Are FMEA or similar tools required by AS9100 for risk management?

AS9100 does require risk management, but it does not require FMEA, FMECA, or any specific tool. FMEA is one recognized method for identifying and mitigating risk, yet the standard is written to be tool-agnostic.

What AS9100 actually requires for risk management

AS9100 (e.g., Rev. D, clause 6.1 and related clauses) expects you to:

• Plan actions to address risks and opportunities related to product quality and conformity.
• Define and apply a risk management process that is appropriate to your products and operations.
• Establish criteria for risk acceptance, prioritization, and treatment.
• Integrate risk thinking into planning, design and development, production, and change control.
• Maintain documented information (evidence) showing how risks are identified, evaluated, mitigated, and reviewed.

The standard does not name FMEA as a requirement. Certification bodies will not normally insist on FMEA specifically, provided your risk management approach is robust and traceable.

Using FMEA and similar tools in an AS9100 context

While not mandated, FMEA (or FMECA, hazard analysis, risk registers, etc.) is often used because it provides:

• Structured identification of failure modes, causes, and effects at product or process level.
• A way to prioritize issues using severity/occurrence/detection or similar scoring.
• Clear linkage to controls, inspection plans, work instructions, and process changes.

In regulated aerospace environments, FMEA or similar methods can also help tie together design inputs, process controls, inspection characteristics (e.g., for AS9102/FAI), and NCR/CAPA data. That said, an FMEA that is created once for audit and never maintained will not satisfy AS9100 expectations on risk being an ongoing discipline.

What auditors typically look for

Auditors generally focus on the effectiveness and consistency of your risk approach, not the brand name of the method:

• Can you show how high-risk items are identified and prioritized?
• Are risks linked to actions (controls, additional inspection, process changes, training, supplier controls)?
• Is risk information kept current when there are engineering changes, process changes, supplier changes, or new NCR trends?
• Is there traceability between risk assessments and downstream artifacts such as routers, work instructions, control plans, and inspection records?
• Is risk management integrated into design reviews, MRB decisions, and CAPA, or is it a stand-alone form?

If you can demonstrate these elements using another structured method (risk matrix, hazard analysis, bow-tie diagrams, etc.), that is typically acceptable.

Brownfield and systems reality

In most aerospace plants, risk management data ends up scattered across legacy QMS, spreadsheets, PLM, and MES/ERP. Introducing a new FMEA tool or module can be useful, but it also introduces:

• Integration risk: keeping FMEA in sync with current BOMs, routings, and work instructions.
• Change control burden: ensuring that engineering changes, supplier changes, and process changes trigger FMEA reviews.
• Validation and qualification cost: if the tool feeds controlled documentation or is used as a quality record, it may require validation and documented change control.

Trying to replace all existing risk-related artifacts with a single new tool often fails in long-lifecycle, regulated environments because of downtime constraints, integration complexity, and the need to preserve historical evidence. A more realistic approach is usually to:

• Define a minimum, standard risk method (which may be FMEA-based) for new or changed products and processes.
• Phase it in where the risk and payback are highest, instead of retrofitting every legacy part family at once.
• Ensure that whatever tool you use feeds or aligns with your existing MES/ERP/QMS artifacts without breaking traceability.

Practical takeaway

You do not have to use FMEA to comply with AS9100, but you do need a disciplined, documented, and maintained approach to risk management. Choose tools that fit your process maturity and system landscape, and focus on traceability, integration with planning and change control, and evidence that risks drive concrete actions.