Reference Paragraphs. Appendix B AQS Auditor Handbook


Introduction

Auditing is a basic tool to assess effective implementation of and conformity to Quality Management System (QMS) requirements. In addition to the determination of conformity, this handbook focuses on the evaluation of the effectiveness of the QMS and its associated processes. Most initial and reaccreditation audits are performed in conjunction with a special process audit. This handbook is intended to provide definitions and criteria consistent with industry evaluation of Quality Management Systems. This handbook provides applicable excerpts from SAE AS9101 as guidance for performing and assessing the client/organization's compliance with the AQS 001 checklist. Additional information and guidance for performance and assessment of audits can be found in the American Society of Quality (ASQ) Body of Knowledge (BoK), The ASQ Auditing Handbook: Principles, Implementation and Use, 3rd Edition.

This Auditor Handbook has been prepared to assist with the AQS 001 Audits as follows: Provide general guidance on expectations as to the Supplier's preparation for an audit and on the execution of the audit. This handbook does not add any requirements over and above the process code 001 Basic Quality System D requirements.

Reference Paragraphs

The format of the table below is:
BLACK text is a paraphrase of the checklist
RED text highlights documents and records required
BLUE text is intended to provide guidance for assessment of conformity

Checklist Guidance

4 Quality Management System

4.1 General Requirements

A quality management system (QMS) has been established, documented, implemented, and maintained with evidence of continual effectiveness improvement. The QMS addresses customer, statutory, and regulatory requirements. Outsourced processes are defined and controlled.

This paragraph is generally verified by examining the overall system during the audit. Key features that the system needs to possess:
System is established and supported by documentation.
Are policies, procedures and practices documented where specified?
Are resources (manpower/processes) in place and operating to support the QMS processes, for example: Competency & training; Planning of Product Realization; Purchasing Controls (including outsourcing); Production Controls; Change Controls; Production Validation (Inspection & Test); Identification & Traceability; Control of Monitoring and Measuring Equipment; Internal Audit; Records; Nonconforming Product; Corrective Action; etc.

4.2 Documentation Requirements

a. Documented statement of a quality policy and quality objectives
b. Documented quality manual
c. Documented procedures required by 001 checklist
d. Documented records required by 001 checklist

Supplier's personnel have access to and are aware of relevant QMS documentation and changes to it.

What does the quality policy mean to the company:
Employees
Management
Customers

Quality Policy

Review the client/organization Quality Policy.

Quality Objectives

Quality objectives must identify the company's desired goals. Various metrics may be used to track the effectiveness of the QMS in achieving the objectives by measuring the performance of products, processes, customer satisfaction, suppliers, use of resources, etc. Examples include:
Defect rates
Rework and repair costs
Reduction in variation, cycle time, set up time
Improved First Time Yield (FTY)
Reduction in Customer returns or complaints

Improved Customer satisfaction ratings
Reduced delivered faults from suppliers
Improved efficiency
Increased safety results

These objectives may be set at various levels in the organization depending on organization size. The number of objectives should be manageable for the size of the organization. Quality objectives must be measurable to facilitate the determination of improvement. Objectives must have a time frame associated with them.

"Documented" as used in this checklist requires an established written policy, procedure or manual that is under revision control as defined by the organization. Examples of documents include, but are not limited to: Policy; Procedure; Standard Practice; Instruction booklet; Handbook; Guide Book; Instruction manual; etc.

Verify that the QMS documents are available to company personnel as well as their customers and/or regulatory representatives.

Quality Manual

Quality manual is established, maintained and:
a. Includes the scope of the QMS
b. Includes QMS documented procedures or reference to them
c. Describes the interaction between the processes of the QMS

Verify the structure of the QMS: Scope; Procedures; Processes.

Control of Documents

Documents required by the QMS are controlled. Records are controlled per Control of Records (4.2.4). A documented PROCEDURE exists and includes the controls for:
a. approval process
b. review, update, and re-approval process
c. identification of changes and current revision status
d. documents are available where needed (point of use)
e. documents are legible and identifiable
f. external documents are identified and controlled
g. obsolete documents are identified and controlled

The client/organization must define the method for controlling documents created or retained in their procedure.
The documents must be made available for review by customers and/or regulatory representatives.

Control of Records

Records are established and controlled. A documented PROCEDURE exists that includes controls for:
identification
storage
protection
retrieval
retention
disposition

supplier created and/or retained records

Records are legible, identifiable and retrievable.

The records procedure must specify methods for identification, storage, protection, retention, disposition, and the retention and control of supplier records; these are records created by sub-tier suppliers to the organization being audited. Review records for legibility and identification. Sample records to verify they are retrievable.

5 Management Responsibility (May not apply to NDT Consultants)

5.1 Management Commitment

Evidence of top management commitment includes:
a. communicating importance of meeting customer, statutory and regulatory requirements
b. ensuring quality policy and objectives are established
c. conducting management reviews
d. ensuring the availability of resources

Interview top management to gauge commitment. Determine what methods are used within the organization for communicating the importance of meeting customer, statutory or regulatory quality and technical requirements. Management review is a periodic review of current business status, QMS effectiveness, and activities. What conclusions/actions did management take away from the review? Review samples of management reviews.

5.2 Customer Focus

Top management ensures that customer requirements are determined and met to enhance customer satisfaction. Top management ensures that product conformity and on-time delivery performance are measured and appropriate action is taken if planned results are not, or will not be, achieved.

Customer satisfaction is evident if the supplier is delivering conforming product. Check customer complaints, quality and delivery performance from the supplier's customers.

Responsibility and Authority and Communication

Top management ensures that responsibilities and authorities:
are defined
communicated

Policies or procedures may provide the structure for assigning roles and responsibilities. Interviews with top management should provide insight into communication or implementation.
Additional evidence may be determined during the course of the audit and during interviews with other personnel. Responsibilities and authorities may also be written in job descriptions, annual evaluation requirements/reports, etc.

Management Representative

Top management appointed Management Representative exists. Management Representative's responsibility and authority include:
a. ensuring QMS processes are established, implemented, and maintained
b. organizational freedom and unrestricted access to top management for resolution of quality management issues

Verify the Management Representative's responsibilities and authority include: Establish, implement and maintain QMS processes. Review organizational structure to ensure the management representative has organizational freedom and access to top management. Interview the management representative and top management to confirm organizational structure and access.

5.4 Management Review

General

Top management reviews the QMS for suitability, adequacy, and effectiveness at planned intervals. Management Review records are maintained.

Management review is a periodic review of current business status and activities. What conclusions/actions did management take away from the review?
Sample Management Review records
Verify reviews are accomplished at defined intervals
Ensure QMS capability and effectiveness are reviewed
Ensure records are being maintained

6 Resource Management

6.1 Provision of Resources

Resources determined and provided to:
a. implement and maintain the QMS and improve its effectiveness
b. enhance customer satisfaction

Resources may include, but are not limited to: Manpower; Data/Information; Infrastructure; Work Environment; Equipment; etc.

6.2 Human Resources

Personnel competency is based on education, training, skills and experience.

Verify that policy, process or practice establishes competency based on defined education, training, skills and/or experience.

Competence, Training and Awareness

a. Competence for personnel performing work affecting product quality is determined
b. Training to achieve competence is provided
c. Evaluates effectiveness of actions taken
d. Ensures personnel are aware of the relevance and importance of their activities and contribution to the realization of quality objectives
e. Maintains appropriate records per clause (Control of Records) requirements

Verify organization:
provides training
maintains records of training
evaluates the effectiveness of this training (this can be shown through: testing, review of performance, etc.)
competence can be evaluated through other methods, with records maintained (grandfathered individuals, company divestitures, etc.)

6.3 Work Environment (May not apply to NDT Consultants)

Determine and manage the work environment needed to achieve product conformity.

The organization identifies and manages conditions of the work environment; examples include, but are not limited to: ergonomics; cleanliness; temperature; noise; light.

NOTE: Personnel comfort that does not affect product integrity or quality is not auditable under this paragraph. Extreme environmental conditions that affect personnel safety may violate local, state or federal law (OSHA, etc.)

7 Product Realization

7.1 Planning of Product Realization (May not apply to NDT Consultants)

Plan and develop consistent product realization processes. Product realization planning reflects the following:
a. quality objectives and product requirements
b. processes, documents, and resources
c. verification, validation, monitoring, measurement, inspection and test activities
d. records
e. product configuration

Planning is in a suitable form for the organization's operations.

Verify the organization's product realization processes are planned (in a format suitable for the organization's operations). The organization can define the format and methodology that is appropriate. The planning for product realization (production including fabrication, processing, assembly, etc.) needs to include (as appropriate for the process or operation):
Defined quality objectives (accept/reject criteria)
Detailed processes, documents and resources: Manpower; Data/Information; Infrastructure; Work Environment; Equipment; etc.
Specified operations to accomplish or verify process: verification/validations; Monitoring & Measurement equipment; Inspection & Test

Planning provides a record of the process. Supports applicable configuration and traceability requirements. Configuration management is the control of design changes flowed down from the customer. All design changes may not be applicable to all processors. Traceability includes part identification and design configuration.

Determination of Requirements Related to the Product

a. Determine customer requirements, including delivery and post-delivery activities
b. Determine requirements not stated by the customer, but necessary for specified or intended use
c. Determine applicable statutory and regulatory requirements
d. Determine any additional necessary requirements

Verify the organization reviews the contract/purchase order for customer, statutory and regulatory requirements for incorporation into production/processing planning.

Review of Requirements Related to the Product

Reviews product requirements prior to commitment to supply a product. Reviews conducted to the customer documentation to ensure:
a. product requirements are defined

b. differing contract requirements are resolved
c. organization has the ability to meet the requirements
d. special product requirements are determined
e. risks have been identified

Records of reviews and actions are maintained. Where the customer provides no documented requirements, they are confirmed before acceptance. Documents are amended and personnel made aware when product requirements are changed.

Verify the organization establishes, within their processes, Customer related requirements. When no documented requirements are identified by the customer, the organization shall confirm customer requirements prior to acceptance. Verify the organization has a process to ensure product/process changes are incorporated into relevant processing/product documents and personnel are made aware of changed requirements (including customer notification). Verify the review includes evaluation of risk to delivery or compliance (e.g., new technology, short delivery cycle, etc.). Records of reviews and actions may include (but are not limited to): revised purchase order, from Customer authority, etc. Verbal changes are not sufficient; follow-up documentation is the record of change.

Customer Communication

Determine and implement effective arrangements for communicating with customers in relation to:
a. product information
b. inquiries, contracts or order handling, including amendments
c. customer feedback, including customer complaints

Verify the organization has a process for customer communication; changes shall not be implemented if verbal; the process needs to take into account customer satisfaction, complaints and feedback.

Purchasing (May not apply to NDT Consultants)

Purchasing Process

Purchased product conforms to specified requirements. Responsibility evident for product conformity for all purchased products (including customer directed suppliers). Criteria for selection, evaluation, and re-evaluation are established. Records of evaluations and actions arising from the evaluation are maintained.
a. Register of approved suppliers including scope of approval
b. Supplier performance is periodically reviewed
c. Process for dealing with suppliers that do not meet requirements is defined
d. The organization and all suppliers use customer approved special process sources
e. The process, responsibilities, and authority for the approved status decision, changes and conditions for controlled use determined

The organization is responsible to evaluate and select suppliers based on their ability to supply product and services to meet the organization's requirements. Review purchasing processes and verify:
Supplier selection/approval and re-evaluation process that includes assessment of capability
List of approved suppliers (Register)
Scope of approval, for example: commodity, process, etc.
Supplier performance is periodically evaluated (against specific criteria) and process for managing those not meeting minimum requirements
Responsibilities and authority for: Approved source list (register of approved suppliers); Purchase orders

The organization is responsible for products purchased from suppliers even when they are using customer directed/designated sources of supply or customer approved processors (special process sources). Review records for compliance with requirements.

7.3.2 Purchasing Information

Purchasing information includes (where appropriate):
a. product, procedures, processes, and equipment approvals
b. personnel qualifications
c. QMS requirements
d. revision status relevant technical data
e. requirements for design, test, inspection, verification, use of statistical techniques and related instructions for acceptance (including critical items and key characteristics)
f. requirements for test specimens
g. requirements for the suppliers to: notify of nonconforming product; receive nonconforming product disposition approvals; notify of changes to product, processes, suppliers and facilities; flow down requirements
h. records retention requirements
i. right of access

Adequacy of purchase requirements prior to issuance.

Purchasing information is required to describe the product/service being purchased including, where appropriate (not all information is applicable to all products and/or services):
Requirements for approval of material, procedures, processes and equipment
Requirements for qualified personnel
Quality requirements appropriate for the product or service being procured, including customer, statutory or regulatory quality system requirements
Technical requirements documents including applicable revision status
Specific processing, acceptance, verification or test instructions
Critical control items
Key characteristics
Nonconformance notification and disposition instructions
Product, process, facility changes
Sub-tier flow down requirements
Records retention (see 4.2.4 guidance)
Right of access

Purchase orders must flow the right of access of the customer and regulatory authorities to any supplier that is directly involved in the processing or supplying of product that is incorporated into the end product. Organizations must be sensitive to the interpretation of whether this includes those suppliers directly involved with the determination of the conformity of the product.
Right of access may not be applicable to commercially available processing materials and commodities that are not intended for delivery or incorporation into the deliverable end item.

Verification of Purchased Product

Activities to ensure purchased product meets purchase requirements have been established and implemented. Requirement for issuance of a Certification of Conformance (CofC). A process of product recall is implemented when product is released for use prior to completion of required incoming verification. Requirements for supplier delegations defined and a register of delegations maintained. Purchasing information defines information about the verification activities at the supplier's premises.

Verify the organization has established acceptance inspection or other process/activity to ensure products meet purchasing requirements. Incoming acceptance processes may include but are not limited to:
Product inspection
Verification of sub-tier inspection and test
Verification of certificate of conformance: lists the scope of the work performed including any deviations or exceptions and the specification(s) and revision level to which the hardware is processed.

N/A response for product recall process is supported for those facilities that do not integrate purchased product into Customer hardware/parts. N/A response is also supported for organizations that expressly document that nonconformances, missing data, incomplete certifications, etc. will cause material to be held or returned rather than being released to the production area. Examples: testing laboratories.

Confirm that the sub-tier supplier delegation process is defined and a list (register) is maintained. N/A response is supported when the organization does not delegate verification activities. Review a sample of purchase order(s) to ensure verification activities are defined (where applicable).

7.4 Control of Production and Service Provision (May not apply to NDT Consultants)

Production and service provisions are planned and achieved under controlled conditions including:
a. availability of product characteristics
b. availability of necessary work instructions
c. use of suitable equipment
d. availability and use of monitoring and measurement (M&M) equipment
e. implementation of M&M
f. implementation of product release, delivery, and post-delivery activities
g. accountability for all product during production
h. evidence that all operations have been completed as planned
i. provisions for a Foreign Object Debris/Damage (FOD) program
j. monitoring and control of utilities and supplies
k. criteria for workmanship

Planning appropriately considers:
managing critical items and key characteristics
measurement tooling
identifying in-process verification points
special processes

Verify the organization has the information available that specifies the product/process characteristics. Where applicable, specific work instructions that ensure quality/integrity of the product/process must be available.
Planning should address preparation and set-up as well as operation, inspection/test and acceptance. Provisions in the work instructions must address selection of equipment, tools, monitoring and measuring and provide instruction and a record of all operational, inspection, test and acceptance activities. Details must address accept/reject criteria as well as controls for critical/key characteristics when identified. The FOD program should be appropriate to the risk at the organization. It can range from simple to complex.

Control of Production Process Changes

Personnel authorized to approve changes are defined. Changes affecting processes, equipment, tools, or software are controlled and documented. Changes are assessed to confirm that product conformity has not been adversely affected.

This requirement is intended to ensure changes in production operation or tooling are approved by the process or design authority (sometimes the customer). A change in production or tooling could result in unintended product/process characteristics that are not apparent to the operator.

Control of Production Equipment, Tools and Software Programs

Production equipment, tools, and software used to automate, control, or monitor processes are validated prior to release for production and are maintained. Storage requirements are defined for production equipment or tooling.

Control software for numerical control (NC) machine programs, automated control and/or monitoring processes must be validated (proofed) prior to use and the equipment, tools and programs are maintained. Validation may include: First Article Inspection, virtual processing, scrap/representative part processing. Storage requirements include periodic preservation and condition checks.

7.4.2 Validation of Processes for Production Provision

Special processes are validated prior to use. Special process validations demonstrate the ability to achieve planned results. Established planning including, as applicable:
a. criteria for review and approval
b. approval of equipment and qualification of personnel
c. use of specific methods and procedures
d. requirements for records
e. revalidation

Special process controls are defined and controlled by specific Commodity Groups and/or Customers who establish requirements and controls.

Identification and traceability

Products identified throughout product realization. Product configuration maintained. Product status is identified throughout product realization. Controls in place for media used for acceptance. When required, traceability is controlled through unique product identification and records are maintained.

Verify the organization has an established method to identify the product throughout processing operations. If traceability requirements are imposed, the organization shall have a method to control and record the unique identification of the product. Examples of media used for acceptance include: stamps, electronic signatures, employee numbers, passwords, etc. Controls must be in place to ensure traceability to the individual using the media. Controls also need to cover: loss, employee no longer at facility, etc. N/A supported when only handwritten signatures or initials are used.
Verify capability to provide special identification requirements or levels of traceability when required by customer or regulatory authority.

Customer Property

Customer property is adequately controlled through identification, verification, protection and safeguarding. Lost, damaged, or product unsuitable for use is reported to the customer and records maintained.

Review customer property control processes and records to ensure that customer property maintains identification and is protected from improper/unauthorized use and environmental deterioration. Ensure verification of property conditions. Property may include, but is not limited to: intellectual property, including data used for design, production and/or inspection tooling, fixturing, gauging, packaging parts for processing, sub-assemblies, detail parts for assembly; Customer supplied material (raw, forging, etc.)

Preservation of Product

Products are preserved during internal processing and delivery. Preservation includes identification, handling, packaging, storage and protection. Preservation controls are applied to the constituent parts. Preservation of product includes appropriate:
a. cleaning
b. foreign object controls
c. special handling for sensitive products
d. marking and labeling
e. shelf life control and stock rotation
f. special handling for hazardous materials

Ensure product is protected from processing through delivery to maintain quality and integrity of product or process.

Production Process Verification

When required by contract, the organization shall use a representative item from the first production run of a new part or assembly to verify that the production processes, production documentation and tooling are capable of producing parts and assemblies that meet requirements. This process shall be repeated when changes occur that invalidate the original results (e.g., engineering changes, manufacturing process changes, tooling changes).

NOTE: This activity is often referred to as first article inspection. First Article Inspection is typically required when manufacturing to a physical engineering configuration.

7.5 Control of Monitoring and Measuring (M&M) Equipment (May not apply to NDT Consultants)

Product Monitoring & Measuring (M&M) and appropriate Monitoring & Measuring equipment have been determined. A register of the M&M equipment is maintained. Processes are defined for M&M equipment calibration (and/or verification, including equipment type, identification, location, frequency, check method and acceptance criteria). Environmental conditions are suitable for the calibrations, inspections, measurements, and testing.
a. M&M equipment are calibrated (and/or verified) at specified intervals against traceable standards
b. M&M equipment are adjusted, when necessary
c. M&M equipment have unique identifiers
d. M&M equipment are safeguarded from adjustments
e. M&M equipment are adequately protected

An M&M equipment calibration (and/or verification) recall process exists. Previous results are assessed, recorded, and acted upon when M&M equipment is found out of tolerance, as appropriate. Calibration (and/or verification) records are retained. Software used for M&M is confirmed before initial use and reconfirmed, as necessary.

M&M equipment may include: test hardware/software, Automated Test Equipment, plotters used to produce inspection data, etc. Personal equipment and tools used to measure or inspect for conformance and acceptance must be included in the system. Sample M&M to verify accuracy and completeness of the register or log of M&M equipment. Calibration status of the tools and equipment is maintained. Sample the M&M found out of tolerance to verify adequate assessment and action.

8 Measurement, Analysis and Improvement

8.1 Customer Satisfaction

As one of the measurements of the performance of the QMS, information relating to customer perception as to whether the organization has met customer requirements is monitored. The methods for obtaining and using this information shall be determined by the organization. The organization shall have plans for customer satisfaction improvement that address deficiencies identified by these evaluations, and assess the effectiveness of the results.

Verify the organization has a process for reviewing and determining if they are meeting customer requirements, and a process in place if they are not. The information monitored for customer satisfaction shall include product conformity, on-time delivery performance, customer complaints and corrective action requests.

8.2 Internal Audit

Internal audits conducted at planned intervals:
a. audits ensure conformity to planned arrangements, requirements of the applicable AC7004 checklist and organization's QMS requirements
b. audits ensure the QMS is effectively implemented and maintained

Audits based on status and importance of processes and previous audit results to define criteria, scope, frequency, and methods. Auditors do not audit their own work. A documented internal audit PROCEDURE exists. Audit records are maintained. Timely corrective actions are taken by management in audited areas. Follow-up activities verify and report actions taken.

Verify the organization has a documented internal audit procedure that requires assessment of the QMS. Frequency and scope of assessments are defined. Actions are assigned and taken to correct nonconformities detected during internal audits. Follow-up actions verify implementation and effectiveness of corrective action.

8.3 Monitoring and Measurement (M&M) of Processes (May not apply to NDT Consultants)

Methods for M&M of QMS processes are in place and demonstrate that processes achieve planned results. Correction and corrective actions are taken when results are not achieved. Process nonconformities result in:
a. actions to correct the nonconforming process
b. evaluations of the effect on products
c. determinations of the effect on other processes or products
d. control of nonconforming product (NCP)

This section refers to the ongoing monitoring to assess the effectiveness of the QMS processes, rather than the sampling done by the internal audit process. Verify the organization provides oversight of processes to ensure planned results are achieved. Examples of QMS processes include, but are not limited to: purchasing, internal auditing, corrective action, document control, record control, customer complaints, etc.

8.4 Monitoring and Measurement (M&M) of Product (May not apply to NDT Consultants)

M&M of product characteristics are performed and maintained. Acceptance measurement requirements are documented and include:
a. acceptance and/or rejection criteria
b. the sequence where measurement and testing operations are planned
c. records of measurement results
d. specific measurement instruments required

Critical items are controlled and monitored. Sampling plans are justified on the basis of recognized statistical principles and appropriate for use. Product released for use prior to the completion of planned activities is controlled to allow for recall. Records reflect person(s) authorizing release of product for delivery. Release of product and/or delivery of services are not performed until all planned activities are accomplished or without Authority/customer approval. Documents required to accompany the product are present at delivery.

Verify the organization provides for the inspection and test of product to ensure requirements have been met. Acceptance needs to be performed at planned sequences in the operation, using specified measurement equipment to evaluate product characteristics to defined accept/reject criteria. Defects that are identified during processing (that are outside of the scope of the contract) are processed per customer requirements. Results of inspections & tests shall be recorded.

8.5 Control of Nonconforming Product (NCP) (May not apply to NDT Consultants)

Nonconforming Product (NCP) is identified and controlled. A documented PROCEDURE exists for handling of NCP. The responsibility and authority for the review and disposition of nonconforming product are defined. The process for approving personnel making these decisions is defined. NCP controls include:
a. actions to eliminate the nonconformity
b. use, release, or acceptance by customer concession

c. actions to preclude its intended use or application
d. actions on the effects of NCP, when detected after delivery or use, include timely reporting
e. actions to contain the nonconformity effect on other processes or products

Dispositions of use as is or repair are used only after approval from design responsible organizations. Dispositions of use as is or repair are not used without customer authorization. Scrap product is marked or positively controlled. Corrected NCP is subjected to re-verification. NCP records are maintained.

Verify that nonconformance control processes are defined and that all departures from defined product characteristics and performance requirements are documented and dispositioned. Use As Is and Repair dispositions are approved by the customer and/or design authority. Rework and repair require re-inspection. Records of all product nonconformances shall be maintained. N/A responses for and are supported when an organization returns nonconforming material to the Customer.

8.6 Corrective Action (CA)

Actions are taken to eliminate the causes of nonconformities. A documented PROCEDURE exists that includes:
a. reviewing of nonconformities
b. determining the causes of nonconformities
c. evaluating action to prevent recurrence
d. determining and implementing actions
e. record of actions taken
f. reviewing the effectiveness of corrective actions
g. flowing down corrective action (CA) requirements to suppliers
h. actions where timely and/or effective CAs are not achieved
i. determining if additional nonconforming product exists

Verify CA procedures include the review of product as well as process nonconformities. The CA process includes nonconformities identified during internal and external audits. Sample CA records for internal and supplier issues for adequacy and completeness of records in accordance with procedures.