

How OCAP affects AS9100 Companies

The revised SAE AS9104/1A requires AS9100 CBs (Certification Bodies… AKA Registrars) to use the “Organization Certification Analysis Process (OCAP)” to determine an overall “risk rating” for each registered company. This “risk rating” will then be used during audit planning — to provide reductions or increases (by ±10%, as per AS9104/1A, “Table 9 - Audit Duration Risk Adjustments”) in certification and surveillance audit durations from baseline audit durations found in SAE AS9104/1A, “Table 8 - Audit Duration Per Site”.

For the difference between “audit duration” and “audit time”, read: “What is ‘Audit Duration’ vs. ‘Audit Time’”.

While not part of OCAP, SAE AS9104/1A, sec. 8.2.4.3 states: “When an ISO 9001 certificate has been issued with a different scope of certification than the AQMS certificate, the ISO 9001 standard shall not be listed on the AQMS certificate.”

While many AS91xx companies don't realize that they could have different scopes… one for ISO 9001 and another for AS91xx, this requirement addresses how the CBs will handle those situations.

What is OCAP

The OCAP is defined in SAE AS9104/1A as:

3.8 Organization Certification Analysis Process (OCAP)
An interactive process between the organization and CB to determine the organization’s AQMS scope and associated certification audit program, and conduct a risk assessment for certification within the ICOP scheme.

The OCAP does NOT impact ISO 9001 certified companies. However, ISO 9001 audit time is subject to numerous considerations (addressed in IAF MD5 “Determination of Audit Time for QMS-EMS-OHS Audits”, sec. 8, “Factors for Adjustments of Audit Time of Management Systems (QMS, EMS, and OH&SMS)”).

SAE AS9104/1A, sec. 8.5.1.2 states: The analysis shall be:
a. Conducted prior to initial certification and updated for each surveillance or recertification audit;
b. Verified and the verification documented by the CB’s audit team; and
c. Updated by the audit team and adjustments made to the audit plan or program, as applicable.

NOTE 1: A tool is available to assist in this process called the Organization Certification Analysis Process (OCAP) Tool.
NOTE 2: Data from Stage 1 activities can be used to document the analysis of the organization.

OCAP Implementation Timeline

The OASIS database was scheduled to begin supporting the new SAE AS9104/1A criteria by 3/31/23, and the new OCAP process is required to be fully implemented by the Certifying Bodies (CBs) no later than 3/31/24.

Information concerning the timeline for OCAP implementation by the registrars (and the downloadable “Organization Certification Analysis Process (OCAP) Tool”) is online at: https://oasishelp.iaqg.org/91042022-series-and-91012022-transition/

Providing OCAP Data

As per IAQG COT Supplemental Rule 004, sec. 5.3, the AS91xx Certified organization must “Provide CBs with information required for the OCAP review at least 90 days prior to the 9104-1:2022 transition audit”.

You will receive a written request (e.g., a letter or questionnaire) from your CB when they're ready for your OCAP data. If your company fails to provide this information within the required 90-day period, then the audit cannot be performed, and the CB will (as per SAE AS9104/1A, sec. 8.2.2) follow its processes for cancellation, missed surveillance audit, or expired certification.

Further, SAE AS9104/1A, sec. 9.1.10 states:

AQMS certified organizations shall provide data required by this standard, to their CB prior to initial, surveillance, and recertification audits for the completion of the OCAP analysis.

NOTE: Failure to provide accurate and timely data may result in the issuance of a nonconformity by the CB and/or prevent certification.

Such a nonconformity would cite a failure to comply with the requirements of an “interested party” (i.e., the CB) and reference AS9100, sec. 4.2, “Understanding the Needs and Expectations of Interested Parties”.

The CB “should” only be asking for the current or most recent KPI data because what they're seeking is a “starting point” in the OCAP process.

OCAP Requirements

The data provided will be used by the CB for determining an overall “risk rating” (High, Medium, Low) for each certified company. The overall “risk rating” is calculated using AS9104/1A, Table 7 - “Organizational Risk Determination”, shown below.

Prior to providing such data, you should read this entire article in order to understand how it will be used.

AS9104/1A, Table 7 - Organizational Risk Determination

| Risk Factor | Data Source | LOW (1) | MED (3) | HIGH (6) | Risk Score |
|---|---|---|---|---|---|
| Complexity | Figure 2 | Low | Med | High | A |
| Internal Audit | Table 5 | Low | Med | High | B |
| On-Time Delivery | Organization | Exceeds | Meets | Below | C |
| Conformity of Delivered Product or Service (e.g., item escape rate) | Organization | Exceeds | Meets | Below | D |
| Customer Complaints / Feedback | Organization | Exceeds | Meets | Below | E |
| AQMS Process Effectiveness from Previous Audit Report | PEARs (lowest value) | 5 | 3-4 | 1-2 | F |
| Total Risk Score = ∑(A+B+C+D+E+F) = R | | | | | R |

When R = (36 to 25) Risk is HIGH, (24 to 12) Risk is MED, (11 to 6) Risk is LOW

Example: A=High (6), B=Low (1), C=Low (1), D=Med (3), E=Med (3), and F=Low (1). Therefore ∑(6+1+1+3+3+1) = 15
Organizational Risk = Medium

CBs will be calculating your company's “Risk Score” using the IAQG “OCAP Tool” (Excel), freely available from: https://iaqg.org/certification-management/

Download the “Risk Tool” and complete it for your company as you read the requirements (below).

Customer Complaints / Feedback

In addition to the above KPIs, the OCAP requirement includes “Customer Complaints / Feedback” as requiring a “Quality Objective”.

This data is typically highly subjective (e.g., customer “perceptions”) and is much more difficult to analyze due to numerous factors. For example, some customer complaints and feedback (e.g., from “Customer-Satisfaction Surveys”) are directly related to customer-imposed restrictions on the level of control the company has over its processes (e.g., customer-mandated suppliers and/or service providers, customer-specified material/parts, fixed/frozen or customer-approved processes). In other cases, after reasonable efforts have been made to understand the customer’s requirements, the customer continues to communicate incorrectly/poorly stated requirements – primarily due to the customer’s continued inability to adequately define and/or articulate their requirements.

Upon re-visiting AS9100, sec. 9.1.2, “Customer Satisfaction” we read:

Information to be monitored and used for the evaluation of customer satisfaction shall include, but is not limited to, product and service conformity, on-time delivery performance, customer complaints, and corrective action requests. The organization shall develop and implement plans for customer satisfaction improvement that address deficiencies identified by these evaluations, and assess the effectiveness of the results.

Since customer complaints and corrective action requests are already required to be monitored, it makes more sense to establish “objectives” associated with this data rather than to initiate subjective “Customer-Satisfaction Surveys”.

Examples of potential objectives include:

| KPI | Objective |
|---|---|
| Customer Complaints | ≤1% of Orders Fulfilled |
| Customer Corrective Action Requests | ≤1% of Orders Fulfilled |

Based on the concerns described above, the company should have a process for analyzing “customer complaints” to determine their validity prior to being input to the KPI.

Also, since AS9100, clause 8.5.1,c,2 allows for sampling, it is recognized that there will be an acceptable number of defects delivered (through an assigned AQL or AOQL). Consequently, the company should have a process for analyzing all “corrective action requests” received from customers to determine whether the associated nonconformity was the result of an “Assignable Cause” variation (which can be addressed through a corrective action) or was the result of a “Common Cause” variation (with NO assignable cause) in the process. Where the nonconformity was due to a “Common Cause” variation in the process, the only way to address this is through changing the process (if possible) or introducing risk controls to mitigate the probability or impact of recurring nonconformities.

AQMS Process Effectiveness from Previous Audit Report

AS9100 auditors are required (by SAE AS9101, "Quality Management Systems - Audit Requirements for Aviation, Space, and Defense Organizations") to complete a “Process Effectiveness Assessment Report” (PEAR), Form 3, for EACH “key” process identified by the customer. The PEARs include a matrix (shown below) where the auditor selects a number (1-5) as an indication of the effectiveness of the process based upon whether:

  • No nonconformities AND the “Quality Objective(s)” were met (scoring a “5”)
  • One or more nonconformities were identified BUT the “Quality Objective(s)” were met (scoring ≤4)
  • No nonconformities were identified BUT one or more “Quality Objective(s)” were NOT met (scoring ≤4)
  • One or more nonconformities were identified AND one or more “Quality Objective(s)” were NOT met (scoring ≤3)

If the terminology in the PEAR is confusing (i.e., “Planned Activities” vs. “Planned Results”), this is explained in AS9101 (Rev. G) sections:

3.7 Planned Activities
The means, methods, and internal requirements by which the organization intends to achieve planned results of a given process to meet customer requirements. Planned activities include conformity to process requirements and maintained documented information.

3.8 Planned Results
The intended performance of a process as determined and measured by the organization. Planned results include product and service conformity and On-time Delivery (OTD) to meet customer requirements, and may include other elements related to the process, as defined by the organization.

As per AS9104/1A, “Table 7 - Organizational Risk Determination”, the AS9100 auditor will use the PEAR with the lowest score to calculate the “Risk Factor”.

Strategy
The strategy to have a low “Risk Factor” in this category is to ensure that ALL “Quality Objectives” (associated with PEARs) are (1) realistic and (2) consistently met. In addition, you should focus your internal audits on those processes associated with PEARs to mitigate the possibility of any non-conformities arising from those areas.

Other AS9104/1A Considerations

AS9104/1A, sec. 8.5.1.3.4 states: “CBs shall require that organizations provide information regarding the use of additional aerospace standard(s) listed within the IAQG Standards Register during the initial Stage 1 audit and update, as needed, prior to surveillance or recertification audits (see Table 4)”.

The most commonly invoked supplemental AS91xx standards are AS9102 (Aerospace first article inspection requirement) & 9146 (Foreign object debris – FOD). If a standard is contractually imposed on the company (e.g., by a customer) then additional time may be added to each site where the related processes are performed. This new requirement is also intended to ensure that the CB assigns auditors who are competent in auditing compliance with those additional standards.

