international aerospace quality group · stems skills shortage 5. export compliance 6. cyber...
TRANSCRIPT
© Verify, Inc. 2013
International Aerospace Quality Group
Performance Excellence Marketplace – Workshop
Challenges Facing the Global Supply Chain – What’s New?
Montreal, Canada
October 10, 2013
Sarah Willis
Director,
Global Marketing
Alan McIntosh
Company President
James Simmons
Director,
Business Technology
© Verify, Inc. 2013
Top 7: Supply Chain Challenges – IAQG picks the topics…. 2
1. Sequestration / Defense Spending Uncertainty
2. Supplier Capability to respond to Customer Flow Down
Requirements (PPAP etc.)
3. Supplier Capacity – Delivering Quality Product On-Time
4. STEMS Skills Shortage
5. Export Compliance
6. Cyber Security and Information Assurance
7. Counterfeit Parts
© Verify, Inc. 2013
Verify - Snapshot 3
Founded in 1976 – Supporting the IAQG since 2002 (Committee / PEM)
Privately Held – Debt Free
Headquartered in Irvine, California, United States
Global Office Locations
Supplier Performance Management Company
Specialize in Aerospace and Defense
Currently Operate in 43 Countries and over 6,000 Supplier Locations
A&D Field Resource Team > 2,000 Professionals
GLOBAL VISION: – a world where quality product
is always delivered on-time
© Verify, Inc. 2013
Where does Verify fit in the customer product lifecycle?
AftermarketProduct Design / Development Manufacturing / Production
Requirements Design ValidationSystems
Integration
Final Product
Delivery MRO
Sourcing
Manufacturing
Technical Resources
Engineering Support
Supplier Performance
Management
© Verify, Inc. 2013
Expanding our Supplier Performance Management Lifecycle
AftermarketProduct Design / Development Manufacturing / Production
Requirements Design ValidationSystems
Integration
Final Product
Delivery MRO
Sourcing
Manufacturing
SPM Lifecycle Elements
1. Identification,
Selection & Qualification
2. Requirements Flow
Down
3. Qualification & Pre-
Production Planning
4. Verification /
Validation
5. Surveillance &
Performance Monitoring
6. Performance
Improvement
Quality Assurance
Delivery Assurance
© Verify, Inc. 2013
QA
Systems Audit / Survey
Process Audit / Survey
Risk Assessment
DA
Capability Assessment
Capacity Assessment
QA
Quality Engineering
Corrective Action Management
DA
Project Management
Recovery / Improvement Plan
QA
Defective Parts Per Million (DPPM)
Corrective Action Management
Audits and Assessments
DA
On Time Delivery (OTD)
Alignment
QA
Procurement Specs & Drawings
Quality Notes / Clauses
DA
Part #, Qty, dates, etc.
QA
FAI
Product Audit
Production Part Approval Process
DA
Part Capability Assessment
Part Capacity Assessment
QA
Inspection
Delegation
DA
Delivery Status
WIP Status
Responsibilities for each SPM Lifecycle Element 6
1. Identification,
Selection &
Qualification
2. Requirements Flow
Down
3. Qualification & Pre-
Production Planning
4. Verification /
Validation
5. Surveillance &
Performance
Monitoring
6. Performance
Improvement
Quality Assurance
Delivery Assurance
SPM
Supplemental Resources >>>>>>> Fully Outsourced Managed Service
© Verify, Inc. 2013
TIER 1 SUPPLIERS
Supply Chain – Verify’s Unique Perspective
USA
Fwd FuselageUSA
Wheels / Brakes Italy
Center Fuselage
USA
Avionics S. Korea
Aft FuselageJapan
Wings
France
In-Flight Entertainment
Italy
Tail Fin
UK
Engines
TIER 2 SUPPLIERS
TIER 3 SUPPLIERS
Windows DoorsNose
Airframe Fasteners
Valves Turbines
Hydraulics Skin FrameSkin
Flap
7
1. Identification and Qualification
2. Requirements Flow Down
3. Qualification / Pre-Production Planning
4. Verification and Validation
5. Surveillance / Performance Monitoring
6. Performance Improvement
© Verify, Inc. 2013
Supply Chain Challenges – OEM / Tier-1 Perspective 8
Total Completed Surveys: 66Weighted
Score
1 Supplier Capacity: Delivering Quality Product On-Time 23.8%
2 Supplier Capability: Responding to Customer Flow Down Requirements 15.6%
3 Counterfeit Parts 14.1%
4 Cyber Security and Information Assurance 13.5%
5 Export Compliance 13.1%
6 Sequestration / Defense Spending Uncertainty 10.6%
7 STEMS Skills Shortage 9.3%
© Verify, Inc. 2013
Supply Chain Challenges – Sub-Tier Perspective 9
Total Completed Surveys: 101Weighted
Score
1 Supplier Capacity: Delivering Quality Product On-Time 20.8%
2 Counterfeit Parts 19.6%
3 Supplier Capability: Responding to Customer Flow Down Requirements 16.2%
4 Export Compliance 14.6%
5 Cyber Security and Information Assurance 13.1%
6 STEMS Skills Shortage 9.2%
7 Sequestration / Defense Spending Uncertainty 6.5%
© Verify, Inc. 2013
Supply Chain Challenges – Field Resources Perspective 10
Total Completed Surveys: 175Weighted
Score
1 Supplier Capacity: Delivering Quality Product On-Time 23.0%
2 Supplier Capability: Responding to Customer Flow Down Requirements 18.4%
3 Counterfeit Parts 16.1%
4 Cyber Security and Information Assurance 15.0%
5 Sequestration / Defense Spending Uncertainty 9.4%
6 Export Compliance 9.2%
7 STEMS Skills Shortage 8.9%
© Verify, Inc. 2013
Supply Chain Challenges – Survey Summary 11
OEMs / Tier-1 believe that SUPPLIER CAPACITY is the #1 Supply Chain Challenge
Sub-tiers also believe that SUPPLIER CAPACITY is the #1 Supply Chain Challenge
Field Resources believe that SUPPLIER CAPACITY is the #1 Supply Chain Challenge
Aggregated Top-3
1. Supplier Capacity
2. Supplier Capability
3. Counterfeit Parts
What does the IAQG believe?
© Verify, Inc. 2013
Supply Chain Challenges
1. Sequestration / Defense Spending Uncertainty
2. Supplier Capability – Responding to Customer Flow Down Requirements
3. Supplier Capacity – Delivering Quality Product On-Time
4. STEMS Skills Shortage
12
5. Export Compliance
6. Cyber Security and Information Assurance
7. Counterfeit Parts
© Verify, Inc. 2013
Supply Chain Challenges
1. Sequestration / Defense
Spending Uncertainty
13
© Verify, Inc. 2013
Sequestration / Defense Spending Uncertainty
EXAMPLE CHALLENGES
1. Shrinking Forecasts. Shrinking Revenues.
Shrinking Margins
2. Inability to Effectively Plan. Short Term
Focus.
3. Major Costs Pressures – Lay offs
4. Potentially leading to loss of supply chain
capability (talent) and capacity
5. National Security Considerations
EXAMPLE REACTIVE RISK MITIGATION
1. Minimally comply with customer
requirements
2. Cut costs and delay investments
EXAMPLE PROACTIVE RISK MITIGATION
1. Partnering with the customer, engineer
costs out of the product
2. Invest and upsell, take on higher value add
3. Acquire competitors, consolidate
4. Foreign Sales
5. Maintain and confirm baseline
order book with key suppliers
VERIFY OBSERVATION: Considerable number of customers and suppliers openly re-directing their
organization to focus less on Defense and Space and more on: Industrials; Medical; Security; CA
14
© Verify, Inc. 2013
Supply Chain Challenges
2. Supplier Capability -
Responding to Customer Flow
Down Requirements
15
© Verify, Inc. 2013
Supplier Capability:
Responding to Customer Flow Down Requirements
EXAMPLE CHALLENGES
1. Overselling system capabilities of a lower-tier
supplier
2. Sub-tiers don’t realize what they’ve signed up
for
3. Inadequate supplier qualification,
management, and measurement
4. Lack of Customer enforcement of flow down
requirements
POTENTIAL ROOT CAUSE
1. Poor alignment between Sales, R&D, and
Operations/Supply Chain Mgmt
2. Lack of a robust or meaningful contract
review process
3. Lack of customer resources or pricing /
schedule pressures
4. Lack of systematic approach/interpretation
of contract requirements flow down
5. Poor product or process qualification
VERIFY OBSERVATION: Our global network constantly reports issues on supplier capability across all tiers
16
POSSIBLE BEST PRACTICE SOLUTIONS:
1. Qualification of suppliers by commodity / capability / site (e.g. Design or Build to Print)
2. Supplier development process / RESOURCES with boots on the ground
3. Consistent deployment and enforcement / interpretation of requirements (e.g. AS9102)
© Verify, Inc. 2013
Boots on the Ground Case Study – Supplier Engagement 17
CHALLENGE
� Critical supplier
� Number of defects increased
across all value streams / part
numbers
� Substantial decrease in quality
rating
� Lack of substantive improvement
plan
� Lack of C/A follow-up and closure
� Supplier short-staffed
� Customer considering exit plan
SOLUTION
� Deployed Verify Engagement Team
₋ Led by Technical Lead
₋ Inspector
₋ Auditor / Trainer
� Verify Team worked in close
collaboration with the customer
and supplier
� Implemented product verification
across most critical value streams
� Closed out all open C/A. Opened
and implemented additional C/A
based on multiple audits
performed
� Trained supplier personnel
RESULT
� Zero escapes
� Visual controls implemented
through supplier facility
� All overdue C/As closed out
� 52 Opportunities for
Improvement (C/As)
implemented
� Four supplier personnel trained
to proper audit and C/A processes
� Consistent high quality ratings
CUSTOMER POST CHALLENGE FEEDBACK:
“(Supplier) has been diligent about non-conformances and root cause/corrective action. Their
paperwork errors have all but disappeared. We only received two paperwork defects
between April and July – zero hardware failures. They have implemented a quality clinic, their
SCAR responses are on-time and well executed. It is almost like a different company.”
© Verify, Inc. 2013
Supply Chain Challenges
3. Supplier Capacity – Delivering
Quality Product On-Time
18
© Verify, Inc. 2013
Supplier Capacity: Delivering Quality Product On-Time
EXAMPLE CHALLENGES
1. Lack of capacity planning/scheduling, both
internal (shop floor) & external (suppliers)
2. Lack of resources (Human or Capital) to
adequately ramp to customer requirements
3. A&D Industry lacks maturity for PPAP deployment
(continued reliance on FAI)
4. Inadequate supplier oversight/management
and/or qualification/measurement
5. Supplier accepts all customer orders and
commitment dates leading to = who has priority?
POTENTIAL ROOT CAUSE
1. No formal ERP/MRP platform. Insufficient use
of ERP/MRP
2. Financial constraints. Inability to
identify/attract qualified human resources
3. Lack of qualified / experienced resources
4. Insufficient supplier mgmt or engineering
resources to develop (or recover) a global
supply chain
5. Lack of aligned production control practices
VERIFY OBSERVATION: Verify customers consistently indicate supplier capacity constraints and delinquencies
19
POSSIBLE BEST PRACTICE SOLUTIONS:
1. Capability/Capacity assessment planning for suppliers to include financial/capital analysis
2. Extensive training and development of people (internal and at supplier)
3. Identification and retention of highly skilled technical resources (internal and at supplier)
4. Establish A&D industry best practice for PPAP (enhanced FAI)
© Verify, Inc. 2013
Driving Supplier Improvement – Delivery Assurance Case Study
Rationale: Proven team with extensive experience / online management tools
20
$0
$50,000
$100,000
$150,000
$200,000
$250,000
$300,000
$350,000
Past Due Wk 48 Wk 49 Wk 50 Wk 51 Wk 52 Wk 1 Wk 2 Wk 3 Wk 4 Wk 5
KPI DQ $ PLAN END of WEEK DQ $ Actual
REAL SUPPLIER EXAMPLE 2012-13
DELINQUENT QUANTITY & BURN-DOWN
© Verify, Inc. 2013
Supply Chain Challenges
4. STEMS Skills Shortage
21
© Verify, Inc. 2013
Talent Asset (STEM) Shortage
SUPPLY CHAIN RESOURCE AVAILABILITY CHALLENGE
1. Scarcity of college graduates studying STEM
(science, technology, engineering & mathematics)
thereby limiting the supply of potential recruits
2. Lack of qualified resources to develop talent
3. Ability to retain talent
4. Limited centralized industry focus to encourage
and develop talent
5. Limited (arduous) US work visa issuances
6. Emerging Markets attracting foreign and US
educated talent
7. Aggressive emerging markets supply chain =
luring customers with cost reduction promises
EXAMPLE REACTIVE RISK MITIGATION
1. Survive with current employees or
outsource overseas
2. Hire best available within cost constraints
to perform defined tasks
EXAMPLE PROACTIVE RISK MITIGATION
1. Encourage and plan for employees to
innovate improved products and
processes
2. Make employees truly engaged and
inspired stakeholders
3. Maximize quality with limited resources
“Too few STEM students and workers, according to a significant majority of technologists” 13 Sep 13 IEEE
22
© Verify, Inc. 2013
M
M
MB
BEFORE
Maximizing Quality with Limited Resources - Case Study
Performance
Improvement
Performance
Improvement
QualificationQualification
VerificationVerification
• Eliminate most receiving inspection
• More source inspection
• More delegation and self release
• Buy (outsource) inspection activity
• Strongly encourage Quality Management System (AS or
ISO) & National Aerospace & Defense Contractors
Accreditation Program (NADCAP) certifications
• Reduce QMS & Special Process compliance audits
• Increase product audits
• Reduce number of approved suppliers
• Strengthen supplier consequences for quarterly ratings
• Develop suppliers to achieve delegation
• Buy some help
AFTER
M
B
B
MB
Stra
teg
y
23
Tier-1 A&D Supplier
© Verify, Inc. 2013
24Maximizing Quality with Limited Resources - Case Study Results
BE
FOR
E
• Tier-1 A&D Supplier
• 430 suppliers
• 50% of product was dock to stock
-500 Material Deficiency Reports
(MDRs) per month for Material
Review Board (MRB)
AFT
ER
201 suppliers
98% of product is dock to stock
80% decrease in receiving inspection
40% decrease in source inspection
40% increase self release or
delegated
Inspection and audit costs were
decreased by 50%
Escapes to floor drastically reduced
Saved >$2 million hard cost annually
© Verify, Inc. 2013
Supply Chain Challenges
5. Export Compliance
25
© Verify, Inc. 2013
Export Control and Compliance Headlines 26
“Pennsylvania man sentenced to 42 months in prison for illegally exporting goods” --- January 2013
“$75 million in fines & penalties for hundreds of violations of export control
laws & regulations in dealings with China” --- June 2012
“Company has agreed to pay $8 million in civil penalties to resolve hundreds of alleged
violations of U.S. export control laws” --- April 2013
“University charged with export violations in connection with the export of atmospheric testing device
and related equipment” --- May 2013
“Defense Services company faces $79M U.S. Fine as Part of Investigation for ITAR violations”
“Company resolved civil charges of violating the Arms Export Control Act, agreeing to a $32 million settlement”
“Bureau of Industry & Security Imposes One of its Highest Fines Ever for Export Control to U.S. company & its Chinese subsidiary”
BIGGER COMPANY PENALTIES …..
“Technology company and State Department
settles alleged export control violations with a
$25M penalty” --- August 2013
“Company agrees to a $42 million settlement with the State Department for Export Control Violations”
© Verify, Inc. 2013
A&D Export Control and Compliance Relevance 27
International Traffic in Arms Regulations
ITAR
U.S. Department of State
Directorate of Defense Trade Controls
Export Administration Regulations
EAR
U.S. Department of Commerce
Bureau of Industry & Security
Defense articles and defense services listed on
United States Munitions List (USML)
Commercial and “dual use” items and technology
listed in Commerce Commodity List (CCL)
Most aerospace & defense companies work on U.S. origin items
that are on the United States Munitions or Commerce Commodity Lists
Many of these items are restricted by U.S. Export Control Compliance laws and regulations
A&D companies and individuals are regularly prosecuted for violations
of Export Control Compliance laws and regulations
© Verify, Inc. 2013
What are Exports and their Violation Penalties?
• Any article or service (including technical data) imported or
exported from the U.S. to a foreign destination/person is an export
– May be subject to controls and restrictions
• Controlled items include:
– Hardware (I.E. parts, materials, sub assemblies)
– Information (I.E. drawings, specifications, test data, calculations)
– Technologies (I.E. composites)
– Software (I.E. source codes)
• Current penalties for each violation of EAR and ITAR include
– Civil fines up to $500,000 per violation
– Criminal fines up to $1,000,000 and/or up to 20 years in prison
– Debarment from directly or indirectly supporting export regulated
activities
28
Hardware
Information
Technology
Software
© Verify, Inc. 2013
What is the Supply Chain Doing or Should IT be Doing?
• If there is a possibility that your company works with U.S. origin items that
are listed on the US Munitions List or Commerce Commodity List…..
1. Research regulations and assess your vulnerability to violations. Seek guidance.
2. Evaluate your current work:
• Is it covered by any of the US regulations?
• Do you import and/or export these items in any way?
3. Develop and implement an Export Control Compliance Program
4. Train your employees and conduct regular Export Control Compliance internal
audits/assessments
29
© Verify, Inc. 2013
Supply Chain Challenges
6. Cyber Security and
Information Assurance
30
© Verify, Inc. 2013
Cybersecurity Headlines 31
“Cyber-Attack Concerns Raised Over Boeing 787 Chip’s ‘Back Door’”
- The Guardian, May 2012
“Lockheed Says Cyber Attacks Up Sharply, Suppliers Targeted”
- Reuters, November 2012
“U.S. Supply Chain Cyber-Security Weaker, More Vulnerable
than Thought”
- Homeland Security News Wire, December 2010
“Our adversaries are very active in trying to introduce material
into the supply chain in ways that threaten our security”
- David Shield, Deputy Director, Defense Intelligence Agency, July 2013
© Verify, Inc. 2013
Anatomy of the Threat 32
Persistent Threat Tampering Theft Malicious SoftwareAdversarial -
Natural Disaster Poor Quality Poor ProcessesNon-Adversarial - User Error
© Verify, Inc. 2013
Anatomy of the Threat 33
Persistent Threat Tampering Theft Malicious SoftwareAdversarial -
Non-Adversarial - Natural Disaster Poor Quality Poor Practices User Error
© Verify, Inc. 2013
Non-Adversarial - Natural Disaster Poor Quality Poor Practices
Anatomy of the Threat 34
Persistent Threat Tampering Theft Malicious SoftwareAdversarial -
User Error
© Verify, Inc. 2013
Anatomy of the Threat 35
Persistent Threat Tampering Theft Malicious SoftwareAdversarial -
Non-Adversarial - Natural Disaster Poor Quality Poor Practices User Error
© Verify, Inc. 2013
Anatomy of the Threat 36
Persistent Threat Tampering Theft Malicious SoftwareAdversarial -
Natural Disaster Poor Quality Poor PracticesNon-Adversarial -
Th
rea
t V
ect
or
Simple Logic:1. Aerospace OEMs and Tier 1s are prime targets
2. OEMs and Tier 1s invest in security by necessity and contract flowdown
3. OEMs and Tier 1s rely on and exchange information with Tier 2-n suppliers
4. Tier 2-n suppliers do not have (and often cannot) afford the same level of
protection
=> Attack the sub-tiers to compromise the primes
User Error
© Verify, Inc. 2013
What We See
CHALLENGES
1. Structured, sound internal supply chain
cyber/IA programs are rare
2. Suppliers don’t receive, don’t understand, or
don’t comply with cyber/IA flow down
requirements
3. Free exchange of information is becoming
increasingly difficult
4. Suppliers subjected to frequent, inconsistent,
and time-consuming assessments
POTENTIAL ROOT CAUSES
1. Ownership (RAA) of supply chain cyber/IA is
unclear
2. Ad-hoc approaches to flow down and
enforcement by OEMs and Tier 1s; little
regulatory or contractual guidance
3. Information security (IT, IA, or other group)
must treat suppliers as external risks and
dictate policies accordingly
4. Lack of unifying and consolidating standards
or frameworks in this space
VERIFY OBSERVATION: Frequency of information security assessments increased 400% last year
37
POSSIBLE BEST PRACTICE SOLUTIONS:
1. Standardized supplier assessments / standardized measurement across the industry
2. Customer-supported or contractually-mandated implementation and/or remediation
3. Partnership between supply chain functions, enterprise risk management, and IT/IA on building a supply
chain cyber security and information assurance program
© Verify, Inc. 2013
The Challenge 38
Department of Defense. Distribution Statement A – Approved for public release; distribution is unlimited.
Logos are the trademark or copyright of their associated agency or standards body. Logos are included
for illustrative purposes only and are not intended to signify compliance, accreditation, etc.
© Verify, Inc. 2013
Where to Start 39
• Infuse cyber security and information assurance into every stage of the
supplier performance management lifecycle
• Standardize requirements and processes across the enterprise and then the
industry
Cyber and IA
Standard Cyber and IA Assessment
Risk Analysis and Management
Adopt Standards
Cyber and IA
Incident Response
Security Engineering
Incorporate into CI / PA
Cyber and IA
Incident Response
Monitoring
Information Sharing
Cyber and IA
Gov’t Flow Down
Industry Frameworks
Mandatory Controls
Cyber and IA
Vulnerability Assessment
Threat Assessment
Cyber and IA
Penetration Testing
Audit
1. Identification,
Selection &
Qualification
2. Requirements Flow
Down
3. Qualification & Pre-
Production Planning
4. Verification /
Validation
5. Surveillance &
Performance
Monitoring
6. Performance
Improvement
Cybersecurity
Information Assurance
SPM
It’s still about Supplier
Performance Management
© Verify, Inc. 2013
What’s Next 40
� Understand Ownership (Responsibility, Authority, Accountability)
� Procurement? Supplier Quality? Risk Management? IT or IA?
� Incorporate into Enterprise Supply Chain Management Processes
� Flow Down Requirements
� Qualify Suppliers (Match Rigor to Risk)
� Understand Emerging Standards, Regulations, and Frameworks
� US – NIST Cybersecurity Framework (draft release imminent)
� EU – EU Directive (currently in early stages)
� ISO 27036 – Information Security for Supplier Relationships (draft)
� AIAA Framework for Aviation Cybersecurity
� NAS 9924
� Perform a Threat and Vulnerability Assessment on your Supply Chain
� Join the Growing Discussion
© Verify, Inc. 2013
Supply Chain Challenges
7. Counterfeit Parts
41
© Verify, Inc. 2013
Counterfeit Parts
EXAMPLE CHALLENGES
1. Bait & Switch by Suppliers
2. Surplus parts and materials sold without
original documentation
3. Cost and Logistics of Inspection or Product
Testing
4. Long Product Life Cycle on A&D
POTENTIAL RISK MITIGATION
1. Improved Sourcing Strategies and Control.
2. Escrow of Intellectual Property
3. Outsourcing Inspection and Testing
Responsibilities
4. Longer Term Procurement Plans
Verify Observation: Noted increase in alerts on counterfeit parts. Inconsistency in
established policy and training from major customers.
42
POSSIBLE LONGER TERMS SOLUTIONS:
� Improved information sharing across the industry
� Anti-counterfeiting part-marking / packaging – cross industry cooperation
� Industry Leadership / Cooperation – Standardized Approach
© Verify, Inc. 2013
Verify – In Summation…….. 43
Broad – Capable – Proven Organization
Supporting Every Stage of our Customer’s Product Life Cycle
Working for 300 A&D Customers @ 6000 Global Suppliers
Supplier Capability – Supplier Capacity – Cyber Security
A&D Field Resource Team > 2,000 Professionals
Assuring and Improving Quality And Delivery Performance
SUPPORTING OUR GLOBAL VISION:–
“a world where quality product is always delivered
on-time……”