5 common mistakes software organizations make implementing AS9100 requirements

Mikhail Sudbin

Mikhail Sudbin
Chief Technology Officer at Advalange

Certification against AS9100, an extension of ISO9000 in the aerospace domain, became a de facto standard for organizations in the area. I would like to share my opinion in this blog post on common mistakes that organizations make implementing AS9100 for this first time. The list is not exhaustive but these topics should definitely be in question while evaluating a transition to AS9100/9115.

1. Quality is inside, not outside

“Quality is everyone’s responsibility.” W. Edwards Deming.

How often did you hear something like: “Do not bother our developers. They are struggling to provide the product. Let us arrange a quality management department and it will handle quality…” I heard it way more than once. In my opinion it is one of the most critical mistakes.

You cannot just make a new entity in an organization structure and hope that everything will go smoothly. In the best case you will end up with a quality management system that aims to achieve the certificate from CB. In the worst case you will get a department with people who do not know what they are doing their job for. Also you will notice the degradation in the internal climate and opposition between development and quality. If you really want your QMS to be an essential part of the business process, think about changing the mentality and culture of your organization first.

If you feel that your company is not mature enough to implement a quality-oriented mind set, do not hurry. Put building an AS9100 environment as a strategic goal and approach it wisely. We will talk a little bit more about it in point 3.

2. Be sure to understand words correctly

It is all about terminology. ISO9000 and AS9100/9115 have their own glossary. Sometimes you may discover that words do not mean what you think they do. Consider quality assurance. Lots of people in the software development domain put an equals sign between a set of different testing practices and quality assurance. ISO9000 understands this term more widely: all the planned and systematic activities implemented within the quality system that can be demonstrated to provide confidence that a product or service will fulfill requirements for quality. For example, getting the confidence that a project has a valid risk plan or that key customer requirements are captured correctly are parts of quality assurance.

You need to understand terms like “process”, “quality goal”, “critical item”, and “management commitment” and so on clearly before you can make reasonable decisions. Moreover, you need to tailor these terms to practices in the context of your organization. I experienced instances when the semantically same thing was done twice just because the standard calls it differently than it is used to be called inside the organization. What is worse, sometimes the incorrect practice that hurts the product is implemented just due to misinterpretation.

3. Start AS9100 with management commitment and quality goals

Once again, a quotation from W. Edwards Deming:

“What should be the aim of management? What is their job? Quality is the responsibility of the top people. Its origin is in the boardroom. They are the ones who decide.”

It is not a rare occasion when a person is appointed to be the quality management department lead. Then this person is deemed to be solely in charge of quality planning, establishing quality goals, corrective actions and so on. All other managers have more important things to do.

It does not work this way. Quality management aspects should be a valuable part of the management decision-making environment. Furthermore, there is an intention to reword “quality management system” into “business management system” in the ongoing revisions of the standard to make it clearer.

You need to tie your quality management to your business strategy. Define business goals first. Then adjust your organization and process structure accordingly. After this, refine business goals into process goals or as AS9100 says, process quality objectives. Do not forget that everything is changing. Do not be shy evaluating your results and questioning your goals. Get to the appropriate level, even to business strategy if needed, and adjust the whole tree accordingly. This cycle is the core of the standard.

4. Quality management structure should match the organization’s needs in the first place

Once I heard a beautiful phrase from a CB auditor:

“I feel that something is wrong when I open the quality manual and see that its structure is 100% the same as the AS9100 table of contents.”

Often things go the following way: The organization takes AS9100 as a basis and rewrite existing procedure documents to match what is written in the standard. Then it conducts gap analysis and adds missed procedures. Then the organization tries to implement this new procedure set into its existing context. Sadly, some ISO\AS consultants go the same way. Maybe this way is easier for a consultant or an auditor but it definitely hurts development. Do not be surprised to face a huge resistance implementing AS9100 this way.

More difficult way but more promising in the long term is to tailor the standard to what your organization does, not vice versa. Choose the process structure that fits your organization best. Focus on the spirit of the law, not the letter. Do not be scared bringing exclusions to your quality management but do not forget that you may miss something really important. In my opinion organizations should use in its everyday life a procedure structure convenient to the core of its business, and the quality manual should be more of tracing-to-AS9100 document. In most cases compliance to the standard is a matter of correct interpretation of the rules, not blind adherence to words.

5. Be neither too rigorous nor too common

Sometimes the quality management system is too granular, and sometimes it is too common. I have experienced the negative effect of both sides. In one organization they tried to treat each sub-stage of the development life cycle as a separate process. Such an approach introduced a lot of overhead because they had to establish quality goals and track effectiveness of each particular small brick in their work. Moreover, the goals and metrics were specific in each case and they had a huge problem tailoring them to their business needs in a unified way. In another organization they had several business units but tried to gather them under a single engineering process umbrella. Different units had their own traits. The synthetic metrics they tried to use were not relevant enough. Obviously they failed.

Similar to point 4, the recipe is quite straightforward. You should tailor the level of rigor of your processes to your business goals and relevant organization structure. Be ready to miss the bull’s-eye the first time. Focus on the aspects that are of higher priority. Repeat the cycle and get feedback from real life. Leave the structure parts that are useful and reconsider the ones that produce paperwork that nobody reads. Evaluate your decision-making process at the top level. If you need some special, unique report every time you make a decision, it means that your quality management structure is doing the wrong thing.


These five points may seem obvious when you are reading this post. But surprisingly, many organizations that I encountered makes one or more of these mistakes. In the worst case it leads to the following: there is the organization’s operations and there is its quality management system. And they are separate from each other.

If you can reasonably say “No. My organization has not made this mistake” for each of these five points, you are very lucky to be a part of such a company.