Episode 2: AS9100 to IA9100: The 2026 Shift feat. Mike Varney

Christian Reyes (00:00)
Well, if you didn't know this now, you heard it here first. AS9100 becomes IA9100 in 2026. What changes, when do you have to comply, and how do you prep without blowing up your QMS? Today, we're going to start cutting through the noise with Mike Varney. By the end of this episode, you'll have a better idea of what to expect from the upcoming revision of AS9100 and know what you need to start looking out and preparing for. Welcome to the QCAST. I'm Christian Reyes, your host.

Joining me today is Mike Varney, president of Mike Varney Quality Management Solutions or MVQMS, where he helps businesses develop and perfect quality management systems. With over 15 years of experience in the metals industry, Mike now guides companies through certifications, namely IS9001 and AS9100, focusing on practical solutions that drive compliance and operational excellence.

I first met Mike a number of years ago, actually, through a mutual client, and I've seen firsthand the great work that he does helping aerospace companies implement and maintain QMS programs across supply chains. Mike, thank you so much for joining us today. It's great to have you on.

Mike Varney (00:59)
Absolutely, I appreciate the opportunity and thanks for the kind words.

Christian Reyes (01:02)
Of course, of course. I'm excited for today. We always have good conversations. And again, I really appreciate you taking the time to join us. I know that you're super busy. Your services are very much in high demand, not to mention the fact that we've got a new revision of AS9100 coming out supposedly next year. But let's make clear to listeners right from the top that everything that we're going to talk about, everything today is speculation.

It's technically still up in the air until the final version of the new revision is released. And even that date is technically still up in the air. It's not yet known. We expect it next year, but it's not 100%. But with that being said, it's obviously good to stay ahead of what's coming down the pipeline and better to be aware of any upcoming changes and kind of get caught off guard by them after the fact. But that being said, let's get into it and kind of start off with some of the basics and timeline.

⁓ Do you have any idea why? Why is AS 9100 changing to IA 9100? What does the IA in the name change reflect?

Mike Varney (02:01)
So that's a great question. Initially, everybody expected that the next one we would see whenever that would be was going to be an AS9100E, ⁓ because that's kind of the nomenclature it's followed since the beginning. But if anybody is familiar with other standards, the vast majority of them start with I. And that implies international standard. And the aerospace standard is kind of the only one that has avoided that, even though it's very much in international industry.

So they're transitioning from the AS nomenclature that we're used to to an IA for International Aerospace Standard. But they're going to keep the 9100 as far as what the revision number or letter will be. assuming it's going to be a dash, but that's still speculatory. But basically, it's to imply the international side of the industry.

Christian Reyes (02:44)
That makes sense. That makes sense.

Now, we expect it out in 2026, correct? As of the information we have today, the next version is coming out next year.

Mike Varney (02:54)
That's what we're hearing, based on some of my contacts I've spoken to who are involved in the process. We're anticipating Q4 of 2026. There's still some factors that could skew that in either direction. I wouldn't imagine it will get moved sooner, but it could get pushed later.

Christian Reyes (03:13)
well historically, AS9100 has on

ISO 9001 as a framework. And so with that being the expected publication being in 2026, the typical transition windows have been about three years

Mike Varney (03:28)
Right.

Christian Reyes (03:28)
Do is that to be expected in this upcoming version or any indicators that that's going to change?

Mike Varney (03:35)
What we're hearing so far is that the three-year should stand. We have not heard anything to the contrary. Three-year is usually the default. The one potential hiccup there is that this is technically considered a minor revision. And there have been times with some standards in the past where minor revisions have had an accelerated transition time, where we could see a potential two-year. I'm hoping that's not the case, because the certs are issued on a three-year lifespan. So three-year makes it nice and clean.

everybody expected it to be a major revision because it's been 10 years. So everybody expected it was going to be a big change just like the jump from 2008 to 2015 or from Rev-C to Rev-D for speaking aerospace. Those changes were pretty substantial. It included full renumbering of the clause structure.

It removed a lot of lingo that was in the older versions of the standard. But again, everything could change. There may be some stuff that we haven't seen that could still be coming down the pipeline. But we're anticipating it to be a more minor revision than the jump from AS9100C to AS9100D.

Christian Reyes (04:33)
Okay, okay. And so, if 9001 2026 slips or shifts on time, does that shift IA 9100 schedule materially at all?

Mike Varney (04:42)
That's a good question. I think they're already running about a year behind their initial schedule. So it's definitely realistic that that could potentially get pushed to 2027. As of right now,

It looks like 9001 is on track for September 26th. And then 9100 is pretty much tooled up and ready to go to implement those 9001 changes very quickly estimating for a Q4 release. So that's what it looks like is the most likely scenario. But there is still room for 9001 to kind of derail this a little bit.

The most likely scenario being that 9100 would probably wait for 9001

Christian Reyes (05:15)
Sure, at least to me it feels cleaner that way, as I'm sure to many people throughout the industry. Kind of hoping for that, but as you've said, there's no way to be sure.

Mike Varney (05:18)
⁓ Absolutely.

Christian Reyes (05:25)
Of what you've heard, what are two changes that would most alter the day-to-day evidence that an auditor would expect coming in?

Mike Varney (05:32)
⁓ So that's a good question. There's a handful of things in here that are maybe not new, but are stressed much more significantly than they may have been in the past. So for example, ethical behavior is something that was in the AS9100 standard for Rev-D that is now peppered throughout this new standard in more places than it was in the past.

Christian Reyes (05:35)
Please.

Mike Varney (05:50)
So there's much more emphasis on ethical behavior. Now, when you talk ethical behavior, ⁓ that's largely subjective. So when we talk about how that might be audited or the things an auditor might want to see when it pertains to something like ethical behavior is your training records, right? They may go out there and they may talk to people and say, hey, proof to me that we have some awareness, right? You know, let's ask people some questions. Hey, in the event of this situation, how would you handle it? Those are the things we expect to start seeing the auditors do to production personnel or inspection personnel.

people that are hands-on with product. If they see something that looks suspicious, be it a potential counterfeit situation, or if there's ⁓ uncontrolled documentation or customer-supply documentation, sensitive information that's being used or floating around in the shop, an auditor may take that opportunity to kind of role play with someone in production to make sure that they have a good grasp on what the ethical way to proceed might be. That's just an example.

We also see more mention of MSA, measurement systems analysis. We see more mention of APQP. We see more mention of ⁓ control plans. Now, none of these words are new to people in aerospace. know, AS13100, which has out for several years now, focuses on all of these things. You know, a lot of the flow down from the OEMs, focus on a lot of these things. It's just now...

opposed to being just customer specific for one product line or to satisfy one customer. This is now has to become organic in your system across the board. We can't just pick and choose and say, we're going to do MSA for this situation, but it doesn't apply to these ones. Now that's less of the case.

Christian Reyes (07:23)
That is, those are some pretty sweeping changes just in terms of, you know, putting it at a system level, embedding it at a system level. mean, across, across the organization. those are some changes that have, you know, sweeping effects. like you said, I mean, it's probably going to take some effort, ⁓ from top management levels all the way down to, you know, shop floor personnel, in terms of, you know, being prepared for, for what's coming down the pipeline.

you know, in order to come zoom in.

Mike Varney (07:49)
Absolutely.

Absolutely. And the best thing that anybody can do is it pertains to any of this stuff is to educate yourself. There is so much good information out there. And there's a of good free information out there.

So it's a good thing to at least start self-educating.

Christian Reyes (08:04)
in regards to other stuff that that's changing that you've heard, one thing that I've I've heard some talk about, is changes in regards to information security. Can you shed any light on that?

Mike Varney (08:13)
Yes,

Yes, I'm very glad you brought this up. ⁓ So information security, anybody, you know, at least 90 % of people that are in the aerospace world have been talking about CMMC, right? And the state under 171 compliance that's being flown down, you know, by the government initially, and now through all the OEMs and it's making its way to, to all of us effectively. ⁓ You know, I'm starting to see it on POs for some of my very small clients, you know, are starting to see it get trickled down.

So this has been a talking point for the past two, three, maybe even four years. You know, people talking about cybersecurity, cybersecurity is a huge deal, right? There's been a lot of very popular, very well-known breaches, you know, that have made it in the news that we're hearing a lot about. You know, I feel like once a month I'm getting an email from somebody I did business with about, you know, a legal situation due to a cyber breach. It's very familiar. So this is being flown down now in the standard.

which in the past there was some loose verbiage around ⁓ cyber security, but it was mainly around, you know, the protection of information and things like that and less about cyber itself. Cyber now is a mandatory consideration within the creation of your quality management system. And it has actually a shall statement, which is something new. That being said, how deep you go with that is at this point in time.

Christian Reyes (09:27)
Okay.

Mike Varney (09:34)
entirely up to you, meaning you develop your plan for the protection of your information technology, right, your cyber protection based on what's appropriate to your organization. That's how it's currently worded. What that's going to look like in the future, that could tweak a little bit. I'm not really sure. Obviously, if you have requirements beyond that to your your customers, that would have to supersede anything that's in the standard. So you may still have to go above and beyond that especially if you're getting things like CMMC 2.0 flow down.

But yes, we're anticipating that we're gonna have to create some sort of ⁓ information security program for every company that is planning to be IE 9100 certified going forward. I think that's going to be a mandatory. That's one I don't think we're gonna be able to get out of.

Christian Reyes (10:15)
That's a very big change that people need to be aware of. But it's also, we may grumble at some of the work that goes into this, but ultimately it's a good thing, right? I mean, as you were saying, the leaks that you hear about and the, you know, businesses that, whether it's ⁓ whatever email scheme is happening, you know, it's so prevalent nowadays. It's so prevalent. Even, I mean,

Mike Varney (10:25)
It is, it is.

I

Christian Reyes (10:37)
And this could be just me, but you know, in the past, I've always historically kind of chuckled at the IT trainings that we received, the videos that you watch, it's, something that, that personally, I don't think we can take for granted necessarily anymore. just that knowledge.

Mike Varney (10:49)
No,

Christian Reyes (10:50)
Do you have any idea what the new like must have records or artifacts are going to be for product safety? I'm like hazard logs or like safety risk registers, just training.

Mike Varney (11:02)
That's a great question. Product safety has always confused people. They hear product safety, they think it has to do with the safety of the person making the product, it has to do with the safety of the handling the product, it has to realize, and the reality is it doesn't, right? Product safety,

⁓ And I'm not saying you shouldn't do that. I'm not promoting unsafe work environments. ⁓ product safety, as is reported in 9100, has to do with the safe operation of the completed product, ensuring that the product can be used safely. Not that it's safely manufactured. Again, that should be included either way. But product safety itself actually doesn't pertain to that at all. So just that's something that's always been very confusing. But there are.

Christian Reyes (11:21)
Yeah.

Mike Varney (11:42)
some additions to the new standard that pertain to product safety that we haven't seen before. Specifically in clause 813, there's a bunch of information that emphasizes this, mainly because product safety has been very confusing to companies in the past. So they added a huge note section to the end of 813, which is where product safety is talked about, that goes on and talks about some of the processes that you can implement to promote product safety.

So the requirement pertaining to product safety itself has not changed much. It just gives you a lot better information and ideas to be able to address product safety, while still basically including the product safety requirement that was always there in the past. Just now we have like eight or 10 different options that we can use to satisfy that requirement listed in the notes section beyond product safety, which I think is one of my favorite changes that they're making, because it's gonna clear up a lot of confusion that's been out there amongst people.

regarding product safety and how to promote it, how to prove it, how to generate good evidence that we actually have some control over product safety. That's something that's always been a real gray weak spot for people, especially in audit environments.

Christian Reyes (12:46)
For sure. For sure. And speaking of audit environments, Should companies plan a time recertification to land after IE9100 publishes to combine audits

Mike Varney (12:56)
This is a great question. And this is a complicated answer. If we stick on a three-year time frame, that's best case scenario, because then everybody's stuff is always going to line up. Because your cert already that you have is three years long. You have three years to comply with the new standard, meaning there will never be a situation in which there could be a lapse, because your three years can't exceed their three years. You know what I mean?

Christian Reyes (13:01)
You

For sure. For sure.

Mike Varney (13:22)
Time frame

wise, that's best case scenario. But

If you guys are certified to AS9100, your cert expires, you know, at some point in the next three years, you can have a registrar come in while you're still certified. It's very important you have to do this while you're still certified to AS9100 because that cert can live for up to three years after the new one. While you're still certified, you can have somebody come in and do a transitionary audit.

where they will upgrade your certificate from AS9100 to IA9100. they'll come in and they'll do an audit specifically on the new stuff of the new standard and there's no lapse in time and your cert just gets upgraded. That is the best way to do it if you can do it that way. It also allows you a little bit of leniency. For example, if you're getting recertified right now, right? So you're looking at a September

2025 reissue on your certificate, meaning September 2028 is when you'll expire. Anywhere in between that timeframe from when the new standard comes out until September of 2028, you can call your CB, have them come in and do a transitionary audit and get your cert upgraded.

Christian Reyes (14:23)
That is great to know. That's great to know.

we've been talking about some of the changes a bit more top level, but if we drill down into like MSA, for example, where should small organizations start? mean, you said earlier, it obviously depends on, it can be used as a verification activity. It's not necessarily a true requirement, so to speak. But yeah, for like small organizations.

How would you suggest they start looking at that or evaluating MSA?

Mike Varney (14:47)
So that's a great question. And I know I said before, and you just reiterated, technically right now we don't foresee it being a mandatory requirement for everybody. However, we are trending in the direction of that rapidly becoming a industry best practice. Meaning that just because it's not mandatory in the standard, it's likely going to become required by a lot of the OEMs. So we will probably see it. And if it's not in this rev, it'll probably be in the next rev.

Eventually, we're all going to be at that point. So for smaller companies that aren't currently doing a traditional MSA, measurement systems analysis, the best thing that you can do is to start with a simple gauge R &R. Let's figure out our essential tools that we're using in our inspection area for our final inspection, our product acceptance instruments and the people that are taking those measurements. And let's do a really basic gauge R &R with those high level tools.

⁓ Let's start there because that alone is going to tell you so much about your company. You know, when you start to see what the variance looks like, you'll know very quickly whether you have a system that's pretty adequately staffed and adequately tooled or if we really need to do some work. Because anything that happens at that high level is likely going to kind of be reflective of things that are downstream of it. know, engage R &Rs are very simple. They don't have to be really complicated. You can do it with a handful of people and a handful of tools. You know, it can be an afternoon event.

It doesn't have to be a major occurrence. Now, if you're to do it on a product level, if you have a product with a bunch of very complicated dimensions, and we're talking about first Oracle inspections and control plans and things like that, and you're doing MSA on a product level or product line level, those can get a lot bigger. Because now it might, instead of three or four tools, it may be 10 or 15 or 20 tools. And you may have 15 different operators and five different inspectors touch it. And all of a sudden, this can become a little bigger. But for companies that are looking to just to start out,

Grab a handful of tools. Later on in the process, your final inspection or your product acceptance in those inspectors that are the ones using those tools. And let's do some basic HR and R.

Christian Reyes (16:42)
That's good advice. That's great advice.

one last thing that I wanted to do here today was just kind of go through a lightning round of myths. These are some things that we we won't name any names, but things that that we've heard thrown around in in reference to what people are expecting in the new version.

Mike Varney (16:51)
Okay. ⁓

Christian Reyes (17:00)
next in maybe next year, IA 9100 I guess you'll tell me whether they're myths or not. But yeah, just we'll start off with we'll need to rewrite our whole QMS. True or false?

Mike Varney (17:00)
Alright.

I will do my best.

Please,

false, please don't do that. ⁓ For the sake of your consultants, for the sake of your auditors, for the sake of your internal auditors, please don't do that. This is going to be a standard that has more additions and clarifications than it is a full rewrite. What you have in place is going to be good for probably 80 % or more of it. Focus on the 20%, don't throw anything out. In the end, yeah, maybe we'll make the decision to pull a couple little things as we replace it.

Christian Reyes (17:14)
Yeah.

Mike Varney (17:38)
but please don't approach this as a full system rewrite because it's not a full standard rewrite, so it shouldn't be a full QMS rewrite.

Christian Reyes (17:44)
Got it. Next, APQP is mandatory for all work.

Mike Varney (17:47)
APQP is not mandatory for all work. That is also a false. However, we should always be doing production verification activities, but a full system APQP is not a requirement unless there's a requirement of your customer. Again, it is a great tool, but it is a very costly tool, mainly in manpower. So if it's applicable and we need to do it, absolutely, it's got to be done. But that is not a blanket requirement.

Christian Reyes (17:50)
False.

Mike Varney (18:12)
for all products and all processes, I don't anticipate that being something that everybody's gonna have to do for everything.

Christian Reyes (18:17)
Got it. CMMC level cybersecurity is now required.

Mike Varney (18:21)
CMMC, well, CMMC level requirements are not mandatory for everybody unless it is a requirement from your customer, the government. Somebody is actually legitimately flowing that down to you. Like I said before, there's great tools that are available. There's great things that you can do to make a big dent in this without going the full expensive CMMC route.

Christian Reyes (18:43)
Absolutely, FAI alone proves process capability.

Mike Varney (18:47)
This is no, it does not prove that in itself. know, process capability or production process validation activities. FAI is a component of that. FAI tells you that the part is good. It doesn't necessarily tell you that the process is good. It is a component to telling you that the process is good. But we need to know also what happened upstream. We need to be doing our checks and our validation at different stages before we get to an FAI event. So,

It's more than just an FAI. FAI is a great component. I'm telling everybody to not do FAIs. Keep doing your FAIs. But we need to make sure that we're doing other things along the way. And there's some great notes in the new standard that give you kind some tips and tricks to get there to do process validation with FAI being a component of that.

Christian Reyes (19:16)
Yeah.

Great answer, great answer. Lastly, we don't know when the standard is actually gonna be released and we've got three years till after that so we can at least wait until 2027.

Mike Varney (19:35)
You probably shouldn't do that. You shouldn't do that. You probably shouldn't do that. As a consultant that handles between 40 and 50 clients, I know for a fact a chunk of mine will probably do that. No offense to any of them if they're listening. But that's inevitable, right? It's human nature to delay these things. We're all procrastinators to some extent. Please fight that urge. Don't do that.

Christian Reyes (19:37)
That's not a good idea.

Mike Varney (19:59)
If you want to wait to get a jump on these things until the actual ⁓ final release is made public and available, I think that's okay. But please make sure as soon as that's available, you're at least familiarizing yourself. You're going to make it much easier on yourself. You're going to make it easier on your auditors, on your consultants, on your inspectors, on all of your personnel. Because ultimately, it's not just, you know, the quality manager, the director of quality, or the president who's making the changes, right? These are system changes.

The whole company has to be aware of it. The whole company is going to have some level of involvement. The longer you wait, the harder it's going to be to do.

Christian Reyes (20:33)
Absolutely, absolutely is one of those things where there are some absolutely some steps. Yes, we don't know the exact, you know, verbiage and wording of the standard as it stands now. But just like what you said, you know, 10 minutes ago, ⁓ cybersecurity alone, that is definitely going to need to be addressed regardless. And as you said, there are some simple things that you can start doing now that are relatively painless. So the amount of effort that you're putting in it now on the front end, that's good. That will definitely pay off ⁓ in

likely compound any efforts that you put in at this point in time instead of waiting on the back end. It's going to be a lot more costly financially time wise. Because like you said, even though this is a minor revision, so to speak, there aren't necessarily drastic sweeping changes that we know of yet, they are like you said, they're they're process, they're they're system level. It's not just one person, not the quality manager that's going to have to update 10 SOPs and we're good to go.

there are processes and system level things that can't change overnight. So the earlier you start looking at things like this, the better for sure. As I'm sure you all will know, but like you said, humans, we procrastinate, you know.

Mike Varney (21:39)
Absolutely.

We do, we do, we tend to do that. And you know, another thing to keep in mind too, without going too far down this potential rabbit hole, you know, you're also a little bit at the mercy of the CBs here too, right? You got to remember that they now have to retrain their entire staff. They have to roll out programs that are new, you know. So there's going to be a period of time, especially at the beginning, where it's probably going to be really hard to find a CB that's going to certify you a week after the standard comes out, right?

And the longer you wait, the more people you're going to run up against that are going to be looking for time to get an audit done. the earlier you start working on these things, the earlier that you might be able to get somebody in to help you do it before that crunch at the end where everybody's trying to do it in the last second before that three-year deadline. Because that can also be costly, and it can be very tough and challenging for your company, for your CB.

you know, for everybody involved.

Christian Reyes (22:41)
Fantastic, fantastic. Well, that takes us about right up on our time here, Mike. That's really good timing on both of our parts. ⁓ But thank you again. I just want to say thank you. You dropped some gems here today and I really appreciate it. I know that the team here does and all of our listeners do as well. And for our listeners, ⁓ where can folks find you and connect with you, find your company if they would like to connect with you?

Mike Varney (22:48)
Yeah.

Yeah, absolutely. So my website is mvarneyqms.com. All my contact information is on there. I'm very active on LinkedIn under Mike Varney. I'm pretty easy to find if you want to find me. Happy to chat with anybody. But yeah, absolutely. I tend to post a decent amount of stuff regarding these topics as well to try and keep my client base updated. So feel free to reach out. Feel free to give me a follow on LinkedIn.

connect with me and ship me an email through the link on my website. happy to chat and you guys can learn a little bit more about me and some of the things that I might be able to offer and help with.

Christian Reyes (23:38)
Absolutely, absolutely and we'll put that all in the show notes. We'll put Mike's LinkedIn definitely reach out to him on LinkedIn We'll put the the website there as well. So you can just click on through So again check the show notes and if you found this episode as helpful as I did Please share it with a colleague share it with someone at your work Like comment subscribe to the Q cast and we're gonna keep them coming. So until next time stay compliant