What evidence do auditors typically look for under AS9100 Rev D?

Auditors under AS9100 Rev D are looking for objective evidence that your quality management system (QMS) is defined, implemented as documented, under control, and effective. The specific evidence will vary by organization and audit scope, but it typically clusters around the following areas.

1. Context, scope, and leadership

• Documented scope of the QMS and applicability of clauses.
• Quality policy and measurable quality objectives that align with customer and regulatory requirements.
• Evidence of management commitment, such as management review records, agendas, minutes, and resulting actions.
• Documented organizational roles, responsibilities, and authorities.

2. Documented information and configuration control

• Document control procedures that address creation, review, approval, distribution, revision, and obsolescence.
• Controlled procedures, work instructions, specifications, and quality plans that are current and available at the point of use (paper or digital).
• Evidence of configuration management for product definition data, including engineering changes, ECNs/ECOs, and configuration baselines.
• Change control records that show impact assessment, approvals, and implementation tracking across affected functions and systems (ERP, MES, PLM, QMS).

3. Risk-based thinking and operational risk management

• Evidence of risk assessment and mitigation for products and processes, including documented methods and risk registers where applicable.
• Integration of risk into planning, such as special process controls, additional inspections, or supplier controls driven by risk.
• Records showing periodic review of risks, changes in risk ratings, and actions taken.
• Evidence that risk considerations are used in decisions about changes, nonconformities, and improvement priorities.

4. Contract review and requirements management

• Contract, PO, and customer requirement review records, including technical, quality, and delivery requirements.
• Evidence that flowed-down customer and regulatory requirements are captured, analyzed, and translated into internal documentation and work instructions.
• Change management records for contract changes, including communication with customers and internal updates.
• Evidence of handling of ambiguous, conflicting, or missing requirements and corresponding customer clarifications.

5. Design and development (when in scope)

• Design and development planning, including responsibilities, stages, and reviews.
• Design inputs, design outputs, and their traceability to requirements.
• Design review, verification, and validation records, including test plans, reports, and approvals.
• Configuration management of design data across tools (e.g., CAD, PLM, ERP, MES) and evidence of change control.
• Evidence that design changes are evaluated for impact on production, inspection, suppliers, and fielded product.

6. Purchasing and supplier control

• Approved supplier list and criteria for selection, evaluation, and re-evaluation.
• Supplier performance data (OTD, quality, escapes) and actions taken when performance degrades.
• Purchase orders showing proper flowdown of technical, quality, and regulatory requirements, including special process approvals where applicable.
• Evidence of control for outsourced processes, including agreements, certifications, and surveillance where needed.
• Receiving inspection and verification records, including handling of discrepancies and supplier nonconformances.

7. Production, inspection, and process control

• Documented process controls, routers/travelers, and work instructions that match what operators actually do.
• Evidence that the latest revisions of drawings, specifications, and instructions are in use at each workstation.
• Process capability, setup verification, and first-piece/first-article inspection records (including AS9102 where applicable).
• Records demonstrating control of special processes, including qualification, periodic verification, and operator certification.
• Inspection and test records showing that defined characteristics, sampling plans, and acceptance criteria were applied.
• Evidence of control over rework, repair, concessions/deviations, and associated approvals.

8. Identification, traceability, and preservation

• Evidence of lot/serial number tracking and linkage to materials, processes, inspections, and test results.
• Marking and labeling practices that align with specifications and customer requirements.
• Records supporting material certifications, CoCs/CoAs, and their linkage to specific parts or lots.
• Evidence of control of customer property, calibrated tooling, and key inspection assets.
• Procedures and records for handling, storage, packaging, preservation, and delivery to prevent damage and degradation.

9. Nonconformance, corrective action, and problem solving

• Nonconformance reports (NCRs) covering detection, segregation, disposition, and communication.
• Material review board (MRB) records, including risk assessment and customer/regulatory approvals when required.
• Corrective action and preventive action (CAPA) records demonstrating root cause analysis, containment, corrective actions, verification of effectiveness, and closure.
• Evidence that recurring issues are identified, escalated, and addressed at the system level, not just at the incident level.
• Trend data and analysis used to prioritize corrective actions and improvement projects.

10. Internal audits and management review

• Internal audit program, schedule, and risk-based rationale for audit frequency and scope.
• Internal audit reports, objective evidence collected, and documented nonconformities or observations.
• Corrective actions resulting from internal audits and evidence that they were implemented and verified.
• Management review inputs and outputs, including performance data, risks, opportunities, and decisions or actions.

11. Competence, awareness, and training

• Defined competence requirements for key roles, including operators, inspectors, special process personnel, and auditors.
• Training records, qualifications, and certifications (e.g., special processes, NDT, inspection qualifications).
• Evidence that personnel are aware of the quality policy, their contribution to product conformity and safety, and the implications of nonconformance.
• Evidence that training effectiveness is evaluated, not just that training events occurred.

12. Data use, performance monitoring, and continual improvement

• Defined KPIs and performance measures for quality, delivery, and process performance.
• Monitoring and analysis records, including trends, dashboards, or reports used in routine reviews.
• Evidence that data is used to prioritize improvement actions, resource allocation, and risk mitigation.
• Records of improvement projects, kaizen events, or process changes and how their effectiveness was assessed.

Brownfield and systems reality

In most aerospace environments, evidence is scattered across legacy ERP, MES, PLM, QMS tools, local databases, spreadsheets, and paper travelers. Auditors are less concerned about which system you use and more about whether:

• The records are complete, accurate, and consistent across systems.
• You can retrieve the right evidence quickly, with clear traceability.
• Changes are controlled and synchronized so that operators do not work to obsolete data.
• There is a clear audit trail showing who did what, when, and under what revision.

Full rip-and-replace of core systems solely for audit readiness is rarely practical in regulated, long-lifecycle aerospace operations due to validation burdens, downtime risk, and integration complexity. Incremental improvements to evidence capture, data integrity, and traceability within the existing stack are more common and generally lower risk.

Key constraint: evidence depends on your actual processes

The exact evidence auditors expect will depend on:

• Whether design is in scope or excluded.
• Your product mix, special processes, and regulatory environment.
• The maturity and integration level of your current systems and records.
• Customer-specific requirements and additional flowdowns.

For planning, assume auditors will sample across processes and expect to see records that connect requirements, risk, execution, inspection, nonconformance handling, and management actions in a coherent, traceable way.