Home Resources Blog June 2018

AS9100D Flow Down of Requirements to External Providers

18 June 2018
Many auditors write non-conformance’s simply because the company being audited does not flow down each and every requirement of 8.4.3 to their supply base… but is that right?

AS9100D requirement The Control of Externally Provided Processes, Products, and Services (previously known as purchasing in AS9100C) has proven to be one of the most misunderstood yet critical requirements of this new standard.

As a matter of fact, the industry finds the requirements found in this section to be so important, they require certification bodies to audit it annually (see AS9104/1 8.2.2.N). Within this requirement, one of the most oft-cited areas of confusion and consternation centers around the flow down of requirements from the organization to their external providers (suppliers). Particularly, many organizations struggle to determine what requirements must flow down to their external suppliers and whether all the terms listed in AS9100D are applicable for every project.

What Is The Flow Down Of Requirements?

A flow-down clause is an agreement between an organization and a general contractor stipulated in their contract. According to the clause's terms, any subcontractors the contractor hires must comply with the demands, responsibilities and liability outlined in the general contract — even though the subcontractors never signed this contract themselves. This approach systematically ensures that all the organization's specifications are met throughout the entire design, manufacturing and installation processes.

Provisions like these are vital in the aerospace industry, where each component must be made to incredibly precise specifications to ensure absolute safety. The previous AS9100 revision — AS9100C — outlined many of these flow-down requirements for the next tier of contractors, while AS9100D expanded the terms to include not just the next tier but also the entire supply chain. These revisions also help prevent the use of counterfeit parts and ensure each provider understands their role in the final product's safety and functionality.

As part of the flow-down provisions outlined in AS9100D clause 8.4.3, an organization must communicate all of its requirements in areas such as:

  • Product and service specifications
  • Service and product releases
  • Any required qualifications of individuals
  • Monitoring of the providers' performance
  • Design and development control
  • Required tests or inspections
  • Techniques for product acceptance
  • Interactions between the organization and external provider
  • The need for quality management systems, documented information and other requirements

Overall, the goal of flow-down requirements — and the AS9100D's revisions in general — is to expand the responsibility of risk management to each person in the production process.

Questioning The Applicability Of AS9100D Clause 8.4.3

I have seen many 3rd party auditors write non-conformance’s simply because the company being audited does not flow down each and every requirement of 8.4.3 to their supply base… but is that right?

Maybe, but that really depends on the organization being audited, the product or service they are supplying, the impact on that product or service on their product or service, the potential impact on the customer and their history with the supply base to name just a few considerations.

AS9100D clause 4.3 does not require an organization to not apply all requirements of this standard provided that by not doing so, the organization’s ability to ensure the conformity of its products and services and the enhancement of customer satisfaction is not compromised.

Consequently, organizations can determine that certain portions of the clause 8.4.3 are not applicable to their organization and therefore, may not have to flow down all requirements of this section to their supply base. But how can they do that? How do they make that determination and how do they show their stakeholders why they didn’t flow down each and every requirement of 8.4.3?

Determining Necessary Requirements

AS9100D 8.4.3 states that “the organization shall communicate to external providers its requirements for” a litany of things. The operative words though are “it’s requirements." Using this wording, we can infer that the provisions apply only if they're necessary to ensure an end product is safe to use and won't harm individuals or damage the surrounding environment. So if one of the provisions listed in 8.4.3 — say, for example, monitoring a provider's performance — does not at all impact the usability or safety of the part or final product, you may not have to include this requirement in your contract.

However, you must be prepared to explain your reasoning behind omitting any part of this clause. If you're audited and have not relayed the rationale behind your choices — or the omission is found to risk a product's or service's safety — you'll be found noncompliant.

The Importance Of Rationale

At a minimum, the expectation would be for the organization being audited to explain their rationale for why they do not communicate certain requirements to their external providers. If they do not communicate one particular requirement to a certain type of supplier, e.g. calibration labs, why not.

Conversely, if they communicate a particular requirement to one supplier but not to another of the same type of product or service, why not? And when these determinations were made, was their risk process employed?

In other words, not communicating all of the requirements to the supply base may be appropriate but not explaining your rationale or applying risk to that decision process would be problematic. And of course, by not communicating a requirement will have an adverse effect on your product, service or customer satisfaction, you would be in violation of AS9100D.

Requirements Needed For Product Safety

So we leave it to our customer base to determine the applicability of requirements and provide adequate justification when they deem a requirement as not applicable. The one place where I deviate from that direction though is here. My expectation of NQA auditors is that their customers must communicate their requirements to ensure that their external provider’s employees are aware of:

  • Their contribution to product safety
  • The importance of ethical behavior

I believe it is obvious and self-evident that controlling processes to prevent risk of harm to persons or damage to property and communicating your organization's expectations for ethical behavior to the supply base are of the utmost importance and are requirements that cannot or should not be brushed aside.

Remember, if the organization can apply the requirements within the QMS scope, they shall be applied. Non-applicable requirements cannot affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.

Contact NQA

As an aerospace organization or an external supplier, you might have many questions about the various stipulations of AS9100D. You'll find the answers and support you need with NQA. Our team has provided certification and ongoing training to thousands of clients around the world, so we have the expertise necessary to help you overcome your particular business challenges. With these services, you can increase your business' quality, efficiency and compliance with various regulatory bodies.

Want to learn more about our aerospace management solutions? Contact us online or at (800) 649-5289 to get started.

Reviewed by: Michael Venner, NQA Aerospace and Automotive Director 12/18/2020