As9100 interpretations

Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors.
Expectations for Companies Certifying to AS9100.
1 OF 61
AS Interpretation Rev. 0 - May 9, 2007
Bureau Veritas Certification has established certain minimum expectations for companies who
wish to register their Aerospace Quality Management Systems (AQMS) to AS9100. These
expectations are based upon our understanding of the requirements of the standard and the
requirements for third party registration/certification to the standard gained through our
collective experience in auditing quality management systems of many varied applications.
Additionally, The ISO Technical Committee (TC) has developed several guidance documents for
various requirements of ISO9001:2000 that are applicable to the requirements of AS9100. These
documents are available to the public via Internet website http://www.bsi.org.uk/iso-tc176-sc2.
These documents are referred to throughout this document.
Auditor Notes:
This document is not intended to add to, minimize, or in any way modify the requirements of the
standard and the requirements for accredited certification to the standard. It is meant to be a
guidance tool for Bureau Veritas Certification auditors providing common understanding on the
intent of the standard and certification requirements in addition to providing clarification of the
text. For organizations seeking registration/certification, this document provides insight as to the
expectations of Bureau Veritas Certification auditors.
In order to claim conformity with AS9100, the organization has to be able to provide objective
evidence of the effectiveness of its processes and its quality management system. Clause 3.8.1
of ISO 9000:2000 defines ‘Objective evidence’ as ‘Data supporting the existence or verity of
something’ and notes that ‘Objective evidence may be obtained through observation,
measurement, test or other means’. Objective evidence does not necessarily depend on the
existence of documented procedures, records or other documents, except where specifically
mentioned in AS9100. In some cases, (for example, in clause 7.1{d} Planning of product
realization, and clause 8.4 Monitoring and measurement of product), it is up to the organization
to determine what records are necessary in order to provide objective evidence.

2 OF 61
AS9100 Interpretations
Element 4: Quality Management System
4.1: General
Section 4.1 includes the general requirements that must be met in order to establish, implement
and continually improve the effectiveness of a quality management system meeting the
requirements of the standard. These requirements are referenced to and/or further defined in
subsequent clauses of the standard. Table A, shown below, contains the cross-linked references.
Continual improvement of the effectiveness of the quality management system may be reflected
in a number of different areas. These may include:
Quality objectives;
Corrective and preventive actions;
Internal audits;
External audits;
Review of customer satisfaction surveys and associated action items;
Operation meetings producing improvement actions;
Actions initiated by suggestion programs;
Process Changes;
Infrastructure and environment changes;
Management Reviews
If continual improvement has become a way of life for a company, it is unlikely that a
demonstration of company wide continual improvement will come from only a few sources.
System deterioration would not necessarily lead to non-conformity if all actions were positive
and the improvement path is still evident and logical. The system would be questionable if the
company did not recognize it or had not reacted to the issues appropriately.
Note: It is the responsibility of the company to demonstrate improvement rather than the
auditor to look for it. Accordingly, it is useful audit practice to ask management to
identify any improvement initiatives taken since the previous visit, and any planned for
the future.
4.1 a) Process identification – Bureau Veritas Certification auditors will expect to see a process
model that explains the key processes of the business and how each relates and links to the
others. The depth of process explanation may be as detailed as the company chooses, but should

3 OF 61
be based on its customer and applicable regulations or statutory requirements, the nature of its
activities and its overall corporate strategy. In determining which processes should be
documented the organization may wish to consider factors such as:
Effect on quality
Risk of customer dissatisfaction
Statutory and/or regulatory requirements
Economic risk
Effectiveness and efficiency
Competence of personnel
Complexity of processes
Bureau Veritas Certification promotes the identification of Customer Oriented Processes
(COPS), Support Oriented Processes (SOPS) and Management Oriented Processes (MOPS)
while defining processes however, this is not a requirement. The auditor must see evidence that
the organization has identified and defined their processes.
The ISO TC document - ISO/TC 176/SC 2/N 544R - ISO 9000 Introduction and Support
Package: Guidance on the Concept and Use of the Process Approach for Management Systems,
provides basic information for understanding application of the process approach. The bulletin
defines a process as: A “Process” can be defined as a “Set of interrelated or interacting
activities, which transforms inputs into outputs”. These activities require allocation of resources
such as people and materials (http://www.bsi.org.uk/iso-tc176-sc2).
4.1 b) Sequence and interaction of these processes – The interactions of the processes must
somehow be described in the quality manual (4.2.2 c). The organization is not required to
produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the
processes and their sequence and interactions were identified. Such documents may be used by
organizations should they deem them useful, but are not mandatory. Graphical representation
such as flow-charting is perhaps the most easily understandable method for describing
interactions between processes. Other possible methods may include: documentation prepared
for implementation of the product management system (SAP, SYMIX, MRP, etc…); deployment
flowcharts; and pictorial diagrams.
The Completion of the Bureau Veritas Certification process matrix provides the relationship
between the organizations processes and the requirements of ISO9001:2000 however does not
show the interaction between the identified processes. If the organization chooses to use the
process matrix to show interaction, it must be supplemented with another method to show
process interaction. The Bureau Veritas Certification process matrix must be completed in order
to assist in the scheduling of the organizations audits.

4 OF 61
4.1 c) Criteria and methods needed to ensure that both the operation and control of these
processes are effective. This could be demonstrated with stated objectives, instructions and or
procedures as required for consistent output of the processes.
4.1 d) Ensure the availability of resources and information necessary to support the operation
and monitoring of these processes. This may be through Management Review or other methods
for defining and determining resources.
4.1 e) Monitor, measure and analyze these processes - All identified processes are subject to
requirements for monitoring, measurement, and analysis for needed improvement. The methods
employed and the timing of such analysis should be based upon priorities established by the
organization. Auditor expects to see measurable objectives established for each process. These
objectives should support the organization’s overall objectives.
4.1 f) Implement actions necessary to achieve planned results and continual improvement of
these processes – Same as described above. Auditor expects to see corrective action taken when
measurable objectives fall below target or defined action level.
Outsourced Processes: Outsourced processes must be controlled by the organization and these
controls must be defined/described within their system. Organizations are required to identify the
controls they apply for any outsourced processes. The facility quality manual must identify if
outsource processes are applicable. In addition, the client shall have written documentation on
the methods used to control the outsourced process(es). Examples of some outsourced processes
are:
Process completed wholly or partially by a sister facility outside the scope of registration.
Such as corporate performing design, purchasing or customer related processes. This may
include the entire element or a subsection i.e. corporate completes supplier evaluation and
re-evaluation of suppliers and the registered site initiates purchase orders.
Processes completed by an outside vendor or subcontractor such as heat treating, plating,
calibration, painting, powder coating, etc.
Documented objective evidence must be ascertained to ensure that these processes are being
controlled beyond the basic purchasing requirements, which are focused on controlling products
not processes. The organization is responsible to ensure that the outsourced process is meeting
applicable requirements to ISO9001:2000. Outsourced processes may be controlled through such
methods as (not limited to):
Internal Audits
Internal Agreements between two sites where only the audited site is under the scope of
registration (Interface Agreements – Bureau Veritas Certification terminology)

5 OF 61
Process performance data
Purchasing Process
ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on
'Outsourced Processes: An outsourced process can be performed by a supplier that is totally
independent from the organization, or which is part of the same parent organization (i.e. a
separate department or division that is not subject to the same quality management system). It
may be provided within the physical premises or work environment of the organization, at an
independent site, or in some other manner…… The organization has to demonstrate that it
exercises sufficient control to ensure that this process is performed according to the relevant
requirements of ISO 9001:2000, and any other requirements of the organization’s quality
management system. The nature of this control will depend, among other things, on the
importance of the outsourced process, the risk involved, and the competence of the supplier to
meet the process requirements (http://www.bsi.org.uk/iso-tc176-sc2).
TABLE A: Cross-linked references
4.1 General requirements Relevant further clauses
a) Identify the processes, including
outsourcing, needed for the quality
management system and their application
throughout the organization (see 1.2),
5.4.2 QMS planning
7.1 Planning of product realization
8.1 General
b) Determine the sequence and interaction of
these processes,
5.4.2 QMS planning
7.1 Planning of product realization
4.2.2 (c)
c) Determine criteria and methods needed to
ensure that both the operation and control
of these processes are effective,
7.1 (c)
7.3.3 (c)
7.4.1 (Criteria for selection)
7.5.2
d) Ensure the availability of resources and
information necessary to support the
operation and monitoring of these
processes,
Whole of 6
e) Monitor, measure, and analyze these
processes, and,
Whole of 8.2
f) Implement actions necessary to achieve
planned results and continual
improvement of these processes.
These processes shall be managed by the
Whole of 5, 6, 7 and 8

6 OF 61
organization in accordance with the
requirements of this International Standard.
Where an organization chooses to outsource
any process that affects product conformity
with requirements, the organization shall
ensure control over such processes. Control
of such outsourced processes shall be
identified within the quality management
system.
4.2: Documentation Requirements
4.2.1: General
The Quality Management System (QMS) “documentation” shall include:
4.2.1 a) Statements showing the organization’s quality policy (see 5.3) and quality objectives
(see 5.4.1).
4.2.1 b) A quality manual (see 4.2.2).
4.2.1 c) Procedures that this standard requires (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3).
4.2.1 d) Documents that the organization will need to ensure that the planning, operation, and
control of their processes is effective.
4.2.1 e) Records that this standard requires (see 5.6.1, 6.2.2, 7.1, 7.2.2, 7.3.2, 7.3.4, 7.3.5, 7.3.6,
7.3.7, 7.4.1, 7.5.2, 7.5.3, 7.5.4, 7.6, 8.2.2, 8.2.4, 8.3, 8.5.2, and 8.5.3).
4.2.1 f) quality system requirements imposed by the applicable regulatory authorities.
BV Certification: This requirements effectively invokes all pertinent requirements of the industry-
applicable regulatory agencies (e.g. FAA, CAA, JAA, etc.) such as those included in FAR Part 21,
145, etc. While the BV Certification auditor may not look for conformance to those specific
regulatory requirements – a nonconformance against a closely related requirement in Standard AS9100
may be cited.
The organization shall ensure that personnel have access to quality management system documentation
and are aware of relevant procedures. Customer and/or regulatory authorities representatives shall
have access to quality management system documentation.

7 OF 61
BV Certification: It is expected that all personnel have access to relevant documentation, in any
appropriate format. Documentation can include procedures, work instructions, forms, travelers, drawings
and work standards. For complex operations, job packages should be at the workstation. In other
situations, it is sufficient for the co-worker to demonstrate knowledge of where the relevant
documentation is located.
The right of access by “customer and/or regulatory authorities” appears in several clauses throughout the
standard. A broad statement permitting right of access to quality documentation at the organization’s
facilities, coupled with flow down to suppliers and sub-tier suppliers (see section 7.4) is sufficient to
satisfy this requirement. See also the Interpretation comments under section 4.2.4, below.
4.2.2: Quality Manual
Exclusions from the quality management system must be described and justified within the
quality manual (see 4.2.2 a). The documented procedures established for the quality
management system must be included or cross-referenced in the quality manual (see 4.2.2 b). A
description of the interaction between the organization’s processes needs to be identified in the
quality manual (see 4.2.2 c).
The applicable processes might include those relating to four general categories: 1) Management
Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and
Monitoring. Most companies will prefer to focus on their own COPS, MOPS, and SOPS.
Manual content and design - There are many ways of documenting the quality management
system and organizations should adopt the approach that is most useful for effective operation of
their system.
Examples include:
Flowcharts;
Written text;
Diagrams;
System maps;
Process maps;
Process Turtles.

8 OF 61
The quality manual may have many forms. Although many organizations structure their
documentation in a typical pyramid, it is not the only, and not always the most suitable, way. A
quality manual doesn't have to exist as a separate document. The quality manual may:
Be a direct collection of QMS documents including procedures;
Be a grouping or a section of QMS documentation;
Be more than one document or level;
Be in one or more volumes;
Be a stand alone document or otherwise;
Be a collection of separate documents.
The ISO 9001:2000 standard offers companies a possibility to establish effective, user-friendly
systems. This edition offers the current users a unique opportunity to streamline their quality
management system documentation.
A separate document "addressing" all the clauses of the standard is not required by the standard -
neither does the standard require the quality manual to "address" or "cover" the requirements of
the standard. The manual may be documented specifically to the organizations processes.
4.2.2 a) Scope – The organization may exclude portions of the standard that do not apply to their
quality management system due to the nature of the product or service that they supply. ISO
9001:2000 clearly limits and identifies which activities may be excluded. The justification for
exclusion and those considered not applicable must be clearly documented in the quality manual.
If, for example, design does not apply to the quality management system, the standard stipulates
(in section 1.2 Application) how a reduction in scope of the standard may be justified and
documented within the quality manual. Bureau Veritas Certification has defined exclusion
applicability to be within the clause Design and Development (7.3) only. All other potential
exclusions within section 7 must be identified as not applicable or not applicable at this time.
ISO TC Guidance - Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support
Package: Guidance on ISO 9001:2000 clause 1.2 'Application:
ISO 9001:2000 clause 1, Scope, defines the scope of the standard itself. This should not be
confused with the scope of the QMS, which is a term commonly used within the context of QMS
certification/registration to describe the organization and products to which the QMS applies
(http://www.bsi.org.uk/iso-tc176-sc2).
Auditor should discuss the difference between the scope of certification and the scope of the QMS
(i.e. what is on or will be on the organization’s certificate).
The scope of the QMS should be based on the nature of the organization's products and their
realization processes, the result of risk assessment, commercial considerations, and contractual,
statutory and regulatory requirements.

9 OF 61
If an organization chooses to implement a quality management system with a limited scope, this
should be clearly defined in the organization's Quality Manual and any other publicly available
documents to avoid confusing or misleading customers and end users (this includes, for example,
certification/registration documents and marketing material).
Note: For multi-site/corporate certifications the auditor will expect to see that one quality manual
is applicable for all sites and that any changes are centrally controlled (see 4.2.3)
4.2.2 b) Documented Procedures – The manual must include reference to, at a minimum the six
required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may
reference other documentation but must list those required documents in some format. This may
be in the form of a link or other such reference.
The notes after sub clause 4.2.1 in ISO9001: 2000 make it clear that where the standard
specifically requires a ‘documented procedure’, the procedure has to be established, documented,
implemented and maintained. It also emphasizes that the extent of the QMS documentation may
differ from one organization to another due to:
The size of the organization and the type of activities;
The complexity of processes and their interactions and
The competence of personnel
- when referencing the documented procedures, the relationship between the requirements of
this International Standard [AS9100] and the documented procedures shall be clearly shown.
BV Certification: Points of reference may be throughout the manual when discussing pertinent
subjects (imbedded in the text). All of the referenced procedures may be listed together in an appendix
/ attachment to the manual. Or, the pertinent procedure(s) may be called out at the beginning or end of
each major section of the manual. A cross reference matrix is especially effective - linking specific
clauses in the Standard – to corresponding paragraphs in the quality manual – down to specific
paragraphs in the detailed procedure (or W/I as appropriate). Regardless of the approach, the intent of
the Standard is that there be a clear, unbroken, definitive trail from a particular requirement in the
Standard, into and through the quality manual, down to the procedural (and or work instruction) level
– such that users of the documentation can clearly and readily arrive at a description of how that
requirement in the Standard is satisfied / fulfilled in the organizations system documentation.
4.2.2 c) Interaction between processes – This requirement ties closely to section 4.1 b), which is
discussed in the previous paragraphs. The interactions between the quality management system
processes do not have to be separately described, or illustrated, by charts, tables or maps. If an
organization chooses to use a process map to show interaction, just using arrows is not sufficient

10 OF 61
– a description or other depiction is required for interactions. An example might be an interaction
matrix listing COP’S across the top and SOP & MOP down the side.
Although many organizations may choose such a form, it is not a mandatory method.
Interaction between processes may be described, for instance, by way of references and/or cross-
references within the procedures, where the procedures form part of the Quality Manual. If the
procedures are not part of the Quality Manual, then the manual can not be consider acceptable to
the standard requirements, they can be in an appendix, addendum or hyper linked to the manual
if the system is electronic.
4.2.3: Control of Documents
A documented procedure is required for control of documents.
Guidance is given for documents and records in ISO/TC 176/SC 2/N 525R ISO 9000
Introduction and Support Package: Guidance on the Documentation Requirements of ISO
9001:2000 (http://www.bsi.org.uk/iso-tc176-sc2).
4.2.3 a) Approve documents – procedure must identify the approval process.
4.2.3 b) Review and update – All management system documentation must be covered by some
review strategy. The procedure must identify a period of time in which all documents are
reviewed on an ongoing basis. Different types / levels of documents may be reviewed at different
intervals / criteria and / or by different methods (i.e. – at each use, through internal audits, via
formal recalls and reviews, etc.), review should be conducted by personnel competent to do so.
Bureau Veritas auditors should assess whether review methodology demonstrates effective
document controls. Note – statutory / regulatory and customer / industry requirements may also
impact review methodology. A method must be in place to show review was completed where
there were no changes. Those documents that are updated must be put back through the
organizations required approval process (4.2.3 a).
4.2.3 c) Changes and current revision status – The procedure must identify how changes and
revisions to documents are identified. These must be identifiable for each document. How does
the user know what the changes are?
4.2.3 d) Availability of documents – procedure must identify how documents are made available
to employees. Auditor will expect to see that documents are readily available to employees
through out the facility at their points of use.
4.2.3 e) Documents are legible and readily identifiable – auditor will expect to see that
documents are maintained and remain legible and easily identifiable.

11 OF 61
4.2.3 f) Documents of external origin – Documents of external origin are those that are produced
from outside the organization that are used by the organization in support of the quality
management system processes. The procedure must address if documents of external origin are
applicable and if so how these documents are controlled by the facility. The auditor expects to
see that controls are in place to ensure current versions are used and documents are controlled
within the facility.
4.2.3 g) Obsolete documents – Procedure must address how obsolete documents are controlled to
prevent unintended use and if retained how these documents are identified.
The organization shall coordinate document changes with customers and/or regulatory authorities in
accordance with contract or regulatory requirements.
BV Certification: The degree and type of documentation change “coordination” (if required at all)
will be defined by the customer and/or regulator agency. Additionally, the organization may add to
(but not contradict) details. “Coordination” may be as little as mere notification, to distributing
approved copies, up to and including formal approval by the customer / agency) prior to
implementation. Documents typically subject to this requirement include pre-approved contracts,
statements of work, inspection/test plans, “frozen” or “fixed” process plans and routings. The BV
Certification auditor will seek documented, objective evidence that such “coordination” has taken
place (as appropriate) and as prescribed in the organizations documented procedure.
Note: For multi-site/corporate certifications the auditor will expect to see that System
documentation and changes are centrally managed (usually performed at the headquarters
location).
4.2.4: Control of Records
Records required by the organization may be in any format deemed suitable for the organizations
method of operation. A documented procedure must be in place and define the controls needed
for:
Identification – the procedure must identify the system/process is in place to identify
records. Have all required records been identified. Refer to Annex B of the ISO/TC
176/SC 2/N 525R - ISO 9000 Introduction and Support Package: Guidance on the
Documentation Requirements of ISO 9001:2000.
Storage – where records are stored – specific location i.e. Quality filing cabinet in the QC
Laboratory.
Protection – how individual records are protected i.e. tape back up every 24 hours (for
electronic records), fireproof safe, filing cabinet etc.

12 OF 61
Retrieval – any special requirements for retrieval. Generally dependant on location and
protection. May be a request process.
Retention time – identification of how long each record will be maintained.
Disposition of records – method for disposing of records i.e. shredding, burned, trash
A spreadsheet or other document may be used to identify the above requirements.
The documented procedure shall define the method for controlling records that are created by and/or
retained by suppliers.
BV Certification: The organization is ultimately responsible for all pertinent quality records that
apply to a given contract or order. Most such quality records are produced by the organization
themselves – but many are also created at the lower levels in the supply chain – at the organization’s
supplier(s) and at the supplier’s sub-tier sources. It is not uncommon for pertinent quality records to
exist at three or four levels down in the supply base. Typically, only the most significant records make
their way back to the organization. Those records that typically ‘bubble up’ are certifications and
inspection / test reports, nonconforming product concessions / waivers, etc. The majority of records
relating to the order / contract continue to reside at a level lower in the supply chain. Those records
retained by lower-level sources must still be subject to the organizations control. This control is often
managed and asserted by / through purchase order “flowdown” requirements – from the organization
to the lowest level supplier / subcontractor involved. Such “flowdown” requirements may specify
record retention periods, protection, disposition, disposal – and may describe the conditions under
which the record holder must forward the records to the organization.
Records shall be available for review by the customer and regulatory authorities in accordance with
contract or regulatory requirements.
BV Certification: This requirement most obviously applies to records maintained by the
organization. It equally applies to pertinent quality records retained by the organization’s suppliers
and by the supplier’s sub-tier sources. Pertinent records (at any level in the supply chain) may be kept
on-site, or at an off-site repository or by a remote records management service. In any event, retrieval
of such records should be relatively convenient and timely – so as not to impede “availability” to
customers and regulatory authorities. Compliance to this requirement is often managed and assured by
/ through purchase order “flowdown” requirements – from the organization to the lowest level supplier
/ subcontractor involved. Such “flowdown” typically invokes the “right of access” to all pertinent
quality records that may exist at any/all levels in the supply chain.
4.3 Configuration Management: The organization shall establish, document and maintain a
configuration management process appropriate to the product. NOTE: Guidance on
configuration management is given in ISO 10007.

13 OF 61
BV Certification: Requirements for a Configuration Management (CM) process apply to virtually all
companies and products / services – and especially to those organizations performing Design and
Development activity – and to those responsible for the design of the product / deliverable. The
formality and complexity of the CM process will vary depending on the product. CM can be applied
to products, processes and processed materials (including individual components as well as
assemblies). A configuration is most often described in terms of its integral “configuration items”.
Fundamental “building blocks” of a CM process typically include: design change control, document
change control, process change control, product identification and traceability. Changes in any of
those disciplines might translate into “configuration” change. Documentation that helps define a
specific configuration might include drawings, specifications, bills of materials, routings/travellers,
change requests, First Article Inspection Reports, nonconforming product documents (including
deviations and waivers), “where used” listings, etc. Configuration “baselines” must be established,
and any subsequent changes must be identified and controlled. After a significant number of changes,
a new baseline (model, part number, etc.) may be established.
Element 5: Management Responsibility
Note that this section has nine references to top management. This is defined in ISO
9000:2000, 3.2.7 as “person or group of people who directs or controls an organization at the
highest level”. It is therefore essential to examine top management’s commitment to, and
support for, the QMS (and to record objective evidence to support any conclusions reached).
5.1: Management Commitment
It is necessary for auditors to obtain (and record) objective evidence of management
commitment.
This would include:
5.1 a) Evidence that top management has communicated to the organization the importance
of meeting customer requirements as well as statutory and regulatory requirements. This can
be achieved through meetings, newsletters, bulletin boards, training records etc.
NOTE - statutory and regulatory requirements are broad based and include all applicable
requirements for processes, products and activities.
5.1 b) Top Management’s establishment of and input into, and commitment to, the quality
policy (its definition, delivery and maintenance) through management review or other
meetings.
5.1 c) Documented quality objectives (for all processes).

14 OF 61
5.1 d) Top Management’s active participation in management review meetings.
5.1 e) Evidence of a process for defining resource requirements and ensuring that adequate
resources are available.
In short, how well they address requirements 5.2 through 5.6.
5.2: Customer Focus
Customer requirements and customer satisfaction are directly linked with the process approach
concept in the standard. Auditors will seek objective evidence to demonstrate that the customer
requirements are indeed being met, whether the satisfaction is revealed in customer survey
results, repeat sales or any other type of mechanism that would reveal trends and lead to
improved customer satisfaction. Management review minutes might be a record where
Customer Focus is addressed. You might also look at Quality plans and or product plans that
include customer related requirements.
5.3: Quality Policy
It is expected that there is evidence that Top Management fully back the quality policy. The
standard identifies five specific points which requires that top management ensures that the
policy;
5.3 a) Is appropriate to the purpose of the organization
5.3 b) Includes a commitment to meeting requirements and to continual improvement of the
quality system
5.3 c) Provides framework for establishing and reviewing quality objectives
5.3 d) Is communicated and understood at appropriate levels in the organization
5.3 e) Is reviewed for continuing suitability.
Auditors must determine if the Quality Policy meets the intent and is understood, by
interviewing personnel at all levels. Although the exact policy does not need to be recited by
interviewees, the awareness of the quality policy and how their job affects the company
objectives should be determined. If personnel interviewed do not know what their measurable
objectives are and/or do not know what the organizational objectives are that they have a direct

15 OF 61
effect on, the auditor would be further directed to evaluate managements communication of the
policy and objectives.
The Quality Policy must be documented (typically in the quality manual because it must be
controlled). The Quality Policy does not have to include objectives but should create a
framework for establishing them. The Quality Policy should be stated in such a way that it aims
toward continual improvement. It should be reviewed and possibly revised to meet higher
aspirations.
Bureau Veritas Certification does not require that the policy include the words “continual
improvement” in the written policy, however it must be ascertained that it is implied and known
through out the organization.
To meet the intent of this clause, the auditor would be looking for a clearly defined Quality
Policy that is sufficiently detailed to provide a framework for quality objectives that can be
monitored for continual improvement. An auditor would not want to see a vague policy, such as
“Our Policy is to Maintain Status Quo”.
When interviewing top management, their input into, and commitment to, the quality policy
needs to be determined. Is it theirs, or have they clearly just signed something written for them
by the management representative?
Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.
5.4: Planning
5.4.1 Quality Objectives
Auditor must determine that the organization has developed measurable quality objectives for
relevant functions and levels of the organization. Bureau Veritas Certification expects overall
objectives to be established at the facility/corporate level and objectives established for each
identified process. Process objectives shall support the organization’s overall objectives.
The organization must establish what the “relevant functions” of the organization are, however at
a minimum this will include all defined processes (reference 4.1 a, c, e). Sub-processes, projects,
or individual objectives would be at the discretion of organization. The auditor may want to ask
what criteria were used to determine if functions are relevant or not. It would be left up to the
company to determine if a cost or added value benefit would result from including or not
including functions of the operation when establishing quality objectives.

16 OF 61
If some functions or levels have been excluded, it may be necessary to explore, evaluate (and
record) the reasons for such omissions (which might be quite acceptable at that particular stage
in the continual improvement process).
The organization must identify quality objectives that can be measurable, such as “vendor on-
time rating”, “on-time delivery”, “all employees will have completed an ISO 9001 awareness
class” and “all machines will have clearly defined procedures on their usage.” If the objectives
were not measurable (including a time-based element where appropriate), they would not meet
the intent of the standard.
The objectives do not have to be defined in a specific document although the objectives are
required to be documented (see 4.2.1 a). Objectives can either be defined in associated
procedures or instructions, or could be recorded in meeting minutes such as management review
records. The organization must have a process that ensures that all the objectives are clear and
communicated to all employees who can influence the defined objective(s). The organization
should be able to demonstrate that the objectives are being measured and reviewed (see 4.2.4 and
8.5.1).
5.4.2: Quality Planning
Auditors have to use their judgment in evaluating the entire collected audit evidence in order to
assess effectiveness of planning activities. The auditor may also satisfy him/herself that planning
was done, by interviewing the personnel involved in establishing or achieving specific quality
objectives.
Auditors are recommended to attribute such QMS deficiencies to relevant clause, requirements
of which were contravened, rather than to clause 5.4.2.
Determining effective and efficient planning may be found by evidence of:
All those planning activities undertaken to establish the QMS in accordance with
clause 4.1.
The existence of an effective, documented, and implemented QMS that provides
collective evidence demonstrating that these planning activities have been performed
effectively.
Deficiencies in the quality system that may indicate that these planning activities
were not quite effective.
The evidence and use of Strategic Plans, Business Plans, Management Review
results, Contingency Plans, Quality Objectives, any programs or plans, documented
or not, such as Minutes of meetings, Memos, Internal communications.

17 OF 61
Where there is lack of documented evidence, an auditor may satisfy him/herself through
interviewing the personnel at those levels and functions involved in achieving particular
objectives to determine the level of planning.
Another methodology allowing audit of effective planning involves review of the progress in
implementation of such plans aimed at adhering to individual objectives.
5.5: Responsibility, Authority and Communication
5.5.1: Responsibility and authority
In order for the auditor to be satisfied that the intent of this element has been met, he/she may
review organization charts, job descriptions or a responsibility matrix. Identification of
responsibility and authority could be written into procedures and/or work instructions, as well.
The auditor may also use interviews of individuals to determine if responsibility and authority
has been communicated effectively.
5.5.2: Management Representative
Responsibilities to include:
5.5.2 a) Ensuring that the processes needed for the quality management system are established,
implemented and maintained.
5.5.2 b) Reporting on the performance of the system to top management.
5.5.2 c) ensuring the promotion of awareness of customer requirements, and
5.5.2 d) the organizational freedom to resolve matters pertaining to quality.
BV Certification: The Management Representative (MR) need not be a member of the Quality
organization, though this is most often the case. Any management-level individual from any
organization / discipline is acceptable. Of utmost importance is that the MR has freedom within the
company’s organizational, political, cultural and communication arenas. This freedom necessitates
that the MR have access mobility, both vertically and horizontally, and especially across departmental
boundaries. It is expected that the MR have at least a dotted-line relationship with executive
management that may be exercised on an exception basis – if/when internal “influences” impede the
MR’s normal “freedom”. It is sometimes difficult to observe / demonstrate the MR’s organizational
freedom. More apparent are situations where this freedom is limited, restricted or even nonexistent.
This problem may be evident in cases of unresolved Quality problems, recurring problems,

18 OF 61
ineffective/untimely corrective action responses, low customer satisfaction and perception, ineffective
internal audits, lack of system/process improvement, etc.
Promotion of customer awareness might include news releases, meetings, training, photographs,
models; examples of products demonstrating required visual attributes. We look for one
individual to be the management representative in terms of defined responsibility. However,
implementation of those responsibilities may be in the form of a defined and delegated team.
Note: The management representative is responsible for ensuring it happens – not making it
happen, which is the job of line management.
Note: For multi-site/corporate certifications the auditor will expect to see that there is a
management representative with overall responsibility across all sites for ensuring that
requirements are established, implemented, maintained, and for reporting on performance.
5.5.3: Internal Communication
Although there is no mandate for documenting methods for communication, the auditor will
expect to find evidence of communication through interviews with employees. Evidence could
possibly include the employees understanding of process linkage and effectiveness, customer
satisfaction levels, preventive and corrective action information, on time delivery, quality costs,
returned material, non-conformances. This could be communicated by access to the computer
network, an information board, newsletters, or even process routers, checklists, and
multifunctional meetings (see 6.2.2 d). The type and extent of the documentation will depend on
the nature of the organization’s products and processes, the degree of formality of
communication systems and the level of communication skills within the organization and the
organization culture.
5.6: Management Review
5.6.1: Management Review - General
IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time
registration/certification, a full round of Management Review meeting(s), including documented
evidence of all required inputs and outputs, must be completed prior to the
registration/certification audit (note a full internal audit cycle must be completed prior to this
review – see 8.2.2 Internal Audit). For multi-site/corporate certifications the review must
include inputs (as appropriate) from each site (see the standard 5.6.2 a – g). Normally, the review
process is conducted at the headquarters location.
Top management shall review the quality management system at planned intervals not only for
continuing suitability and effectiveness, but also adequacy. Additionally, this review shall

19 OF 61
include assessing opportunities for improvement, the need for changes to the system, the quality
policy, and quality objectives.
These words are more prescriptive which cause a more proactive expectation and approach to
keeping the system current and useful and maintaining improvement activities. The auditor
cannot prescribe the intervals for reviews to occur, but can look for evidence that the frequency
is sufficient to accomplish the requirements of the standard. Although the dictionary would
suggest that suitable and adequate are the same, the standard seeks to distinguish both the system
from a global perspective of adequacy as well as the detailed suitability of the many processes
that comprise the system.
5.6.2: Management review input
The auditor will expect to see documented evidence that the (7) required inputs are discussed
during the review. Although a documented procedure for management review is not required,
records of such reviews are required (see the standard - 5.6.1 General). The minimum (7) inputs
are required in those records (see the standard 5.6.2 a – g). Evidence of cross functional input is
also expected, which means one person alone could do the review, but there would need to be
evidence of multifunctional input in the evaluation of the system and its status and actions
concluded.
5.6.3: Management review output
Output should focus on decisions and actions related to system improvement (5.6.3 a), product
improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors expect
to see that some documented conclusions have been developed. The output record must include
evidence of action and progress for system improvement, customer requirements, resource needs
as it all relates to system health. It is important to note that a documented procedure may or may
not exist. It should also be noted that formal meetings for review may or may not happen and
still be complaint - such as in the case of being accomplished in stages; on going process review;
or by circulated documentation covering the system incrementally.
Element 6: Resource Management
6.1: Provision of Resources
The intent of this section is to ensure that adequate resources are provided to continually improve
the effectiveness of the quality management system (6.1 a) and to enhance customer satisfaction
by meeting customer requirements (6.1 b). Auditor would expect to see a process for evaluating

20 OF 61
and determining resource needs. This may be through management review, production planning,
budget review, long range planning etc.
The auditor should determine that process activities are not prevented by a lack of resources.
Auditors may review instances where customer requirements were not met and determine if a
lack, or insufficiency, of any resources was causation factors of these instances. This
requirement also ties to paragraphs 5.1 and 5.6.3, which address management’s responsibility to
determine and provide necessary resources. Additionally, any clear evidence of resource
problems links directly to this section.
6.2: Human Resources
6.2.1: General
The standard requires that personnel be “competent”. This could be demonstrated by a person
being “qualified”. Competence may be based on appropriate education, training, skills,
experience, and/or demonstrated performance.
6.2.2: Competence, awareness and training
The intent of this section is to ensure that suitably competent people are performing the activities
as defined in the quality system. Evidence of the effectiveness of the training or other means of
providing competent employees must be available. Employees must be aware of the impact that
they have on the overall quality system. The auditor would expect employees to be able to
verbalize how their job activities contribute to the achievement of the quality objectives.
6.2.2 a) Determine the necessary competence - The requirement is in emphasis toward validating
training and other activities aimed at ensuring employee competence. Identification of
competency is essentially a precursor to identification of training needs. The organization should
determine knowledge and/or skills an employee would need to be considered competent, in their
opinion, to perform a particular job. The company could then determine if the employee
performing the job possesses that knowledge or skill and, if not, consider it a training need.
Changes in the business and its environment may necessitate new competencies, which may not
be available. Therefore the identification of competencies may need to be revisited. There is no
requirement for any particular frequency of such re-review. Competency may be defined in a job
description, position profile, or by any other method or associated documents such as specific
instructions or procedures. Usually competency is determined during performance reviews, if the
organization does not perform reviews of this nature, other methods for determining personnel
competence would need to be defined and records verified.

21 OF 61
6.2.2 b) Provide training or take other actions - The requirement allows for options other than
training to obtain competent personnel. Training includes all those activities where a learning
opportunity needs to be satisfied. It may take a number of forms:
Classroom style, tutor led training;
Hands on experience training;
Shadowing
Individual or group coaching;
Mentoring;
Briefings;
Distance learning;
Technology based training (CD ROMS, web based etc);
Workshops.
Organizations will choose whichever form best suits their needs at any particular moment. Other
actions to bridge competence gaps might include:
Recruitment;
Outsourcing;
Acquisitions;
Use of experts and/or consultants.
Documented procedures or work instructions
All such means are acceptable as long as an organization has ensured the availability of the
competencies needed.
6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuring
that the training or other activity has produced the desired result. This requirement could be met
in a variety of ways, including, but are not limited to:
Observation of personnel performing their duties;
Written or oral exams;
Assessment of employee in achieving learning objectives during the course of the
training program;
Audit of performance at work focusing, for example, on:
Productivity;
Reduction of rejects;
Efficiency;
Interviews with the persons;
Annual appraisal.
Performance reviews;

22 OF 61
Discussions;
Evaluation of performance, quality or other indicators;
Cost reviews;
Customer satisfaction assessment (see 8.2.1).
6.2.2 d) Ensure that its personnel are aware of the relevance and importance of their activities
(perhaps by internal communication – see 5.5.3) and how they contribute to the achievement of
the quality objectives - The requirement could be met in a variety of ways. Options include:
Training;
Memos, and/or meetings regarding the impact of various individual or departmental goals
on quality objectives;
Plant tours or briefings where an individual’s work and goals are shown as an integral
part of the larger processes;
Cross functional teams working towards quality objectives and reporting their progress to
their departments.
Any activity that allows individuals to understand how their efforts affect quality objectives may
satisfy this requirement. All personnel need to know the specific measurable objective(s) for the
process that they work in; they should also know what organizational objective their process
effects. They should be able to demonstrate that they know what the actual measurable is, their
progress towards that goal, what the plan is to achieve the goal. If they do not know the actual
numbers, they should be able to communicate the topics of the measurable and know where the
actual measurements are maintained or posted.
6.2.2 e) Maintain appropriate records - The requirement expands record keeping requirements to
include education, skills and experience, in addition to training, where appropriate. There are a
great variety of ways to record and provide evidence of training, education, skills and
experience. Records may include:
Diplomas;
Certificates;
Training log;
Annotations in shift logs;
Toolbox meeting notes;
Attendance lists;
Resumes;
Employment history;
Test results.
Such records may be filed in any location as long as the requirements of 4.2.4 are observed.

23 OF 61
6.3: Infrastructure
It is the organization’s management who determines the adequacy of the infrastructure provided
by the organization. Auditors will seek objective evidence to demonstrate that the necessary
infrastructure exists for the quality management system to be effectively implemented, for
improvement of its effectiveness, and for fulfilment of customer requirements. Auditor would
expect to see a process in place for maintenance of the building(s), equipment and any other
supporting services. This is generally the responsibility of the maintence and IT departments.
6.4: Work Environment
The organization must identify and manage all those factors of the work environment that are
needed to supply a conforming product. These factors may include among others:
Human Factors
Creative work methods;
Opportunities for greater involvement of personnel;
Safety rules and guidance;
Ergonomics;
Special facilities for people.
Physical Factors
Heat;
Noise;
Light;
Hygiene;
Humidity;
Cleanliness;
Vibration;
Pollution;
Airflow.
Different types of businesses and industry sectors may vary dramatically with regard to an
acceptable work environment, so it is the organization’s management who determines the
adequacy of the work environment provided by the organization.
For instance;
A training provider may need to ensure the training area is adequately lighted and
contains appropriate seating and visual aid capabilities.
Some manufacturing facilities may require “clean rooms” or humidity-controlled areas.

24 OF 61
Companies handling items easily damaged by electrostatic discharge may require special
flooring or equipment, and chemical storage areas may require special protective barriers.
As an additional example, an employee might perform a particular function that requires
repetitive wrist movements (i.e., tightening a screw). As the day wears on, it is possible that the
overuse of the wrist could result in poorly torqued screws resulting in a possible quality defect.
The company should identify such a situation and provide a means of eliminating the potential
defect (i.e., air-driven screwdrivers). Evidence could consist of records of decreased quality
defects and/or medical problems related to that activity.
Element 7: Product Realization
Exclusions/non-applicability can be claimed with in element 7 only. “Exclusion” should
only be taken for clause 7.3 Design and Development and must be fully justified in the
quality manual. Other sections within element 7 may be claimed as “not applicable” or “not
applicable at this time”.
7.1: Planning of product realization
An organization needs to plan in advance for how they will manufacture their product or deliver
their service. The plans need to take into account the product requirements and any quality
objectives (7.1 a) that might be appropriate, resources and documents that may be necessary (7.1
b), what type of monitoring and/or inspection activities should be put in place to ensure the
product or service will meet the requirements (7.1 c), and what types of records should be kept
(7.1 d). While the sub-clause does not state that the output of this planning must be documented,
it does state that it must be in a form suitable for the organization’s method of operations.
7.1 e) the identification of resources to support operation and maintenance of the product.
BV Certification: The resources to support operation and maintenance of the product may include
tech manuals, tooling, fixtures, lubricants, etc. This requirement is aimed at operational and
maintenance organizations, not at manufacturing organizations. The intent is for the operational and
maintenance organizations to positively identify the resources that they require to perform the
operational and maintenance activities related to the product in the field.
7.2: Customer Related Processes
7.2.1: Determination of requirements related to the product
This clause promotes an up-front determination of all requirements related to the product.

25 OF 61
This includes requirements for “servicing” which are now included as “post-delivery activities”,
which implies anything that is provided after the customer has received the product (i.e. repair
and/or warranty work, installation, maintenance, etc.).
Specific to 7.2.1 (a)
Post delivery activities may include among others:
Product support
Servicing where applicable
Specific to 7.2.1 (b)
Auditors should determine how the organization was proactive in evaluating if there were any
additional requirements for the product or service’s intended use. If the organization determined
there were not any additional requirements this should be evident in associated records, if there
were additional requirements then evidence should be present how they were addressed in the
affected process i.e. design, purchasing, manufacturing.
The analogy that can be used here is a screwdriver, everyone knows the intended use of a
screwdriver, put in and take out screws. However with a screwdriver, there are requirements that
are not stated but are intended for use, such as using a screw driver to open paint cans, could be
used as a chisel, pry bar, magnetization might be an issue, also if used around electricity the
handle should be nonconductive, but none of these requirements might be stated by the customer,
but the manufacturing organization would need to address these non-stated requirements for the
screwdriver’s intended use.
Specific to 7.2.1 (c)
The organization shall determine applicable Statutory and regulatory requirements related to the
product (i.e., taking these requirements into account when designing a product or service). This
includes ensuring process control (i.e., ensuring that these requirements were met).
Statutory requirements are those that are stipulated by local/national governments that form part
of regional, national and international legislation.
Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health &
Safety Executive) and in the USA, the EPA (Environmental Protection Agency) are examples of
these. These requirements are not necessarily part of national legislation.

26 OF 61
Compliance with regulatory requirements issued by national regulators (i.e. by The Rail
Authority) may be mandatory for those organizations to which they apply if a statutory
instrument requires so.
Organizations are required to comply with a number of legal requirements to be allowed to
operate. Management must be aware of the requirements that apply to its products, processes
and activities and should include these requirements as part of the quality management system
(ISO 9004:2000 – 5.2.3). Auditor must verify that these requirements are identified.
Auditors have to be aware that as the national legislation may apply to product intended for the
domestic market, in the case of export sales, organizations will be required to consider the
statutory and/or regulatory requirements in the target country that may apply to (a) product(s)
supplied.
Organizations are not required to maintain the lists of applicable statutory and/or regulatory
requirements, nor need they maintain copies of these documents except as required by clause
7.3.2(b). Organizations must ensure that they have adequate access to / or knowledge of
applicable statutory and regulatory requirements.
7.2.2: Review of requirements related to the product
The sub-clause mandates that the organization shall not issue a quotation or accept an order until
it has been reviewed to ensure requirements are defined and the organization has the capability to
meet the defined requirements. It goes on to require that records of the review and any
subsequent actions be maintained. If the customer does not provide their requirements in writing
(i.e., telephone call), the requirements must be confirmed before they are accepted. If the
requirements are changed, all documents must be amended and relevant persons must be
notified. A note is included that covers situations such as internet sales where a formal review of
each order is impractical, stating, instead, that the review could cover the product information
provided in catalogs and advertising material.
d) risks (e.g. new technology, short delivery time scale) have been evaluated.
BV Certification: The potential for “risks” exists in virtually every contract or order. The
Standard mentions only two of the most obvious examples (i.e. new technology and short
delivery time scales). Types of potential risks vary greatly depending upon contractual
requirements, requirements of regulatory authorities, design responsibility, product requirements,
safety and airworthiness considerations, production processes, operational constraints, business
conditions / limitations, materials, procurement sources, outsourcing, etc., etc. Just a few
extreme examples that may pose ‘risk’ include: potential labor strikes, facilities relocations or

27 OF 61
shutdowns, environmental or climatic factors, production capacity limitations, availability of
materials, adequacy of procurement sources, absence of key personnel, outage of vital
equipment, etc. To a reasonable and practical extent, any and all such potential risks should be
identified and their impact evaluated before accepting the contract or order. Records of contract
reviews should demonstrate / document some level of deliberate, thoughtful “risk evaluation”
activity, delineation of identified risks (if any), and resultant actions taken to mitigate or
eliminate the risks.
7.2.3: Customer communication
The organization must establish effective arrangements for providing the customer with product
information (i.e., catalogs or advertising that adequately describe the product or service), means
of handling inquiries and orders, and a method for handling customer comments (both
compliments and complaints).
There is no potential for excluding section 7.2, as every organization has external customers.
Where an organization with a stand-alone QMS is part of a larger group or corporation, and is
taking orders solely from a central Group or Corporate Sales Organization outside its certified
scope and delivering them to a central Group or Corporate Distributor outside its certified scope,
then the Sales and Distribution organizations are technically external customers, invoking 7.2
routines.
7.3: Design and development
This clause addresses product/service development as well as (conceptual) design, so
organizations involved in product/service development will have to address some or all of
section 7.3 of ISO 9001:2000.
Many companies perform some enhancements or minor reconfiguration of mature designs, and
are able to use the guidance of ISO 9004:2000 in order to address some or all of section 7.3 of
ISO 9001:2000.
Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO
9001:2000. Such organizations may have to introduce a comprehensive design system or
process, however may have to address design and development as it is applicable to the
organization. They may have to address some or all sections of 7.3 to the extent that they apply.
Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support Package:
Guidance on ISO 9001:2000 clause 1.2 'Application' provides excellent guidance and examples
on this topic (http://www.bsi.org.uk/iso-tc176-sc2).

28 OF 61
7.3.1 Design and development planning
Although the standard does not require a documented procedure, the design process needs to
demonstrate how the process is controlled and planned. The organization, however, will need to
provide some type of objective evidence as to what the planning activities include. This can be
accomplished with the use of time-lines, gant charts or any other planning method such as
Microsoft project manager. In addition the auditor should see objective evidence of how the
interfaces between other processes are managed, either through statements in associated
procedures, process mapping, matrix approach or in the time line planning.
- in respect of organization, task sequence, mandatory steps, significant stages and method of
configuration control
BV Certification: The organization is responsible for the identification the design and
development stages. AS9100 imposes some additional and specific clarification of the
information required: which elements of the organization are involved, where in the task
sequence the stages begin/terminate, significant stages and configuration control. These
additional requirements may be recorded in formal project plans, Gantt charts, checklists or in
similar documentation.
Where appropriate, due to complexity, the organization shall give consideration to the following
activities:
- structuring the design effort into significant elements;
- for each element, analyzing the tasks and the necessary resources for its design and
development. This analysis shall consider an identified responsible person, design content,
input data, planning constraints, and performance conditions. The input data specific to each
element shall be reviewed to ensure consistency with requirements.
BV Certification: Even though this section begins “where appropriate”, all except the very smallest
design and development projects will have defined stages and the stages usually will contain multiple
tasks. It is clear that the records need to demonstrate some level of planning. It is important that the
process owners are identified and that the required technical personnel are indeed available to work on
the project. Although not specifically required, a table of engineering manpower allocation (projects
with associated engineering hours) would be helpful to ensure that sufficient technical manpower is
available. It is important to note that should be evidence of a review of input data to ensure
consistency of requirements.
The different design and development tasks to be carried out shall be defined according to specified
safety or functional objectives of the product in accordance with customer and/or regulatory authority
requirements.

29 OF 61
BV Certification: This is a check at the planning stage to ensure that the design and development
activity actually will address all customer and regulatory requirements. The auditor will expect to see
evidence of this check. Refer also to Interpretation for section 4.2.1f, above, for a discussion of
regulatory requirements.
7.3.2 Design and development inputs
The auditor will need to review evidence that the inputs (7.3.2 a – d) have been addressed based
on the nature of the product being produced, that they have been reviewed for adequacy and that
records are maintained of the activity.
7.3.3 Design and development outputs
The auditor should expect to see objective evidence that the outputs (7.3.3 a – d) have been
verified against the design inputs. This can be accomplished by reviewing documents, plans, etc.
interfacing with the customer or internal processes and by comparison with past proven designs.
e) identify key characteristics, when applicable, in accordance with design or contract requirements.
BV Certification: As noted in Definitions (section 3, above), key characteristics may be identified by
the customer (and/or regulatory authorities), as well as by the organization. Once key characteristics
have been identified, usually at the Planning and/or Design and Development (D&D) Input stage, they
must be then addressed also as part of D&D Output. The organization must show that the developed
product specifically satisfies the input requirements for key characteristics.
All pertinent data required to allow the product to be identified, manufactured, inspected, used and
maintained shall be defined by the organization; for example:
- drawings, part lists, specifications;
- a listing of those drawings, part lists, and specifications necessary to define the
configuration and the design features of the product;
- information on material, processes, type of manufacturing and assembly of the
product necessary to ensure the conformity of the product.
BV Certification: The standard is clear; all documentation relating to the developed product must be
identified as part of the D&D output. These may be included in a summary report or as part of a
design review.
7.3.4 Design and development reviews

30 OF 61
Reviews shall be conducted in accordance to the time line or plan established at the beginning of
the design activity. Reviews shall show evidence that all activities required in each phase of the
design have been addressed or adjustments made. Records should show who attended the
reviews and that all concerned parties were present and that all actions were satisfied before
proceeding forward with the design process.
c) to authorize progression to the next stage.
BV Certification: Design and development (D&D) reviews may vary in terms of purpose, frequency,
complexity, formality, attendance and associated output documentation / review records. Regardless,
there must be clearly documented evidence that an authorized individual(s) has reviewed the results /
progress / status of each prescribed D&D stage / activity. Before the D&D plan can proceed to the
next stage – a responsible/authorized person (or personnel) must provide documented, objective
evidence of progression approval (signatures being preferred). Progression authorization may appear
as a specific signoff on a review checklist, in review minutes, in evaluation reports, on D&D plans,
timeline charts, etc. An undocumented, passive agreement or consensus of opinion will not
sufficiently meet the intent of this requirement.
7.3.5 Design and development verification
Design verification basically means that the product can be produced as designed and that output
meets the intended inputs. Additionally it should show that the organization has the capability to
produce the product with existing equipment and has the personnel competencies or has the
ability to train or subcontract the required capabilities.
NOTE: Design and/or development verification may include activities such as:
- performing alternative calculations,
- comparing the new design with a similar proven design, if available,
- undertaking tests and demonstrations, and
- reviewing the design stage documents before release.
BV Certification: No interpretation necessary.
7.3.6 Design and development validation
Validation has to ensure capability of meeting “intended use where known” as well as specified
requirements, and has been completed prior to delivery and implementation wherever practicable
(typically as a prototype or first article). In most organizations they can’t rely on the customer to

31 OF 61
perform the validation, the lack of a negative response from the customer does not meet the
intent of this clause. The organization should have records that the product designed will meet
defined user needs prior to delivery of the product to the customer. Methods of validation could
include simulation techniques, proto-type build and evaluation, comparison to similar proven
designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation
activity should be planned, executed with records maintained as defined in the planning activity
in 7.3.1.
NOTES:
- Design and/or development validation follows successful design and/or development
verification.
- Validation is normally performed under defined operating conditions.
- Validation is normally performed on the final product, but may be necessary in
earlier stages prior to product completion.
- Multiple validations may be performed if there are different intended uses.
7.3.6.1 Documentation of Design and/or Development Verification and Validation: At the completion
of design and/or development, the organization shall ensure that reports, calculations, test results, etc.,
demonstrate that the product definition meets the specification requirements for all identified
operational conditions.
BV Certification: This is added check to ensure, at the conclusion of the D&D effort that
documentation and supporting data that was generated during the design and subsequent
verification/validation does in fact meet all the input requirements. This clause supports the
conclusions that should have been reached at Design Review. The auditor would expect to see
evidence that verification and validation satisfy the input requirements.
7.3.6.2 Design and/or Development Verification and Validation Testing: Where tests are necessary for
verification and validation, these tests shall be planned, controlled, reviewed, and documented to ensure
and prove the following:
a) test plans or specifications identify the product being tested and the resources being used,
define test objectives and conditions, parameters to be recorded, and relevant acceptance
criteria;
b) test procedures describe the method of operation, the performance of the test, and the
recording of the results;
c) the correct configuration standard of the product is submitted for the test;
d) the requirements of the test plan and the test procedures are observed;

32 OF 61
e) the acceptance criteria are met.
BV Certification: When testing is used to support verification and validation, the test results must
meet the requirements presented in this clause.
7.3.7 Design and development changes
Design and development changes (after the original verification and validation) have to be
“verified and validated as appropriate” (as well as reviewed) and to “include evaluation of the
effect of changes on constituent parts and products already delivered”. If the organization
chooses not to perform re-verification and re-validation on every design change, then the auditor
should expect to see some very well defined criteria as to when the activity needs to occur. This
includes any changes that do not affect fit, form or function.
The organization’s change control process shall provide for customer and/or regulatory authority
approval of changes, when required by contract or regulatory requirement.
BV Certification: The degree and type of the D&D change will often dictate the degree of
approval required. Other conditions for “approval” will be defined by the customer and/or
regulator agency. Additionally, the organization may add to (but not contradict) details.
“Approval” may be as little as mere notification, to distributing approved copies, up to and
including formal approval by the customer / agency) prior to implementation of the change.
Documents typically subject to this requirement include pre-approved drawings. The BV
Certification auditor will seek documented, objective evidence that such “coordination” has
taken place (as appropriate) and as prescribed in the organization’s documented procedure.
7.4: Purchasing
7.4.1 Purchasing Process
It would be extremely uncommon for purchasing to be excluded from the quality management
system (i.e., perhaps applying to such situations as small consultancies using no subcontractors,
and using proprietary office materials and equipment that do not directly impact on product or
service performance – but not to many other situations).
Where procurement is centrally controlled by a corporate procurement organization outside the
scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4 in its
entirety. The audited organization is certainly responsible for providing purchasing information
(7.4.2) to the corporate procurement organization, and for verification of purchased product
(7.4.3) – and perhaps participating in the re-evaluation process. In the event that a corporate
office or other entity, outside the scope of registration, performs any sections of purchasing this

33 OF 61
shall be considered an outsourced process per requirements identified in section 4.1. Bureau
Veritas Certification auditors would expect to see a documented agreement in place (i.e. an
Interface Agreement) between the organization and the supplier.
Auditor will expect to see a process is in place for evaluating and selecting suppliers as well as a
process for ongoing re-evaluation of suppliers. While a written procedure for purchasing is not
required, records of evaluation and actions arising from the evaluation are required to be
maintained.
The organization shall be responsible for the quality of all products purchased from suppliers,
including customer-designated sources.
BV Certification: In the context of this and other requirements of the Standard, “product” includes
parts, materials, process services, etc. It is readily apparent that an organization is ultimately
responsible for the quality of product purchased from its own suppliers / subcontractors. This
requirement extends the scope of the organization’s responsibility to include that for product
purchased from customer-designated and/or customer-designated sources. The type and extent of
control exercised over customer-designated or customer-approved sources may be justifiably different
than that exercised over sources chosen / approved by the organization themselves. Regardless,
customer-approval and/or customer-designation of sources does not relieve the organization of the
responsibility to procure conforming “product”.
The organization shall
a) maintain a register of approved suppliers that includes the scope of the approval.
BV Certification: A “register” could be in most any format and media – hardcopy, electronic, a paper
listing, an electronic file as part of a procurement software program, or even a manual card file. The
register must be a complete, finite compilation of all approved suppliers / vendors / subcontractors -
including those that are customer-designated / approved. The register must include sources that
provide goods, products and services that relate to the organization’s products, processes and Quality
management system. Compiling the register(s) is a relatively simple and direct task. The second part
of this requirement – “ . . . that includes the scope of the approval.” involves more thought. The
“scope of approval” should describe the extent (or limitation) on what the source can (or can’t) provide
or perform. The description of the “scope” can be narrative or coded. Some examples:
− Acme Machining – conventional metal machining except for chemical milling and wire EDM.
− Acme Hardware Distributors – all metal, mechanical fasteners except for rivets.
− Acme Metal Distributors – all ferrous and non-ferrous metals except for titanium and inconel.
− Acme Heat Treating – heat treating processes
.

34 OF 61
b) periodically review supplier performance; records [results] of these reviews shall be used as the basis
for establishing the level of controls to be implemented.
BV Certification: The periodicity of supplier performance reviews may vary across the
organization’s supply base. That is, all suppliers may not have the same review frequency. Also, the
type and extent / scrutiny of the review may vary from one supplier to another. These performance
reviews should be planned and meaningful - often involving cross-functional involvement (i.e.
Quality, Purchasing, Manufacturing, Engineering). The reviews must be based on factual input data.
Recorded results are to be used to determine ongoing / future levels or control over the supplier.
Favorable performance results might justify relaxing / reducing the type/extent of control – while
unfavorable results would suggest the need to “tighten-up” on the supplier.
c) define the necessary actions to take when dealing with suppliers that do not meet requirements.
BV Certification: This requirement relates closely to the requirement above (7.4.1 b) regarding
supplier performance reviews. Conditions / events that indicate that a supplier is not meeting
requirements might include: poor results from performance reviews, occurrences and repetition of
nonconformances, corrective action inadequacy and lateness, incoming inspection failures, untimely
delivery performance, etc. The organization needs to define / describe specific actions they will take if
the supplier is not meeting expectations / requirements. This usually includes an “escalation” process
– beginning with simple documented notification, followed by corrective action requests, then possibly
special on-site audits and increased controls up to and including removal from the approved supplier
listing. The auditor will expect to see documented, objective evidence of actions taken.
d) ensure where required that both the organization and all suppliers use customer-approved special
process sources.
BV Certification: The intent of this requirement includes customer-approved and customer-
designated sources as well. The requirement applies not only to the organization and their immediate
suppliers – but also to all lower-level, sub-tier sources involved in the contract or order. Compliance
to this requirement usually begins with thorough review of customer requirements, identifying those
sources that are customer-designated and customer-approved, then “flowing-down” (via purchasing
documents) the requirement to all applicable lower-level sources. It is not unusual for this requirement
to apply to sources that are 3-4 levels down in the supply chain.
e) ensure that the function having responsibility for approving supplier quality systems has the
authority to disapprove the use of sources.
BV Certification: The “function” having approval responsibility might not be confined to a single
person of department. Often, approval is a cross-functional or multi-functional event – involving
Quality, Purchasing Engineering, Manufacturing, etc. – as appropriate. If any or all of those

35 OF 61
“functions” (entities, personnel, departments, etc.) have been given approval responsibility, then they
must have disapproval authority as well.
7.4.2 Purchasing Information
Purchasing information may take many forms however is generally a purchase order or
requisition. The auditor will expect to see that the information clearly describes the product to be
purchased as well as any other requirements, including as appropriate:
7.4.2 a) the approval of products, procedures, processes and equipment.
7.4.2 b) the qualification requirements of personnel.
7.4.2 c) the QMS requirements.
7.4.2 d) the name or other positive identification, and applicable issues of specifications, drawings,
process requirements, inspection instructions and other relevant technical data
BV Certification: Describing the “applicable issues” is the essence of this requirement. “Issues”
refers to the revision level (number, letter, date, etc.) of the document / data that is being invoked on
the supplier. “Applicable” infers that the version being invoked is not necessarily the latest / current
revision – an earlier version may be desired. Even if the organization does indeed wish to invoke the
latest / current version – they must identify the specific revision. It is not sufficient for them to simply
state “latest revision”. Doing so gives the supplier insufficient, ambiguous information. The supplier
may not have the wherewithal to determine what the latest revision is – and may mistakenly /
ignorantly use the “latest” (though outdated) version in their possession.
7.4.2 e) requirements for design, test, examination, inspection and related instructions for acceptance
by the organization
BV Certification: as applicable. When the purchased product is clearly defined (e.g. by
specifications, drawings, etc.), an understanding needs to be in place to ensure that the supplier
understands that the product must in fact meet requirements. Further, the supplier must understand
that correction and/or corrective action will be expected if the delivered products do not meet the
purchase requirements. This understanding is normally achieved through a statement to that effect in
the purchase order or in the terms and conditions (T&Cs).
7.4.2 f) requirements for test specimens (e.g., production method, number, storage conditions) for
design approval, inspection, investigation or auditing

36 OF 61
BV Certification: this clause applies, if applicable.
7.4.2 g) requirements relative to
− supplier notification to organization of nonconforming product and
− arrangements for organization approval of supplier nonconforming material
BV Certification: The organization must communicate these requirements to their suppliers. For
some reason, many organizations fail to communicate these requirements. Evidence of notification is
required.
7.4.2 h) requirements for the supplier to notify the organization of changes in product and/or process
definition and, where required, obtain organization approval
BV Certification: Same as notification of nonconforming product (above). Evidence of notification
is required.
7.4.2 i) right of access by the organization, their customer, and regulatory authorities to all facilities
involved in the order and to all applicable records
BV Certification: As above, evidence of notification is required.
7.4.2 j) requirements for the supplier to flow down to sub-tier suppliers the applicable
requirements in the purchasing documents, including key characteristics where required
BV Certification: As above, evidence of notification is required.
7.4.3 Verification of Purchased Product
Auditor will expect to see a process is in place to verify that purchased product meets
requirements. This may take many forms depending on the product. Auditor will verify that these
requirements are known and being accomplished. This may include receiving inspection and
testing, visual inspection, receipt of certificates of conformance etc. In the event verification will
take place at the suppliers premises the method for doing so must be stated in the purchasing
information.
Verification activities may include
a) obtaining objective evidence of the quality of the product from suppliers (e.g.,
accompanying documentation, certificate of conformity, test reports, statistical records,
process control),
b) inspection and audit at supplier’s premises,

37 OF 61
c) review of the required documentation,
d) inspection of products upon receipt, and
e) delegation of verification to the supplier, or supplier certification
BV Certification: The standard provides some guidance here with respect to the type of verification
activities. Quite obviously, the auditor needs to determine which activities apply to the organization
and to then audit accordingly.
Purchased product shall not be used or processed until it has been verified as conforming to specified
requirements unless it is released under positive recall procedure.
BV Certification: It is expected product is only rarely “released under positive recall” prior to
verification of conformance. The organization has the responsibility of defining what verification
activities are necessary to determine conformance. Typically, this is embodied in the “type and
extent” of control that the organization exercises over purchased product.
Where the organization utilizes test reports to verify purchased product, the data in those reports shall
be acceptable per applicable specifications. The organization shall periodically validate test reports for
raw material.
BV Certification: When using test report to verify purchased product, the organization must be able
to substantiate that the data in the test reports is indeed acceptable. Commonly, assigned personnel
(often an individual associated with the Quality function) will review the certificates of test against the
applicable specifications, placing a check (√) next to the acceptable values. Initials or quality stamp
would be evidence of the review. Merely placing the certificates in a file folder is not evidence of
review.
The test reports must be validated “periodically”. The organization needs to define the periodicity.
Validation of the first test report each year is often used. This would be acceptable if there are no
nonconformities associated with a product. In the case of bar stock that is produced by a given mill
but purchased from several distributors, validation of the product from a single distributor would be
considered to be acceptable. The auditor needs to make a judgment with respect to the interval
between validations. Typically volume and criticality would be important considerations.
Where the organization delegates verification activities to the supplier, the requirements for delegation
shall be defined and a register of delegations maintained.
Where specified in the contract, the customer or the customer’s representative shall be afforded the
right to verify at the supplier’s premises and the organization’s premises that subcontracted product
conforms to specified requirements.

38 OF 61
BV Certification: This is another example of right of entry. The organization needs a documented
statement permitting right of entry.
Verification by the customer shall not be used by the organization as evidence of effective control of
quality by the supplier and shall not absolve the organization of the responsibility to provide acceptable
product, nor shall it preclude subsequent rejection by the customer.
7.5 Production and Service Provision
7.5.1: Control of product and service provision
There is the possibility of defining sub-clauses 7.5.1 b) work instructions, 7.5.1 c) the use of
suitable equipment, and 7.5.1 f) post delivery activities as not applicable to the scope of their
quality management system. The non-applicability of these items must be justified in the quality
manual (4.2.2 a) and must not “affect the organization’s ability, or responsibility to provide
product that meets customer and applicable regulatory requirements” (1.2).
The auditor will expect to see that production activity is well defined and understood. This is
generally ascertained through interviews with employees on the production floor, review of
documentation and observations. The auditor will verify the following at a minimum:
Planning shall consider, as applicable,
- the establishment of process controls and development of control plans where key characteristics
have been identified,
- the identification of in-process verification points when adequate verification of conformance
cannot be performed at a later stage of realization,
- the design, manufacture, and use of tooling so that variable measurements can be taken,
particularly for key characteristics, and
- special processes (see 7.5.2).
BV Certification: These requirements generally reflect good planning. Objective evidence might
include detailed work instructions, set-up sheets, shop travellers and instructions for in-process/ final
inspection.

39 OF 61
7.5.1 a) the information describing the characteristic of the product. This may be in the form of a
work order, traveller, schedule etc.
7.5.1 b) the availability of work instructions or procedures as applicable. These may be in any
format (electronic or paper); instructions may simply be included on the work order or traveller.
Instructions do not have to be documented and could simply be provided through training. The
auditor will review Control of Document, 4.2.3 as applicable.
7.5.1 c) the use of suitable equipment. The auditor will expect to see evidence that equipment is
suitable for the process and that it is maintained. The auditor will investigate how equipment is
maintained and how malfunctions are handled. This may be in conjunction with Infrastructure
6.3.
7.5.1 d - e) the availability of suitable monitoring and measuring devices and the implementation
of monitoring and measurement. Measuring and monitoring may require record keeping i.e.
operator log sheets, inspection sheets, routers or other documentation. Documentation will be
reviewed as applicable per Control of Records 4.2.4.
7.5.1 f) the release, delivery and post delivery activities. Whether in process or final the auditor
will expect to see that release, delivery and post delivery activities are defined. This may include
release to the next process or for shipment to customers.
7.5.1 g) accountability for all product during manufacture (e.g., parts quantities, split orders,
nonconforming product)
BV Certification: The organization needs to demonstrate a process of accountability for manufactured
product. This is often accomplished through the use of travelers or through bar coding at the
workstations. The effectiveness of the process for ensuring accountability needs to be verified during
the audit. Sometimes parts are physically lost, either internally or during outside processing.
Whenever there are issues surrounding product accountability, the organization needs to demonstrate
appropriate corrective action.
7.5.1 h) evidence that all manufacturing and inspection operations have been completed as planned,
or as otherwise documented and authorized
BV Certification: Many organizations control manufacturing and inspection operations through use
of shop travellers with operator initials after each operation has been completed. A similar result can
be achieved through the use of bar codes that are scanned at each workstation. Whatever method is
used, the auditor should verify that all manufacturing and inspection operations for representative jobs
have been completed. If evidence of completion for all operations is lacking, the reason needs to be
“documented and authorized”.

As9100 interpretations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to As9100 interpretations

Similar to As9100 interpretations (20)

Recently uploaded

Recently uploaded (20)

As9100 interpretations