In the wake of the 2010 U.S. Department of Commerce's report, Defense Industrial Base Assessment: Counterfeit Electronics, there continues to be ongoing anti-counterfeiting collaboration from both government policy and enforcement agencies as well as the semiconductor and electronics industry. This year, final reports from SAE International's G-19 Counterfeit Electronic Components Committee are anticipated. Among the important outcomes of SAE's work was the AS 5553 Standard for Counterfeit Electronic Parts, Avoidance, Detection, Mitigation and Disposition. In order to  confidently screen and audit suppliers, requiring these industry recognized quality management standards (QMS) is essential. These standards inform what the industry recognizes as baselines for appropriate processes, procedures, knowledge and technical laboratory capabilities.

Among the most important standards, affiliations, and registrations are the following: ISO 9001, ISO 17025, and ISO 14001; ANSI ESD S20.20; CTI-CCAP-101; IDEA-STD-1010-A, IDEA-ICE-3000, and IDEA-QMS-9090-A; AS 5553 and AS 9120-A; GIDEP; CAGE codes; C-TPAT; ISA; IPC-A-610 and IPC J-STD-001.

Standards management certification offers an essential set of procedures that are the starting point for supplier best practices. Requiring and then auditing a supplier's certifications becomes all the more important when separating the wheat from the chaff. Due diligence is essential and should be performed regardless of whether the supplier is a Franchised Distributor (FD) or Independent Distributor (ID). First, one must understand what the different certifications and standards entail and what they offer when evaluating suppliers' anti-counterfeiting capabilities and QMS.

The following is an exchange between Bob Chesla, senior project engineer with Rockwell Automation, and Nora Gibbs, account executive with Smith & Associates, a global independent distributor. Their conversation highlights the importance, varying emphasis, and roles the different certification standards play in selecting best-in-class IDs and in the collaborative efforts to reduce counterfeit risk. The discussion focuses on understanding ID certifications from both a manufacturer's perspective and that of a global ID.

Q: Starting with the ISO, the most recognized body, which specific certification standards are important in qualifying an ID and why?

A: Chesla: Firstly, we should understand that standards are important baselines for evaluating and approving suppliers, but are only one piece of the puzzle that a purchaser should use in their qualification evaluation checklists. Approving an ID carries some unique conditions that may require a steep learning curve as well as an intensive investigative analysis. As a baseline, however, I think the most important of the ISO standards is ISO 9001. This standard addresses the fundamentals of a quality management system and should be a minimum requirement for anyone looking to approve a distributor. This certification indicates that a business conforms to a basic level of quality. It requires management of every process in an organization that impacts quality with the added benefits of increased quality awareness, consistency in operations, and process improvements. To have a QMS verified and certified by an independent third party confirms that procedures are in place to cover major processes and that they are being implemented and are effective.

A: Gibbs: I agree with Bob. The ISO 9001 sets the basic level of quality and should be expected of any business involved in procurement. But I would underline the word "basic" and say that ISO 9001 is essential, but a best-in-class supplier should go beyond this standard; it should be seen as the starting point. On-site auditing of a supplier is very important to make sure that the QMS is in place, understood and implemented across the organization. I would also add that for those suppliers who have on-site testing laboratories, having the ISO/IEC 17025 certification is also important. Labs must be qualified to make sure processes for testing and calibration are performed using standard methods, non-standard methods and laboratory-developed methods. This is accomplished through audits that assure efficiency and competence. Finally, the addition of the ISO 14001, Environmental Management Systems, confirms that proper attention is paid to environmental aspects that are impacted by a company's operations, applicable environmental regulations such as RoHS, REACH, WEEE, and that proper policies and procedures are in place and are effective in managing those environmental impacts.

Q: What is a certificate of compliance, and what is actually being certified, since it is not an industry standard? What assurances does a CoC hold for the purchaser?

A: Chesla: A CoC is a document that assures the procured parts are new, from a reliable, traceable source, and that they meet the form, fit and function of the OEM's specifications. In addition, a CoC assures the ID went through a formal quality supply chain process to confirm that those parts are what they say they are. This includes source evaluation, part inspection, and testing (both physical and electrical if necessary) to a standard such as IDEA-STD-1010 or equivalent. There are many generic CoCs in use, but I recommend developing one that states the needs of your company and is agreed to by the ID, including a return policy. CoCs can be easily counterfeited and should only be accepted from a trusted ID that has gone through your own company's qualification process.

A: Gibbs: As far as an ID is concerned, a CoC basically certifies that the part we are offering will perform in accordance with the manufacturer's specifications. Conforming to a CoC means that when an ID is offering a part that you need, you'll get exactly that part. If the part doesn't work as it should, (suspect part issues aside), that ID should be expected to exchange/return it, as long as the return is accompanied by a failure report. This failure report is a basic report that tells the ID why the part didn't work.

Q: ANSI / ESD 20:20 certification addresses the way components are handled and stored. Why should an ID have this certification?

A: Chesla: Electrostatic discharge [ESD] is the rapid transfer of an electrostatic charge between two objects of different potentials when they come into direct contact with each other. As the standard specifies, "Unprotected components as simple as diodes to complex hybrids can easily be damaged and become defective. The ANSI / ESD 20.20 standard covers the requirements necessary to design, establish, implement and maintain an ESD control program for organizations that manufacture, process, assemble, install, package, label, service, test, inspect or handle electrical or electronic parts, assemblies and equipment susceptible to damage by electrostatic discharges." Of foremost importance is that the ESD 20.20 program is certified by an independent party, and any organization involved with ESD sensitive components should be certified to this standard.

A: Gibbs: I agree completely with Bob. ANSI / ESD 20.20 is an absolute necessity for any business that handles unprotected components. At its essence, the ESD 20.20 certified program confirms that the processes are in place to properly handle components.  For example, the ESD 20.20 procedures would describe at what temperature electronic components should be stored, whether moisture sensors should be in use, heel straps used by employees to reduce static, and so on.

Q: When considering an ID as a supplier, what importance does IDEA affiliation & certification have?

A: Chesla: IDEA does not certify a company, but you can have your inspectors certified to an IDEA Standard. CCAP is the opposite; it will certify you as a company, but it does not certify your inspectors. Since an ID is not franchised by an OEM, I believe it is critical for an ID to have CCAP-101 certification or to have IDEA-ICE-3000 Certified Professional Inspectors certified to the IDEA-STD-1010 at all locations. Any external lab used by an ID must also meet these certifications. Inspecting and testing components from the open market has unique anti-counterfeit and quality requirements and these standards help address these. IDEA-STD-1010 documents the industry-accepted quality and inspection criteria for electronic components and includes definitions as well as full-color photographs for reference. IDEA is the leading resource for IDs to find relevant quality information and to participate in advancing industry ethics, ensuring customer satisfaction, establishing standards, and promoting education.

A: Gibbs: Yes, IDEA-STD-1010 is a cornerstone requirement for IDs today. The most common requests that I receive are for IDEA and CCAP certifications, namely the CCAP-101. These certifications are an additional layer to the ISO 9001 and AS9120, because they provide more ID-centric standards based on the different supply chain exposures. The latest IDEA certification to be released, IDEA-QMS-9090, addresses broad, commercial QMS issues and practices faced by IDs in the open market with a focus on improved anti-counterfeiting. When working with an ID, you should insist on ISO and AS certifications, and IDEA  membership.

Q: What does CCAP-101 certification entail and what value does it hold in evaluating an ID?

A: Chesla: Both IDEA and CCAP-101 have value. The CCAP-101 Certified Program has been developed to define mandatory practices for use by IDs to detect and avoid the delivery of counterfeit electronic components to their customers. Certification requires a third party on-site audit and carries an annual review process for recertification that considers the entire past year's history. CCAP-101 can provide important insight when reviewing the ID to best confirm industry standard anti-counterfeiting inspection and test requirements are being adhered to by the ID.

A: Gibbs: An ID with both IDEA and CCAP certifications tells the customer that both the technical laboratory inspectors as well as the company itself are certified, respectively. Sourcing from an ID with these certifications significantly reduces exposure to faulty or fraudulent components. Certified IDs are dedicated to visibility, collaboration and in safe-guarding the global semiconductor supply chain. IDEA has played an important role in promoting the value of rigorous ID certifications.

Q: What is AS9120-A certification, and does it offer any advantages to a manufacturer in the commercial, industrial or medical market? Does the aerospace industry require an ID to have this certification prior to any transactions?

A: Chesla: AS9120-A applies to the aerospace industry. It's based on ISO 9000 but with nearly 100 additional requirements. It is aimed primarily at product distributors rather than manufacturers or service providers of aircraft components. Although this certification is most likely not a mandate for non-aerospace customers, they would benefit from the extra requirements. AS9120 requires suppliers to focus on areas impacting product safety and reliability. Other focused areas are: traceability (from receipt to delivery), stringent control and availability of records, airworthiness certificates, evidence of conformance, and requirements for lot or batch splitting.

A: Gibbs: We know first-hand the long and careful process involved with AS9120 certification. This is an important criterion for best-in-class distributors because of the stringent QMS and anti-counterfeiting requirements.

Q: Recently we've heard so much about counterfeit product in numerous governments' defense equipment and stock, what value does a Commercial and Government Entity (CAGE) code and US Government Suppliers Lists hold when evaluating qualified IDs?

A: Chesla: At this point in time, a company does not have to go through a quality audit to be assigned a CAGE code and it does not mean a company is certified to any government standard. It simply means a supplier is allowed to bid on and receive government contracts.

A: Gibbs: Before a company can do business with the government, it must have a CAGE code that identifies contractors. To obtain a CAGE code, a company must complete the US Federal Government's Central Contractor Registration (CCR). CAGE Codes with a Status Code of "E" identify those contractors which are (1) Proposed for Debarment Action, (2) Suspended or (3) Debarred or are otherwise ineligible for receipt of government contracts. In all three cases, the contractor is considered to be ineligible for Federal Procurement Programs. The Excluded Parties List System (EPLS) is a database that can be accessed for additional information.

In summary, with the dominance of discussion around risk mitigation for counterfeit product, it is important to stop and think about how to leverage and demand more of existing QMS standards in addition to developing new strategies. Because counterfeiting is, unfortunately, not a new phenomenon there exists an important body of internationally recognized industry standards to guide procurement processes.

The best risk mitigation strategies come from open, collaborative and honest discussions along the supply chain. In evidence of the positive momentum along the wider semiconductor and electronics supply chain is the dedicated and serious participation by many different government and law enforcement bodies in-hand with component manufacturers distributors (IDs and FDs), among others.

Throughout the first half of this year, there has already been progress toward improved standards and collaboration through the conferences held by IDEA, ERAI, IHS, SAE's G-19 group, and CALCE, to name only a few. There is an exciting field of new standards, and it's expected that within five years the supply chain landscape could be very different, for the positive. Meanwhile, requiring and auditing for adherence to recognized QMS certifications, as a baseline from which business-specific practices can be based, is essential for risk management and anti-counterfeit practices.

Source: Smith & Associates, Rockwell Automation


Keywords: IT supply chain management, supply chain management IT, inventory control, supply chain risk management, supplier risk management, certifying supplier quality, quality management services