I was posed with a question the other day: how to address Configuration Management in AS9120? In essence, the client was having a customer self-audit and wanted some suggestions as to how to answer the following question:
Describe how your firm manages parts obsolescence and manages configuration changes.
So since I have some AS9120 exposure, I saw this as an opportunity to offer a little wisdom.
What is Configuration Management?
A plausible definition of “Configuration Management” is here:
Configuration management (CM) is a process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.[1][2] The CM process is widely used by military engineering organizations to manage changes throughout the system lifecycle of complex systems, such as weapon systems, military vehicles, and information systems.
https://en.wikipedia.org/wiki/Configuration_management
Example of Configuration Management
I have a story on this. I have an old junky Dodge Caravan, and the last time I replaced the brakes I found out that the rear brake pads require the parts for a 2004 model, whereas the rest of the car is a 2003. There is a configuration management process by which Chrysler Corporation kept track of what parts they put onto this poor thing. So, that is why usually I need to take the VIN down to the auto parts store to order parts. It’s because they have all of this recorded.
So the process by which Chrysler decides all of this and tracks it is their configuration management process.
So as it applies to this, it’s the process by which the decision to put these brakes on this poor car, makes sure it still stops properly. It’s also about the system to track the identification. Therefore if there is a post delivery issue they can track me down. For example, there are the dozen or so recall notices I get every year.
So for an OEM this is an important function.
How does this apply to AS9120?
AS9120 is for distributors of course. Configuration Management in AS9120 is a requirement for you, too, except in rare occasions.
The reality is that you, as a distributor, are affected by this mainly to the extent that you preserve the product and its identification. So, you can’t really declare it to be “not applicable” in most cases.
Some combination of supplier and customer actually determine the actual product definition, and performance attributes. Mostly you are distributing a product for a known supplier. It is they who design, produce and package the product. Your job in configuration management is mainly to preserve the product itself. Also, and also, maintain any lot numbers or other information needed by the custo9mers.
Sometimes you are performing logistics services. Your job may be to shop around a set of end use specifications, and it’s up to you to preserve the drawing, identification, inspection criteria and other controls. The originator of the drawing controls the performance, you hope.
How to Address Configuration Management in your QMS?
Here is the requirement:
“The organization shall plan, implement and control a process for configuration management as appropriate to the organization, and its products and services. In order to ensure the identification and control of physical and functional attributes thouughout the product life cycle. This process shall:
a. Control product identity and traceability to requirements, including the implementation of identified changes.
b. Ensure that the documented information, e.g. requirements, design, verification, validation and acceptance documentation is consistent with the attributes of the products and services.
Originally I had some statement in my QMS to the effect that we have an internal MRP system that manages product identification, lot numbers, and everything else. The inspection and product preservation processes ensure the integrity of the product while it is in the facility, or during drop shipping.
We further rely on the supplier and end user to communicate with each other to the extent needed to identify product changes in the system.
Configuration Management Reality
A couple of years ago, as an auditee, I was given a non-conformance by an overreaching auditor that thought my explanation of this was insufficient.
As part of the corrective action, I developed a four page document that described how, in the existing system, the incoming inspection, product identification, packaging, physical form, lot traceability, certificates of analysis, FIFO and other attributes were controlled in the already existing MRP system.
And also, how most of this was driven by either suppliers or customers. Unless they are bulk breakers, most of the time distributors only
It didn’t require implementation of any new procedure, nor did it involve any behavioral change.
There is no requirement in the standard for “documented information” of a configuration management process. I naturally thought my current contract review, order entry, incoming inspection, lot traceability, preservation and outgoing inspection systems would sufficiently describe this.
How to address Configuration Management Better.
Another auditor came through, and said my configuration process was overkill for AS9120. All I really needed to do, according to this less overreaching auditor, is put a statement in something like this:
Typically the configuration of the products, including specifications, identification, performance and other features is managed externally. This are done either by customers or suppliers. We, the organization, already have processes to maintain the identity, traceability lot numbers, and incoming and outgoing inspections to ensure it leaves in the same way as it arrives.
In cases where the configuration of a particular order changes, by request of either the supplier or customer, it goes though a normal order change process, which may include order modifications, issuance of new orders, or other means as specified in the order change process.
Parts Obsolescence in AS9120
This one is a bit easier. There is an underlying expectation, most of the time, that if a supplier makes a part obsolete, they will tell their distributors. They should, in theory, also tell their customers and end users.
Of course, there is no assurance that will happen.
But once it does, it should be a simple matter for a distributor to point to their “non conforming parts” process.
Clause 8.1.5 of the AS9120 standard requires a process for training, application of a “parts obsolescence monitoring program”, and other preventative measures.
In a general way, the distributor’s program for inventory control might be used to detect parts that are sitting around and gathering dust, whether they are obsolete or not.
If you are an AS9120 operation, you probably already have provisions in place for proper disposal of “unapproved parts” so as to render them unusuable.
Do you, an AS9120 distributor, need to have a written procedure on this? There is no requirement in the standard, but it would be advisable to include some statement in your system about how you are doing the activites in 8.1.5 activity, just to keep your conversation with the auditor more friendly.
Risk Based Auditing
It would be easy for an auditor to ask you for your “configuration management” and “unapproved parts” procedures. There is no requirement in the standard that you have one. It’s fairly easy to come up with a piece of paper that has this information.
But it would be even better if an auditor were to ask you for any complaints or returned products due to serial number discrepancies, or other similar configuration issues. If there aren’t any, maybe this is a low risk activity, and you and the auditor can spend your time more wisely.
A better auditor will know where to find the data. It’s better not to spend a lot of time on systems that are low risk. That would help me, as the client, to improve my system and take better care of my customers, which is what I want.
How to Address Configuration Management
So here is the bottom line on this.
In the AS9120 environment, the configuration management and obsolete parts activities have a strong external component.
In most modern companies, there are already systems in place to detect issues with these two functions. Among these are the contract review, identification, preservation, inspection and post-delivery functions.
Auditors might expect some piece of paper that describes the systems you have in place to control these things.
Risk-based thinking would tell you that if this is not a problem at your place, your existing systems are effective, and you would have objective evidence if that were the case. But, the auditor might be more interested in the piece of paper. Do with this information what you will.
If you have any additional contributions to this conversation, please feel free to comment.
Links and References
https://en.wikipedia.org/wiki/Configuration_management
