Company Confidential Registration Management Committee (RMC) Effective Auditing of Purchasing & Subtier Supplier Control Processes Boston, MA July , 2011 Tim Lee, BCA Supplier Quality Manager & IAQG OPMT Chairman Sidney Vianna, DNV Business Assurance & AAQG Secretary 1 Auditor Workshop Boston, MA July 21-22, 2011

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Voice of the Customer George Buswell, Director BCA Supplier Quality Regional Operations Why the added focus on Subtier Supplier Control? Observations Expectations

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Why the added focus on Subtier Supplier Control? Boeing’s business model High Level Systems Integrator Deeper Supply Chain More complicated incoming product Higher percentage of defects attributable to subtier suppliers

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Observations – What I have seen Failure to understand contract requirements Ineffective incoming inspections Poor execution of FAI Unwarranted delegation of inspection authority

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Expectations – CB Oversight Be above reproach in complying with requirements Focus on effectiveness - Take it personally - Go the extra mile

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 AS9100 Rev C Criteria Control of Records - The documented procedure shall define the method for controlling records that are created by and/or retained by suppliers Risk Management - The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product Control of Work Transfers - The organization shall establish, implement and maintain a process to plan and control the temporary or permanent transfer of work (e.g., from one organization facility to another, from the organization to a supplier, from one supplier to another supplier) and to verify the conformity of the work to requirements Purchasing Process - The organization shall ensure that purchased product conforms to specified purchase requirements. The organization shall be responsible for the conformity of all products purchased from suppliers, including product from sources defined by the customer. The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization's requirements. Criteria for selection, evaluation and re- evaluation shall be established Purchasing Information - Purchasing information shall describe the product to be purchased, including, where appropriate………… Verification of Purchased Product - The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 AS9101 Rev D Audit Requirements 0.2 Auditing Approach - When evaluating an organization’s quality management system, there are basic questions that should be asked of every process, for example: Is the process identified and appropriately defined? Are responsibilities assigned? Are the processes implemented and maintained? Is the process effective in achieving the desired results? Special Processes - b) Monitoring, Measurement, and Control of Special Processes - For outsourced special processes, the audit team shall verify that the organization’s supplier control process addresses these items accordingly. In addition, the audit team shall review the use of customer-designated sources, as required Identifying and Recording of Audit Findings - The audit team shall record detailed objective evidence (e.g., reviewed procedures, shop orders, training records, products, verification records). The objective evidence shall be recorded on a standardized form [i.e., OER (see Appendix A)] or on the CB’s own documentation. In this case, the CB document shall meet the intent of the OER. The results of effectiveness shall be recorded on the PEAR (see Appendix C) for each audited product realization process. Appendix A - Objective Evidence Record (OER) 7.4 Purchasing - Questions 219 through 250 Additional Information 9100 Support

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 “Focus on the Process” If you audit subtier supplier control processes independently there is a risk of overlooking the interrelationships. Audit results may not add value. Examples of Control of Purchasing Processes Project Planning Risk Analysis Supplier Selection Purchasing Supplier Quality Surveillance & Performance Purchased Product Inspection Records Management Supplier Customer

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 “Focus on the Process” If you audit subtier supplier control processes independently there is a risk of overlooking the interrelationships. Audit results may not add value. Examples of Control of Purchasing Processes Project Planning Risk Analysis Supplier Selection Purchasing Supplier Quality Surveillance & Performance Purchased Product Inspection Records Management Supplier Customer

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 “Focus on the Process” Focus on auditing using a “Process approach” and the “hand offs” Examples of Interrelationships - Control of Purchasing Processes Project Planning Risk Analysis Supplier Selection Purchasing Supplier Quality Purchased Product Inspection Records Management Project Planning Risk Analysis Supplier

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 “Focus on the Process” If you audit subtier supplier control processes independently there is a risk of overlooking the interrelationships. Audit results may not add value. Examples of Control of Purchasing Processes Project Planning Risk Analysis Supplier Selection Purchasing Supplier Quality Surveillance & Performance Purchased Product Inspection Records Management Supplier Buy DecisionsProduct InfoResults All Processes interact and process performance is dependent on effective “handoffs” Customer Audit Trail

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Planning for an “Effective” subtier supplier control audit Sidney Vianna, DNV Business Assurance & AAQG Secretary Audit Planning: Provide guidance on planning an effective subtier supplier control audit Audit Conduct: Establish audit trails, Know what to look for, focus on customer unique requirements, use lessons learned

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Planning for an “Effective” subtier supplier control audit Audit Planning An effective audit requires upfront planning prior to conduct. You must have an understanding of the client’s processes How much product is purchased? Raw material, COTS or complete end item Inspection and Verification methods How does supplier performance drive decisions

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Audit Planning Do not forget the value stream approach to effective auditing: INPUT Customer who has a need OUTPUT Customer who has a need met Input Step 1 Step 2 Step 3 Step “N” Output

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Audit Planning Other methods may apply: Strategy Risk analysis Planning the activities Decisions Review information Improvement Reporting Collect and analyse data Operations and recording Top management Process owners Policy Objectives Resources Participants V cycle approach to auditing Top management Process owners Participants

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Planning for an Effective Audit Focus on the parts of the purchasing processes that relate to subtier control For example, OASIS feedback loops, customer requirements, key characteristics management, critical items, outsourced processes, work transfers, notification of changes, reporting of nonconformities, doc control transmittal to subtier suppliers, etc… Obtain process approach information and use this when planning the audit and establishment of audit trails

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 OASIS feedback loops From AS9101D

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Understand Subtier Control Requirements “…flow down to the supply chain the applicable requirements including customer requirements,”

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Remember: For the subtier supplier to be able to perform adequate 7.2, the organization must perform 7.4 well… In other words, without adequate purchasing information by a customer, contract and product requirements review will suffer…

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Customer requirements It starts at contract review The organization must perform effective contract review, including special attention to Customer Specific Requirements, as it relates to subtier control. As a CB auditor, you must verify that “flown down-able” requirements are identified and the interface between review of requirements and purchasing is effective.

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Customer requirements (sub-tier)

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Customer requirements (sub-tier)

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Customer requirements (sub-tier)

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Key characteristics & Critical Items

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Review of Supplier Performance Are levels of control, e.g., increased incoming inspection, supplier audit, source inspection, etc. based on the periodic review of supplier performance? Is data on supplier performance available? (AS9100C 8.4.d) Is Risk being considered when selecting and using suppliers? (AS9100C f)

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Notification of NC’s AS9131 might be invoked Customers may have specific reporting requirements

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Notices of change notify the organization of changes in product and/or process, changes of suppliers, changes of manufacturing facility location and, where required, obtain organization approval First Article Inspection FAI AS9102 Requirement

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Outsourced processes The organization has to demonstrate that it exercises sufficient control to ensure that this process is performed according to the relevant requirements of AS9100, and any other requirements of the organization’s quality management system. The nature of this control will depend on the importance of the outsourced process, the risk involved, and the competence of the supplier to meet the process requirements. Based on the nature of the control, it should consider the processes referred to quality management system for management activities, provision of resources, product realization and measurement, analysis and improvement. Control MUST go beyond stipulation of requirements in a P.O. The outsourced organization does not necessarily have to have a certified Quality Management System, but it has to demonstrate the capability of the previously mentioned processes.

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Outsourced processes Remember that outsourced processes go beyond manufacturing processes and can include design development, verification and validation testing, prototyping, software development, warehousing and distribution, packaging (crating), etc… Flowdown of requirements is CRITICAL. Special processes must be validated and revalidated as necessary.

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Work transfers Work transfers also present a challenge related to subtier supplier control. Especially because, many times, the transfer is done to a sister plant (within the same organization). AS9100C The organization shall establish, implement and maintain a process to plan and control the temporary or permanent transfer of work (e.g., from one organization facility to another, from the organization to a supplier, from one supplier to another supplier) and to verify the conformity of the work to requirements. AS g) notify the organization of changes in product and/or process, changes of suppliers, changes of manufacturing facility location and, where required, obtain organization approval

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Planning for an Effective Audit The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on the subsequent product realization or the final product. Criteria for selection, evaluation and re-evaluation shall be established.

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Reflection – What have we learned That’s right it’s time for a:

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Quiz As you audit an organization’s supplier evaluation process, you notice that the only type of oversight they do onto their suppliers is an annual, one-page, self-directed survey, with basic questions about their QC program. Some of the products this organization buys contain Critical Items. Is this method of subtier supplier control adequate?

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Quiz Organization XYZ (a build to print shop) accepted a contract from an AAQG Member Company to manufacture a Pulley Bracket Assembly that also included a casting detail part. Since the organization did not have capability to produce castings, they planned to purchase this detail part. The source selection team decided to use a local casting supplier they have used in the past for their John Deere tractor contracts. “They have an excellent quality rating!” Note: The casting required NDT (Penetrant Inspection and Radiographic Inspection) prior to part acceptance. Can a commercial subtier supplier be used to fabricate this product? Why or Why not? Any concerns? What flowdown requirements would you expect to see in the contract to this subtier?

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Quiz Client Acme Tool and Die has accepted a contract from an AAQG Member Company to manufacture a chrome plated shaft part. The member company has included an AS9102 FAI requirement in the contract. Since the organization did not have capability to chrome plate the part, they planned to use an approved plating source and perform the FAI inspection activity after receipt of the part from the subtier. What flowdown requirements would you expect to see in the contract to this subtier? Any issues with the FAI being completed after processing?

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Quiz Upon review of ABC’s management review records the CB auditor noted that they had completed an improvement project in their Receiving Inspection Department. The problem statement related to improvement of flow time and assuring timely delivery of purchased product to the shop floor. When asked about performance, the QA Manager stated: “We hired a sharp QE that helped us implement statistical sampling inspection strategy and a new supplier delegation program”. “We implemented these two changes and we reduced our bottlenecks by 95%” “The product doesn’t sit in a box on the dock, it goes straight to the shop floor” Do these methods conform to AS9100? What are some of the audit trails you would follow to verify conformance?

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Lessons Learned Change is constant and this includes Client’s purchasing activities and changes at their subtier suppliers Outsourcing due to Cost Pressures increase risk (Use of Foreign Sources) Quality representatives may not be actively involved in the purchase contract process, therefore adequate quality requirements may not be flowed to suppliers. The organization’s supplier quality team may not be conducting contract reviews with their subtier suppliers to ensure that the subtier supplier understand requirements. Additional focus on three critical areas will help an organization mitigate the potential risk for Non-conforming Product being received from a subtier. They include: Requirements Flow down- Requirements are understood and flowed down to the appropriate levels of the supply chain, including critical subtier suppliers Supplier Selection- Suppliers must have the right capability and capacity to understand and perform the work and/or manage their subtiers (tier 2, 3,4) to do so Verification of Purchased Product- Organization must perform regular oversight of their suppliers to verify requirements are being meet, including a review of the Supplier’s subtier control process

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Auditor Resources Supply Chain Management Handbook Chapter 2 Contracts Reqmts Flowdown Chapter 8 Supplier Quality ISO 9001 Auditing Practices Group Auditing the Procurement and Supply Chain Processes Customer Web sites Boeing - Doing Business SCMH 9001 Practices Boeing Doing Business

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Summary Upfront planning is key to success Focus on the “process” Use results data to drive your audit trail Understand customer flow down expectations Add value to the organization by conducting an effective subtier supplier control audit Continue the “Learning Journey” use the resources

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Good Luck! May “The Force” be with you…..

Registration Management Committee (RMC) Boston, MA July 21-22, 2011 Good Luck! May “The Force” be with you…..