AS9100 Certification: Why and What Next
The standard says that people should understand the importance of what they do.
I was a group quality manager for an engineering company that made aero-engine parts. As part of the culture change program, I gave a presentation on examples of aircraft crashes and causes. A poorly machined blisk that caused an in-flight turbine failure, an oil-pipe with a thin wall in one area that cracked and leaked causing a fire, and an incident I personally saw, the crash of a military helicopter in Germany which was due to a series of quality failures. It made people reflect on what they do, how they do it. If the process says the speeds and feeds are x and y, stick to it. Don’t increase them just to get the batch finished earlier. It was no longer a part, it was an aircraft part, for an engine that might power my holiday flight.
How does certification fit in? Why do we need that? We get a certificate on the wall which gets us approved to supply to aerospace companies, but—and here’s the oft-heard lament—“we don’t get any value add.”
The first question is: what are your expectations from a third-party certification body (CB) or registrar audit? It seems that many want a third-party auditor to come in, review the organization, and then, based on their experience (they see hundreds of companies, systems, tools, etc.) be given direct help on how to do things, what to do, what not to do, which tools to use. In other words, they expect to be given consultancy. Here’s the rub: accreditation specifically prohibits consultancy.
“Why?” you may ask. Simply, if an auditor/registrar tells you how to do something, then thereafter he is auditing his own work. He is therefore not impartial, not able to raise NCRs if it is wrong or not working; he and the registrar are compromised. This applies equally to your internal audits. A compromised audit is not an effective audit. You will definitely not get any value add from that!
So how do they add value? Can they add value? Frankly, it depends on your registrar and auditor. A good audit will give an organization a thorough wire-brushing. It will identify issues, weaknesses, problems, potential problems, risks, performance issues. It will also identify where the system is performing well, good practice: things to be celebrated and shared and if appropriate, implemented throughout. These will be discussed with top management at the closing meeting.
Which top manager would not want to know where his organization is failing, or weak, or wasting resources, or not addressing significant risks? Which would not want to know what is good and effective, so can be spread to good effect?
The closing meeting and report will give assurance regarding things that are working well and are effective, and direct intelligence on those that are not. Bring it on!
Behind this must be openness on the part of the auditees. It seems that sometimes, third-party certification bodies (CB) or registrars are seen as “the police.” Companies think they have to prepare for an audit—why? Either your QMS is working consistently and delivering conforming products and services on time, or it is not. The reality is there is no perfect system. I have yet to see an organization consistently deliver 100% OTD and 100% conformity, though that should be your aim.
The culture of the organization must mean that people are free to talk and not hide issues. Critically, the manager’s job or bonus should not be on the line; “If you get any major NCs, you’re fired!” An open and just culture is required. Regulators such as the FAA or EASA put a lot of emphasis on having a just culture. Auditors will soon spot a closed, fearful one.
NCRs must be seen as an opportunity to improve. Now clearly, if there is a raft of them, then there is something more fundamentally amiss, but let’s remember that only top management can really make this work. A quality manager without authority cannot succeed. Top management must support the management team, give them the required authority and be seen to lead. “Give us the tools and we will finish the job” as Winston Churchill put it in 1941.
Top management is responsible for the outcomes of the QMS. Don’t fear an audit.
The next way in which real value add is achieved is the management of NCRs. A CB raises an NCR. You have to carry out your containment to prevent further problems, escapes, etc. Then the real work: root-cause analysis (RCA) and corrective action plans (CAP).
Many will proclaim expertise on this, but the reality is that a large proportion of the root-cause analysis that we see in NCRs is lamentable. It’s shallow, stops at the first perceived issue: “human error,” the “operator made a mistake.” Give me a break. Look deeper! There are many techniques for root-cause analysis, and you need different techniques for different problems. The “5 whys” is good for simple issues, but don’t stop at the first why! Be like a curious 5-year-old.
Daddy, why does that happen? Because of x, son.
But why daddy? Because of y, son.
But why daddy? Because of z, son.
But why daddy? Ask your mother…
You get the idea.
For more complex issues, try 8D, Ishikawa or any of the multitude of tools out there, but do it well.
Then, the test. A good auditor/CB/registrar will intelligently and critically review your RCA and CAP. If it does not go deep enough, does not get the real root cause or causal factors, and if the CAP does not address them, then it should/will get rejected. Not to mess you about, but to drive you to be better! To help you make your QMS more effective.
A less robust or caring auditor will accept the first RCA and CAP submission just to get it out of his inbox. You do not benefit from this, in fact it harms you. When it is reviewed again the following year, you get the same NCR, plus another for ineffective corrective actions!
So you’ve addressed all the NCRs, you have listened to the closing meeting brief and acted on the intelligence the auditor gave you. Your QMS is working better, delivering to your customers, keeping them happy, winning and retaining business. You have less waste, better visibility of performance of processes, actions in place to continually improve. You have your certificate.
Value add anyone? You get it from a good audit and robust, intelligent critical review of your plans.
Now let’s look at an aspect that can make a difference in how the QMS is seen by your team—culture. How can I refine the culture of my organization? What might motivate people to be diligent, to apply themselves consistently?
Why are they all stakeholders in what we do?
The standard says that people should understand the importance of what they do. Refer to 9100 clause 7.3 c and d. Okay, so they get paid for doing it. The company stands if they are profitable, so they are stakeholders in the company. Enough?
Quite often, in organizations further removed from aircraft manufacture, repair or operation, the people don’t think in terms of the item being fitted to an aircraft, or an aero-engine. It is just a billet, a machined part, a PCB, a pump….
But where does that go? How am I affected? Surely we just want to get them out the door and get paid? Keep up the cash flow, finish the batch.
Who amongst you flies on holiday with your family? Who flies on business? When you put on your garish shirt, your flip-flops and favorite-but-tatty straw hat, and board an aircraft to fly to Sunnyville, do you want to know that the aircraft is 100% serviceable, the parts are 100% conforming? Or would you accept 98%? Or 92%?
So I invite you to think about your organization. How can you work with your CB/registrar/auditor to get the most from your audits?
How can you create a culture of openness, a just culture that means things are flagged and addressed, not hidden?
How can you lead most effectively?