Company Confidential Registration Management Committee 1 Auditing the Implementation of Counterfeit Electronic Parts Control Plan Requirements Bill Zint, Program Manager Honeywell Inspection & Audit (HIA) Daryl Keppler HIA Quality Engineer July 19, 2012 RMC Workshop Minneapolis, MN 19 – 20 July 2012

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 2 Introduction The requirements for mitigating Counterfeit Parts (CP) threats to an organization’s product line are clearly delineated in AS5553*. Counterfeit Electronic Parts (CEP) Control Plans are “Risk Based.” –Per AS5553 (Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition): “The organization shall develop and implement a CEP Control Plan that documents its processes used for risk mitigation, disposition, and reporting of counterfeit parts.” AS5553 requirements are tailored to achieve a level of acceptable risk that balances likelihood, consequence and cost. Auditors need to understand that the acceptable level of risk can vary widely within an company, product line and components. *AS5553 accreditation rules currently being written

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 3 Approach For purposes of this briefing, the following will be discussed: –basic requirements contained in AS5553 –some of the verifications that need to be addressed during the audit –some audit considerations based on the level of tailoring that is described in the organization’s CEP Control Plan. Additional information is found in the Notes section on some of the slides

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 4 Audit Areas for CEP Control Plan CEP Control Plan documents an organization’s processes that address: –Parts Availability –Purchasing –Purchasing Information –Verification of Purchased Product –In Process Investigation –Material Control –Reporting

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 5 Parts Availability Requirement: –The CEP Control Plan addresses processes that ensure availability of authentic parts throughout the product’s life cycle Verification: –Are new and existing parts management/procurement addressed in control plan? –Are obsolescence management processes implemented? –Are these processes periodically reviewed/revised? Audit considerations: –Have all parts been reviewed for life cycle availability? –Have alternate procurement options been established for Diminishing Manufacturing Sources and Material Shortages (DMSMS)?

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 6 Purchasing Requirement: –Electronic parts should be purchased, whenever possible, directly from OCMs or from authorized suppliers. Verification: –Controlled process to assess risk of receiving CP from all suppliers –Current controlled list of approved suppliers based on risk –Flow down of requirements to all tiers of suppliers –Risk mitigation plan for procuring parts from other than OCMs –Documented traceability of all parts Audit considerations: –Are audit schedules for suppliers periodically reviewed and adjusted based on supplier part source procurement risk? –Ensure suppliers QMS contain documented processes to prevent CP from entering the supply chain

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 7 Purchasing Information Requirement –Procurement contract language should include requirements which will help ensure that conforming, authentic materials are received Verification –Implementation of risk-based approach for buying parts from suppliers »Documented evidence of supplier’s procurement, quality processes and part heritage »Supplier’s compliance with buyer’s imposed procurement quality requirements and clauses Audit considerations: –Have appropriate levels of risk mitigation been used on parts without complete product traceability? –Is supplier’s deliverable data meeting contractual requirements for delivered parts?

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 8 Verification of Purchased Product Requirement –Documented processes shall assure detection of counterfeit parts prior to formal product acceptance Verification –Implementation of risk-based approach for test and inspection of parts based on part heritage and sources of supply –Documented results of risk-based parts testing Audit considerations: –Risk based approach defines extent of testing required for product acceptance –Appropriate/approved levels of testing used for all parts –Control plan and contract clauses should be reviewed prior to audit for part testing requirements

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 9 In Process Investigation Requirement –Documented processes for detection, verification, and control of in-process and in-service suspected counterfeit parts Verification –Implementation of CP processes for: »Detection of suspected counterfeit or nonconforming parts »Verification of counterfeit or nonconforming parts »Segregating suspected CP during confirmation testing

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 10 In Process Investigation (Cont.) Audit considerations: –If CP or nonconforming parts have entered the supply chain: »Review results of buyer/seller investigation »Verify seller has implemented recommended corrective action(s) –Have Approved Vendor/Buyers Lists been re- evaluated? »Have resulting recommendations been implemented?

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 11 Requirement –Documented process for ensuring nonconforming and CP do not re-enter supply chain under fraudulent circumstances Verification –Adherence to material control plan for nonconforming, suspected and confirmed CP –Implementation of internal disposition process »Quarantine procedures »Proper handling of nonconforming parts designated as scrap or surplus parts Material Control

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 12 Audit considerations: »For nonconforming parts: Review scrap, surplus and return product processes »For suspected and/or confirmed CP: Ensure these parts are properly segregated until disposition has been approved Is access controlled? Has any additional testing been performed on the suspected parts—if so, has it been properly documented? Material Control (Cont.)

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 13 Reporting Requirement –Timely notification to customers, government- reporting organizations (e.g., GIDEP), industry- supported organizations (e.g., ERAI), and law enforcement authorities for suspected and confirmed CP Verification –Implementation of reporting process that identifies: »Part information »Affected part or material »Description of failure/how identified as counterfeit »Identification of provider

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 14 Reporting (Cont.) Audit considerations: –Reporting of suspected/confirmed CP is per the control plan and contractual requirements : »If procedures for reporting are required by control plan and/or contract, are they being followed? »Verify reports have been submitted in a timely fashion, received and accepted by designated agency (e.g., GIDEP, ERAI, Law Enforcement)

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 15 Conclusion CP processes are risk-based, auditors should expect considerable variability within organizations and product lines CEP Control Plans may remain constant throughout the product life cycle but successful implementation of the plan will require evolving processes based on the changing CP threats Auditors will need to review the CEP Control Plan and all contractual documents prior to each audit—adjust auditing requirements accordingly

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 16 Conclusion (Cont.) Preparation time for audits will increase to ensure the risk-based requirements of each CEP Control Plan are properly incorporated into the audit plan In addition to auditing requirements, auditors should be looking for opportunities that can reduce the CP risk and can be evaluated for cost effective implementation

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 17 About the Author Daryl Keppler is a Senior Consultant currently working as a part time Quality Engineer in Honeywell’s Inspection & Audit (HIA) services business within Honeywell Technology Services, Inc. He has over 42 years experience in various engineering activities including: –30 years in USAF/USMC performing duties as: an Acquisition Inspector; Detachment Commander; Director of Engineering; Lead Systems/Design Engineer on Military, Agency and National command centers; and a Radio Telegrapher during a combat tour in Vietnam. –12 years as a Senior Consultant in the Aerospace Industry performing: Process assessments for DOD, DoE, NASA and commercial aerospace companies; Probabilistic Risk Assessments on Nuclear Safety studies for the DOD/DoE and two space shuttle return-to-flight issues; Failure Modes and Effects Analyses for the Missile Defense Agency and NASA manned space vehicles; and RMA assessments for NASA and DOD National Assets Daryl has Defense Acquisition Workforce Level III certifications in Program Management; Systems Planning, Research, Development and Engineering; and OT&E. He has a BS Degree in Applied Science and Engineering, an MSEE, and is a graduate of the Air War College. address:

RMC Workshop Minneapolis, MN 19 – 20 July 2012 Registration Management Committee 18 About the Presenter Bill Zint is Program Manager for Honeywell’s Inspection & Audit (HIA) services business within Honeywell Technology Services, Inc., part of Honeywell Aerospace. HIA does –Process/Product Audits (at customer or customer’s suppliers) –Quality System Administration (e.g., Approved Supplier List management), System Setup –Source Inspection, First/Last Article Inspection (including preparation or evaluation of AS9102 forms, audits, Net Inspect training/implementation) –Supplier Process Controls: Establishing/Monitoring/Improving and Hardware Tracking/Expediting –Counterfeit-Part Process/Procedure Review, Test-Lab/Distributor Audits, Detection Training, Inventory Risk Assessment –IPC-610/620 Training Bill has held various leadership and technical positions in Engineering, Supply Management, Customer & Product Support, and Quality during his 25 years at Honeywell. Bill is a Honeywell-certified Six Sigma Black Belt, and achieved certifications as American Society for Quality (ASQ) Manager of Quality and Competent Toastmaster. Bill earned his Bachelor of Science Degree in Electrical Engineering from the University of Arizona, and his Master of Business Administration Degree from the University of Phoenix. address: