How OCAP affects AS9100 Companies

The revised SAE AS9104/1A requires AS 9100 CBs (Certification Bodies… AKA Registrars) to use the “Organization Certification Analysis Process (OCAP)” to determine an overall “risk rating” for each certified company. This “risk-rating” will then be used during audit planning — to provide reductions or increases (by ±10%, as per AS9104/1A, “Table 9 - Audit Duration Risk Adjustments”) in certification and surveillance audit durations from baseline audit durations found in SAE AS9104/1A, “Table 8 - Audit Duration Per Site”.

For differentiation between “audit duration” vs. “audit time” read: "What is "Audit Duration" vs. "Audit Time".

While not part of OCAP, SAE AS9104/1A, sec. states: “When an ISO 9001 certificate has been issued with a different scope of certification than the AQMS certificate, the ISO 9001 standard shall not be listed on the AQMS certificate.

While many AS91xx companies don't realize that they could have different scopes… one for ISO 9001 and another for AS91xx, this requirement addresses how the CBs will handle those situations.

What is OCAP

The OCAP is defined in SAE AS9104/1A as:

3.8 Organization Certification Analysis Process (OCAP)
An interactive process between the organization and CB to determine the organization’s AQMS scope and associated certification audit program, and conduct a risk assessment for certification within the ICOP scheme.

The OCAP does NOT impact ISO 9001 certified companies. However, ISO 9001 audit time is subject to numerous considerations (addressed in IAF MD5 "Determination of Audit Time for QMS-EMS-OHS Audits”, sec. 8, “Factors for Adjustments of Audit Time of Management Systems (QMS, EMS, and OH&SMS)”).

SAE AS9104/1A, sec. states: The analysis shall be:
a. Conducted prior to initial certification and updated for each surveillance or recertification audit;
b. Verified and the verification documented by the CB’s audit team; and
c. Updated by the audit team and adjustments made to the audit plan or program, as applicable.

NOTE 1: A tool is available to assist in this process called the Organization Certification Analysis Process (OCAP) Tool.
NOTE 2: Data from Stage 1 activities can be used to document the analysis of the organization.

OCAP Implementation Timeline

The OASIS database “should” be updated to support the new SAE AS9104/1A by July 24, 2023 (no promises). The new OCAP process is required to be fully implemented by the Certifying Bodies (CBs) no later than 3/31/24.

Information concerning the timeline for OCAP implementation by the registrars (and the downloadable “Organization Certification Analysis Process (OCAP) Tool”) is online at:

Providing OCAP Data

As per IAQG COT Supplemental Rule 004, sec. 5.3, each AS91xx Certified organization must “Provide CBs with information required for the OCAP review at least 90 days prior to the 9104-1:2022 transition audit”.

You will receive a written request (e.g., a letter or questionnaire) from your CB when they're ready for your OCAP data. If your company fails to provide this information within the required 90-day period, then the audit cannot be performed, and the CB will (as per SAE AS9104/1A, sec. 8.2.2) follow its processes for cancellation, missed surveillance audit, or expired certification.

Further, as per SAE AS9104/1A, sec. 9.1.10 states:

AQMS certified organizations shall provide data required by this standard, to their CB prior to initial, surveillance, and recertification audits for the completion of the OCAP analysis.

NOTE: Failure to provide accurate and timely data may result in the issuance of a nonconformity by the CB and/or prevent certification.

Such a nonconformity would cite a failure to comply with the requirements of an “interested party” (i.e., the CB) and reference AS91xx, sec. 4.2, “Understanding the Needs and Expectations of Interested Parties”.

The CB “should” only be asking for the current or most recent KPI data because what they're seeking is a “starting point” in the OCAP process.

OCAP Requirements

The data provided will be used by the CB for determining an overall “risk rating” (High, Medium, Low) for each certified company. The overall “risk rating” is calculated using AS9104/1A, Table 7 - “Organizational Risk Determination”, shown below.

Prior to providing such data, you should read this entire article (including the hyperlinked articles below each “Risk Factor” in Table 7, for a detailed discussion of each) in order to understand how it will be used.

AS9104/1A, Table 7 - Organizational Risk Determination
Risk Factor Data Source LOW (1) MED (3) HIGH (6) Risk Score
Complexity Figure 2 Low Med High A
Internal Audit Table 5 Low Med High B
On-Time Delivery Organization Exceeds Meets Below C
Conformity of Delivered Product or Service (e.g., item escape rate) Organization Exceeds Meets Below D
Customer Complaints / Feedback Organization Exceeds Meets Below E
AQMS Process Effectiveness from Previous Audit Report PEARs (lowest value) 5 3-4 1-2 F
Total Risk Score = ∑(A+B+C+D+E+F) = R R
When R = (36 to 25) Risk is HIGH, (24 to 12) Risk is MED, (11 to 6) Risk is LOW
Example: A=High (6), B=Low (1), C=Low (1), D=Med (3), E=Med (3), and F=Low (1). Therefore ∑(6+1+1+3+3+1) = 15
Organizational Risk = Medium

CBs will be calculating your company's “Risk Score” using the IAQG “OCAP Tool” (Excel), freely available from:

Download the “Risk Tool” and complete it for your company as you read the requirements.

Other AS9104/1A Considerations

AS9104/1A, sec. states:

CBs shall require that organizations provide information regarding the use of additional aerospace standard(s) listed within the IAQG Standards Register during the initial Stage 1 audit and update, as needed, prior to surveillance or recertification audits (see Table 4)”.

The most commonly invoked supplemental AS91xx standards are AS9102 (Aerospace first article inspection requirement) & 9146 (Foreign object debris – FOD). If a standard is contractually imposed on the company (e.g., by a customer) then additional time may be added to each site where the related processes are performed (ref. IAF MD5 "Determination of Audit Time for QMS-EMS-OHS Audits”, sec. 8, “Factors for Adjustments of Audit Time of Management Systems (QMS, EMS, and OH&SMS)”). This new requirement is also intended to ensure that the CB assigns auditors who are competent in auditing compliance with those additional standards.

Source: If you’re ready for a path forward now…
Just click here to schedule your FREE Certification Strategy Meeting (via Zoom) with me. I’ll answer any questions you might have. No sales pitch. Just information.

Or, for my cell phone & e-mail address, visit the contact us page.

100% of our clients achieve certification on their first attempt.

This means that no CB has ever required a “follow-up” or “special” audit for any of our clients prior to being issued their certification.

We provide you with “peace of mind” that we'll take care of QMS certification!