| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| articles:ocap [2023/06/17 19:44] – [OCAP Requirements] rrandall | articles:ocap [2023/09/14 10:24] (current) – [OCAP Implementation Timeline] rrandall |
|---|
| ====== How OCAP affects AS9100 Companies ====== | ====== How OCAP affects AS9100 Companies ====== |
| |
| The revised [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] requires AS 9100 CBs (Certification Bodies... AKA Registrars) to use the "//Organization Certification Analysis Process (OCAP)//" to determine an overall "risk rating" for each registered company. This "risk-rating" will then be used during audit planning — to provide reductions or increases (by ±10%, as per AS9104/1A, "//Table 9 - Audit Duration Risk Adjustments//") in certification and surveillance audit durations from baseline audit durations found in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], "Table 8 - Audit Duration Per Site". | The revised [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] requires AS 9100 CBs (Certification Bodies... AKA Registrars) to use the "//Organization Certification Analysis Process (OCAP)//" to determine an overall "risk rating" for each certified company. This "risk-rating" will then be used during audit planning — to provide reductions or increases (by ±10%, as per AS9104/1A, "//Table 9 - Audit Duration Risk Adjustments//") in certification and surveillance audit durations from baseline audit durations found in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], "Table 8 - Audit Duration Per Site". |
| |
| <WRAP center round info 60%> | <WRAP center round info 80%> |
| For differentiation between "audit duration" vs. "audit time" read: [[articles:what_is_audit_duration_vs_audit_time|"What is "Audit Duration" vs. "Audit Time"]]. | For differentiation between "audit duration" vs. "audit time" read: [[articles:what_is_audit_duration_vs_audit_time|"What is "Audit Duration" vs. "Audit Time"]]. |
| </WRAP> | </WRAP> |
| ==== OCAP Implementation Timeline ==== | ==== OCAP Implementation Timeline ==== |
| |
| The OASIS database was scheduled to begin supporting the new [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] criteria by 3/31/23. And the new OCAP process is required to be fully implemented by the Certifying Bodies (CBs) no later than 3/31/24. | The OASIS database "//should//" be updated to support the new [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] by July 24, 2023 (no promises). The new OCAP process is required to be fully implemented by the Certifying Bodies (CBs) no later than 3/31/24. |
| |
| <WRAP center round info 80%>Information concerning the timeline for OCAP implementation by the registrars (and the downloadable "Organization Certification Analysis Process (OCAP) Tool") is online at: [[https://oasishelp.iaqg.org/91042022-series-and-91012022-transition/]]</WRAP> | <WRAP center round info 80%>Information concerning the timeline for OCAP implementation by the registrars (and the downloadable "Organization Certification Analysis Process (OCAP) Tool") is online at: [[https://oasishelp.iaqg.org/91042022-series-and-91012022-transition/]]</WRAP> |
| ==== Providing OCAP Data ==== | ==== Providing OCAP Data ==== |
| |
| As per [[https://oasishelp.iaqg.org/wp-content/uploads/2022/12/2022-12-07-SR004-for-9104-Series-Transition-Rev-B-v2.pdf?1686587114917|IAQG COT Supplemental Rule 004]], sec. 5.3, the AS91xx Certified organization must "//Provide CBs with information required for the OCAP review at least 90 days prior to the 9104-1:2022 transition audit//". | As per [[https://oasishelp.iaqg.org/wp-content/uploads/2022/12/2022-12-07-SR004-for-9104-Series-Transition-Rev-B-v2.pdf?1686587114917|IAQG COT Supplemental Rule 004]], sec. 5.3, each AS91xx Certified organization must "//Provide CBs with information required for the OCAP review at least 90 days prior to the 9104-1:2022 transition audit//". |
| |
| You will receive a written request (e.g., a letter or questionnaire) from your CB when they're ready for your OCAP data. If your company fails to provide this information within the required 90-day period, then the audit cannot be performed, and the CB will (as per [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], sec. 8.2.2) follow its processes for cancellation, missed surveillance audit, or expired certification. | You will receive a written request (e.g., a letter or questionnaire) from your CB when they're ready for your OCAP data. If your company fails to provide this information within the required 90-day period, then the audit cannot be performed, and the CB will (as per [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], sec. 8.2.2) follow its processes for cancellation, missed surveillance audit, or expired certification. |
| NOTE: Failure to provide accurate and timely data may result in the issuance of a nonconformity by the CB and/or prevent certification.//</blockquote> | NOTE: Failure to provide accurate and timely data may result in the issuance of a nonconformity by the CB and/or prevent certification.//</blockquote> |
| |
| Such a nonconformity would cite a failure to comply with the requirements of an "//interested party//" (i.e., the CB) and reference AS9100, sec. 4.2, "Understanding the Needs and Expectations of Interested Parties". | Such a nonconformity would cite a failure to comply with the requirements of an "//interested party//" (i.e., the CB) and reference AS91xx, sec. 4.2, "Understanding the Needs and Expectations of Interested Parties". |
| |
| <WRAP center round info 80%> | <WRAP center round info 80%> |
| The data provided will be used by the CB for determining an overall "risk rating" (High, Medium, Low) for each certified company. The overall "risk rating" is calculated using AS9104/1A, Table 7 - "//Organizational Risk Determination//", shown below. | The data provided will be used by the CB for determining an overall "risk rating" (High, Medium, Low) for each certified company. The overall "risk rating" is calculated using AS9104/1A, Table 7 - "//Organizational Risk Determination//", shown below. |
| |
| Prior to providing such data, you should read this entire article in order to understand how it will be used. | Prior to providing such data, you should read this entire article (including the hyperlinked articles below each "Risk Factor" in Table 7, for a detailed discussion of each) in order to understand how it will be used. |
| |
| ^ AS9104/1A, Table 7 - Organizational Risk Determination ^^^^^^ | ^ AS9104/1A, Table 7 - Organizational Risk Determination ^^^^^^ |
| ^ Risk Factor ^ Data Source ^ LOW (1) ^ MED (3) ^ HIGH (6) ^ Risk Score ^ | ^ Risk Factor ^ Data Source ^ LOW (1) ^ MED (3) ^ HIGH (6) ^ Risk Score ^ |
| | [[articles:ocap-complexity|Complexity]] | Figure 2 | Low | Med | High | A | | | [[articles:ocap-complexity|Complexity]] | [[articles:ocap-complexity|Figure 2]] | Low | Med | High | A | |
| | [[articles:ocap-internal_audit|Internal Audit]] | Table 5 | Low | Med | High | B | | | [[articles:ocap-internal_audit|Internal Audit]] | [[articles:ocap-internal_audit|Table 5]] | Low | Med | High | B | |
| | [[articles:ocap-otd|On-Time Delivery]] | Organization | Exceeds | Meets | Below | C | | | [[articles:ocap-otd|On-Time Delivery]] | Organization | Exceeds | Meets | Below | C | |
| | [[articles:ocap-otd|Conformity of Delivered Product or Service (e.g., item escape rate)]] | Organization | Exceeds | Meets | Below | D | | | [[articles:ocap-otd|Conformity of Delivered Product or Service (e.g., item escape rate)]] | Organization | Exceeds | Meets | Below | D | |
| CBs will be calculating your company's "Risk Score" using the IAQG "OCAP Tool" (Excel), freely available from: https://iaqg.org/certification-management/ | CBs will be calculating your company's "Risk Score" using the IAQG "OCAP Tool" (Excel), freely available from: https://iaqg.org/certification-management/ |
| |
| Download the "Risk Tool" and complete it for your company as you read the requirements (below). | Download the "Risk Tool" and complete it for your company as you read the requirements. |
| </WRAP> | </WRAP> |
| |
| |
| |
| |
| |
| ==== Customer Complaints / Feedback ==== | |
| |
| In addition to the above KPIs, the OCAP requirement includes "Customer Complaints / Feedback" as requiring a "Quality Objective". | |
| |
| This data is typically highly subjective (e.g., customer "perceptions") and is much more difficult to analyze due to numerous factors. For example, some customer complaints and feedback (e.g., from "Customer-Satisfaction Surveys") are directly related to customer-imposed restrictions on the level of control the company has over its processes (e.g., customer-mandated suppliers and/or service providers, customer-specified material/parts, fixed/frozen or customer-approved processes). In other cases, after reasonable efforts have been made to understand the customer’s requirements, the customer continues to communicate incorrectly/poorly stated requirements – primarily due to the customer’s continued inability to adequately define and/or articulate their requirements. | |
| |
| Upon re-visiting AS9100, sec. 9.1.2, "Customer Satisfaction" we read: | |
| <blockquote>//Information to be monitored and used for the evaluation of customer satisfaction shall include, but is not limited to, product and service conformity, on-time delivery performance, __customer complaints, and corrective action requests__. The organization shall develop and implement plans for customer satisfaction improvement that address deficiencies identified by these evaluations, and assess the effectiveness of the results.//</blockquote> | |
| |
| Since customer complaints and corrective action requests are already required to be monitored, it makes more sense to establish "objectives" associated with this data rather than to initiate subjective "Customer-Satisfaction Surveys". | |
| |
| Examples of potential objectives include: | |
| ^ KPI ^ Objective ^ | |
| | Customer Complaints | ≤1% of Orders Fulfilled | | |
| | Customer Corrective Action Requests | ≤1% of Orders Fulfilled | | |
| |
| Based on the concerns described above, the company //should// have a process for analyzing "customer complaints" to determine their validity prior to being input to the KPI. | |
| |
| Also, since AS9100, clause 8.5.1,c,2 allows for sampling, it is recognized that there will be an acceptable number of defects delivered (through an assigned AQL or AOQL). Consequently, the company //should// have a process for analyzing all "//corrective action requests//" received from customers to determine whether the associated nonconformity was the result of an "Assignable Cause" variation (which can be addressed through a corrective action) or was the result of a “Common Cause” variation (with NO assignable cause) in the process. Where the nonconformity was due to a “Common Cause” variation in the process, the only way to address this is through changing the process (if possible) or introducing risk controls to mitigate the probability or impact of recurring nonconformities. | |
| |
| |
| ==== AQMS Process Effectiveness from Previous Audit Report ==== | |
| |
| AS9100 auditors are required (by [[https://www.sae.org/standards/content/as9101g/|SAE AS9101, "Quality Management Systems - Audit Requirements for Aviation, Space, and Defense Organizations"]]) to complete a "Process Effectiveness Assessment Report" (PEAR), Form 3, for __EACH__ "key" process identified by the customer. The PEARs include a matrix (shown below) where the auditor selects a number (1-5) as an indication of the effectiveness of the process based upon whether: | |
| * No nonconformities AND the "Quality Objective(s)" were met (scoring a "5") | |
| * One or more nonconformities were identified BUT the "Quality Objective(s)" were met (scoring ≤4) | |
| * No nonconformities were identified BUT one or more "Quality Objective(s)" were NOT met (scoring ≤4) | |
| * One or more nonconformities were identified AND one or more "Quality Objective(s)" were NOT met (scoring ≤3) | |
| |
| {{ :articles:as9101f_pear_table.png?direct&600 |}} | |
| |
| If the terminology in the PEAR is confusing (i.e., "Planned Activities" vs. "Planned Results"), this is explained in AS9101 (Rev. G) sections: | |
| |
| <blockquote>3.7 Planned Activities \\ | |
| The means, methods, and internal requirements by which the organization intends to achieve planned results of a given process to meet customer requirements. Planned activities include conformity to process requirements and maintained documented information. \\ \\ | |
| 3.8 Planned Results \\ | |
| The intended performance of a process as determined and measured by the organization. Planned results include product and service conformity and On-time Delivery (OTD) to meet customer requirements, and may include other elements related to the process, as defined by the organization.</blockquote> | |
| |
| As per AS9104/1A, "Table 7 - Organizational Risk Determination", the AS9100 auditor will use the PEAR with the lowest score to calculate the "Risk Factor". | |
| |
| __Strategy__ \\ | |
| The strategy to have a low "Risk Factor" in this category is to ensure that ALL "Quality Objectives" (associated with PEARs) are (1) realistic and (2) consistently met. In addition, you should focus your internal audits on those processes associated with PEARs to mitigate the possibility of any non-conformities arising from those areas. | |
| |
| ==== Other AS9104/1A Considerations ==== | ==== Other AS9104/1A Considerations ==== |
| |
| AS9104/1A, sec. 8.5.1.3.4 states: "//CBs shall require that organizations provide information regarding the use of additional aerospace standard(s) listed within the [[https://tst.iaqg.org/iaqg/publications/standardsregister.pdf|IAQG Standards Register]] during the initial Stage 1 audit and update, as needed, prior to surveillance or recertification audits (see Table 4)//". | AS9104/1A, sec. 8.5.1.3.4 states: |
| | <blockquote>"//CBs shall require that organizations provide information regarding the use of additional aerospace standard(s) listed within the [[https://tst.iaqg.org/iaqg/publications/standardsregister.pdf|IAQG Standards Register]] during the initial Stage 1 audit and update, as needed, prior to surveillance or recertification audits (see Table 4)//".</blockquote> |
| |
| The most commonly invoked supplemental AS91xx standards are AS9102 (Aerospace first article inspection requirement) & 9146 (Foreign object debris – FOD). If a standard is contractually imposed on the company (e.g., by a customer) then additional time //may// be added to each site where the related processes are performed. This new requirement is also intended to ensure that the CB assigns auditors who are competent in auditing compliance with those additional standards. | The most commonly invoked supplemental AS91xx standards are AS9102 (Aerospace first article inspection requirement) & 9146 (Foreign object debris – FOD). If a standard is contractually imposed on the company (e.g., by a customer) then additional time //may// be added to each site where the related processes are performed (ref. [[https://iaf.nu/en/iaf-documents-categories/|IAF MD5 "Determination of Audit Time for QMS-EMS-OHS Audits”]], sec. 8, "//Factors for Adjustments of Audit Time of Management Systems (QMS, EMS, and OH&SMS)//"). This new requirement is also intended to ensure that the CB assigns auditors who are competent in auditing compliance with those additional standards. |
| |
| {{page>wiki:pathforward}} | {{page>wiki:pathforward}} |
