Industry Expectations for Distributors Aaron Gemeny Boeing Supplier Quality Representative IAQG OP Assessor July 22, 2016

AS9120 Intended Application Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: This standard is intended for use by organizations that procure parts, materials, and assemblies and resell these products This standard is not intended for organizations that maintain or repair products, or for organizations that perform work that affect or could affect product characteristics or conformity. The boundaries are clear The expectation is that Distributors work within the boundaries of the Standard

AS9120 Intended Application Examples of work that falls outside the boundaries Manufacturing or processing of any sort Direction to a supplier regarding methods to machine, process, or manufacture Actual examples of AS9120 scope statement that appear to be beyond applicability of the Standard ...with associated value add processes ...distributor and provider of added services for aerospace materials ...and subsequent processing as required

Customer Focus Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: customer and applicable statutory and regulatory requirements are determined, understood, and consistently met Robust Contract Review Competence in the subject Access to requirements and specifications Verification of product supplied to customers

Customer Focus Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed; Risk identification Visibility into the supply chain GIDEP alerts Risk mitigation Action plans and follow up

Customer Focus Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: the focus on enhancing customer satisfaction is maintained; product and service conformity and on-time delivery performance are measured and appropriate action is taken if planned results are not, or will not be, achieved. Review of customer scorecards during Management Review Communication of performance to customer requirements throughout the organization Robust Improvement plans

Competence The organization shall: determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system; Understand the needs of your business Evaluate each process and its requirements and interactions

Competence The organization shall: ensure that these persons are competent on the basis of appropriate education, training, or experience; where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken Assure that personnel have the skills to effectively do the job Continually evaluate and assure skills are keeping pace with Industry!

Prevention of Counterfeit Parts The organization shall plan, implement, and control processes, appropriate to the organization and the product, for the prevention of counterfeit or suspect counterfeit part use and their inclusion in product(s) delivered to the customer. Counterfeit Parts are considered a significant risk in the Industry Additional requirements flow down could include AS5553 Fraudulent/Counterfeit Parts; Avoidance, Detection, Mitigation, and Disposition AS9120 includes a note on risks that the organization’s counterfeit prevention process “should” consider

Prevention of Counterfeit Parts NOTE: Counterfeit part prevention processes should consider: training of appropriate persons in the awareness and prevention of counterfeit parts; application of a parts obsolescence monitoring program; controls for acquiring externally provided product from original or authorized manufacturers, authorized distributors, or other approved sources; requirements for assuring traceability of parts and components to their original or authorized manufacturers; verification and test methodologies to detect counterfeit parts; monitoring of counterfeit parts reporting from external sources; quarantine and reporting of suspect or detected counterfeit parts.

Prevention of Suspected Unapproved Parts The organization shall plan, implement, and control a process appropriate to the organization and the product that identifies and prevents the release of unapproved and suspected unapproved parts. Counterfeit Part An unauthorized copy, imitation, substitute, or modified part (e.g., material, part, component), which is knowingly misrepresented as a specified genuine part of an original or authorized manufacturer. Unapproved Part A part that was not produced or maintained in accordance with approved or acceptable data and applicable statutory, regulatory, and customer requirements.

Prevention of Suspected Unapproved Parts Suspected unapproved parts prevention processes should consider: training of appropriate persons in the awareness and identification of suspected unapproved parts; requirements for assuring traceability of parts and components to an authorized source; inspection processes to detect suspected unapproved parts; monitoring of suspected unapproved parts reporting from external sources; quarantine and reporting of suspected unapproved parts in accordance with applicable requirements from the competent authority or customers, as required. Auditors are expected to follow the audit trails regarding the traceability of parts to an authorized source Review training program for prevention of suspected unapproved parts to assure compliance

Review of the Requirements for Products and Services The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to the customer, to include: requirements specified by the customer, including the requirements for delivery and post-delivery activities; statutory and regulatory requirements applicable to the products and services; This review shall be coordinated with applicable functions of the organization. Robust Contract Review Competence in the subject Access to requirements and specifications

Review of the Requirements for Products and Services The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to the customer, to include: Example of NCR issued to CB CB Client (Distributor - ACME Chemicals) is not reviewing qualified products lists (QPLs) when issuing purchase contracts to its suppliers. The Client is relying on its suppliers to review the QPL and be listed on the QPL without verification by the Client. The CB auditor followed the audit trail; however, did not issue a NCR. The lack of QPL review during the purchasing processes is a nonconformance related to the requirements of AS9120A clause 7.2.2 Review of Requirements related to the Product and 7.4.3 Verification of Purchased Product

Control of Externally Provided Processes, Products, and Services The organization shall ensure that externally provided processes, products, and services conform to requirements. The organization shall be responsible for the conformity of all externally provided processes, products, and services, including from sources defined by the customer. The organization shall identify and manage the risks associated with the external provision of processes, products, and services, as well as the selection and use of external providers. The Distributor is responsible for the products procured and provided to its customer The Distributor is expected to identify and mitigate risks

Control of Externally Provided Processes, Products, and Services The organization shall maintain a register of its external providers that includes approval status (e.g., approved, conditional, disapproved) and the scope of the approval (e.g., product type, process family, authorized approval to distribute); periodically review external provider performance including process, product and service conformity, and on-time delivery performance; Identifying and evaluating risk define the necessary actions to take when dealing with external providers that do not meet requirements; Risk mitigation by taking action to improve the performance of its supply base

Type and Extent of Control take into consideration: the potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements; the effectiveness of the controls applied by the external provider; the results of the periodic review of external provider performance Recurring theme of identifying risk and taking action to mitigate risk

Type and Extent of Control Verification activities of externally provided processes, products, and services shall be performed according to the risks identified by the organization. These shall include inspection or periodic testing, as applicable, when there is high risk of nonconformities including counterfeit parts. the expectation is that is more than a review of the Certificate of Conformance the standard requires inspection or testing to mitigate any identified high risks Distributor verification activities should be appropriate to the product and product risk. Remember, the distributor is responsible for compliance to the contract. Ask the Distributor how their organization identifies a high risk The Distributor should be able to provide evidence of inspection or testing to mitigate high risks

Information for External Providers The organization shall ensure the adequacy of requirements prior to their communication to the external provider. The organization shall communicate to external providers its requirements for: the processes, products, and services to be provided including the identification of relevant technical data (e.g., specifications, drawings, process requirements, work instructions); the need to: use customer-designated or approved external providers, including process sources (e.g., special processes); notify the organization of nonconforming processes, products, or services and obtain approval for their disposition; prevent the use of suspected unapproved, unapproved, and counterfeit parts the expectation is that QPL requirements are flowed to sub-tiers Notification of nonconformances are communicated up through the supply chain including NoEs for delivered product

Guidance provided by the IAQG Questions relating to specific clauses in the standard Does 9120 allow for a distributor to contract/outsource the manufacturing of product to an external provider? When a distributor takes on selection of a manufacturing source or outsources the manufacturing themselves, they have taken on control of the manufacturing process, and as such, are inherently adding value – this is outside of the scope of 9120. Distributors may coordinate regulatory controlled processes (e.g.  repair/overhaul from regulatory- approved repair stations), or may coordinate customer-designated processes from approved sources (e.g. special processes) – this is within the scope of 9120. What constitutes ‘splitting’ within the context of 9120:2016? (3.7) 9120:2016 defines splitting as “The division of product either physically or by batch quantity, without affecting the product characteristics or conformity.”  The issue that comes up often is the word “physically” which draws some question about what limits of work may be performed on a product which is why the qualifier was added that product conformity or characteristics were not to be affected during any splitting operations.  The terms of doing “kitting” or the process of taking large batches of products and breaking them down into smaller shipping quantities is the traditional role of a Distributor. In practical terms there is an example of a raw material provider that may have large lengths or bar or sheet or tube of materials from a mill; or a provider of liquids or adhesives that are delivered in large containers; or of wire where the manufacturer provides large spools of product.  Customers may desire smaller quantities than what is on hand, so the Distributor may ‘cut, saw or other method (but not a special process)’ to divide the product into smaller units which will not affect the material’s conformity or product characteristics.

Guidance provided by the IAQG Questions relating to specific clauses in the standard Is Design and Development “applicable” to Distributors in 9120:2016? (8.3) ISO 9001:2015 has changed so that it would be inclusive of service oriented organizations.  Since Distributors could be a “service provider” beyond just the providing of products to customers, it may be appropriate for an organization to include this clause (see question 15 above).  Distributors may have services that they “design and develop” for customers, hence the expectation would be evidence of compliance from the aspect of the distributor’s delivery of that service. This can be dependent on the size and type of services a distributor provides. The applicability of 8.3 is dependent on the complexity of the services a distributor provides to the customer. Refer to ISO 9001: 2015 Annex A.5. What is meant by the “consequences of obsolescence” (8.5.1)? For the purpose of this of the Standard, "consequences of obsolescence” requires the distributor to consider the obsolescence of their inventory (e.g. shelf-life expired product, one-way interchangeable part numbers, product revision/configuration levels, beyond cure-date limits for packaging materials) and the consequences these scenarios could have if unintended use or sale occurs. For example, a means of demonstrating control of obsolescence includes; maintaining batch/lot control, labeling protocols, shelf-life control processes, inventory cycle-audit processes. What does product safety mean in the 9120 standard (3.6)? Product safety is defined in 9120 section 3 as: “Maintaining the state of product so that it is able to perform to its designed or intended purpose without causing unacceptable risk of harm to persons or damage to property.” Product safety is included in the following clauses: 7.3 (awareness), 8.1 (operational planning and control), 8.4.3 (information for external providers).  Each of these clauses speaks to the organizational responsibility to ensure employee awareness of maintaining the product in a condition so as not to affect adverse harm to persons using the product and any potential harm that could occur during the product’s use.  (e.g. ESD, FOD, shelf-life controls, storage and handling conditions).

Summary of Expectations Follow the audit trails Assure that the boundaries of the AS9120 certification are respected Keep customer focus in mind Review of customer scorecards / metrics Verification of product supplied to customers The Distributor must conduct a thorough Review of Requirements Robust contract review Access to requirements and specifications Assure that distributor personnel have the required competency in their field

Summary of Expectations Focus on Prevention of Counterfeit Parts The Distributor is expected to identify and mitigate risks in their supply chain Ask the Distributor how their organization identifies a high risk They should be able to provide evidence of inspection or testing to mitigate high risks QPL requirements need to be flowed to sub-tier suppliers No soft grading Follow the guidance provided by the IAQG

Where to go to get additional Information IAQG - http://www.sae.org/iaqg/ AAQG - http://www.sae.org/aaqg/ SCMH - http://www.sae.org/iaqg/ FAQ - http://www.sae.org/iaqg/organization/9120.htm Sector Document Representative - http://www.sae.org/iaqg/organization/9120.htm