OASIS Next Gen G 2 and AQMS 2016

OASIS Next. Gen (G 2) and AQMS: 2016 for Auditors PRI Registrar August 17, 2017

Introduction • All AQMS: 2016 audits must be conducted in OASIS Next. Gen. – Starting June 15, 2017, all Aerospace audits must be conducted to the 2016 revision. • Special audits (including transfers, scope extensions, response to complaints, and NCR closures) for clients who have not yet upgraded to AQMS: 2016 may be performed to the previous standard revision. • This training will cover PRI Registrar’s process for audits in OASIS Next. Gen. – IAQG has provided training material on the functionality of the system via the Help section in OASIS. – Please review the IAQG training material, and contact Samantha Brock (sbrock@p-r-i. org) with any questions. 2

Introduction • The IAQG training, along with a large collection of guidance material is available via the Help icon in OASIS. – In many cases, OASIS will provide targeted help topics, depending on what page the user is on when they select the Help icon. 3

Introduction • If the targeted help topics don’t address the current need, selecting the “General Help” link leads to a page with the full selection of help topics. 4

Introduction • On the General Help page, please note that recordings of two webinars are available, including a demo of the Next. Gen functionality that may be particularly helpful. 5

Scheduling 6

Scheduling • All scheduling activities will be conducted in RMS, as previously. – Audit dates will still be set in RMS, and must be accepted by both auditors and clients. – Audit days and any notes will continue to be listed in RMS audits. 7

Scheduling • Multisites – RMS and OASIS treat multisites in fundamentally different ways. • RMS treats each site as its own audit, while OASIS treats all site visits as part of a single audit. – The individual site audits will continue to be scheduled and accepted separately in RMS, but all site visits and audit teams will be assigned as part of a single audit and audit team in OASIS. • The Master Lead Auditor will be assigned as the Lead Auditor for the overall multisite audit. 8

Pre-Audit 9

Pre-Audit • After scheduling, the audit will be conducted and documented exclusively in OASIS. • The auditor will collect all PRI Registrar audit documents from the Plan tab of the RMS audit. • The auditor(s) will only return to RMS to submit their expense report. 10

Pre-Audit • Approximately 45 -60 days prior to the scheduled start of an audit, the office is responsible for creating an audit entry in OASIS. • Once the audit has been created, all assigned auditors will receive an automated email from OASIS, informing them that the audit has been created. – Do not ignore emails from OASIS. 11

Example Email 12

Pre-Audit • PRI Registrar will use supporting Aerospace audit documents that most auditors will be familiar with (e. g. , the RF-12 Audit Plan, RF-114 Audit Planning Resource, RF-116 Cert Structure Determination, etc. ). – These PRI-specific documents will be downloaded from the Plan tab of the RMS audit. 13

Example 14

Pre-Audit • When you receive automated emails from OASIS, they will include the client name and the audit number. – In an effort to manage work internally, PRI Registrar is adopting an OASIS-specific audit numbering system. – The number will consist of the initials of the client manager handling the audit, followed by the RMS audit number. • Because an initial audit in OASIS includes both the Stage 1 and Stage 2 audits, the RMS audit number used will be from the Stage 2 audit. • Likewise, because OASIS includes all sites in a multisite as part of a single audit, the RMS audit number used will be taken from the central site audit. 15

Pre-Audit • The RF-12 (Audit Plan) will be provided as part of the document package. – The RF-12 S 1 will be provided for Stage 1 audits, and the RF 12 T will be provided for Transfer audits. The regular audit plan will be used for all other audits performed in OASIS. • PRI Registrar still expects the audit plan to be completed and sent to the client 30 days prior to the start of the audit. • Once the plan is complete, it is the auditor’s responsibility to upload a pdf of the form into the “Audit Plan and Audit Calc” section of the Audit Package tab. 16

Example Uploading Audit Plan 17

Pre-Audit • The audit plan can always be replaced if modifications need to be made. 18

Audit 19

Audit • During the audit, auditors should reference the RF-115 provided in the RMS Help tab for a description of which documents are required for a given type of audit. • For the IAQG forms, all data is to be entered directly into OASIS, in the appropriate form/section. – Please refer to IAQG’s training for additional detail. 20

Audit • It is the responsibility of the Lead Auditor to enter the client processes in OASIS, when that information is available. – List the processes that will appear on the QMS Matrix (and PEARs), per the RF 117 schedule. – This will need to be done at all upgrade audits (surveillance and recertification), and at all initial audits. Processes will be pulled forward for future audits. 21

Audit • During the audit, the auditor is still responsible for verifying the OASIS Administrator, and additionally, the OASIS Representative. – OASIS now makes verifying this information very easy with a dedicated button. 22

Audit • When completing the IAQG forms, the auditor(s) need to be sure that they have completed all fields (with “N/a” if no response is required). • OASIS will not prevent an incomplete form from being submitted. 23

Audit • When entering NCRs into OASIS, be sure to enter the Issue Date as the end date of the audit so that due dates calculate correctly. 24

Audit • Be aware that the Supplier Representative will need to go into OASIS and sign off on the NCRs before the client will be able to respond the NCRs. 25

Audit • For detailed instructions on NCR Management, all auditors are STRONGLY encouraged to read (in detail) the IAQG presentation on the topic. • The office will have limited ability to monitor NCR management, and so it becomes the auditor’s responsibility to drive the process. – NCR dashboards have been implemented in RMS (for both client manager and auditor use), but these simply track due dates; they will not provide real-time NCR status updates. – The office will only be notified by OASIS in the event that deadlines are missed. – Once those deadlines are missed, it will be time to suspend. 26

Audit **It will be the primary responsibility of the lead auditor to ensure none of the deadlines are missed. ** **If due dates are encroaching, and the client is unresponsive, the lead auditor should contact the client manager for help. ** 27

Audit • Until December 31, 2017 or June 15, 2018 (depending on whether a client is semi-annual or annual), verification of previous NCRs will be handled in the following way: – For NCRs that had been previously verified, the auditor shall obtain access to the previous audit in OASIS to review the NCRs for verification of effectiveness. – For NCRs that still require verification (i. e. , the NCRs were left in the “Accepted” status), the NCRs will be uploaded in the “Supporting Information” tab as Word documents. The lead auditor shall enter the (robust!) verification statement in each NCR, and upload them back into the Supporting Information thread. – As of June 2018, auditors will be able to enter the verification statements directly into the NCRs in the previous audit. 28

Audit • Within each NCR, there is a tab for “Discussions and Notes”. • Within this tab, the auditor may record any discussion with the client regarding NCR management. 29

Audit • For NCRs that require containment, OASIS does not offer functionality to allow submittal of partial responses in order to meet the requirements of containment. • In these cases, the client must post a message in the NCR Discussion tab to alert the auditor that containment / correction have been submitted. • The auditor shall review the containment / correction and indicate rejection or acceptance in the NCR Discussion tab. – Doing this will document the timing of acceptance in order to demonstrate conformance with containment deadlines. – If the containment cannot be accepted within the required timeframe, the lead auditor shall contact the client manager. 30

Audit • In the case of non-single sites, please note that there is no longer a requirement for separate QMS Matrices. – All applicable sites can be listed on a single QMS Matrix. – Multiple matrices may still be used, when appropriate. • OASIS will allow PEARs be shared across sites, as appropriate. – Multiple auditors will be able to access and contribute to any PEAR in the audit, at any time. **As a courtesy, team auditors should not alter existing data without the prior approval of the team lead. ** **When entering new information into a shared PEAR, the auditor shall preface the new text with their initials and date. ** – Before the lead auditor submits the audit package to CB Review, it is their responsibility to review the final PEAR for appropriate content. 31

Audit • Integrated Audits – AS 9101 F 4. 2. 3 states: • “Separate reports shall be issued for combined audits (i. e. , one for each audit performed for each standard). Where appropriate, processes common between the standards may be reported on the same PEAR (see Form 3) and QMS Process Matrix Report (see Form 2). ” – Unfortunately, OASIS does not possess the functionality to allow for multiple standards to be listed within an audit. Nor does it possess the functionality to link separate audits for shared documentation. – As a result, for all integrated audits, the auditor must complete full IAQG documentation for each standard. • PRI Registrar is not asking for duplications of our internal paperwork. Completed PRI-specific documentation is to be uploaded into the audit associated with the primary standard, and a note is to be created in the other audit’s Supporting Information tab to refer to the first audit. 32

Post-Audit 33

Post-Audit • The requirement to leave all NCRs and associated PEARs with the client has not changed. – If possible, all NCRs and associated PEARs must be uploaded into OASIS prior to the closing meeting. – If uploading these documents into OASIS is not possible (e. g. , no internet), then they must be documented on the RF-22 AS and PEAR forms (available in the RMS Help tab) and given to the client at the closing meeting. • If NCRs have already been entered into OASIS and submitted to the client, the NCR section of the RF-22 AS does not need to be completed. **Remember that audit documentation completed on-site must be done during non-audit time, which must be reflected on the audit plan. ** 34

Post-Audit • When all the required IAQG documentation has been completed, the auditor must be certain to mark each form as complete so as to change the form’s status to “Closed”. – The Form 5 Audit Report requires the Lead Auditor to sign off. • When all PRI Registrar-specific documentation is complete, it shall be uploaded into a Supporting Information thread. – All documents shall have clear file names. 35

Post-Audit • PRI Registrar maintains the expectation that audit documentation will be completed and uploaded (as necessary) within 5 business days, if possible. • When all documentation is complete, the lead auditor shall inform the assigned client manager. **OASIS does not alert the office until the package is submitted, which is not until after NCR disposition. ** **In order to keep the audit process moving, and so as not to run up against OASIS publish deadlines, the auditor shall keep the client manager updated on their progress through the audit process in OASIS. ** 36

Post-Audit • Should the client manager or expert reviewer request that the auditor modify any of the PRIspecific forms, the auditor shall clearly indicate the revision in the file name (either in the form of a date or a revision number). • When making any revisions, be sure not to use an old copy from your records. 37

Conclusion • If you have any questions about PRI’s expectations regarding the use of OASIS Next. Gen, please contact: • Samantha Brock (sbrock@p-r-i. org) or • Pete Kucan (pkucan@p-r-i. org) 38