The AS9100 Guide for Aerospace Quality Management

AS9100 is the quality management standard that the aviation, space, and defense industry requires across its supply chain. This guide covers what the standard requires, how it differs from ISO 9001, and what the certification process actually looks like.

What is AS9100

AS9100 is a Quality Management System (QMS) standard developed specifically for the aviation, space, and defense industries. It is maintained by the International Aerospace Quality Group (IAQG) and published through SAE International. The standard governs how an organization manages every process that affects end-product quality. This includes:

• Customer requirements
• Production workflows
• Supplier Management
• Nonconformance
• Continual improvement
• Managing risk proactively

It was created because aerospace is one of the few industries where the margin for error is effectively zero. The consequences of a quality failure in aerospace are grounded fleets, FAA investigations, and potentially lost lives. AS9100 exists to provide the aerospace and defense industry with a common, auditable framework for consistently managing quality.

What is AS9100 Rev D?

Rev D is the most current version of AS9100, published in September 2016. The standard has undergone four revisions since its original release in 1999, progressing from Rev A to Rev C as the industry’s quality expectations evolved. Rev D introduced several meaningful changes from Rev C, including risk-based thinking, supplier controls, and a dedicated product safety clause, to name a few.

Who does AS9100 Apply to?

Organization Type	Role in Aerospace
OEMs and Prime Contractors	Design and manufacture complete aircraft, spacecraft, or defense systems
Tier 1 Suppliers	Supply major assemblies and subsystems directly to primes
Machined Parts Manufacturers	Produce flight-critical and structural components to tight aerospace tolerances
Electronics and Avionics Suppliers	Manufacture PCBs, wiring harnesses, and safety-critical avionics hardware
Fabricators and Sheet Metal Shops	Produce structural airframe and interior components
Casting and Forging Houses	Supply raw-form metal parts used in engines, landing gear, and airframes
Special Process Providers	Perform Nadcap-controlled processes including heat treatment, plating, and NDT
Distributors	Stock and supply AS9120-governed aerospace-grade hardware and materials
MRO Organizations	Maintain, repair, and overhaul aircraft, engines, and components under AS9110

AS9100 vs. ISO 9001

ISO 9001 is the world’s most widely adopted quality management standard. It provides a foundation that manufacturers and distributors across almost every industry use to demonstrate that their quality management processes are documented, implemented, and consistently followed. AS9100 builds on that ISO 9001:2015 foundation but adds over 100 requirements specific to the aviation, space, and defense industries. You can achieve ISO 9001 compliance through AS9100 certification, but ISO 9001 compliance alone does not satisfy AS9100 requirements.

These additions are not minor. They address the critical safety consequences of failure, long product lifecycles, complex regulatory traceability requirements, and a global supply chain where a counterfeit or nonconforming part can pass through multiple tiers before anyone catches it. AS9100 also establishes its own governance structure through the IAQG, with every audit result recorded in the OASIS database, a level of supply chain visibility that ISO 9001 certification does not provide.

Aerospace Quality Management Requirements

These are the areas auditors look hardest at and where most implementation effort is concentrated.

• Product Safety: Organizations must maintain documented processes for identifying and managing product safety risks across the entire lifecycle. Auditors expect active, ongoing evidence that safety considerations are being applied at every stage of production.

• Counterfeit Parts Prevention: Suppliers must maintain traceability back to original manufacturers, use approved source lists, and have a documented quarantine and disposition process for any suspect material. The FAA estimates roughly 2% of parts installed on aircraft annually are counterfeit, making this one of the most scrutinized areas in any aerospace audit.

• Configuration Management: Organizations must ensure that what is being built matches the current approved engineering revision at all times. Changes must be reviewed, authorized, and fully traceable. Configuration disconnects between engineering drawings and the shop floor are among the most common audit findings.

• Production Process Verification (PPV): PPV verifies that the production process itself can consistently produce a conforming product, not just that the first part off the line passed inspection. While similar in concept to First Article Inspection (FAI), PPV focuses on the process’s capability rather than the part’s conformance.

• Human Factors: Root cause analysis for nonconformances must consider human factors such as fatigue, distraction, and communication errors. Identifying the symptom rather than the human or systemic cause is one of the most common corrective action failures auditors find.

• Ethical Behavior: Personnel at all levels must demonstrate ethical behavior as a formal requirement. Auditors expect evidence of training and awareness, not just a code of conduct on paper.

The 10-Clause Structure of AS9100

AS9100 is organized into 10 clauses, a structure introduced in Revision D to realign with the ISO 9001:2015’s framework. This structure is aligned with all other ISO standards, making it easier to integrate AS9100 with other certifications.

• Clauses 1-3: Three introductory clauses covering the scope of the standard, normative references, and key definitions. They establish the framework and terminology used throughout the standard but contain no auditable requirements.

• Clause 4 (Context of the Organization): Requires organizations to understand the internal and external factors that could affect product quality. This clause also requires identifying interested parties, such as customers and regulators, and defining their scope in the quality system.

• Clause 5 (Leadership): Requires top management to take direct accountability for the QMS, not just delegate it. AS9100 specifically adds requirements for leadership involvement in product safety and ethical behavior.

• Clause 6 (Planning): Requires organizations to identify risks and opportunities in their supply chain and manufacturing process. Clause 6 requires establishing measurable quality objectives and planning how changes to the quality management system will be controlled.

• Clause 7 (Support): Covers the resources required to run the quality system effectively. This includes educating competent personnel, ensuring calibrated equipment, providing adequate infrastructure, and maintaining controlled documentation.

• Clause 8 (Operation): The largest and most audit-intensive clause in the standard, covering the full production lifecycle. Clause 8 governs everything from how customer requirements are reviewed and accepted, through production planning, supplier management, and nonconforming material control. For most manufacturers, this is where most implementation effort is concentrated and where most audit failures occur.

• Clause 9 (Performance Evaluation): Requires organizations to monitor and measure quality management performance and objectives through internal audits, customer satisfaction data, and formal management reviews.

• Clause 10 (Improvement): Requires organizations to address nonconformances by identifying and fixing root causes rather than surface-level symptoms. Clause 10 also drives continual improvement of the quality management process, ensuring the same issues do not recur.

The AS9100 Certification Process

Becoming AS9100 certified is a structured process that requires an audit by an IAQG-accredited Certification Body (CB). A list of accredited CBs is available on the IAQG website (free registration required).

1. Obtain the standard and conduct a gap analysis. Purchase AS9100 Rev D from SAE International and assess where your current practices fall short of requirements.

2. Build or update your QMS documentation. AS9100 requires documented information at specific points. This includes a quality policy, procedures, work instructions, and records.

3. Train staff and implement processes. Documented procedures are not sufficient if the people executing them don’t understand them. Training records are auditable.

4. Run the QMS for 3 to 6 months to generate records. Certification bodies require evidence that your QMS has been operating, not just documented. You need internal audit records, management review minutes, corrective action records, and production quality records before a Stage 2 audit can proceed.

5. Conduct an internal audit. Clause 9.2 requires you to internally audit your QMS. The internal audit must cover all clauses and all applicable processes. Findings must be documented and addressed.

6. Conduct a management review. Clause 9.3 requires top management to review the QMS with specific inputs including audit results, quality objectives performance, customer feedback, and risks. This must be documented.

7. Stage 1 audit (document review, 1-2 days). The CB reviews your QMS documentation and determines whether you are ready for an on-site assessment. Stage 1 findings must be addressed before Stage 2 proceeds.

8. Stage 2 audit (on-site, evidence-based, 2-5 days). Auditors spend 2 to 5 days on-site verifying that your QMS is implemented and effective. They will interview personnel, review records, and observe processes. This is where certification is determined.

Once certified, your certificate is valid for three years. Annual surveillance audits are required to maintain it. At three years, a full recertification audit is conducted.

Timeline

For a supplier starting from scratch with no prior ISO 9001 certification, the realistic timeline to initial certification is 9 to 12 months. Organizations already holding ISO 9001 certification can often shorten that to 6 months or less, since the foundational QMS structure is already in place and the extra work focuses only on aerospace-specific requirements.

The records generation phase typically takes the most time. Many certification bodies require your quality management system to be operational for a minimum of 3 to 6 months before the Stage 2 audit can proceed. You cannot shortcut this by backdating records, as auditors and OASIS data can easily spot anomalies.

Cost

Cost varies significantly by organization size, scope complexity, and whether external consultants are used. For a small-to-mid-size manufacturer in the 50 to 200 employee range, total initial certification cost typically falls between $15,000 and $40,000. A 100-person company with a moderate scope should budget approximately $20,000 to $30,000 as a working estimate.

The main cost buckets are:

• Internal preparation: Cost of hourly staff wages to manage gap analysis, documentation, and training (often the largest and most underestimated cost).
• External consultant fees (if used): A highly variable cost, but $5,000 to $15,000 is a common range for targeted engagements.
• eQMS software: Depends on the platform but roughly ranges from $5,000 to $25,000 annually. Spreadsheet-based systems are permitted by the standard.
• Audit fees for initial certification: Covers the costs of an auditor’s time for 2 to 5 days of Stage 2, audits plus the shorter Stage 1.
• Ongoing surveillance audits: Takes 1 to 3 days per year for the three-year certification cycle.

Common AS9100 Audit Failures

Understanding where other manufacturers often have issues is useful for both prioritizing implementation and avoiding your own surprises on audit day.

Supplier controls (Clause 8.4.1) Consistently the top combined finding in IAQG OASIS data across all AS9100 standard series. The most common failure is an approved supplier list that exists only as a document, without an active evaluation and monitoring process.

• Auditors will ask: how do you select suppliers, what criteria do you use, how do you monitor ongoing performance, and can you show records of those activities?

Root cause analysis quality: Corrective action is one of the most audited processes in any quality system. The most common failure is identifying the symptom as the cause, rather than the systemic reason it happened.

• Auditors expect a documented root cause analysis method (5 Why, Fishbone, or equivalent), objective evidence that the analysis was performed, and a root cause that explains recurrence, not just a description of what went wrong.

Management review: Clause 9.3 specifies what inputs a management review must address. Many suppliers complete this exercise too late in the year to generate useful output, or conduct it in a way that is too superficial to produce evidence of genuine management engagement.

• Auditors will review meeting minutes and look for documented decisions and actions, not just attendance records.

Competence records: Clause 7.2 requires organizations to define competence requirements for roles that affect product quality, verify that personnel meet them, and retain records. The most common gap is in how competence is defined, and in job descriptions that list activities but not the knowledge, skills, or qualifications required to perform them.

• Auditors will look for defined competence criteria tied to specific roles, evidence that personnel have been evaluated against those criteria, and records that demonstrate the gap was closed, not just that training occurred.

Treating aerospace-specific clauses as documentation exercises: Product safety, counterfeit parts prevention, and configuration management are three areas where suppliers frequently produce a procedure for certification purposes but cannot demonstrate active implementation. A procedure that nobody uses is evidence of a gap, not compliance.

• Auditors observe processes, interview personnel, and review production records to verify that what is written is actually being done.

What Happens If You Receive Findings

Receiving findings during an AS9100 audit is not uncommon, especially for first certification audits. What matters is how they are addressed. Findings are classified as either minor or major.

• Minor nonconformances indicate an isolated gap or lapse in the QMS. They require a documented corrective action submitted to the certification body, typically within 90 days, with closure verified at the next surveillance audit.

• Major nonconformances indicate a systemic failure or a complete breakdown of a QMS requirement. These must be fully resolved and evidence of closure reviewed by the CB before your certificate can be issued.

If multiple major findings remain unresolved, your certification may be withheld entirely or issued with conditions requiring follow-up verification before the certificate becomes valid.

Related Aerospace Standards

AS9100 sits within a broader family of aerospace quality standards, each covering a specific part of the aviation, space, and defense supply chains. While none of these standards require a separate AS9100 certification, understanding them matters because your customers will likely require some of these standards directly.

• AS9102 (First Article Inspection (FAI)): Defines the requirements for a formal FAI process. It directly supports Clause 8.5.1.3 of AS9100 and is frequently called out in customer purchase orders and quality flow-downs.
• AS9110 (MRO and Maintenance Organizations): The equivalent of AS9100 for maintenance, repair, and overhaul operations.
• AS9120 (Distributors): Covers distribution and part suppliers that stock and supply aerospace-grade parts without manufacturing them. The structure parallels AS9100 but omits certain manufacturing-specific requirements while adding distributor-specific controls around traceability and counterfeit parts.
• AS9101 (Audit Requirements Standard): Governs how certification body audits across the AS9100 standard series are conducted. Manufacturers don’t implement AS9101 directly, but understanding it gives you a clearer picture of what auditors are required to evaluate, how findings must be classified, and what evidence they are obligated to collect during your Stage 1 and Stage 2 assessments.

Is AS9100 Rebranding to IA9100?

Yes, AS9100 is being revised and renamed as IA9100. The “IA” stands for International Aerospace, a rebranding intended to reflect the standard’s global scope and align it more explicitly with its international governance structure. The final publication of IA9100 is expected in late 2026, aligned with the ISO 9001:2026 revision cycle.

The transition window is expected to be 2 to 3 years from publication, placing the hard deadline to update existing AS9100 certifications at approximately 2028 to 2029. During the transition period, certification bodies will accept audits to either the current or the new standard. After the deadline, AS9100 Rev D certificates will expire, and only IA9100 certification will be recognized.

What Is Changing

The revision is being described by the IAQG as a modernizing update rather than a structural overhaul. The core clause framework is preserved. The changes that are confirmed or widely anticipated include:

• Expanded product safety requirements, applied more broadly across the standard.
• Information security and cybersecurity: a formal clause addressing data integrity and cyber risk, not previously included in AS9100.
• Stronger sub-tier supplier controls, requiring organizations to reach deeper into their supply chains.
• Ethics and quality culture requirements appear more frequently throughout the standard, not just in isolated clauses.
• Greater audit emphasis on statistical methods, including Measurement System Analysis (MSA), Statistical Process Control (SPC), and APQP, which are expected to become more audit-critical rather than optional.
• A new cadence model: IA9100 is expected to move toward smaller, more frequent updates rather than large multi-year revision cycles.

What to Do Now

There is no reason to overhaul your QMS immediately. Your AS9100 Rev D certification remains valid and auditable through the transition window. That said, two areas are worth proactive attention.

• Cybersecurity and information security should be on your radar now. If your organization has not assessed its data and system security posture against any framework, NIST SP 800-171, CMMC, or otherwise, the IA9100 requirement will require you to do so. Starting that assessment early is more manageable than retrofitting it under audit pressure.

• Sub-tier supplier controls are the other area worth addressing proactively. If your current supplier quality program focuses primarily on your direct Tier 1 suppliers with limited visibility into what your suppliers are buying from their suppliers, the IA9100 direction is clear. Begin extending your supplier quality processes down the supply chain immediately.

Frequently Asked Questions

Do I need AS9100 certification if my customer hasn’t asked for it?

Not legally. There is no regulatory mandate that requires AS9100 certification independent of customer requirements. However, most aerospace OEMs and prime contractors require it of their supply chain either explicitly in contracts or through supplier qualification processes.

If you are pursuing aerospace business at any meaningful scale, certification is effectively a market requirement rather than a choice. Some customers will accept suppliers actively working toward certification while they complete the process.

What is the OASIS database and why does it matter?

OASIS, the Online Aerospace Supplier Information System, is the IAQG’s global database of AS9100 certification data and audit results. Every AS9100 certification status, surveillance audit result, and nonconformance finding for every certified supplier worldwide is recorded there.

Major aerospace customers use OASIS to vet suppliers before awarding contracts and to monitor the performance of existing ones. A clean OASIS record is a business asset; recurring findings or a conditional status are a commercial liability.

How long does AS9100 certification take?

For a company starting from no prior ISO certification, plan for 9 to 12 months. The main constraint is the records generation phase. You need documented evidence that your QMS has been running for at least 3 to 6 months before the Stage 2 certification audit. If you already hold ISO 9001 certification, the timeline can shorten to 6 to 9 months, since the QMS infrastructure is already in place and the work focuses on the aerospace-specific gaps.

Is AS9100 certification the same as NADCAP accreditation?

No. These are separate programs that address different things. AS9100 certification covers your overall Quality Management System, how your organization manages quality across all processes. NADCAP (National Aerospace and Defense Contractors Accreditation Program) is a special process accreditation that covers specific high-risk manufacturing processes like heat treatment, non-destructive testing, welding, and chemical processing.

Many aerospace suppliers need both. AS9100 certification does not satisfy NADCAP requirements, and NADCAP accreditation does not substitute for AS9100 certification.

Can a small supplier realistically achieve AS9100 certification?

Yes. The standard applies to organizations of any size, and the majority of AS9100-certified companies are small and mid-size suppliers. The certification is scalable. A 20-person machine shop and a 500-person integrated manufacturer are both auditable to the same standard, with the scope and complexity of the audit adjusted accordingly.

The most common challenge for smaller suppliers is not the complexity of the requirements but the internal bandwidth to build and maintain the QMS alongside production work. Phased implementation, starting with the highest-audit-risk clauses, is an effective approach. Use eQMS software to consolidate the work of managing AS9100 for lean operations.