Something went down at IAQG and/or ANAB, because a recent spate of nonconformities issued to AS9100 users shows that certification body auditors are hammering hard on the clauses related to purchase order (PO) flowdowns.
In only the past two months, Oxebridge clients have reported at least seven minor nonconformities — and one major (which is being disputed, so keep reading) — on sub-clauses related to either 8.2 or 8.4. Specifically, it appears that auditors have been instructed to focus on how the company reviews incoming customer POs (under clause 8.2) and how they then flow down those customer requirements via outgoing POs (under clause 8.4).
Some of these findings have been bogus, while others are totally valid. Let’s knock the bogus ones out first, though.
At least half of the findings issued to Oxebridge clients wrongly asserted that the company was obligated to flow down all the bullet list requirements from AS9100D clause 8.4.3 (a) through (m) on their outgoing purchase orders. This is untrue. A while back I filed a request for clarification on this point with IAQG and they have, in fact, updated their official clarifications document to assure that only the applicable bullets (a) through (m) are to be flowed down. The problem was caused by, natch, the ISO 9001 drafting team who left out the term “as applicable” in the latest edition, which acts as the backbone for the AS9100 text. But the official IAQG ruling is that bullets (a) through (m) are all “as applicable.” You would not, for example, flow down training requirements for staff if you are ordering parts from Grainger or Amazon.
So Oxebridge has been successful in getting a number of these minor NCRs thrown out because the auditors were improperly interpreting the standard. This included the major NCR I mentioned earlier, which was artificially elevated due to this kind of improper interpretation by the auditor.
But many of the findings are also valid. The scenario goes like this: your company receives a customer PO, and does a poor job of reviewing the requirements and fine-print “T’s and C’s” (terms and conditions). Buried in there is a requirement to flow some of those requirements down to your suppliers. Having failed to review the incoming PO properly, your outgoing POs are then insufficient, too. The auditor need only compare the incoming customer PO vs. your outgoing supplier PO to catch this.
Again, some auditors are wrongly asserting that you have to flow down all customer requirements to all suppliers, which is crazy. You are allowed to apply some logic here. You’re not going to flow down the “conflict-free minerals” requirement if you’re buying paint from Sherwin-Williams, and you won’t flow down compliance to the Dodd-Frank Act to your calibration lab.
Where the auditors are right, however, is when you neglect to flow down the requirements that do matter. This may mean flowing down ITAR compliance, for example, to the plating house receiving your customer’s drawings.
Because CB auditors are suddenly raging on this issue, be sure you have implemented the following in some manner:
- Ensure your incoming PO review does a thorough assessment of the customer’s PO requirements, including those listed on the individual line items, but then also the fine print “T’s and C’s.” For the next few weeks or months, consider going over each incoming PO with a yellow highlighter and marking each requirement that pertains to your work.
- If the customer PO references a T’s and C’s document on their website or portal, go verify that, too. It doesn’t matter if it’s 1,000 pages long, read it and break down which requirements apply to you and which do not. Again, get out the highlighter. Failure to do so could get you sued or make you liable for liquidated damages.
- For your aerospace prime customers (Boeing, Lockheed, etc.) consider developing a flowdown matrix that breaks out which requirements must be flowed down to suppliers. Then, break this down further, defining which type of supplier (plating house, raw materials provider, fasteners, etc.) would receive which customer flowdown on their PO.
- Start including this language on your outgoing POs to suppliers. If your POs are generated out of software that makes adding text to POs difficult, figure a way to add a file attachment. Your CB auditor is not going to care if your software sucks (I’m looking at you, Peachtree) so you can’t claim it’s impossible to flow down requirements purely because you can’t add lines on your PO.
- Consider making your own comprehensive list of standard T’s and C’s (and “quality clauses”) which you then flow down on each PO, either through boilerplate language, or by adding a link to a page on your company website that lists “supplier quality requirements.” For the latter, make sure the link won’t change when you update those requirements, so don’t put the revision number in the link URL.
This will be a headache at first, but will quickly become routine after you have this well implemented for your repeat customers and repeat suppliers. But it’s critically important, since the POs are legal documents that dictate the requirements for the various parties. If you fail to deliver on a customer’s PO requirement, they can reject your product or, worse, sue you. If your supplier fails to deliver what you want, you can’t reject or sue if your PO didn’t have the proper language on it.
I’m not sure why CBs suddenly woke up to auditing this clause after how many decades, but they are awake, and you need to be ready.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.