Subtier Control Presentation

Presentation Title Will Appear Here

Effective Auditing of Purchasing & Subtier Supplier Control Processes

Boston, MAJuly 21 - 22, 2011

Tim Lee, BCA Supplier Quality Manager & IAQG OPMT ChairmanSidney Vianna, DNV Business Assurance & AAQG Secretary1Auditor WorkshopBoston, MAJuly 21-22, 2011Company ConfidentialRegistration Management Committee (RMC)Registration Management Committee (RMC)Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Voice of the Customer

George Buswell, Director BCA Supplier QualityRegional Operations

Why the added focus on Subtier Supplier Control?

Observations

Expectations

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Why is subtier supplier control so important?Growing reliance on subtier suppliersGreater than 60% of end item product is purchasedNot just tier 1 but the entire supply chain (2, 3, 4)ObservationsBoeing NOE issues - Focus on preventionBoeing ExpectationsWhat Boeing expects of our suppliersRequest for supportGet tough - No soft gradingAllow sufficient time to audit purchasing processesWe are in it together "Working Together"

Why the added focus on Subtier Supplier Control?

Boeings business modelHigh Level Systems IntegratorDeeper Supply ChainMore complicated incoming product

Higher percentage of defects attributable to subtier suppliersRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Why is subtier supplier control so important?Growing reliance on subtier suppliersGreater than 60% of end item product is purchasedNot just tier 1 but the entire supply chain (2, 3, 4)ObservationsBoeing NOE issues - Focus on preventionBoeing ExpectationsWhat Boeing expects of our suppliersRequest for supportGet tough - No soft gradingAllow sufficient time to audit purchasing processesWe are in it together "Working Together"

Observations What I have seen

Failure to understand contract requirementsIneffective incoming inspectionsPoor execution of FAI Unwarranted delegation of inspection authority


Expectations CB Oversight

Be above reproach in complying with requirementsFocus on effectiveness - Take it personally - Go the extra mile


AS9100 Rev C Criteria

4.2.4 Control of Records - The documented procedure shall define the method for controlling records that are created by and/or retained by suppliers.

7.1.2 Risk Management - The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product

7.1.4 Control of Work Transfers - The organization shall establish, implement and maintain a process to plan and control the temporary or permanent transfer of work (e.g., from one organization facility to another, from the organization to a supplier, from one supplier to another supplier) and to verify the conformity of the work to requirements.

7.4.1 Purchasing Process - The organization shall ensure that purchased product conforms to specified purchase requirements.

The organization shall be responsible for the conformity of all products purchased from suppliers, including product from sources defined by the customer.

The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization's requirements. Criteria for selection, evaluation and re-evaluation shall be established.

7.4.2 Purchasing Information - Purchasing information shall describe the product to be purchased, including, where appropriate

7.4.3 Verification of Purchased Product - The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Subtier supplier control begins in advance of issuing a purchase contract. Need to manage riskWork transfer now include supplier to supplierOrganization is responsibleMust monitor supplier performance and select suppliers base on their ability.Purchase information to be clear and concise.Describe other activities.

AS9101 Rev D Audit Requirements

0.2 Auditing Approach - When evaluating an organizations quality management system, there are basic questions that should be asked of every process, for example: Is the process identified and appropriately defined? Are responsibilities assigned? Are the processes implemented and maintained? Is the process effective in achieving the desired results?

4.2.2.8 Special Processes - b) Monitoring, Measurement, and Control of Special Processes - For outsourced special processes, the audit team shall verify that the organizations supplier control process addresses these items accordingly. In addition, the audit team shall review the use of customer-designated sources, as required.

4.2.2.5 Identifying and Recording of Audit Findings - The audit team shall record detailed objective evidence (e.g., reviewed procedures, shop orders, training records, products, verification records). The objective evidence shall be recorded on a standardized form [i.e., OER (see Appendix A)] or on the CBs own documentation. In this case, the CB document shall meet the intent of the OER.

The results of effectiveness shall be recorded on the PEAR (see Appendix C) for each audited product realization process.

Appendix A - Objective Evidence Record (OER)7.4 Purchasing - Questions 219 through 250

Additional Information

9100SupportRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Focus on the ProcessIf you audit subtier supplier control processes independently there is a risk of overlooking the interrelationships. Audit results may not add value.

Examples of Control of Purchasing Processes

Project PlanningRisk Analysis

Supplier SelectionPurchasing

Supplier QualitySurveillance &Performance

Purchased Product Inspection

RecordsManagementSupplier

Customer

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Focus on the ProcessIf you audit subtier supplier control processes independently there is a risk of overlooking the interrelationships. Audit results may not add value.







Customer

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Focus on the Process

Focus on auditing using a Process approach and the hand offs

Examples of Interrelationships - Control of Purchasing Processes



Supplier Quality


RecordsManagementProject PlanningRisk AnalysisSupplier

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Focus on the ProcessIf you audit subtier supplier control processes independently there is a risk of overlooking the interrelationships. Audit results may not add value.







Buy DecisionsProduct InfoResults All Processes interact and process performance is dependent on effective handoffs

Customer

Audit TrailRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Emphasis on sequence of operations and handoffs.Every organization is unique and range from complex to simple processes. The concept is the same.Planning for an Effective subtier supplier control audit

Sidney Vianna, DNV Business Assurance & AAQG Secretary

Audit Planning: Provide guidance on planning an effective subtier supplier control audit

Audit Conduct: Establish audit trails, Know what to look for, focus on customer unique requirements, use lessons learned

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Planning for an Effective subtier supplier control audit

Audit PlanningAn effective audit requires upfront planning prior to conduct.

You must have an understanding of the clients processes

How much product is purchased?Raw material, COTS or complete end item

Inspection and Verification methods

How does supplier performance drive decisions

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Audit PlanningDo not forget the value stream approach to effective auditing:

INPUTCustomer who has a needOUTPUTCustomer who has a need metInputStep

1Step

2Step

3Step

NOutputRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Audit PlanningOther methods may apply:

StrategyRisk analysisPlanning the activitiesDecisions Review informationImprovement

ReportingCollect and analyse data Operations and recordingTop managementProcess ownersPolicyObjectivesResourcesParticipantsV cycle approach to auditingTop managementProcess ownersParticipantsRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Planning for an Effective AuditFocus on the parts of the purchasing processes that relate to subtier controlFor example, OASIS feedback loops, customer requirements, key characteristics management, critical items, outsourced processes, work transfers, notification of changes, reporting of nonconformities, doc control transmittal to subtier suppliers, etcObtain process approach information and use this when planning the audit and establishment of audit trailsRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011OASIS feedback loopsFrom AS9101D

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Understand Subtier Control Requirementsflow down to the supply chain the applicable requirements including customer requirements, Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Remember:For the subtier supplier to be able to perform adequate 7.2, the organization must perform 7.4 wellIn other words, without adequate purchasing information by a customer, contract and product requirements review will sufferRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Customer requirementsIt starts at contract review The organization must perform effective contract review, including special attention to Customer Specific Requirements, as it relates to subtier control. As a CB auditor, you must verify that flown down-able requirements are identified and the interface between review of requirements and purchasing is effective.

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Customer requirements (sub-tier)

6081 SOFTWARE QUALITY PROGRAM PLAN REQUIREMENTS



Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Key characteristics & Critical Items

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Review of Supplier PerformanceAre levels of control, e.g., increased incoming inspection, supplier audit, source inspection, etc. based on the periodic review of supplier performance? Is data on supplier performance available? (AS9100C 8.4.d) Is Risk being considered when selecting and using suppliers? (AS9100C 7.4.1.f)

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Notification of NCs

AS9131 might be invokedCustomers may have specific reporting requirementsRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Notices of changenotify the organization of changes in product and/or process, changes of suppliers, changes of manufacturing facility location and, where required, obtain organization approvalFirst Article InspectionFAI AS9102 Requirement

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Outsourced processesThe organization has to demonstrate that it exercises sufficient control to ensure that this process is performed according to the relevant requirements of AS9100, and any other requirements of the organizations quality management system. The nature of this control will depend on the importance of the outsourced process, the risk involved, and the competence of the supplier to meet the process requirements. Based on the nature of the control, it should consider the processes referred to quality management system for management activities, provision of resources, product realization and measurement, analysis and improvement. Control MUST go beyond stipulation of requirements in a P.O.The outsourced organization does not necessarily have to have a certified Quality Management System, but it has to demonstrate the capability of the previously mentioned processes.Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Outsourced processesRemember that outsourced processes go beyond manufacturing processes and can include design development, verification and validation testing, prototyping, software development, warehousing and distribution, packaging (crating), etcFlowdown of requirements is CRITICAL.Special processes must be validated and revalidated as necessary.

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Work transfersWork transfers also present a challenge related to subtier supplier control. Especially because, many times, the transfer is done to a sister plant (within the same organization). AS9100C 7.1.4 The organization shall establish, implement and maintain a process to plan and control the temporary or permanent transfer of work (e.g., from one organization facility to another, from the organization to a supplier, from one supplier to another supplier) and to verify the conformity of the work to requirements.AS91007.4.2g) notify the organization of changes in product and/or process, changes of suppliers, changes of manufacturing facility location and, where required, obtain organization approvalRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Planning for an Effective AuditThe type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on the subsequent product realization or the final product.Criteria for selection, evaluation and re-evaluation shall be established.Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Reflection What have we learnedThats right its time for a:

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011QuizAs you audit an organizations supplier evaluation process, you notice that the only type of oversight they do onto their suppliers is an annual, one-page, self-directed survey, with basic questions about their QC program. Some of the products this organization buys contain Critical Items.Is this method of subtier supplier control adequate?

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Quiz Organization XYZ (a build to print shop) accepted a contract from an AAQG Member Company to manufacture a Pulley Bracket Assembly that also included a casting detail part. Since the organization did not have capability to produce castings, they planned to purchase this detail part. The source selection team decided to use a local casting supplier they have used in the past for their John Deere tractor contracts. They have an excellent quality rating! Note: The casting required NDT (Penetrant Inspection and Radiographic Inspection) prior to part acceptance. Can a commercial subtier supplier be used to fabricate this product? Why or Why not? Any concerns?What flowdown requirements would you expect to see in the contract to this subtier?

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011QuizClient Acme Tool and Die has accepted a contract from an AAQG Member Company to manufacture a chrome plated shaft part. The member company has included an AS9102 FAI requirement in the contract. Since the organization did not have capability to chrome plate the part, they planned to use an approved plating source and perform the FAI inspection activity after receipt of the part from the subtier. What flowdown requirements would you expect to see in the contract to this subtier?

Any issues with the FAI being completed after processing?

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011QuizUpon review of ABCs management review records the CB auditor noted that they had completed an improvement project in their Receiving Inspection Department. The problem statement related to improvement of flow time and assuring timely delivery of purchased product to the shop floor. When asked about performance, the QA Manager stated: We hired a sharp QE that helped us implement statistical sampling inspection strategy and a new supplier delegation program.We implemented these two changes and we reduced our bottlenecks by 95% The product doesnt sit in a box on the dock, it goes straight to the shop floor

Do these methods conform to AS9100?

What are some of the audit trails you would follow to verify conformance?

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Lessons LearnedChange is constant and this includes Clients purchasing activities and changes at their subtier suppliers

Outsourcing due to Cost Pressures increase risk (Use of Foreign Sources)

Quality representatives may not be actively involved in the purchase contract process, therefore adequate quality requirements may not be flowed to suppliers.

The organizations supplier quality team may not be conducting contract reviews with their subtier suppliers to ensure that the subtier supplier understand requirements.

Additional focus on three critical areas will help an organization mitigate the potential risk for Non-conforming Product being received from a subtier. They include: Requirements Flow down- Requirements are understood and flowed down to the appropriate levels of the supply chain, including critical subtier suppliersSupplier Selection- Suppliers must have the right capability and capacity to understand and perform the work and/or manage their subtiers (tier 2, 3,4) to do soVerification of Purchased Product- Organization must perform regular oversight of their suppliers to verify requirements are being meet, including a review of the Suppliers subtier control processRegistration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011Auditor ResourcesSupply Chain Management Handbook

Chapter 2 Contracts Reqmts FlowdownChapter 8 Supplier Quality

ISO 9001 Auditing Practices Group

Auditing the Procurement and Supply Chain Processes

Customer Web sites

Boeing - Doing Business

SCMH

9001Practices

BoeingDoing Business

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011SummaryUpfront planning is key to success

Focus on the process

Use results data to drive your audit trail

Understand customer flow down expectations

Add value to the organization by conducting an effective subtier supplier control audit

Continue the Learning Journey use the resources

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011

Good Luck!

May The Force be with you..

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 2011

Good Luck!

May The Force be with you..

Registration Management Committee (RMC)Registration Management Committee (RMC)Boston, MAJuly 21-22, 20117.4 Purchasing

9100 Change & Rationale7

7.1.4 Control of Work Transfers

"Work Transfer" clause moved from 7.5.1.4. The rationale is that "Work Transfer"

can occur at anytime during product realization. These requirements, originally

included as clause 7.5.1.4, have been significantly expanded to-

apply to transfers throughout the whole lifecycle (not just for Production)

require that the work transfer process includes the planning of proposed moves

cover permanent (as well as temporary) transfers include moves from one supplier to

another and moves from one of the organizations facilities to another.7.4 Purchasing

7.4.1 Purchasing Process

The clause has been reworded to simplify and clarify the originally intended wording no additional requirements have been included. "Quality" changed to "conformity" in alignment with ISO text (ref. 6.2.1, 6.2.2)

The new note emphasizes that the organization should obtain and use as much reliable

supplier quality (e.g. audit, OASIS, on time/on quality) data as possible when making a

selection decision and provides a number of examples where this data might be found.

The last sentence points out that accountability for supplier remains the responsibility

of the organization, independent of where this performance data was obtained.

Added requirements that outline the conditions for using a supplier depends on its

approval status, the results of supplier performance reviews are to be used to establish

supplier controls and risk management will be utilized in determining and selecting

suppliers.

a) Clause 7.4.1 a) now requires inclusion of supplier status in the supplier register,

examples of supplier scope are also provided.

b) The new text of clause b) improves the wording of the previous version to state that it

is the results of the review (rather than the records) that are used to establish the level

of controls to be used.

e) This revised clause requires the organization to treat supplier approval as a defined

(but not necessarily documented) process and to define the responsibilities and

authorities for each activity in that process.

f) Clause f) provides a link to the new clause 7.1.2- addressing risk when selecting and

using suppliers..4.2 Purchasing Information7.4.2 Purchasing Informationd) editorial change only the identification and revision status replaces the name

or other positive identification, and applicable issues of also inspection now is

inspection/ verification to recognize the difference between the 2 terms (See ISO

9000:2005) and that both can apply to this paragraph the intent of d remains the

same: to clearly identify the flow-down data in the purchasing info.

e) Paragraph scope (not intent) has been expanded slightly to specifically recognize

statistical techniques for product acceptance and requirements for critical items

including key characteristics as part of the product/acceptance requirements that need

to be flowed on the purchasing documents (if they exist) for the product being

procured.

f) inspection now is inspection/ verification to recognize the difference between

the 2 terms (See ISO 9000:2005) and that both terms can apply to this paragraph the

intent of f remains unchanged.

g) was significantly revised editorially to make it easier to understand and incorporate

former paragraphs h and j under the requirements for the supplier to act under

certain circumstances (i.e. if parts are nonconforming, if certain changes occur, and

when mandated to flow requirements down to sub-tiers ). Material change to this

paragraph is the addition of change of suppliers, and change of manufacturing

facility location to the list of notification required in the purchasing information if the

organization deems it appropriate per 7.4.2 lead paragraph.

h) This is an added requirement to prescribe in the purchasing documentation supplier

records retention requirements. This addition is complementary (and the execution

portion) to paragraph 4.2.4 requirement that the required records procedure define

the method for controlling records that are created by and/or retained by suppliers.

Presumably, once described per 4.2.4, the organization will need to notify the supplier

of those requirements in the purchasing documentation (this paragraph) for their

execution.

i) Clarification revision that the right of access only applies to the applicable areas

where the product is realized and to all the applicable records (not necessarily the

records storage areas or other areas of a facility not germane to product realization).

At any level of the supply chain replaces involved in the order for clarification.

7.4.3 Verification of Purchased ProductThe subject has been changed from a requirement to a Note because the need for

customer verification would be a contractual requirement and additional to those

requirements contained in 9100.

Changed to a guidance note. No shall statement existed, so a note is more appropriate.

"Quality" changed to "conformity" in alignment with ISO text (ref. 6.2.1, 6.2.2). Test

reports changed to test records to provide flexibility for the stakeholders.

The clause has been significantly reworded adding text that is more specific and

proactive. Requirements have been added to identify and record product issued

pending completion of verification to allow recall and replacement. This replaces

positive recall.

Deleted the requirement to validate supplier test reports. Test reports are a tool and

prescriptive, suggesting a "how to" and are not applicable to all stakeholders and for

all types of products. Often misinterpreted. An item for consideration in risk

management.

Deleted contractual language. Covered in clause 4.1.

Subtier Control Presentation

Documents

Transcript of Subtier Control Presentation