Manufacturers in the 21st-century supply chain have had the challenge of meeting changing quality and traceability requirements. Particularly in aaerospace and defense, wherein a faulty part can lead to injury or death, suppliers usually need to assure that every component delivered not only meets specifications but also has each production step clearly documented.
The challenge is multiplied when the standards change—which almost always means, “when they get tougher”—and complicated further for companies that supply to more than one OEM or industry and need to meet a variety of different quality and traceability practices.
Allison Giddens, co-president of Win-Tech, an AS9100-certified aerospace machine shop, knows the challenge well.
“A lot of companies make the effort to go from ISO certification to the more stringent AS9100 standard, and they find that AS is like ISO on steroids,” she said. “It’s tougher, even though it’s still about documentation and traceability within the manufacturing environment. There are a lot of new concerns in the production process to be aware of.”
For Win-Tech, it’s part of the cost of doing business. “The AS9100 credential means any company in the industry—or in other industries—know we maintain a high level of quality. They can take us seriously,” Giddens said.
But getting there wasn’t easy, she said, and for suppliers faced with multiple documentation and traceability requirements, it’s even harder.
Quality Assurance as a Service
The rise of cloud-based, Industry 4.0-level computing and networking technology is making these tasks easier to navigate.
Just as SaaS—Software as a Service—outsources the resource-consuming tasks of maintaining and updating computer software, third-party cloud-based systems are able to take on the responsibility of making sure a supplier is able to certifiably meet a range of quality requirements.
Hawkins Glass provides a good example.
The maker of ballistic glass assemblies for the U.S. military needed to be able to track serial numbers embedded into its glass as part of its quality documentation. It also had a labor-intensive manufacturing and inspection process that it needed to automate and integrate into its existing enterprise resource planning program (ERP). All inspection sheets had to be scanned, often manually due to the condition of the paper after all the steps were completed.
The company now uses two cloud-based programs, TIPQA and TIPSFE, from TIP Technologies.
TIPQA was first released in 1989 as one of the first commercial off-the-shelf (COTS) quality management solutions. It has evolved into a fully web-based solution.
TIPQA provides operational visibility into quality metrics, product lifecycle management, shop floor control and supplier quality collaboration. TIPQA also lets its users adapt to changing markets and quality requirements: Industry standards, such as ISO, DFARS, FAA and AS9100D, can be easily referenced and validated within the system, eliminating audit concerns.
Compliance with DoD requirements for counterfeit parts avoidance, mitigation and disposition can be tracked and maintained within the system.
By moving all of the inspection requirements and data capture to TIPQA, paper inspection sheets are a thing of the past, and a simple report of all serial numbers per shipment can be easily downloaded, saved, or provided to the customer.
“We have saved at least four hours a day or more on paperwork, Hawkins Glass CFO Angel Eller said. “Serial numbers are no longer transposed or undocumented. The system enforces the rule to scan the barcode for the serial numbers and backward checks to ensure validity.”
The TIPSFE Shop Floor Execution solution presents actionable data and enhanced operational visibility of shop-floor operations. It provides companies with real-time information that can be shared across the enterprise about work in process and lets teams communicate for better control over manufacturing operations though a single user interface.
This data is then synced with a customer’s ERP system for a complete picture of the production process. It provides a paperless delivery system mechanism with detailed routings, work instructions and inspection requirements to present a completely paperless traveler.
Visibility into operations and signoffs for manufacturing and quality processes ensures proper completion.
In the case of Hawkins Glass, serialization begins at the point of receipt as parts transfer from the ERP system into the TIPQA Receiving Inspection module. Product serialization is tracked and managed solely within TIPQA, as the complexities of doing so in the ERP were deemed too challenging.
Serialization continues as production assemblies commence with manufacturing orders and TIPQA performs automatic serialization of these assemblies, thus removing operator interaction requirements. By also leveraging TIPSFE solution, Hawkins is now capable of ensuring a consistent and accurate process flow.
“We are now confident in our serial number database and the information provided to the DOD and the primes. This has allowed us to remove all work instructions and diagrams from the shop floor, since the employee can see them right when they need them within the system. That was a big part of our meeting the NIST and CMMC Requirement for CUI security,” Eller said.
Cyber Danger Increases
Along with meeting evolving quality and efficiency expectations, suppliers are faced with another issue: The threat of cyber breaches.
The year 2020 ended with news that a massive cyber breach, presumed to have been engineered by Russia, penetrated deeply into multiple U.S. government and corporate facilities.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the government alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures [which] have not yet been discovered.”
The past year also saw the rollout of the new Defense Department Cybersecurity Maturity Model Certification program (CMMC), which calls for every part of the supply chain to become certified to a certain level—and to be prepared to have that level checked by third-party assessors.
And even before the discovery of that Russian breach, experts expected that such stringent requirements are likely to soon spread beyond the DoD to other government-contracted supply chains.
Caught between frighteningly capable adversaries on one side and a tighter regulatory environment on the other, many manufacturers find that they need to quickly develop high-level competency in cybersecurity.
It can be daunting.
Win-Tech’s Giddens pointed out that part of what makes it challenging is that it requires expertise completely outside what a business of its size and type has needed to develop in the past.
She contrasts it with the challenge of meeting aerospace quality certification requirements: “That move from ISO to AS is hard—but at least it’s still about getting better at your core competencies—stuff you’re already doing. Whereas meeting, say, CMMC Level Three calls for putting time and resources toward implementing these practices that have nothing to do with your core competency of manufacturing.”
Until recently, “cybersecurity” hasn’t meant much more than a general awareness that employees ought to avoid clicking strange links and to change their passwords occasionally, she said. “So, now, enterprise-wide, you’re going to have to devote time to learning something that is not your expertise or find somebody who does have it and depend on them—which has its own drawbacks.
And that makes CMMC a different kind of challenge than even tough aerospace quality requirements. “It’s always been about product quality and on-time deliveries and cost savings and process efficiency,” Giddens said. “It’s not been ‘Are you making sure that the Chinese can’t find the F-35 plans?’ I mean, that that’s not the conversation we’re used to.”
Giddens said she and her peers in the manufacturing supply chain understand the need for cybersecurity requirements. “But for smaller businesses, we’ve only got so many hats we can wear at a time. So, it’s a real challenge.”
Cybersecurity as a Service
As CMMC requirements push manufacturers to retool their security operations, many will look at the complexity of the task and at their in-house resources—and, in a decision that parallels that of users of quality-assurance-as-a-service providers, conclude that they’ll need to turn to external resources, such as managed security services, to help them dependably reach and maintain their required CMMC level.
“I’m getting two to four calls a week” from such companies, said Greg Powers, an account executive at NeoSystems, a managed-security provider. “These are sometimes companies who are excited to get a chance to get in on the defense project for the first time—and suddenly they have CMMC Level 3 being asked of them, and they have no idea what to do.”
NeoSystems begins with a new customer by giving them a basic education in the CMMC requirements, he said. The firm assess the manufacturer’s current cybersecurity practices and then designs and builds solution to meet its specific needs. Once the infrastructure is in place, Neosystems takes complete responsibility for managing the customer’s cybersecurity.
“We handle all of the CMMC Level 3 requirements, and take complete responsibility for cybersecurity compliance,” Powers said. “We’ll make sure the customer’s security program can successfully pass the CMMC audit.”
The service includes:
- Security program management: “We develop and maintain all of the required administrative security controls including policies, plans, assessments, and the compliance evidence needed for audit,” Powers said.
- Boundary protection: defense of the security perimeter with tightly managed firewalls, intrusion prevention systems, data loss prevention, anti-malware, web content filtering, email filtering, multifactor authentication and network management. “For cloud-based systems, we manage supported cloud services to maintain the security configuration needed for compliance,” he said.
- Endpoint protection: comprehensive compliance for endpoint devices—laptops, workstations, mobile devices and servers. “We establish a security-hardened baseline configuration, with backup, recovery and encryption, and we schedule and perform all necessary operating system and application updates,” Powers said.
- Vulnerability and configuration management: “We take responsibility for identifying and addressing potential security weaknesses and risks caused by software flaws and misconfiguration of the customer’s networks, servers, databases and applications,” he said.
- Managed detection and response: “We provide the technology and services necessary to meet the CMMC requirements for network, server, database and application log collection and monitoring, along with analysis and reporting—all of which are needed to identify and respond to potential cyber security threats and malicious activity,” he said.
But What About ‘Culture?’
In spite of the many advantages offered by third-party systems for quality and cybersecurity control, there are manufacturers who are wary—at least at first.
One reason for their reticence is that, from one angle, the reliance on external technology to “fix” problems sounds too easy.
Manufacturing has had a long and successful tradition of educating its workers to learn entirely new systems to keep an enterprise competitive.
For example, in the mid-1980s, Motorola introduced the Six Sigma system for process improvement while the Toyota Production System was popularizing the need for, and methodology of, lean manufacturing.
Since then, a similar approach has been taken to implementing ecology-driven “green manufacturing.”
In each case, the experts in each of these disciplines talk about building an enterprise-wide “culture of lean,” or quality or some other worthy concept.
The goal has been to instill understanding of the concept into every employee in the business.
As OEMs came to appreciate the value of these systems, they not only adopted them for their own enterprises but also exerted pressure on their suppliers to adopt them—and to be able to demonstrate their attainment by offering good parts on time and documenting their processes. Consider the various levels of lean certification or the system of achieving various levels of “belts” in Six Sigma—an echo of martial-arts training.
For champions of building a company-wide culture of quality or safety, key players in an enterprise need to put in the training—the education and hard work—needed to learn and implement a discipline. They need to do the equivalent of studying a martial in order to implement the discipline.
From this mindset, using a third-party service looks like skipping all of that and hiring a bodyguard. Where does continuous improvement come in?
But must one preclude the other?
Allison Giddens of Win-Tech doesn’t believe so.
“Using an externally derived system like those offered by, say, NeoSystems, doesn’t mean it isn’t necessary to make your team understand the issues of quality and cybersecurity,” she said.
“In fact, the two should go hand in hand: A shop-floor machine operator needs to understand the data on part variation he’s seeing, even though he doesn’t need to manually measure and write up documentation of it anymore. And he certainly needs to understand the dangers of, say, absentmindedly slipping the wrong flash drive into the laptop that’s running the program—even if we expect a cybersecurity system to catch the slip.”
She offered an analogy of the relationship between quality and safety knowledge and the systems provided by vendors like TIP Technologies and NeoSystems:
“Imagine you’re driving, and you get to a crowded intersection and there are no traffic signs or lights. Driver’s Ed taught you what’s supposed to happen. The person on the right goes first, and everybody takes turns. And if everybody knows that, we all get through the intersection and on our way safely.
“But that doesn’t mean that we wouldn’t all be better off with a working traffic light at the intersection.”