure convenience and
punctuality.
During the interview, the audit team should seek evidence of their commitment.
The audit team can, by utilizing appropriate business terminology for the top management, ask
relevant questions that :
a) seek to obtain evidence of top managements awareness of and commitment to quality and its
relevance to the organization's overall objectives and quality management system, and
b) establish evidence of conformity to the 9100-series standard requirements for top management
responsibility.
The use of open-ended questions is encouraged, including the integration of recent performance
data as collected during previous visits (e.g. the stage 1 audit).
Examples of questions to gather evidence on compliance of the management commitment with
clause 5.1 of the 9100-series requirements could be:
what is the purpose, direction, mission and vision of the organization?
what aspects (elements / goals) of its long term strategy has the quality management system
been designed to deliver?
how does top management measure the effectiveness of the quality management system?
is the quality management system effective? and
what are the key metrics/measures used by top management to determine this?
The audit team should constantly be looking for opportunities to corroborate the responses
received from top management during the interview(s). This includes :
a) determining if top management are involved in management reviews ;
b) evaluating the commitment and involvement of Top Management in the establishment,
implementation, monitoring and updating of the quality policy; and
c) analyzing if top management is involved in continual improvement
Each on-site audit, except for follow-up and special audits, shall include an audit of:
a) the handling of customer complaints, customer feedback data (e.g. periodic performance reports received
from customers), other customer data (e.g. results of customer surveys) and stakeholder feedback (e.g.
feedback from regulatory authorities, other interested parties);
b) internal and external audits of the quality management system, including their associated records;
c) the control of process and product nonconformities, including corrective actions and the effectiveness of
corrective actions taken;
d) preventive actions and the effectiveness of actions taken;
e) management review, including associated records (i.e. inputs, outputs, actions taken);
f) (internal) performance monitoring, measurement, reporting and reviews against key stakeholder and
internal performance objectives and targets, including review of continual improvement activities and
associated records;
g) the organizations current performance against targets (including customer specific targets) and its
associated records of corrective actions taken where targets are not being met; and
h) the status and effectiveness of the organizations process performance improvement activities and their
outcomes related to product quality.
NOTE 1: Evaluation of the effectiveness of the quality management system should consider how well the
system is deployed, as demonstrated by the measures defined by the organization to meet customer
satisfaction and company objectives.
Recommended Practice
Feedback from the customer is one of the primary performance indicators that can be used to judge the
overall effectiveness of the quality management system. It is important, therefore, for the auditor to verify that
a) the organizations customer communication channels promote an adequate awareness of the process
by which customers can provide feedback
b) inputs to the customer feedback process include relevant, representative and reliable data,
c) this data is analyzed effectively, and
d) the output from this process provides useful information to the management review and other quality
management system processes, to enhance customer satisfaction and drive continual improvement.
See also ISO 9001 Auditing Practices Group Guidance on:
Auditing customer feedback processes, as published jointly by ISO/CASCO and IAF.
Other indicators that can be used to review the overall effectiveness of the quality management system are
measurements of the quality and On-time delivery of the products supplied by the organization, e.g. :
if the target for On-time Delivery was 90%, and the actual figure is 70%, the overall system and (some of)
the processes linked with OTD are not effective,
targeted levels of (internal and external) Product Defect rate and customer returns,
Auditors should assess if top management has defined methods for measurement of the organization's overall
performance in order to determine whether planned objectives and targets have been achieved.
The audit team shall audit processes as identified in the audit plan in adequate depth and detail to give
confidence that the organizations process(es) are capable of meeting process key performance indicators
(KPI), including any customer specific targets.
The audit team shall determine, as appropriate for each organization, if:
a) their processes are identified and appropriately defined (see NOTE below),
b) the process sequence and interactions are defined.
Additionally determine for each process if:
c) input/output, process activities, and resources are described,
d) responsibilities are assigned and responsible functions are identified,
e) process controls are defined,
f) the availability of resources and information necessary to operate and support is ensured,
g) each process is monitored, measured and analyzed against planned results (= determination of process
effectiveness),
NOTE 1: Planned results can be related to outputs or to the process activities itself.
h) actions are implemented as needed to achieve planned results and to promote continual improvement, and
i) the process is effective in achieving the desired results; verify performance information available (e.g.
percentage of nonconforming parts/products, percentage on-time delivery, etc).
NOTE 2: The following process categories are distinguished: core product realization processes, support
processes and management processes. The first category is specific for each organization.
The other categories are common to all types of organizations (e.g. continual improvement, nonconformity
management, monitoring and measurement, ).
The audit team shall focus on the processes that directly impact the customer(s) and on low performing
processes, based on performance data. The audit team shall audit these processes to determine not merely
process compliance, but also evaluate their effectiveness
The results shall be recorded on the Effectiveness Assessment Record: see Appendix 7.
Recommended Practice
When preparing and auditing a process, identify and ask questions on:
what is the process?
what is it trying to achieve?
is the process defined (i.e. inputs, outputs, resources and controls defined)?
who is the customer of the process?
what is the desired level of performance?
what are the measures (e.g. KPIs)?
do these reflect specified customer targets/performance requirements?
what is the current level of performance?
where performance is not being achieved, are improvement plans in place?
do they include applicable customer specific requirements?
are responsibilities of process owners and process performers defined?
is the process implemented as defined?
There is not one single process mapping method. There are many tools on the market that can be
used for process analysis, including am process elements (i.e. turtle diagram, octopus diagram,
SIPOC method).
The audit team shall assess if customer satisfaction is based on customer provided non-conformance data,
corrective action requests, satisfaction surveys results and complaints, regarding product quality, on time
delivery, service provision, but also responsiveness to requests, etc.
Recommended practice
Customer feedback is a process. It needs to be audited as a process, not as a clause of the standard.
An evaluation also needs to be performed on the way in which the process is managed (see 9100 series
standards, clause 4.1.c), and its ability to provide meaningful information with which to judge the overall
effectiveness of the quality management system. The way in which the organization obtains this feedback
(the method) is up to the organization to define.
The auditor should therefore be aware of the many factors that can affect the organizations approach, and
should recognize that there is no fixed recipe. Due consideration should be given to factors such as:
organization size and complexity
degree of sophistication of products and customers
risks associated with the product
diversity of customer base
The auditor needs to be aware of the specific characteristics of the organizations products that are likely to
impact customer satisfaction. Throughout the audit, the auditor should be alert for indications that may
suggest customer satisfaction or dissatisfaction which could serve as input into the audit of the customer
feedback process. Good sources of such information may include, for example:
goods returned by the customer;
warranty claims;
revised invoices;
credit notes;
articles in the media;
direct observation of, or communication with the customer (e.g. in a service organization).
See also ISO 9001 Auditing Practices Group Guidance:
Auditing customer feedback processes, published jointly by ISO/CASCO and the IAF.
If a organization operates special processes (reference 9100/9110, clause 7.5.2), the audit team shall audit the
validation, as well as, the monitoring and measuring of these processes.
NOTE: When an organization declares that special processes are excluded from the scope of certification, an
evaluation of the justification of this exclusion must be completed by the audit team during stage 1 of the initial
audit.
NOTE 1: Special processes are managed by using qualified personnel, and controlling physical or chemical
special process characteristics [e.g, temperature, time (process duration), pressure, (chemical) composition of
materials (product or process treatment, e.g. surface)].
rd
NOTE 2: Sometimes an audit has been performed by a specialized independent 3 party (e.g. Nadcap). In
such case the audit team may take the results of the audit by this independent organization into account.
When nonconformities are identified, the audit team shall categorize the nonconformity major/minor according
to the definitions in 9104-1. Also the need for containment shall be reviewed by the audit team. Any
containment action and correction may be reviewed during the audit
The Non Conformance Report (NCR) form in Appendix 2 shall be used to record nonconformities.
Each Non Conformance Report shall contain only one nonconformity. Multiple instances of the same
nonconformity shall be considered as one nonconformity.
The identified nonconformities shall not be closed during the same on-site audit in which it was raised.
The audit team leader shall attempt to resolve any diverging opinions concerning audit evidence or findings,
and unresolved points shall be recorded.
Recommended Practice
Remember, a nonconformity is the non-fulfillment of a requirement, so if the auditor cannot identify a
requirement, then the auditor cannot raise a nonconformity.
Important NOTE: If there is no audit evidence there is no nonconformity. If there is evidence it must be
documented as a nonconformity, instead of being soft graded with another classification (e.g. observations,
opportunities for improvement, recommendations). In the longer term, neither the organization, its
customers, nor the certification body benefit by the use of softer classifications, as this risks the nonconformity
being given a lower priority for corrective action.
Any diverging opinions regarding the audit findings or conclusions between the audit team and the client shall
be discussed and resolved where possible. Any diverging opinions that are not resolved shall be recorded and
referred to the certification body.
Individual clauses and sub-clauses of chapter 7 of the 9100 standard series may be identified as Not
Applicable (N/A). Exclusions shall be reported in the Audit Report.
Use of Not Evaluated (N/E) shall not be used in an initial or re-certification audit.
At the conclusion of each certification, surveillance and re-certification audit a report shall be compiled
containing the information and using the standard templates as defined in Appendix 1, 3 and 5.
The certification body shall leave copies of all information pertaining to the audit results (e.g. check lists,
findings, supporting documents, or other correspondence) with the audit organization for the purpose of
sharing information with their customers.
Certification body tools such as check lists or questionnaires (see Recommended practice associated to
4.2.2.1) and auditor notes shall become part of the audit file/records.
Recommended Practice
When compiling an audit report, the guidelines defined in ISO19011 clause 6.6.1 should be considered.
Audit reports may be tailored to suit the business terminology of the audit organization.
Audit reports should be issued within the agreed time period. If this is not possible, the reasons for the delay
should be communicated to the audited organization and a new issue date agreed upon.
If the audit team consists of more than one auditor, individual summary reports may be of benefit to assist the
audit team leader in compiling the overall report. The documents defined in Appendix 4 should be considered
for use, to enable the capture of findings by each audit team member (e.g. coverage of the 9100-series
standard clauses, departments subject to audit, processes covered, summary findings).
The use of a process based audit questionnaire is recommended for those auditors who are less
experienced, however their use remains optional. Certification bodies may choose to develop and use its own
questionnaire.
Audit reports may be tailored to suit the business terminology of the audit organization.
The certification body shall require the organization to record the containment and corrective action(s) on the
Non Conformance Report (see Appendix 2).
a) Containment
The certification body shall require the organization to determine and report the specific containment actions
including correction within 7 days after audit. The certification body shall review the containment actions
including correction within the next 14 days.
The certification body shall issue a report to the organization after verification of corrective actions is complete.
The report shall provide details of verification for each nonconformity identified.
st nd
NOTE: 1 and 2 party auditors may use the same approach as described above.
Recommended Practice
If there is an indication that the organization does not properly control and/or implement corrective actions,
the auditor should verify the corrective action process (reference 9100-series standard clause 8.5.2). In
that case it is likely that this process is ineffective and justifies the issue of nonconformity.
The certification body shall require from the organization to provide the following:
- The revenue for aviation, space and defense industry, and the total revenue;
- The number of employees working for aviation, space and defense and the total workforce; and
- The names of the major customers in the aviation, space and defense industry supply chain.
All activities to be included in the scope of certification shall be relevant to the scope of the applicable 9100
series standard for aviation, space and defense customers.
NOTE: see guidance on applicability in 9100 clause 1.2.
Limited access
Organizations may on occasion deny auditors access to proprietary or classified information and/or areas due
to the competitive sensitivity or national security regulations invoked in customer contracts. The certification
body shall require from the organization information if any activities, programs, specifications and/or areas are
not accessible because of restrictive or confidential nature.
The scope of certification shall not include processes that were not audited to sufficient depth to verify
organizations conformance. They may, however, be included if the product processes can be proven to be
similar to processes that can be assessed and the same quality management system procedures and controls
are invoked and audited internally.
In the audit report exclusions for these programs, customers and/or activities shall be stated with supporting
justification provided.
The certification body shall appoint an audit team leader that has sufficient knowledge about the activities of
the intended scope of certification to determine if auditors with specific competences and/or additional
technical experts are needed.
Throughout the certification cycle, the certification body shall ensure that audit time is identified in accordance
with clause 9.1.4 of ISO/IEC 17021.This may have influence on the audit duration.
Where the information provided by client is not sufficient, clarification and additional information shall be
sought.
The certification body shall prepare a draft audit program which identifies the audit activities required to be
conducted throughout the certification cycle. This shall be communicated to the client.
Modifications to the audit program shall be communicated to and agreed with the client.
The audit duration for stage 1 and stage 2 shall be determined by the audit team leader. The audit time for
stage 2 shall be reviewed after the stage 1 audit.
4.3.2.1 General
The stage 1 audit shall:
be performed by the audit team leader established for the initial audit, and
include an on-site visit by the audit team leader, except for 9120 where stage 1 audit may be conducted off-
site, based on considerations such as the size, location, risk and previous knowledge, etc of the
organization.
For organizations with more than one site but with a single quality management system, the stage 1 visit shall
include the identified central function with the authority for administration, control, audit, review and
maintenance of the single quality management system . Also included shall be a relevant number of
representative sites, including all sites with different technologies and dissimilar activities. This will give the
audit team sufficient information in order to identify the complexity, risk and scale of the activities covered by
the quality management system subject to certification, any differences between sites and to what extent each
site produce or provide substantially the same kind of products or services according to the same procedures
and methods.
The stage 1 visit shall include a tour of the site facilities. This will enable the audit team leader or audit team to
gain a greater understanding of the organizations processes, equipment, areas, products and state of
readiness in preparation for the stage 2 visit.
Following acceptance of the audit program by the client and to enable the audit program to be confirmed, the
audit team shall, during the stage one audit activity, collect sufficient information to enable the certification
body:
- to determine if additional expertise or auditors are required to assemble a competent audit team(s).
- to identify any additional audit activities necessary to fulfill the requirements for initial certification.
NOTE: Examples of customer specific quality management system requirements are: First Article Inspection
Requirements (e.g. 9102), quality records to be created and maintained by the organization, coordination of
document changes, defined key characteristics, approval of design changes by the customer, flow down of
requirements to sub-tiers, customer notification of production process changes, traceability and handling of
nonconformities, applicability of other IAQG quality management system standards in contracts, e.g. 9115,
9131, etc.
If possible, certification bodies should acquire access to the performance data of the organization available in
customer databases.
A copy of the stage 1 audit results shall be given to the organization at the time of the stage 1 audit completion
or at an agreed to time soon afterwards. The report shall identify issues to resolve prior to stage 2 audit
activities.
The audit findings shall be recorded in the stage 1 Audit report format as in Appendix 5.
For all potential nonconformities identified during stage 1, including those related to documentation review, the
certification body shall require from the organization a corrective action plan to be available before the
beginning of the stage 2 audit.
Recommend Practice
The recommended interval between a successful stage 1 and stage 2 visits should normally be six weeks
but no longer than three months. However, when planning the interval between stage 1 and stage 2 visits,
certification bodies must consider:
the needs and ability of the organization to resolve any areas of concern that may be identified during
the stage 1 visit, and
the continued relevance of the work accomplished during the stage 1 visit.
Certification bodies must make the organization aware of the implications of having an interval either
shorter or longer than the norm.
Certification bodies may use a standardized form to collect information from the customers of the
organization (see Appendix 6: Collection of Customer Quality Data before Auditing an Organization).
The certification body shall ensure that the client has effectively identified the cause of all
nonconformities and shall verify the effectiveness of any correction and corrective actions taken. Details of the
evidence obtained to support the resolution of nonconformities shall be recorded.
Verification of effectiveness of correction and corrective action may be carried out based on a review of
documentation provided by the client, or where necessary, through verification on-site.
The evidence for the review and verification for the resolution of nonconformities shall be
recorded.
4.3.4 Surveillance
[ISO/IEC 17021 9.3]
All elements of the applicable quality management system standard and all organizations processes that are
part of the quality management system shall be audited during the surveillance audits within one certification
cycle.
The audit method(s) to be used (e.g. specific problem-, area-, product- or sub-process-audits), shall be based
on the outcome of the audit teams review of system performance data.
The composition of the audit team needs to be determined, based on the audit plan for the surveillance visit.
The certification body accredited office shall define a risk mitigation scheme that addresses the consecutive
use of the same auditors at the same organization. This risk mitigation scheme shall include the use of past
audit report data/conclusions with comparison to the organizations customer performance data.
Audit plans for surveillance shall be based on continuing operational control of process and on product
performance indicators and performance trends for the previous 12 months (both for quality and On-time-
Delivery). Repeated nonconformities on the lack of actual performance data or operational control shall be
reason for suspension of the certification.
The certification body shall use the Online Aerospace Supplier Information System (OASIS) customer
feedback requests to assist with audit planning for surveillance and re-certification audits.
In such case, the certification body shall react as requested in the feedback request and shall inform the
requester on the action status, using OASIS functionality.
For surveillance audits, the audit team leader shall advise within the report whether recorded nonconformities
should be reason for suspension of the existing certificate.
4.3.5 Re-certification
[ISO/IEC 17021 9.4]
The re-certification audit should be planned minimum 3 months before the expiry date of the current certificate.
The Scope of certification shall be verified prior to each re-certification audit.
Any change of approval status issued by a customer shall be reviewed by the audit team on the impact on the
certification status.
During the re-certification audit all processes and quality management system elements shall be audited (same
as initial stage 2 audit).
All nonconformities shall be closed and verified by the audit team before a recommendation for re-certification
can be made.
These audits will be coordinated with the organization prior to the visit. The organization must be given
information about the reason and subject of the visit.
An audit plan must be completed and submitted to the organization prior to arrival. The requester (see under a)
must be notified in advance of the audit dates.
Appendix 1: Table for verification of the completeness of the process oriented auditing versus 9100 series
standard requirements
NOTE : The attached templates contain some examples,indicated as italic text for guidance and instruction .
This text shall be removed before using the templates in actual situations.
e.g.Machining
e.g.Painting
e.g. contracting
Process Clause
category
M 5.4 Planning
A 5.5 Responsibility, authority and communication
N
5.6 Management review
A
G 8.1 Meas., Analysis and Impr. General
E 8.2 Monitoring and measurement
M
8.2.1 Customer satisfaction
E
N 8.2.2 Internal audit
T 8.2.3 Monitoring and measurement of processes
8.4 Analysis of data
8.5 Improvement
8.5.1 Continual improvement
8.5.2 Corrective action
8.5.3 Preventive action
NOTE: 7.3 not applicable for 9120 Page 2
Auditing
Auditing Company
Name Non Conformance Report Company
Logo
Organization: NCR number:
Objective evidence:
Section 4- NCR closed out by Auditor on (date): Approved by Audit Team Leader name/date:
Organization
Company Name: Contact Details
Address: Telephone:
Facsimile:
Subsidiary of: E-mail:
Web-site: www. Representative:
Audited location(s): Title:
Audit Objectives:
Audit Scope
Permitted Exclusions
from 9100/9010/9020:
Certificate/Approval Expiration Date:
Number:
Audit Team
Audit Team Leader:
Observers/Translators:
Audit Criterion
Standards (): 9100 9110 9120 Version:
Quality Manual Reference: Revision:
Nonconformity
Total number of nonconformities raised during this audit:
Total Major: Total Minor:
Report Issue
Audit Team Leader
Name:
Auditing Company:
Audited Organization
Representative:
Report Distribution:
Page 1
This audit report is the property of the audited and the auditing orgarganization. Distribution to other companies or
individuals is authorised only by written agreement of the audited and the auditing orgarganization.
AUDIT CONCLUSIONS
Audit Summary:
General summary of the audit; overall results, including comments relating to the:
effectiveness of the quality management system, to enhance customer satisfaction by meeting
customer requirements;
ability of the organization to constantly provide product that meets customer and applicable regulatory
requirements; and
ability of the organizations quality management system to continually improve its effectiveness.
Page 2
Summary of Effectiveness :
Statement of
)
Effectiveness (
realized
and results are
Planned activities
results not realized
realized but planned
Planned activities
realized
and results are not
planned activities
EAR
Process Summary
Ref #
Page 4
Comments:
Report Issue
Name:
Position:
Date:
Page 5
Auditor notes :
Page 1
This audit report is the property of the audited and the auditing orgarganization. Distribution to other companies or
individuals is authorised only by written agreement of the audited and the auditing orgarganization.
Auditor notes (cont.) :
Note : As a team member the nonconformance issues identified may be a single nonconformity or roll up to a
systemic issue identified by multiple auditors
Opportunities for Improvement :
Strengths/Good Practices
Recording completeness of the process oriented auditing for each individual auditor: see appendix 1 of 9101
Page 2
This audit report is the property of the audited and the auditing orgarganization. Distribution to other companies or
individuals is authorised only by written agreement of the audited and the auditing orgarganization.
Appendix 5: Audit Report (Stage 1)
Auditing company
name STAGE 1 AUDIT REPORT Auditing
Company
Date(s) Duration Report Logo
of audit: (Man Days): Date:
Organization
Company Name: Contact Details
Telephone:
Address:
Facsimile:
Subsidiary of: e-mail:
Web Site: www. Representative:
Location(s) Visited: Title:
Preferred Language for Stage 2: Interpreter Needed (Yes/No):?
Proposed Certification Scope:
Permitted Exclusions from
9100/9010/9020:
Audit Criterion
Standards (): 9100 9110 9120 Version:
Quality Manual Reference: Revision:
Page 1
This audit report is the property of the audited and the auditing orgarganization. Distribution to other companies or
individuals is authorised only by written agreement of the audited and the auditing orgarganization.
High Level Process/Procedure Confirmation (S=Satisfactory, U= Unsatisfactory)
Requirement ) U(
Reference: S( ) Comments:
Evidence of a documented procedure
covering control of documents (4.2.3)
Evidence of a documented procedure
covering control of records (4.2.4)
Evidence of a documented procedure
covering internal audit (8.2.2)
Evidence and applicability of a quality
manual
Evidence of Quality Manual interaction with
support functions (on site or remote)
Evidence that all the requirements of 9100-
series standards are addressed by the
organization's processes
Evidence of the description and sequence
of processes
Evidence of a documented procedure
covering control of nonconforming product
(8.3)
Evidence of a documented procedure
covering corrective action (8.5.2)
Evidence of a documented procedure
covering preventive action (8.5.3)
Evidence of the description of process
interaction
Evidence of the identification of outsourced
processes
Evidence of management review planning
and results from previous twelve months
Evidence of internal audit planning and
results from previous twelve months
Comments (summary of above if unsatisfactory)
Comments (summary of above trends, plus any other customer performance information gathered):
Page 2
This audit report is the property of the audit client and thecertification body. Distribution to other companies or
individuals is authorised only by written agreement of the audi clinet and of thecertification body.
Customer Quality Management System Approval Status (limited, probation, suspension, withdrawal)
Customer Approval Status
Additional Aviation, Space and Defense Customer Quality Management System Requirements
Customer : Description of Additional Requirement : Document Reference :
Comments:
(Audit team leader to verify and confirm that the organization has a process for identifying, communicating
and implementing customer specific requirements)
Page 3
This audit report is the property of the audit client and thecertification body. Distribution to other companies or
individuals is authorised only by written agreement of the audi clinet and of thecertification body.
Key Process Information (specific process information obtained from the organization, including summary comments)
Process Comments
Process Mapping
Risk Management
Regulatory Requirements/Authority
Approval/Recognitions
Configuration Management
Project/Program Management
Restricted areas/proprietary
information/confidentiality
Export Limitations/Controls
Has the organization been requested to submit a corrective action plan prior to the Stage 2
Yes/No
audit
Proposed Stage 2 audit man day calculation (number of audit man days):
Proposed date(s) of the Stage 2 audit (elapsed time should be between six weeks and
three months):
Composition/competency of the audit team for the Stage 2 audit should include:
Organization Confirmation
Organization agrees that all results of the audit including report, findings, corrective actions,
checklists, auditor notes etc. are made available for customer/potential customer review as Yes/No
required :
Report Issue
Audit Team Leader
Name:
Auditing organization:
Organization
Representative:
Report Distribution:
Page 5
This audit report is the property of the audit client and thecertification body. Distribution to other companies or
individuals is authorised only by written agreement of the audi clinet and of thecertification body.
Appendix 6: Audit Planning -Collection of Customer Quality Data
Auditing company
name COLLECTION OF CUSTOMER QUALITY DATA Auditing company logo
Phone:
Site (s) to be Audited
(Addresses):
Fax/E-mail:
Auditing
organization:
Scope of Certification:
Sending Date:
4 5 6 7 8
Weak elements of the Quality 1 2 1 2 3 4 5 6 1 2 3 4 1 2 3 4 5 6 1 2 3 4 5
ManagementSystem you consider
necessary to focus on during the audit
(plus comments, if any)
A(=good) B C D(=poor)
Easiness of communication
Responsiveness on requests
Tick A, B, C, or D as appropriate
(plus comments if any)
A(=good) B C D(=poor)
Compliance with delivery times (On
time delivery) (agreed targets and
current performance)
Tick A, B, C, or D as appropriate
(plus comments if any)
1 2
Organization: Report Number:
3 4
Site: Issued Date:
5
Process Name: Process category
Core Product realization Support Management
Details of process assessed including associated interfaces:
6
9100/9110/9120 Clause(s) Reference:
7
Associated Support Process(es) Assessed:
8
Statement of Effectiveness:
The assessed process has been determined that planned activities and results are realized
The assessed process has been determined that planned activities are realized but planned results are
not realized
The process has been determined that planned activities and results are not realized
9
How was process effectiveness determined (methodology)?
10
Objective Evidence, Observed Conditions, Data, and Comments to Support Effectiveness
Determination
11 12
Audit Team Leader: Signature and Date:
Signature indicates that all relevant requirements (including requirements for support processes identified in Block #7) have been
assessed to determine effectiveness of the core or support process identified in Block #5.
Page 1
Instructions
Effectiveness Assessment Record
Rules for EAR Total
for each specific Core product realization proces one EAR Max app.. 10-12
for each Support process one EAR 9
for each Management process one EAR 8
4 Indicate the date that the audit report was issued to the organization identified in Block
#1.
12 Signature of the audit team leader and date. Signature indicates that all relevant
requirements (including requirements for support processes identified in Block #7)
have been auditor to determine effectiveness of the core/support/foundation process
NOTE 1: Indication of a MAJOR nonconformance shall result in core process determination as "ineffective".
NOTE 2: An indication of minor nonconformance(s) may result in core process determination of "effective".
Page 2
Planning of Product
Devices (7.6)
Core Product realization processes
(7.1.4)
(specific for each organization)
Page 3