Guest blog post by Marcia Buser and Tristan Buser-Molatore
In our last blog post, we reported on the new aerospace quality requirements for preventing counterfeit product as presented at the American Aerospace Quality Group aerospace auditors workshop held July 21 and 22. In this post we share what we learned about new requirements related to purchasing and control of suppliers.
ISO 9001:2015 covers this under clause 8 Operations, formerly clause 7 Product Realization. What was clause 7.4 Purchasing becomes clause 8.4 Control of externally provided processes, products and services.
Other than the change in terminology from “suppliers” to “external providers,” the ISO 9001:2015 requirements are very similar to the 2008 revision with a bit more explicit language around the selection for approved suppliers and information given to them. The change in terminology in both ISO 9001 and the AS quality management standards reflects an emphasis that the requirements include any outsourced processes, not just products.
AS9100D retains similar additional requirements and amplifications as revision AS9100C along with the following changes from the current revision:
- More explicit requirement for external providers to apply appropriate controls to their direct and sub-tier external providers, to ensure consistency throughout the whole supply chain. This expands on the current “flow down” requirements and requires organizations to not just flow-down to the next tier but put controls in place to ensure they are adhered to throughout the supply chain.
Some of the new flow downs relate to:
- Prevention of counterfeit parts
- Ensuring individuals in the supply chain are aware of their contribution to product or service conformity and safety as well as the importance of ethical behavior.
- Added evaluation of data on test reports provided, to confirm the results comply with requirements as well as added a requirement for a validation process of test reports accuracy for raw materials identified as a significant operation risk. Some readers who have experience with earlier versions of AS9100 may recognize that it was a requirement that is added back after being removed from revision C.
- Evaluation of data on test reports is being added to avoid noncompliance of test report results with the requirements. Organizations will need to determine the products for which test reports will be required and at receiving, check that the test results are compliant before accepting the parts.
This requirement is intended to prevent inaccurate, incomplete or unduly altered test reports for raw materials from introducing undue risks on critical applications. It will require organizations to determine the critical raw material for which this clause will apply (according to customers’ requirements, as design outputs or safety analysis outputs), then define the process to be applied (e.g. periodic scheduled retests performed on samples) and finally to apply the process and take necessary actions.
AS9100C limited risk previously to the selection and use of external providers. Revision D expands risk management throughout the entire process. 8.4 Control of externally provided processes, products and services states “The organization shall identify and manage the risks associated with the external provision of processes, products, and services, as well as the selection and use of external providers.” This expands on the AS9100C requirement to “determine and manage the risk when selecting and using suppliers.”
Some other differences between AS9100C and D include:
- A note is added that allows the use of customer data in evaluation and section: “NOTE: During external provider evaluation and selection, the organization can use quality data from objective and reliable external sources, as evaluated by the organization (e.g., information from accredited quality management system or process certification bodies, external provider approvals from government authorities or customers). Use of such data would be only one element of an organization’s external provider control process and the organization remains responsible for verifying that externally provided processes, products, and services meet specified requirements.”
- The current requirement to just include record retention requirements in purchasing information now requires the organization to “define the requirements for controlling documented information created by and/or retained by external providers.”
- In AS9100C, when performing periodic evaluation of supplier performance, the organization had to use results to be used as a basis for establishing the level of controls. Now these results are only required to be a consideration.
- Lastly, the new revision introduces the concept of “Review of production part approval process data.” Those who have worked in the automotive industry will recognize the PPAP requirement. A new AS standard, AS9145 is in process of being developed for APQP/PPAP process. Look for this to be flowed-down from the Primes in the future. No date for its release has been established.
Presentations from the workshop are available on the AAQG website:
http://www.sae.org/aaqg/audit_information/workshops.htm
___________________________________________________________________________________
About the authors: Tristan Buser-Molatore and Marcia Buser are preferred providers for OMEP specializing in implementing and auditing quality management systems for ISO 9001, AS9100 and ISO 13485.