Aerospace | AS9100
01 QM 0723 Aerospace AS9100

All Images Source: BSI

The Aerospace Quality Management System Rulebook – Time for a Change

Before starting the revision, the writing team asked what was good, what was not so good, and what needed changing.

July 17, 2023
Image in modal.

Aerospace has a large, diverse, global supply chain. It is also struggling to keep up with demand while maintaining the essential quality and conformity of the products and services. Capacity was affected by COVID, and there now are difficulties getting enough people and some fallout from COVID in the form of health, safety and wellbeing issues. The IAQG President, Andy Maher, said in his address to the October 2022 IAQG Conference: “83% of the workforce feel overwhelmed, overburdened and have cognitive overload.” This is affecting accelerated retirement, resignations, and expectations. People got used to home working, so want to continue now that we are out of COVID. Conversely, some people need to be in a work environment, as they get their energy from being with people.

Before COVID, the IAQG started to review the Aerospace QMS rule book, AS9104/1 (EN9104-001) and the associated AS9101/EN9101, which together set out how the scheme is run. There are two others, 9104-002 and 9104-003, which have also been revised concurrently, but I shall not cover them here.

Before starting the revision, the writing team garnered the views of industry on what was good, what was not so good, and what needed changing. Then COVID added its effects and caused some further consideration, notably the use of ICT (Information & Communication Technology, i.e. remote) auditing. During COVID, the IAQG permitted 100% ICT auditing to maintain certification and third party auditing in the supply chain, a critical move. While there are some disadvantages to ICT auditing, particularly on the shop floor aspects, there are also many advantages. Certainly, some auditing has got to be better than none. The automotive IATF scheme was late in coming to this decision, perhaps exacerbating supply chain risks.


Ethics. While one might expect this to be the norm, the scheme now has a requirement on all participants to behave ethically, and indeed to report concerns. Indeed, if you go for PBS/RP (below) then you must have an ethics policy.


There are many organizations with 9100 certification whose scope indicates that they should perhaps have a different standard or an IMS covering more than one. For example, an organization may include maintenance, repair and overhaul (MRO) activities in its scope. If the MRO is of its own product, meaning it was manufactured within the scope of the certificate, then the 9100 can cover the MRO activities. If not, then the organization will need to add 9110. The same applies to organizations doing stockholding and distribution. If its own product, all is well. If not, then 9120 is required.

Some organizations have selected 9100 instead of 9110 or 9120, because they incorrectly see the three as hierarchical, with 9100 being superior. It is not. Organizations must be certified to the appropriate standard(s), so some of you may need to change or add standards. Reporting of these integrated standards is made easier, as they can all go into the same report.

Structures. Being under IAF rules, the IAQG had to drop several, campus and complex structures, so now there are only single or multiple site structures. If you are currently certified as one of these three, then at transition, your structure will change. For campus organizations in particular, this will add to audit durations.

Risk-Based Audit Duration And Planning. Here is a new acronym for you: OCAP. Organization Certification Analysis Process. This is the application of risk-based thinking to audit planning, using defined criteria. These include the organization’s size, structure, complexity/simplicity, internal audit program, performance and outcomes, including customer feedback. All these data are reviewed in OCAP to determine the audit duration and write the audit plan. This is a collaborative exercise between the Certification Body (CB, or in the U.S., registrar) and the organization. The audit duration can be increased or reduced by up to 10% based on this risk assessment.

02 QM 0723 Aerospace AS9100


Frankly, the audit durations under campus were inappropriately low, with durations for a high-risk sector like aerospace often being shorter than for an ISO9001 company making plastic toys to go in cereal boxes! Not tenable or credible.

For some large organizations, this change presents a concern from their viewpoint, as the audit duration increase could be significant. But there are things that provide some balance here. There are reductions in audit duration for sites that do not undertake certain activities. The first is design and development. The old 9104/1 tables had two columns, for with or without design. In the new tables, this is gone, but there are now reductions for sites not undertaking:

  • Management of the QMS (10%)
  • Design and development (20%)
  • Control of externally Provided Processes, Products and Services (purchasing) (15%)
  • Control of Production and Service Realization (20%)

10% is added to the audit duration for OCAP and planning, and 10% for reporting. This comprises audit time (audit duration plus 20% = audit time).

For those few, consistent, exceptionally high-performing organizations, there is the new Performance Based Surveillance/Recertification Program (PBS/RP). In short, if your organization consistently meets a very high threshold for QMS management and performance against defined criteria, then you can benefit from significant reductions in audit durations, up to 50% per site. But the entry bar is rightly very high.

If other IAQG standards such as AS9145 are flowed down to you contractually, then the CB “shall” add time to the audit duration. You are required to provide all OCAP data to your CB at least 90 days before the audit start date.

03 QM 0723 Aerospace AS9100


Having learned a lot during COVID, the scheme now permits up to 50% ICT auditing per site. Let’s consider some advantages of this.

The opening, closing and daily wash-up meetings can be held remotely, with all sites being represented at the meetings. Previously, if sites were not represented at the main opening meeting, then there had to be site opening meetings. So this saves time and travel.

You may have multiple sites operating the same process. Using ICT means the auditor can talk to all the site process owners concurrently, so the conversation on definition, performance, risk, outcomes, improvement etc. can be had once, not many times. This time-efficient method also means that with intelligent questioning, the auditor can stimulate your team into talking and thinking together, reflecting on what is good, bad, or could be done better. Even if NCRs are not identified, a good auditor may cause the team to reflect on what was discussed, the intelligent critical review applied by the auditor, and so work collaboratively to drive improvement. A value-adding audit driving internal cohesion, collaboration, shared understanding of the defined process, shared culture, and prompting thought to drive improvement.

The requirement to audit the purchasing process annually has been removed. But don’t think this means it is seen as less critical. Indeed, recent events show that it continues to be so, with the ongoing issues of supply chain capability and capacity, as well as the risks of counterfeits and SUPS. Doing OCAP and considering risks, feedback, external NCRs or escapes, it may be that the process gets more time assigned.


Here I am referring to non-aerospace standards that are implemented by organizations.

The revised 9104/1 permits integrated auditing if you have an IMS. If not, why don’t you? Here’s why you should consider it.

The primes are flowing down more requirements, and indeed, I would anticipate these growing as demands from stakeholders increase. Contractually requiring standards makes sense, because standards are simply best practice consolidated and promulgated. Apply these, and you can assure all your stakeholders, including investors, customers, regulators and indeed your own workforce.

Risks you may need to meet include cyber security, an obvious and critical requirement, so the ISO 27000 series is your go-to. Environment and sustainability, so ISO14001, or perhaps specific GHG or energy management standards relevant for your company. How do you manage, verify and report this? Health, Safety and Wellbeing (HSW) is clearly relevant to every organization, so ISO45001 & 45003 come into play.

04 QM 0723 Aerospace AS9100

These are just examples. But how do you manage all these? Organizations have separate leads for each discipline, which in itself is fine, as you need the expertise. The worrying part is when they do not work together, or even don’t know who the other leads are! Be in no doubt, they are all interdependent. For example, a contractual requirement will be to keep customer IP secure. This means IT/IS security. AS9100 has a clause covering this, so IT/IS security is part of the QMS. So why would the IT/IS security system be separate and not collaborate? Similarly, HSW. We are all aware now of how COVID affected people. Human factors have long been a consideration in aerospace and AS9100 requires that this is considered in determining root cause analysis. So another clear interdependency. The message is obvious; if each of the systems is to be simplified, optimized, efficient and effective, they need to work together. So by implementing an IMS, you can drive a shared culture, collaborative leaders and a simplified system: your people do not want to work to a multitude of separate, perhaps conflicting, requirements.