AS9100 revision D added a clause called “Prevention of Counterfeit Parts” which causes a lot of confusion in small machine shops who either don’t understand the requirements or think the clause may not apply to them. So here’s some good news and bad news.
The bad news first: the clause nearly applies to everyone in the aerospace industry, and is one of the trickier ones to justify as being “not applicable” to your organization. If you buy raw materials to make stuff, then yes, you have to implement this.
The good news is that it’s not that hard to comply with, anyway, so don’t worry about trying to wriggle away.
What’s Required
AS9100’s clause 8.1.4 on counterfeit part control appears a single sentence, without much context or meat to it:
The organization shall plan, implement, and control processes, appropriate to the organization and the product, for the prevention of counterfeit or suspect counterfeit part use and their inclusion in product(s) delivered to the customer.
The accompanying note provides a lengthy bulleted list of things you then “should” do (their word, not mine). Combined with the phrase “appropriate to the organization and the product” from the preceding requirement sentence, it becomes understandable why so many people think the entire clause is optional.
Unfortunately, that’s not quite how aerospace standards work. You have to go through some pretty significant factual gymnastics to argue that your raw materials couldn’t possibly be counterfeited, and therefore the clause is not “appropriate to your organization.” But unless you’re actually a company that counterfeits stuff, you can’t really be sure what counterfeiters are up to, so you can’t make a fully informed decision on the matter.
Worse, because these things go into airplanes and fighter jets and spacecraft, and because gravity exists purely to smash humanity’s dreams of flight into the nearest mountain, you don’t want to guess wrong.
So ignore any pretense that this is optional, and lay on, Macduff.
Reading the clause again, we see there are two main required actions:
- To prevent the use of counterfeit parts, and
- To prevent them from ending up in your products.
In both cases, the standard addresses “counterfeit” and “suspect counterfeit” parts; in reality, you’d really only ever be dealing with suspect counterfeit parts, because proving something is 100% counterfeit is probably not your area of expertise. And it’s irrelevant: you need only have sufficient evidence something might be counterfeit, and the rules are then triggered. So don’t get caught up on the terminology here.
Meet Your Two New Buddies
There are two indispensable standards you will have to get to know in order to properly comply with this clause, and depending on your scope of work, you may need either of them, or both at the same time.
The first is SAE AS5553 Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition. This standard outlines the industry requirements when dealing with potentially counterfeit electronic components, such as transistors, capacitors, stepper motors, hard drives, or anything that might go on a circuit board. Heck, even the circuit boards themselves. Many machine shops might never buy or use electronic components in their products, and if so, they can ignore this one. Companies that do electrical assembly, however, or include such components in their final product will have to get familiar with it.
The second is SAE AS6174 Counterfeit Materiel: Assuring Acquisition of Authentic and Conforming Materiel. This standard deals with all the other stuff, like raw materials such as stainless steel sheet, titanium, aluminum, plastics, teflons, etc. Notice the spelling of that word “materiel” – it’s not to be confused with “material,” which just means “stuff.” “Materiel” is a bit more specific, and essentially means stuff used by an organization. Because of this, nearly no one working in aerospace can ignore this one, unless the scope of your AS9100 work is consulting, training, or some service that doesn’t actually use raw materials.
So — again — you will see that either one of those likely applies to your scope of work. But if you’re a machine shop that also buys electronic components for assembly, both may apply.
But don’t worry, there’s more good news. Despite having completely different words in them, the two standards essentially lay out the same set of requirements. And those requirements match those of AS9100, leading you to “plan, implement, and control processes” to both prevent suspect parts from getting into your final product, and to prevent purchasing them in the first place.
Still, I urge you to buy these standards (whichever applies to you.) If you base your internal procedures on them, it’s always good to have the original core text handy.
To implement either (or both) of these, you will attack the counterfeit part problem at three specific steps in your company. And — more good news (it just keeps coming!) — none of these are particularly hard. They are:
- Purchasing – to prevent buying counterfeit products
- Receiving – to verify you haven’t received counterfeit products
- Inspection – to take a final look to ensure the other guys didn’t screw up, and use counterfeit products anyway
Step One: Purchasing Controls
Both AS5553 and AS6174 — as well as the note in AS9100 clause 8.1.4 — emphasize the need to put controls in place to prevent buying suspect counterfeit parts. Both standards have some overcaffeinated risk methodologies that they discuss, along with graphics, etc., to try and drive your thinking. But it’s far less complicated than you’d think.
The best thing you can do is to use known, reliable, and “famous” suppliers. This reduces the potential of counterfeit parts considerably, and you’ll see the standards try to push you in this direction anyway. Of course, this is not a guarantee that you’ll get “pure” products, but it’s definitely better to buy from Alcoa or Alro than a guy in the parking lot wearing a tracksuit and driving a truck that reads, “Russian Jimmy’s Mobile Aluminum Sales.” When buying electronic components, you want to go to the larger distributors, like Digi-Key, rather than some mom-and-pop shop down the corner with only two employees who — come on, let’s face it — cannot possibly have the “connections” to get authentic capacitors.
In this case, bigger is better. Larger, well-known suppliers have worked hard to develop their supply chains, in order to reduce the risk of leaking counterfeit products on the market. They also have a lot to lose if they screw up, so you get to benefit from their efforts.
So when evaluating suppliers (as part of AS9100 clause 8.4), this is how you should rank the selection process:
- BEST: Original manufacturers.
- CLOSE TO BEST: Official distributors authorized by the original manufacturers, and who can provide traceability back to the original manufacturer (heat lots, batch certifications, etc.)
- PRETTY DAMN GOOD: Well-known distributors with established reputations, a large customer base, and dense catalog offering.
- MEH: Smaller distributors of harder-to-find products, but still with some level of industry reputation and no negative press.
- NOT GREAT: Small companies without a known name, few if any references, and no discernible authentic sources of supply. (Pro tip: Miami is a hotbed for mom-and-pop fraudsters, so a Florida address is a red flag.)
- SHADY AS FUCK: Companies you never heard of, from countries you never heard of, bearing “certifications” you never heard of.
- AVOID AT ALL COSTS: Chateau Ste. Michelle Riesling.
You can create a complex risk assessment tool to rank potential suppliers (or, retroactively, justify your current ones), or you can just use this list as your basic logic gate. If you include some sort of priority listing like this in your purchasing procedure, and then ensure all your buyers adhere to it, you’re off to a great start.
Purchasing must then be sure to order the appropriate certificates along with each purchase. This ensures that no matter how good a supplier’s reputation is, you’ll still have a solid paper trail to prove things later. Such certificates can be certificates of analysis, certificates of conformity, heat lot certificates, test certificates, or anything else that proves what you eventually receive matches what you wanted.
To do this, you must include a requirement to provide such certifications in your purchase order details to the supplier. Don’t assume they will send it if you don’t call it out on the PO, or you will have no legal recourse if they fail to provide it. Worse, some suppliers offer a cheaper “uncertified” product line, and you could get lesser-grade material than you expected. So make sure those outgoing POs have all the necessary details.
Plus, a different clause in AS9100 requires you to flow down the demand for authentic materials to your suppliers on the PO. Specifically, clause 8.4.3 says you must flow down the “need to prevent the use of counterfeit parts” in whatever you’re buying. Now, this won’t apply when you’re buying pizza or handtools or materials that don’t go into the final product, but you may want to put a boilerplate statement on all outgoing POs anyway.
Step Two: Receiving Activities
Once you’ve vetted your suppliers to reduce the risk they might provide counterfeit product, and flowed down additional controls on your POs to help legally ensure it, you have to verify incoming items to make absolutely sure nothing slips in under the doormat. Your receiving inspectors become your line of defense in this effort.
Now, to be clear, it’s not expected that your receiving inspectors will be experts in forensic analysis or counterfeit testing experts. They need only report when something looks unusual.
For materiel (remember, the one with the weird spelling), this is a simple examination of incoming items for anything that looks out of place. They do this by asking a few standard questions:
- Do all items have the expected logos, branding, markings, and appearance?
- Does anything look different from prior receipts of the same materials?
- Are the required certificates included, and do they match the lot or batch numbers of the material received?
- Do the certificates themselves look as expected?
- Does anything — the product, packaging, or certificates — have unusual wording, fonts, errors, or misspellings that suggest they were prepared by someone other than the sender.
- Do the company names on packaging and certificates match the suppliers that the order was placed with?
For electronic components, your receiving personnel would do the same thing. Because the counterfeiting of electronic components is so rampant and mature, however, you will need to have some additional information to strengthen your defenses.
First, I recommend all such companies register with ERAI and utilize their database of currently known counterfeited components, for example. This will also provide you automated updates when new counterfeit component batches are found in the wild, so you can watch out for them. As an extra level of protection, ERAI also provides special training for receiving inspectors, through its INTERCEPT program, which can help immensely.
Next, for electronic components which have a high likelihood of being counterfeited, and come from higher risk sources, you may want to subject a sample to independent lab testing. This might include X-ray, microscopy or precision electrical inspections. Companies like NTS provide such services.
But the level of additional work you do for the electronic components will, again, be based on your level of risk and the potential financial damage that could occur should counterfeit parts be found in your products in the field. For many small companies, the simple visual inspections of products, packaging, and certification test reports will be sufficient.
Step Three: Inspection & Testing
Finally, train your QC inspectors to add visual inspection steps for potential counterfeit indicators during their normal QC inspections or tests. Again, have them look for anything out of the ordinary. If you encounter a failure during normal functional testing, you may want to review if the problem could be the result of any single component; if so, ask yourself if that component — as well as any others from that lot which you may have in inventory — could be counterfeit.
Reporting & Quarantine
Those three steps are essentially all that’s required. The two standards I mentioned will give you additional levels of detail to add if your particular risks are high in this area, of course.
But what if you do encounter something that appears to be suspicious? The key rule you must remember is that you cannot return it to the vendor. This is because your supplier may simply put the products back into their inventory, only to sell them to someone else. Furthermore, AS9100 specifically prohibits this under clause 8.7 for “Control of Nonconforming Outputs”:
Counterfeit, or suspect counterfeit, parts shall be controlled to prevent reentry into the supply chain.
Instead, you must report the problem to the supplier, but explain you cannot legally return it to them. If they demand to see the product, first offer to provide them photos, video, etc. At the most, you can return a portion or sample (a single capacitor, a sample piece, a cutting, etc.), but if so, document this heavily. Take photos of exactly what you are returning to the supplier, physically and permanently mark the product as SUSPECT COUNTERFEIT, and keep records of what you sent, on what date, and the point of contact at the supplier. This is to protect you later.
At the same time, you will have to notify the authorities. For electronic components, you may (again) want to contact ERAI for guidance, as they have formal ways to verify and update their databases. You may also have to notify FAA if any such product has been installed on aircraft, or may otherwise cause a flight hazard.
Keeping your company lawyer up to date on the matter can’t hurt, either, if you have one.
Of course, then purge your inventory of any similar products from the same vendor or lot, etc. Counterfeiters don’t simply make one fake product and stick that in a batch; they will nearly always counterfeit the entire batch, and many batches after that.
Conclusion
So as you can see, the requirements are not onerous and can be rolled into your normal supplier evaluation, purchasing, receiving, and inspection practices. Unless you’re dealing with a lot of high-risk electronic components, there should be no need for any third-party training.
AS9100 doesn’t require it, but I recommend writing one or more procedures to support these activities. The free Oxebridge AS9100 Template Kit has a sample “Counterfeit Part Control” procedure you can download here, if you get stuck (but you’ll need to customize it.)
As always, if you need help implementing AS9100 or getting ready for third-party certification, you can join our free Slack group, or submit a request for quote for implementation services.
Related Articles:
Implementing AS9100 Configuration Management in the Small Machine Shop
Plus, more free Guidance Documents here.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world