What is APQP and why is it important?

Advanced Product Quality Planning (APQP) is a structured framework used in manufacturing to ensure products meet customer requirements. It defines five phases from planning through production validation, with key outputs including Process Flow Diagrams, PFMEAs, Control Plans, and Inspection Plans. QualityEngineer.ai automates APQP document creation with AI, generating interconnected documents where each feeds context into the next.

What are the 18 elements of a PPAP submission?

The 18 PPAP elements are: 1) Design Records, 2) Engineering Change Documents, 3) Customer Engineering Approval, 4) Design FMEA, 5) Process Flow Diagram, 6) Process FMEA, 7) Control Plan, 8) Measurement System Analysis, 9) Dimensional Results, 10) Material/Performance Test Results, 11) Initial Process Studies, 12) Qualified Laboratory Documentation, 13) Appearance Approval Report, 14) Sample Production Parts, 15) Master Sample, 16) Checking Aids, 17) Customer-Specific Requirements, and 18) Part Submission Warrant. QualityEngineer.ai tracks all 18 elements with AI-powered gap analysis.

What is a Control Plan in manufacturing?

A Control Plan is a living document that describes the methods and controls needed to ensure product quality at each step of the manufacturing process. It specifies what characteristics to measure, how to measure them, sample sizes, frequencies, and reaction plans when measurements fall out of specification. Control Plans are a required output of the APQP process and a key element of PPAP submissions.

What is PFMEA and how does it relate to Control Plans?

Process Failure Mode and Effects Analysis (PFMEA) identifies potential failure modes in a manufacturing process, their causes, and their effects. Each failure mode is scored for severity, occurrence, and detection to calculate a Risk Priority Number (RPN). The PFMEA directly feeds the Control Plan: high-risk failure modes identified in the PFMEA require corresponding controls, inspection methods, and reaction plans in the Control Plan.

What quality standards does QualityEngineer.ai support?

QualityEngineer.ai supports major manufacturing quality standards including IATF 16949 (automotive), ISO 9001 (general quality management), AS9100 (aerospace), ISO 13485 (medical devices), and VDA 6.3 process audits. The platform covers automotive PPAP, FMEA, APQP, MSA, and SPC workflows, and is designed to help quality engineers meet audit requirements across these frameworks.

AS9100 Internal Audit Checklist: What Aerospace Quality Teams Need to Cover

The internal audit binder lands on your desk on a Tuesday morning. Surveillance is in eight weeks, the previous lead auditor moved to a different program, and the most recent internal audit report from your largest aerospace customer flagged three minor nonconformances against Clause 8.1.1 that were never fully closed. The standard sitting on the shelf is AS9100D. The question is not whether you have an audit program. The question is whether the audit program is going to find the things the certification body is going to find.

Aerospace quality auditing is different from automotive in ways that matter. The standard expects more configuration management discipline, more counterfeit parts awareness, more first article rigor, more product safety analysis, and a much shorter tolerance for findings that touch product safety or airworthiness. An IATF 16949 audit program will not catch every AS9100 gap, even though the underlying ISO 9001:2015 base is the same.

This guide covers the AS9100D internal audit clauses, the aerospace adders that catch suppliers off guard, the common findings that show up in surveillance reports year after year, and how to run an audit that actually prepares your team for a Stage 2 visit.

What AS9100D Requires for Internal Audits

AS9100D was published in 2016 and remains the current revision at the time of writing. Confirm the revision before every audit cycle, since the IAQG has signaled work on a future update.

Internal audits live in Clause 9.2. The base ISO 9001:2015 requirement is that you plan, establish, implement, and maintain an audit program that defines criteria, scope, frequency, and methods. Auditors must be objective and impartial, which means they cannot audit their own work. Results are reported to relevant management. Corrections and corrective actions are taken without undue delay. Documented information is retained as evidence.

AS9100 layers aerospace adders on top:

The audit program must address all requirements of AS9100D, applicable customer requirements (Boeing D6, Airbus AQRP, Lockheed and Northrop and Raytheon supplier manuals, Embraer, Bombardier, and others), statutory and regulatory requirements (FAA, EASA, and others as applicable), and your own QMS documentation.
The audit program must address QMS effectiveness, manufacturing processes, and product. This is the same three-tier expectation found in IATF 16949, but in aerospace the product audit emphasis is on first articles, configuration baselines, and conformance evidence per AS9102 where applicable.
Auditors must be competent against AS9100, the audited process, the applicable customer specific requirements, and any relevant regulatory requirements. Auditor competence records are a frequent finding category in aerospace.

If your audit program treats AS9100D as ISO 9001 with extra paragraphs, you will miss findings that the certification body will not.

The Three Audit Types Aerospace Programs Need

AS9100D Clause 9.2.2.1 is explicit about the audit types your program must cover.

QMS audits against the standard's clauses. This is the audit type most programs do reasonably well. The risk is treating clauses as a documentation checklist rather than a process effectiveness review.
Manufacturing process audits against process-specific criteria. For aerospace this means your process specifications, work instructions, FAI plans, and any NADCAP audit criteria for special processes you perform in house. AS9100 does not require NADCAP, but most primes do, and your manufacturing process audit needs to cover the same ground a NADCAP auditor would walk.
Product audits verifying that product meets customer requirements at defined stages. Aerospace product audits typically include first article inspection per AS9102, configuration verification against the released drawing or model, and conformance to the contracted spec list including DPD or MBD requirements where applicable.

Most internal audit programs cover QMS audits well, manufacturing process audits unevenly, and product audits poorly. The first place a tough certification body auditor will look is the product audit history, because that is where the gap between the QMS on paper and the product as built shows up.

AS9100 Internal Audit Checklist

Treat this as a starting point. Customize for your customer specific requirements (Boeing D6-1276, Airbus AQRP, Lockheed Martin LM-AERO QPM, and others), your applicable regulatory requirements (FAA Part 21, EASA Part 21G, and others), and your own QMS documentation.

Section 1: Context of the Organization (Clause 4)

Is the scope of the QMS documented, and does it explicitly state the products, services, and locations covered?
Are interested parties (customers, regulators, suppliers, certifying bodies) and their relevant requirements identified and reviewed?
Are external and internal issues that affect the QMS identified and reviewed at planned intervals?
Is the QMS scope statement aligned with what the certification certificate covers, with no implied scope creep into uncertified products or sites?

Section 2: Leadership (Clause 5)

Does top management demonstrate leadership by participating in management review and resourcing the QMS?
Is the quality policy communicated and understood at all levels (verify by asking floor employees, not just by checking that the policy is posted)?
Are quality objectives measurable, monitored, and linked to the quality policy?
Has top management appointed personnel with documented responsibility and authority for product safety, ethical behavior, and aerospace specific QMS reporting? AS9100 Clause 5.1.1 calls these out explicitly, beyond the base ISO 9001 management responsibility list.
Are customer representatives, where required by contract, defined with authority and responsibility?

Section 3: Planning (Clause 6)

Are risks and opportunities identified and addressed in the QMS, including risks to product safety and conformity?
Are quality objectives established at relevant functions, levels, and processes, with action plans and resources defined?
Is change management documented when changes to the QMS are planned, including changes to processes, equipment, materials, and personnel that affect conformity?

Section 4: Support, Resources and Competence (Clause 7)

Is there evidence of training records for all personnel performing quality affecting work?
Are competency requirements defined for each role, including special processes (heat treat, NDT, welding, brazing, plating, chemical processing) where applicable?
Are measuring and monitoring resources calibrated with records retained, including environmental conditions for the calibration?
Is the calibration status of equipment clearly identifiable on the equipment itself?
Are gauge studies or measurement system analyses current and acceptable for all critical measurement systems?
Is documented information controlled with version history, approval records, and retrieval evidence for the legacy revisions a regulator might ask for?

Common finding: Calibration records exist, but the gauge that measured the dimensions on a delivered first article cannot be traced back to its calibration record at the date of measurement. The traceability link is the point, not the calibration sticker.

Section 5: Operation, Operational Planning (Clause 8.1)

Is operational planning documented for each program, including resources, criteria for processes, and acceptance criteria?
Is operational risk management evident? AS9100 Clause 8.1.1 requires operational risk management beyond the strategic risk treatment in Clause 6.
Is configuration management defined and applied? AS9100 Clause 8.1.2 covers configuration identification, change control, configuration status accounting, and configuration audits.
Is product safety addressed throughout the product life cycle? AS9100 Clause 8.1.3 requires explicit product safety planning.
Are counterfeit parts prevention controls in place? AS9100 Clause 8.1.4 requires the organization to plan, implement, and control processes to prevent counterfeit or suspect counterfeit parts from being used and from delivery to the customer.

Section 6: Operation, Requirements for Products and Services (Clause 8.2)

Is the customer requirements review process documented and applied to every contract or order, including changes to existing contracts?
Are statutory and regulatory requirements identified and addressed, including export control where applicable?
Are special requirements, critical items, and key characteristics identified during requirements review and flowed into design and production?

Section 7: Operation, Design and Development (Clause 8.3)

If design responsibility applies, is design and development planning documented with stages, reviews, verification, and validation defined?
Are design inputs traceable to design outputs?
Are design changes controlled with documented review, verification, validation, and approval records?
Is the configuration baseline maintained through the design phase and into production release?

If your scope excludes design, your audit covers the requirements review (Clause 8.2) closely instead, since design responsibility sits with the customer.

Section 8: Operation, Externally Provided Processes, Products and Services (Clause 8.4)

Is the supplier approval process documented with criteria for selection, evaluation, and re-evaluation?
Is an Approved Supplier List maintained with the scope of approval clear (commodities, processes, special processes)?
Is the flowdown of customer requirements to suppliers documented and verified?
Are special process suppliers approved against the relevant industry approval (NADCAP, customer specific approval, or contractual equivalent)?
Is supplier performance monitored with on time delivery and quality performance data, with escalation triggers for declining performance?
Are counterfeit parts prevention requirements flowed down to distributors, brokers, and other non original manufacturer suppliers (Clause 8.1.4 ties to 8.4)?

Common finding: Special process supplier approvals exist, but the scope of approval (alloys, processes, certifications) is not actively verified at PO release. A heat treat supplier approved for 17-4PH receives a PO for Inconel 718, the supplier accepts and processes the PO, and the conformance evidence does not appear until the FAI is rejected.

Section 9: Operation, Production and Service Provision (Clause 8.5)

Are production processes controlled per the planning output (work instructions, control plans, inspection plans, FAI plans where applicable)?
Is identification and traceability maintained throughout production? AS9100 Clause 8.5.2 has more prescriptive traceability requirements than ISO 9001.
Is property belonging to customers or external providers (tooling, gages, materials, intellectual property) identified, controlled, and reported on if lost or damaged?
Is preservation of product (handling, packaging, storage, protection, ESD where applicable) maintained through production and delivery?
Is post delivery activity (warranty, service, return, repair) defined and applied?
Is control of changes to production processes documented and validated, with first article re-verification triggered where required?

Section 10: Operation, Release of Products and Services (Clause 8.6)

Are release activities at planned arrangements (in process inspection, final inspection, first article inspection per AS9102 where applicable) performed and documented?
Is evidence of conformity retained, including the authority responsible for release?
If the customer requires source inspection or government source inspection, is the requirement flowed to the inspection plan and respected at release?

Section 11: Operation, Control of Nonconforming Outputs (Clause 8.7)

Are nonconforming outputs identified, segregated, and controlled to prevent unintended use or delivery?
Is disposition (use as is, repair, rework, scrap, return to supplier) authorized by personnel with defined authority, and is customer concession obtained where required?
Are records of nonconformities, dispositions, and any concessions retained with traceability to the affected product?

Section 12: Performance Evaluation (Clause 9)

Are monitoring and measurement of QMS performance defined, including customer satisfaction (Clause 9.1.2), on time delivery, and quality performance?
Is the internal audit program planned, executed, and tracked against the schedule, with all clauses, processes, and shifts covered over the cycle?
Is management review held at planned intervals with the AS9100 required inputs (Clause 9.3.2) addressed and outputs documented?

Section 13: Improvement (Clause 10)

Are nonconformities identified through internal audit, customer complaint, supplier issue, and process monitoring captured in a corrective action system?
Is the corrective action process structured around root cause analysis, with verification of effectiveness before closure?
Is the documented information for nonconformities and corrective actions retained?

AS9100 vs ISO 9001: The Aerospace Adders That Catch Suppliers

If your audit program is built on an ISO 9001 checklist with AS9100 references bolted on, the adders are where you fail. The clauses to walk slowly:

Clause 8.1.2 Configuration Management. Configuration identification, change control, status accounting, and configuration audits. Most ISO 9001 programs do not have a configuration audit on the calendar.
Clause 8.1.3 Product Safety. Explicit product safety planning, including the identification of hazards through the product life cycle. Aerospace primes will look for evidence of a product safety review on the program.
Clause 8.1.4 Counterfeit Parts. Prevention plan, training, controlled sourcing (especially for distributors and brokers), incoming inspection criteria, and reporting. The G-19 series guidance from SAE is a useful reference.
Clause 8.4.3 Information for External Providers. The flowdown clause. AS9100 has a longer list of items that must be flowed to suppliers, including key characteristics, design records, sample inspection requirements, FAI requirements, qualification of personnel, and the right of access for the organization, the customer, and regulatory authorities.
Clause 8.5.2 Identification and Traceability. AS9100 expects unique identification and the ability to trace back to material, manufacturing, and inspection records over the required retention period. Lot traceability for fasteners, raw material traceability for safety critical features, and serial number traceability for assemblies.

If your QMS does not have a documented configuration management process, a documented product safety plan, a documented counterfeit parts prevention plan, and a documented flowdown matrix, your QMS is not AS9100 ready, regardless of what the certificate on the wall says.

AS9100 vs AS9102 vs NADCAP: Clearing the Confusion

Three acronyms aerospace suppliers conflate at their cost.

AS9100D is the QMS standard. It is what the certification body audits against. Your certificate says AS9100D. Internal audits cover AS9100D clauses.
AS9102B is the First Article Inspection standard. It defines the AS9102 forms (Form 1, 2, 3) and the rules for when a first article is required, when it must be re-verified, and what the documentation package looks like. AS9100D requires that you maintain conformity evidence; AS9102B is the typical method for the first article portion of that evidence. The Sales agent has had multiple prospect calls where the buyer asked for "AS9100 certification on this part" when they meant a completed AS9102 FAI package. Train your front office to know the difference.
NADCAP is an industry managed accreditation program for special processes (heat treat, NDT, welding, brazing, surface treatments, chemical processing, composites, and others). NADCAP is required by most aerospace primes for the special processes in scope. It is not required by AS9100D. A NADCAP audit is not an AS9100 audit, although the two often touch the same control points on the floor.

In your audit program, AS9100D is the QMS audit, AS9102 is part of the product audit content for first articles, and NADCAP applies to your special process suppliers and to your own special processes if you perform them in house.

Common AS9100 Findings That Burn Suppliers

Year after year, certification body summary reports surface the same findings. The pattern:

Configuration management gaps. A configuration baseline was changed, the change record exists, but the affected production paperwork still references the prior baseline. Or the configuration audit on the calendar was not performed.
Counterfeit parts prevention not implemented. A documented plan exists. Training records exist. But the receiving inspection criteria for distributor sourced material does not include any counterfeit prevention checks, and the supplier qualification record for distributors does not capture the AS6174 or AS5553 awareness expected.
First article re-verification triggers missed. AS9102 requires re-verification on certain triggers (lapse in production, change in supplier, change in process, change in design). Programs that do not encode the trigger logic into the manufacturing planning miss the re-verification and ship to a stale FAI.
Special process flowdown weak. The Approved Supplier List shows the special process supplier as approved for the process. The PO does not specify the alloy, the temper, the spec, or the customer specific override. The conformance certificate that comes back is not enough to satisfy the prime's audit.
Internal audit competence not evidenced. Auditor records show training was completed, but there is no evidence the auditor was deemed competent against AS9100D, the customer specific requirements, or the audited process. AS9100 Clause 7.2 expects competence determination, not only training completion.
Risk management documented at the strategic level only. Operational risk management at the program level (AS9100 Clause 8.1.1) is missing. The certification body wants to see operational risk applied to the program, with mitigations tied back to specific risks.
Product safety not addressed. No record of product safety being considered during planning, design (where applicable), or change. The certification body will look for evidence that the team identified hazards and treated them.

If your internal audit program does not raise findings in these categories at all, the program is not finding what is there. Compare your internal audit findings against your last surveillance report and look for the gaps.

How to Run an Internal Audit That Actually Prepares You

The audit program that prepares you is the one that mirrors the depth and pattern of a third party audit, not the one that fills a binder.

Audit the process, not the procedure. Walk the floor. Pick a serial number on a delivered part and trace it backwards through the records. Pick an open NCR and trace it forward through the corrective action. The disconnects show up where the records meet the floor.
Schedule against the cycle. Every clause and every process gets audited within the certification cycle, with high risk areas (special processes, configuration management, counterfeit parts, FAI) audited more frequently. Map the schedule against the calendar and against the auditor competence matrix.
Audit at the work cell, not the conference room. The interview at the desk catches what the floor has been told. The walk catches what the floor actually does.
Treat findings as data. Track findings by clause, by process, by line, by shift. Patterns of recurrence are the real story. Three findings in three audits at the same line is not three findings, it is a process control failure.
Close findings with verification. A closed finding without verification of effectiveness is an open finding waiting to be re-cited.
Use the customer report as audit input. Your largest aerospace customer's recent supplier audit findings are the highest signal source you have. Map them into the next internal audit scope.

Internal audit is not the rehearsal. The certification body audit is not the test. The customer audit is the test, and product in service is the final exam. The internal audit program exists so you do not learn about a configuration baseline drift from a quality escape on a flying article.

How QualityEngineer.ai Helps

The Build module is QualityEngineer.ai's planning workspace for the audit evidence package: Process Flow, PFMEA, Control Plan, FAI plans, and the cascade between them. When a Process Flow step changes, the downstream plans pick up the change in the same workspace, so the configuration baseline and the inspection plan move together. When a key characteristic is identified, it propagates through to the Control Plan and to the FAI plan as a measured characteristic, with the inspection method and acceptance criteria bound to the source.

For supplier audits, Supplier Quality tracks supplier performance, special process scope of approval, and flowdown verification, with the kind of detail an AS9100 8.4 audit looks for. The on time delivery and quality performance data sit alongside the approval scope and the qualification records, so an internal audit of supplier control can pull a complete picture in one place rather than reconciling six spreadsheets.

For first article submission packages, the Package module handles the conformance evidence assembly, with cross document validation between the FAI, the inspection plan, the gauge calibration records, and the special process certifications. The structure mirrors AS9102 Form 1, 2, and 3 expectations.

The internal audit program itself sits in the Monitor module, with clause coverage, audit schedule, and finding closure tracking against the cycle. The pattern of findings by clause and by process surfaces the recurrence patterns that should drive the next audit scope.

For teams running AS9100 alongside automotive programs, the IATF 16949 Internal Audit Checklist covers the automotive specific clauses and three audit type expectations, with similar structure adapted to the IATF requirements.

Summary

AS9100D is the aerospace QMS standard, and the audit program your team runs against it has to find what the certification body and the customer audit will find. Configuration management, product safety, counterfeit parts, flowdown, and traceability are the aerospace adders that distinguish AS9100 from a base ISO 9001 program. AS9102 is the first article method, and NADCAP is the special process accreditation, and neither is a substitute for an AS9100 internal audit.

The audit program that actually prepares you is the one that walks the floor, traces records backwards from delivered serial numbers, treats findings as recurrence data, and closes findings with verification of effectiveness. Internal audit is not a binder. It is the rehearsal for the moment a quality escape on a flying article asks the question your audit program should have asked first.

QualityEngineer.ai's Build module, Supplier Quality, Package module, and Monitor module implement the AS9100D adders as a connected workflow. Start free, no credit card required.

About the Author

Daniel Crouse is the founder of QualityEngineer.ai. 15+ years in supplier quality, PPAP, and manufacturing systems. Built QualityEngineer.ai because quality engineers deserve better tools than Excel. Connect on LinkedIn.