AS9100D Flow Down of Requirements to External Providers
AS9100D requirement The Control of Externally Provided Processes, Products, and Services (previously known as purchasing in AS9100C) has proven to be one of the most misunderstood yet critical requirements of this new standard.
As a matter of fact, the industry finds the requirements found in this section to be so important, they require certification bodies to audit it annually (see AS9104/1 8.2.2.N). Within this requirement, one of the most oft cited areas of confusion and consternation centers around the flow down of requirements from the organization to their external providers (suppliers).
I have seen many 3rd party auditors write non-conformance’s simply because the company being audited does not flow down each and every requirement of 8.4.3 to their supply base… but is that right?
Maybe, but that really depends on the organization being audited, the product or service they are supplying, the impact on that product or service on their product or service, the potential impact on the customer and their history with the supply base to name just a few considerations.
AS9100D clause 4.3 does not require an organization to not apply all requirements of this standard provided that by not doing so, the organization’s ability to ensure the conformity of its products and services and the enhancement of customer satisfaction is not compromised.
Consequently, organizations can determine that certain portions of the clause 8.4.3 are not applicable to their organization and therefore, may not have to flow down all requirements of this section to their supply base. But how can they do that? How do they make that determination and how do they show their stakeholders why they didn’t flow down each and every requirement of 8.4.3?
AS9100D 8.4.3 states that “the organization shall communicate to external providers its requirements for” a litany of things. The operative words though are “it’s requirements”. At a minimum, the expectation would be for the organization being audited to explain their rationale for why they do not communicate certain requirements to their external providers. If they do not communicate one particular requirement to a certain type of supplier, e.g. calibration labs, why not.
Conversely, if they communicate a particular requirement to one supplier but not to another of the same type of product or service, why not? And when these determinations were made, was their risk process employed?
In other words, not communicating all of the requirements to the supply base may be appropriate but not explaining your rationale or applying risk to that decision process would be problematic. And of course, by not communicating a requirement will have an adverse effect on your product, service or customer satisfaction, you would be in violation of AS9100D.
So we leave it to our customer base to determine applicability of requirements and provide adequate justification when they deem a requirement as not applicable. The one place where I deviate from that direction though is here. My expectation of NQA auditors is that their customers must communicate their requirements to ensure that their external provider’s employees are aware of:
- Their contribution to product safety
- The importance of ethical behavior
I believe it is obvious and self-evident that controlling processes to prevent risk of harm to persons or damage to property and communicating your organizations expectations for ethical behavior to the supply base are of the utmost importance and are requirements that cannot or should not be brushed aside.
Remember, if the organization can apply the requirements within the QMS scope, they shall be applied. Non-applicable requirements cannot affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.