company confidential registration management committee 1 auditing the implementation of counterfeit...

Company Confidential

Registration Management Committee

1

Auditing the Implementation of Counterfeit Electronic PartsControl Plan Requirements

Bill Zint, Program ManagerHoneywell Inspection & Audit (HIA)

Daryl KepplerHIA Quality Engineer

July 19, 2012

RMC WorkshopMinneapolis, MN 19 – 20 July 2012

RMC Workshop Minneapolis, MN 19 – 20 July 2012


2

Introduction• The requirements for mitigating Counterfeit Parts (CP) threats

to an organization’s product line are clearly delineated in AS5553*.

• Counterfeit Electronic Parts (CEP) Control Plans are “Risk Based.” – Per AS5553 (Counterfeit Electronic Parts; Avoidance, Detection,

Mitigation, and Disposition): “The organization shall develop and implement a CEP Control Plan that documents its processes used for risk mitigation, disposition, and reporting of counterfeit parts.”

• AS5553 requirements are tailored to achieve a level of acceptable risk that balances likelihood, consequence and cost.

• Auditors need to understand that the acceptable level of risk can vary widely within an company, product line and components.

*AS5553 accreditation rules currently being written



3

Approach• For purposes of this briefing, the following will

be discussed:– basic requirements contained in AS5553

– some of the verifications that need to be addressed during the audit

– some audit considerations based on the level of tailoring that is described in the organization’s CEP Control Plan.

Additional information is found in the Notes section on some of the slides



4

Audit Areas for CEP Control Plan• CEP Control Plan documents an organization’s

processes that address:– Parts Availability

– Purchasing

– Purchasing Information

– Verification of Purchased Product

– In Process Investigation

– Material Control

– Reporting



5

Parts Availability• Requirement:

– The CEP Control Plan addresses processes that ensure availability of authentic parts throughout the product’s life cycle

• Verification:– Are new and existing parts management/procurement

addressed in control plan?

– Are obsolescence management processes implemented?

– Are these processes periodically reviewed/revised?

• Audit considerations:– Have all parts been reviewed for life cycle availability?

– Have alternate procurement options been established for Diminishing Manufacturing Sources and Material Shortages (DMSMS)?



6

Purchasing• Requirement:

– Electronic parts should be purchased, whenever possible, directly from OCMs or from authorized suppliers.

• Verification:– Controlled process to assess risk of receiving CP from all

suppliers

– Current controlled list of approved suppliers based on risk

– Flow down of requirements to all tiers of suppliers

– Risk mitigation plan for procuring parts from other than OCMs

– Documented traceability of all parts

• Audit considerations:– Are audit schedules for suppliers periodically reviewed and

adjusted based on supplier part source procurement risk?

– Ensure suppliers QMS contain documented processes to prevent CP from entering the supply chain



7

Purchasing Information• Requirement

– Procurement contract language should include requirements which will help ensure that conforming, authentic materials are received

• Verification– Implementation of risk-based approach for buying parts from

suppliers» Documented evidence of supplier’s procurement, quality processes

and part heritage» Supplier’s compliance with buyer’s imposed procurement quality

requirements and clauses

• Audit considerations:– Have appropriate levels of risk mitigation been used on parts

without complete product traceability?

– Is supplier’s deliverable data meeting contractual requirements for delivered parts?



8

Verification of Purchased Product• Requirement

– Documented processes shall assure detection of counterfeit parts prior to formal product acceptance

• Verification– Implementation of risk-based approach for test and inspection

of parts based on part heritage and sources of supply

– Documented results of risk-based parts testing

• Audit considerations:– Risk based approach defines extent of testing required for

product acceptance

– Appropriate/approved levels of testing used for all parts

– Control plan and contract clauses should be reviewed prior to audit for part testing requirements



9

In Process Investigation• Requirement

– Documented processes for detection, verification, and control of in-process and in-service suspected counterfeit parts

• Verification– Implementation of CP processes for:

» Detection of suspected counterfeit or nonconforming parts

» Verification of counterfeit or nonconforming parts» Segregating suspected CP during confirmation testing



10

In Process Investigation (Cont.)• Audit considerations:

– If CP or nonconforming parts have entered the supply chain:» Review results of buyer/seller investigation » Verify seller has implemented recommended corrective

action(s)

– Have Approved Vendor/Buyers Lists been re-evaluated?» Have resulting recommendations been implemented?



11

• Requirement– Documented process for ensuring

nonconforming and CP do not re-enter supply chain under fraudulent circumstances

• Verification– Adherence to material control plan for

nonconforming, suspected and confirmed CP

– Implementation of internal disposition process» Quarantine procedures» Proper handling of nonconforming parts

designated as scrap or surplus parts

Material Control



12

• Audit considerations:» For nonconforming parts:

• Review scrap, surplus and return product processes

» For suspected and/or confirmed CP:• Ensure these parts are properly segregated until

disposition has been approved • Is access controlled?• Has any additional testing been performed on the

suspected parts—if so, has it been properly documented?

Material Control (Cont.)



13

Reporting• Requirement

– Timely notification to customers, government-reporting organizations (e.g., GIDEP), industry-supported organizations (e.g., ERAI), and law enforcement authorities for suspected and confirmed CP

• Verification– Implementation of reporting process that

identifies:» Part information» Affected part or material» Description of failure/how identified as counterfeit» Identification of provider



14

Reporting (Cont.)• Audit considerations:

– Reporting of suspected/confirmed CP is per the control plan and contractual requirements:» If procedures for reporting are required by control

plan and/or contract, are they being followed? » Verify reports have been submitted in a timely

fashion, received and accepted by designated agency (e.g., GIDEP, ERAI, Law Enforcement)



15

Conclusion• CP processes are risk-based, auditors should

expect considerable variability within organizations and product lines

• CEP Control Plans may remain constant throughout the product life cycle but successful implementation of the plan will require evolving processes based on the changing CP threats

• Auditors will need to review the CEP Control Plan and all contractual documents prior to each audit—adjust auditing requirements accordingly



16

Conclusion (Cont.)• Preparation time for audits will increase to

ensure the risk-based requirements of each CEP Control Plan are properly incorporated into the audit plan

• In addition to auditing requirements, auditors should be looking for opportunities that can reduce the CP risk and can be evaluated for cost effective implementation



17

About the Author• Daryl Keppler is a Senior Consultant currently working as a part time

Quality Engineer in Honeywell’s Inspection & Audit (HIA) services business within Honeywell Technology Services, Inc. He has over 42 years experience in various engineering activities including:– 30 years in USAF/USMC performing duties as: an Acquisition Inspector;

Detachment Commander; Director of Engineering; Lead Systems/Design Engineer on Military, Agency and National command centers; and a Radio Telegrapher during a combat tour in Vietnam.

– 12 years as a Senior Consultant in the Aerospace Industry performing: Process assessments for DOD, DoE, NASA and commercial aerospace companies; Probabilistic Risk Assessments on Nuclear Safety studies for the DOD/DoE and two space shuttle return-to-flight issues; Failure Modes and Effects Analyses for the Missile Defense Agency and NASA manned space vehicles; and RMA assessments for NASA and DOD National Assets

• Daryl has Defense Acquisition Workforce Level III certifications in Program Management; Systems Planning, Research, Development and Engineering; and OT&E. He has a BS Degree in Applied Science and Engineering, an MSEE, and is a graduate of the Air War College.

Email address: [email protected]



18

About the Presenter• Bill Zint is Program Manager for Honeywell’s Inspection & Audit (HIA) services business

within Honeywell Technology Services, Inc., part of Honeywell Aerospace. HIA does

– Process/Product Audits (at customer or customer’s suppliers)

– Quality System Administration (e.g., Approved Supplier List management), System Setup

– Source Inspection, First/Last Article Inspection (including preparation or evaluation of AS9102 forms, audits, Net Inspect training/implementation)

– Supplier Process Controls: Establishing/Monitoring/Improving and Hardware Tracking/Expediting

– Counterfeit-Part Process/Procedure Review, Test-Lab/Distributor Audits, Detection Training, Inventory Risk Assessment

– IPC-610/620 Training

• Bill has held various leadership and technical positions in Engineering, Supply Management, Customer & Product Support, and Quality during his 25 years at Honeywell.

• Bill is a Honeywell-certified Six Sigma Black Belt, and achieved certifications as American Society for Quality (ASQ) Manager of Quality and Competent Toastmaster. Bill earned his Bachelor of Science Degree in Electrical Engineering from the University of Arizona, and his Master of Business Administration Degree from the University of Phoenix.

Email address: [email protected]

company confidential registration management committee 1 auditing the implementation of counterfeit...

Documents

parts audit considerations

reporting of counterfeit

organizations cep control

parts availability requirement

electronic parts avoidance

rmc workshop minneapolis

as5553 requirements

audit areas