{{keywords>ocap,as9100}}
====== How OCAP affects AS9100 Companies ======
The revised [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] requires AS 9100 CBs (Certification Bodies... AKA Registrars) to use the "//Organization Certification Analysis Process (OCAP)//" to determine an overall "risk rating" for each certified company. This "risk-rating" will then be used during audit planning — to provide reductions or increases (by ±10%, as per AS9104/1A, "//Table 9 - Audit Duration Risk Adjustments//") in certification and surveillance audit durations from baseline audit durations found in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], "Table 8 - Audit Duration Per Site".
For differentiation between "audit duration" vs. "audit time" read: [[articles:what_is_audit_duration_vs_audit_time|"What is "Audit Duration" vs. "Audit Time"]].
While not part of OCAP, SAE AS9104/1A, sec. 8.2.4.3 states: "//When an ISO 9001 certificate has been issued with a different scope of certification than the AQMS certificate, the ISO 9001 standard shall not be listed on the AQMS certificate.//" \\
While many AS91xx companies don't realize that they could have different scopes... one for ISO 9001 and another for AS91xx, this requirement addresses how the CBs will handle those situations.
===== What is OCAP =====
The OCAP is defined in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] as:
3.8 Organization Certification Analysis Process (OCAP) \\
An interactive process between the organization and CB to determine the organization’s AQMS scope and associated certification audit program, and conduct a risk assessment for certification within the [[https://iaqg.org/certification/|ICOP scheme]].
The OCAP does NOT impact ISO 9001 certified companies. However, ISO 9001 audit time is subject to numerous considerations (addressed in [[https://iaf.nu/en/iaf-documents-categories/|IAF MD5 "Determination of Audit Time for QMS-EMS-OHS Audits”]], sec. 8, "//Factors for Adjustments of Audit Time of Management Systems (QMS, EMS, and OH&SMS)//").
SAE AS9104/1A, sec. 8.5.1.2 states: //The analysis shall be: \\
a. Conducted prior to initial certification and updated for each surveillance or recertification audit; \\
b. Verified and the verification documented by the CB’s audit team; and \\
c. Updated by the audit team and adjustments made to the audit plan or program, as applicable. \\
\\
NOTE 1: A tool is available to assist in this process called the Organization Certification Analysis Process (OCAP) Tool. \\
NOTE 2: Data from Stage 1 activities can be used to document the analysis of the organization.//
==== OCAP Implementation Timeline ====
The OASIS database "//should//" be updated to support the new [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] by July 24, 2023 (no promises). The new OCAP process is required to be fully implemented by the Certifying Bodies (CBs) no later than 3/31/24.
Information concerning the timeline for OCAP implementation by the registrars (and the downloadable "Organization Certification Analysis Process (OCAP) Tool") is online at: [[https://oasishelp.iaqg.org/91042022-series-and-91012022-transition/]]
==== Providing OCAP Data ====
As per [[https://oasishelp.iaqg.org/wp-content/uploads/2022/12/2022-12-07-SR004-for-9104-Series-Transition-Rev-B-v2.pdf?1686587114917|IAQG COT Supplemental Rule 004]], sec. 5.3, each AS91xx Certified organization must "//Provide CBs with information required for the OCAP review at least 90 days prior to the 9104-1:2022 transition audit//".
You will receive a written request (e.g., a letter or questionnaire) from your CB when they're ready for your OCAP data. If your company fails to provide this information within the required 90-day period, then the audit cannot be performed, and the CB will (as per [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], sec. 8.2.2) follow its processes for cancellation, missed surveillance audit, or expired certification.
Further, as per [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], sec. 9.1.10 states:
//AQMS certified organizations shall provide data required by this standard, to their CB prior to initial, surveillance, and recertification audits for the completion of the OCAP analysis. \\
\\
NOTE: Failure to provide accurate and timely data may result in the issuance of a nonconformity by the CB and/or prevent certification.//
Such a nonconformity would cite a failure to comply with the requirements of an "//interested party//" (i.e., the CB) and reference AS91xx, sec. 4.2, "Understanding the Needs and Expectations of Interested Parties".
The CB "//should//" only be asking for the current or most recent KPI data because what they're seeking is a "starting point" in the OCAP process.
===== OCAP Requirements =====
The data provided will be used by the CB for determining an overall "risk rating" (High, Medium, Low) for each certified company. The overall "risk rating" is calculated using AS9104/1A, Table 7 - "//Organizational Risk Determination//", shown below.
Prior to providing such data, you should read this entire article (including the hyperlinked articles below each "Risk Factor" in Table 7, for a detailed discussion of each) in order to understand how it will be used.
^ AS9104/1A, Table 7 - Organizational Risk Determination ^^^^^^
^ Risk Factor ^ Data Source ^ LOW (1) ^ MED (3) ^ HIGH (6) ^ Risk Score ^
| [[articles:ocap-complexity|Complexity]] | [[articles:ocap-complexity|Figure 2]] | Low | Med | High | A |
| [[articles:ocap-internal_audit|Internal Audit]] | [[articles:ocap-internal_audit|Table 5]] | Low | Med | High | B |
| [[articles:ocap-otd|On-Time Delivery]] | Organization | Exceeds | Meets | Below | C |
| [[articles:ocap-otd|Conformity of Delivered Product or Service (e.g., item escape rate)]] | Organization | Exceeds | Meets | Below | D |
| [[articles:ocap-customer_complaints_feedback|Customer Complaints / Feedback]] | Organization | Exceeds | Meets | Below | E |
| [[articles:ocap-aqms_process_effectiveness|AQMS Process Effectiveness from Previous Audit Report]] | PEARs (lowest value) | 5 | 3-4 | 1-2 | F |
| Total Risk Score = ∑(A+B+C+D+E+F) = R ||||| R |
| When R = (36 to 25) Risk is HIGH, (24 to 12) Risk is MED, (11 to 6) Risk is LOW \\ Example: A=High (6), B=Low (1), C=Low (1), D=Med (3), E=Med (3), and F=Low (1). Therefore ∑(6+1+1+3+3+1) = 15 \\ Organizational Risk = Medium ||||||
CBs will be calculating your company's "Risk Score" using the IAQG "OCAP Tool" (Excel), freely available from: https://iaqg.org/certification-management/
Download the "Risk Tool" and complete it for your company as you read the requirements.
==== Other AS9104/1A Considerations ====
AS9104/1A, sec. 8.5.1.3.4 states:
"//CBs shall require that organizations provide information regarding the use of additional aerospace standard(s) listed within the [[https://tst.iaqg.org/iaqg/publications/standardsregister.pdf|IAQG Standards Register]] during the initial Stage 1 audit and update, as needed, prior to surveillance or recertification audits (see Table 4)//".
The most commonly invoked supplemental AS91xx standards are AS9102 (Aerospace first article inspection requirement) & 9146 (Foreign object debris – FOD). If a standard is contractually imposed on the company (e.g., by a customer) then additional time //may// be added to each site where the related processes are performed (ref. [[https://iaf.nu/en/iaf-documents-categories/|IAF MD5 "Determination of Audit Time for QMS-EMS-OHS Audits”]], sec. 8, "//Factors for Adjustments of Audit Time of Management Systems (QMS, EMS, and OH&SMS)//"). This new requirement is also intended to ensure that the CB assigns auditors who are competent in auditing compliance with those additional standards.
{{page>wiki:pathforward}}