Optimize your AQMS using OCAP & PBS/RP
The revised 9104-1 CB’s standard
The 9104-1 standard defines the International Aerospace Quality Group (IAQG) scheme requirements for managing Aerospace Quality Management System (AQMS) certification (commonly referred to as the ‘ICOP scheme’) undertaken by accredited certification bodies (CBs).
This "CB standard" represents a comprehensive revision of the previous standard and is a significant step up in the drive to reduce AQMS (Aerospace Quality Management System) nonconformities with new criteria to allow audit reductions for consistently high‑performing organizations.
These revisions will impact all certified organizations
The alignment with ISO/IEC 17021-1:2015, ISO/IEC 17011:2017 criteria and IAF Mandatory Documents is preserved and supplemented by Aviation, Space & Defence industry unique ICOP sector scheme requirements.
The previous ‘site structures’ (Campus, Several Site and Complex) are replaced by single and multi-sites only. Where a physical location of a site exists, and Information & Communication Technology (ICT) is utilized, a maximum of half of the audit duration may be conducted remotely.
As a result of these significant changes, the CBs now require ‘active organization participation’ in the audit planning process by requiring them to submit AQMS performance and change data in advance of any audit. The CB process includes a review and documentation of the submitted data (by the lead auditor) prior to starting an audit. Organizations must justify the ‘non‑applicability’ of site processes and identify supporting IAQG standards they have implemented in their AQMS.
Overview: Organization Certification Analysis Process (OCAP)
The ‘Audit Calculator’ previously used to determine audit duration is replaced by a risk-based Organization Certification Analysis Process (OCAP) which uses data defining the organization context, core processes, certification structure (single or multi-site) and applicable IAQG standards to determine audit duration based on the IAF MB ‘baseline’.
With risk (Low/Medium/High) established at the organization/site level, audit duration is decreased/increased accordingly (minus 10% / no change / add 10%).
Overview: Performance Based Surveillance and Recertification Process (PBS/R)
There is also an option to utilize a Performance Based Surveillance and Recertification Process (PBS/R) which can lead to a reduction of up to 33% in audit duration for organizations/sites.
Entry to this process is allowed only after one certification cycle (3 years) and the organization must demonstrate –
Robust Internal Audit Program / ASD Lead Auditor Course for auditors
Low/No Complaints
Meet KPIs consistently
Consistent good results with no major NCRs from CB audits
Once deployed, CBs evaluate and make appropriate process adjustments when organizations who are approved for PBS/RP are not in conformance with continuing requirements.
Details: Organization Certification Analysis Process (OCAP)
The requirements covering the International Aerospace Quality Group (IAQG) industry controlled other party (ICOP) scheme for 9100/9110/9120 certifications have been revised! A key change is the introduction of an interactive Organization Certification Analysis Process (OCAP).
The certification process will now reflect an organization’s complexity, the efficacy of its internal audit program and the use of ‘performance-based elements' for risk analysis that include on-time delivery, conformity of delivered product/service, customer satisfaction and process effectiveness (PEAR scores).
Each ‘performance-based element’ is individually scored for risk –
Risk Level = Low [score 1]
Risk Level – Medium [score 3]
Risk Level – High [score 6]
The certification bodies (CBs) will use these scores to increase audit time when risks are high, or reward high-performing “low-risk” organizations with audit time reductions. Also, movement of audit duration between sites for multi-site organization is now allowed.
Organization <complexity> is based on the IAF MD 5 Table QMS 1 which has simplified the definition of ‘sites’ as being either single site (organization) or multi site –
Small (single site) simple – Risk Level = Low
Small (single site) complex – Risk Level = Medium
Large (multi-site) – Risk Level = Medium
Large (multi-site) – Risk Level = High
The organization’s <internal audit program> is assessed against strict characteristics and deemed to be –
High Performing Audit Program – Risk Level = Low
─ properly resourced audit program
─ multi-event audit program, audit full QMS annually
─ audit program driven by risk and data
─ effective corrective action program
Average Audit Program – Risk Level = Medium
─ limited resources for audit program
─ internal audit is an annual event
─ full QMS is covered annually
─ conforming corrective action program
Low Performing Audit Program – Risk Level = High
─ audit program is not properly resourced
─ primarily desk top audits
─ audit program does not prevent major third-party nonconformities
─ full QMS not covered annually
─ ineffective corrective action program
The organization’s <performance> for customers is based on verifiable data to separately assess –
On-time delivery
Conformity of delivered product/service
Customer satisfaction
Each performance metric individually evaluated in terms of ‘customer expectation’ –
Exceeds – Risk Level = Low
Meets – Risk Level = Medium
Below – Risk Level = High
The organization’s <process effectiveness> is evaluated based on the lowest performing PEAR scores from previous CB audits.
PEAR value 5 – Risk Level = Low
PEAR value 3-4 – Risk Level = Medium
PEAR value 1-2 – Risk Level = High
The overall <organizational risk> used for determining CB site audit duration is determined by adding the ‘risk scores’ for the above elements using –
Risk level LOW – total score 6 to 11
Risk level MEDIUM – total score 12 to 24
Risk level HIGH – total score 25 to 36
All CBs use the <audit duration baseline> defined in Table 8. of IAF MD 5, which specifies the initial/surveillance/recertification audit durations related to the number of site personnel, as their starting point.
The <applicability of site processes> is used to adjust audit duration. Non‑applicable requirements result in audit duration reduction from the baseline. For example, if there is no product/service design and development undertaken, the audit duration is reduced by 10%.
The overall <organizational risk> score is then used to adjust the audit duration as appropriate –
Risk Level = Low (total score 6 to 11) – reduction of 10%
Risk Level = Medium (total score 12 to 24) – no change
Risk Level = High (total score 25 to 36) – addition of 10%
All of these ‘adjustments’ are added to give the total audit duration time adjustment which can be ‘plus’ or ‘minus’.
However, the CB will make audit duration <additions> for –
auditing contractual requirements identified within other IAQG Standards (e.g. AS9102, AS9103, AS9145, etc.)
verification of corrective actions from previous audit nonconformities
OCAP analysis, audit planning, and report writing (mandated as plus 20%!)
Example
Consider a “make-to-print” machinist organization (does not undertake product design and development) currently certified to AS9100. They employ 165 people and have applied for their triannual recertification.
Based on the IAF MB ‘baseline’, their audit duration is 7-days
Their CB has evaluated and recorded their ‘risk elements’ to be Low (total score 9) which equates to a 10% reduction in audit duration.
As they do not undertake product design and development, there is a further 20% reduction in audit duration.
Total audit duration time adjustment is 10% + 20% = 30%
This equates to (7 x 0.3) or 2.1-days reduction – i.e. audit duration is 7 – 2.1 = 5-days rounded to the nearest ½-day
To arrive at the actual audit duration the CB adds 20% (for OCAP analysis, audit planning, and report writing) – i.e. 5 + (5 x 0.2) – 6-days
Details: Performance Based Surveillance/Recertification Process (PBS/RP)
The IAQG’s new Performance Based Surveillance/Recertification Process (PBS/RP) PBS/RP) is an optional process based on objective evidence and demonstration that a certified organization continually maintains a conforming, effective, and high performing AQMS. PBS/RP replaces the IAF process for advanced surveillance and recertification procedures (IAF MD3:2008).
The bar is set high for both entry into, and remaining in, PBS/SP
The qualification and continued use of this PBS/RP is based on a certified organization’s performance, including objective evidence and demonstration that the organization continually maintains a conforming and effective AQMS that meets aerospace/defence customer expectations.
AS9100/9110/9120 certified organizations can now be rewarded with an appropriate reduction in audit time from the duration baseline upon successful implementation and maintenance of PBS/RP –
For single site structure using PBS/RP, audit duration may be reduced up to 33%
For multi-site structures, audit duration for each site may be reduced up to 33% per site
Although PBS/RP is an ‘optional process’, any certified organization may utilize PBS/RP provided they meet the stringent PBS/RP qualification requirements and criteria defined in Table D.1, 9104/1 –
A. Completion of one AQMS certification cycle.
B. The OCAP risk analysis results in a low/medium risk for each site, including the central function.
C. Implementation of an Internal Audit Program in accordance with ISO 19011, including:
Annual audit of all applicable AQMS requirements; and
Defined, structured, multiple event audit program that adjusts throughout the calendar year based upon:
─ performance
─ customer complaints
─ risk; and
─ change management
D. Internal auditor competency that includes:
Auditor(s) that have completed a TPAB approved ASD Lead Auditor course (reference 9104-3).
E. Organization has an ethics policy that includes communication and reporting processes.
F. No externally identified major nonconformity (e.g. CB, customers, regulatory authorities), as defined in 9101, in the past 12 months related to internal audit, management review, or corrective action processes issued to either a single site or to the central function within a multi-site structure.
G. No certificate suspension due to an AQMS nonconformance in the past six years.
H. Meeting customer satisfaction metrics, based on customer provided data.
With these requirements and criteria met, an organization must formally apply to their CB for use of PBS/RP with documented information to support evidence of conformity for the above items.
The organization’s certification body (CB) must then apply to their Accreditation Body (AB) and obtain approval, prior to implementation PBS/RP.
Typically, successful maintenance of PBS/RP may result in up to 33% reductions in audit durations (and consequently cost) for both surveillance and/or recertification.
Note: The total reduction (by site) after all adjustments (including risk adjustments) cannot exceed 50% of the audit duration baseline.
There will be, of course, an annual PBS/RP evaluation by the CB which includes information provided by the organization.
Organizations that are approved for PBS/RP and are not in conformance with continuing requirements must implement corrections or be subject to adjustments, suspension, or loss of PBS/RP. Details of such ‘issues’ and the related PBS/RP ‘adjustment’ are detailed in Table D.2, 9104-1.
Empowerment training courses
It is essential that organizations understand the new ‘rules’ and ‘analyses’ being used by CBs.
These changes offer an opportunity for an organization to take steps to optimize the effectiveness of its AQMS, minimize CB NCRs, boost customer satisfaction, and reduce the duration of CB audits and overall certification program costs
TEC’s e-Learning and Face-to-Face courses provide a comprehensive explanation of the CB’s analysis and ‘risk scoring’ processes and give details of ‘tried-and-tested’ tools and methodologies to meet OCAP & PBS/RP requirements and optimise your AQMS.
Learn how to –
re-define organization context, scope and certification structure
accommodate climate action changes
confirm additional aerospace standard(s)
reduce organization complexity
tighten up internal audits
maximize PEAR scores
meet/exceed customer KPI targets
create an Ethics Policy
implement processes for Change management (NOC), Counterfeit parts prevention, Safety Management System (SMS)