Confidential Process and Right-of-Entry

rsalba

Registered
Hello all, I have a difficult scenario and would like to tap the minds of the more experienced professionals on this forum for possible solutions. Because there are very few companies in this industry worldwide, I might be a little more vague than I would prefer.

My company has some proprietary processes and capabilities that give it an edge on the global scale for this industry. We have two parts for our operation, the processing of raw material into a production ready purity (we will call this OP1), and the changing of that material into a customer's product (we will call it OP2). We regularly receive probes or attempts to get more information about the process from other organizations or countries about OP1, so we do not want to let anyone into our internal lab or to examine a few of the pieces of equipment. Unfortunately, an NDA would be insufficient to mitigate the risk.

We are intending to define our AS9100 scope to only include the processing of the production ready material into the customer's product (OP2). We will be measuring the material to determine it meets the requirements for OP2 before receiving it into inventory after OP1. My only concern is the requirement for right of entry, as we would not be able to allow anyone into certain parts of OP1, no matter who is asking.

Is this an unnecessary concern, or do you have any other simpler solutions to this issue?
 

Randy

Super Moderator
OK, good question, but how do you know and get assurance that your own people are trustworthy? Is it a promise on a piece of paper?
 

rsalba

Registered
> OK, good question, but how do you know and get assurance that your own people are trustworthy? Is it a promise on a piece of paper?
Are you asking how we maintain information security within the lab? We do have a lengthy process for that, but I am not sure if I understand the relevance. We could not apply those controls to external auditors or visitors.
 

Randy

Super Moderator
> Are you asking how we maintain information security within the lab? We do have a lengthy process for that, but I am not sure if I see the relevance. We could not apply those controls to external auditors or visitors.
Very simple, you're concerned about proprietary process and capabilities and the access and trustworthiness of visitors & auditors. What assurance do you have that your "lengthy process" for your people is actually valid? What would make an auditor less trustworthy than one of your people? Surely not the fact that your people went through a lengthy process. There are many here in this Forum that have probably gone through security processes far stricter than anything you can dream of, far exceeding an NDA.

Odds are the concern may be unnecessary. There are ways however that limited access can be made acceptable for certification purposes (done it many times myself as have others here I'm sure).
 

rsalba

Registered
> Very simple, you're concerned about proprietary process and capabilities and the access and trustworthiness of visitors & auditors. What assurance do you have that your "lengthy process" for your people is actually valid? What would make an auditor less trustworthy than one of your people? Surely not the fact that your people went through a lengthy process. There are many here in this Forum that have probably gone through security processes far stricter than anything you can dream of, far exceeding an NDA.
>
> Odds are the concern may be unnecessary. There are ways however that limited access can be made acceptable for certification purposes (done it many times myself as have others here I'm sure).
Ah, I see your point. I do not think you are wrong, my mentors in this field nearly all had top secret clearance and have seen a number of proprietary things. Heck, so have I.

That said, I also do not think I could convince the board and leadership to take the risk if there is literally any other option, given the somewhat elaborate ways we have been probed already. Would you mind elaborating on the ways you have seen to limit access in a compliant manner for certification?
 

Quality-Nation

On Holiday
> Hello all, I have a difficult scenario and would like to tap the minds of the more experienced professionals on this forum for possible solutions. Because there are very few companies in this industry worldwide, I might be a little more vague than I would prefer.
>
> My company has some proprietary processes and capabilities that give it an edge on the global scale for this industry. We have two parts for our operation, the processing of raw material into a production ready purity (we will call this OP1), and the changing of that material into a customer's product (we will call it OP2). We regularly receive probes or attempts to get more information about the process from other organizations or countries about OP1, so we do not want to let anyone into our internal lab or to examine a few of the pieces of equipment. Unfortunately, an NDA would be insufficient to mitigate the risk.
>
> We are intending to define our AS9100 scope to only include the processing of the production ready material into the customer's product (OP2). We will be measuring the material to determine it meets the requirements for OP2 before receiving it into inventory after OP1. My only concern is the requirement for right of entry, as we would not be able to allow anyone into certain parts of OP1, no matter who is asking.
>
> Is this an unnecessary concern, or do you have any other simpler solutions to this issue?
This, in the grand scheme of 3rd party certifications, isn't new. As long as you have chosen a CB which has been around a long time and is a well recognized name in the industry, they should be able to describe, to your satisfaction, how they will audit a "black box".
 

Randy

Super Moderator
> Would you mind elaborating on the ways you have seen to limit access in a compliant manner for certification?
To elaborate could in itself be a breach, and like a few others here, my access, on a "need to know basis", could have been a tad higher than just TS; in fact, to state that one has a clearance could create problems. So that unsaid, as the new guy above indicated, there are CBs that have been around the block a few times and they can meet things like a specific citizenship requirement (like US only), provide people that could pass a DoD security check (or other agency...we've a member here that spent so much time around nuclear stuff he probably glows at night....I'm sure his clearance was pretty steep and may still be so......Not my business). Others here like myself might have gone to untold numbers of primary manufacturers of "equipment, aircraft, munitions, support systems and such" as 3rd parties. (Most likely organizations more complex and larger than yours, quite possibly the largest in their sector as well, like aviation and/or electronics).

What you are asking is not new, nor would it be unique to you. A recommendation...contact the security guys at other companies and ask them. For the most part you'll get 2nd, 3rd or even no hand experience or WAGs. (1st hand experience guys can't say much).
 

Sidney Vianna

Post Responsibly
Leader
Admin
> We are intending to define our AS9100 scope to only include the processing of the production ready material into the customer's product (OP2). We will be measuring the material to determine it meets the requirements for OP2 before receiving it into inventory after OP1. My only concern is the requirement for right of entry, as we would not be able to allow anyone into certain parts of OP1, no matter who is asking.
Good news and bad news.

Good news: with so many CBs out there, you will have no problem finding one that is willing to play this game with you and "lead you" to certification. If they are really "good", they will wordsmith documents and scopes accordingly, in order to obfuscate the issue.

Bad news: unless OP1 (using your terminology) is a separate legal entity which could be deemed an external provider to OP2, the attempt to carve and scope out OP1 from an audit is a fraud.

Good luck
 

rsalba

Registered
Thank you everyone for your replies. I will ask our CB about how they would handle this matter, but I also would like to structure it as reasonably as possible for my own ethics.

> Bad news: unless OP1 (using your terminology) is a separate legal entity which could be deemed an external provider to OP2, the attempt to carve and scope out OP1 from an audit is a fraud.
Is that the case? I thought defining the scope was largely up to the organization, and have seen numerous companies that define their scope as something like "mechanical assembly and wire harnesses", leaving the PCBA assembly outside of the scope. I was under the impression that as long as the other processes were clearly external to the defined scope it was within the guidelines of the standard. Since OP1 is clearly before and its output can be validated before acceptance into inventory of OP2, it seems to fit the same guidelines. I'd appreciate it if you could clarify what aspect of it is fraudulent, as my concern here was actually just the 8.4.3-l "right of access" clause.

In case it helps, it is my understanding that it is just the product exiting OP2 that our customers are currently requesting to have AS9100. There are no companies that do OP1 that have AS9100 certification, and as I understand it, there is no expectation for us to apply it there. It would be kind of like asking a lithium mine to have AS9100 cert.
 

Sidney Vianna

Post Responsibly
Leader
Admin
> it if you could clarify what aspect of it is fraudulent
By your line of thought, an organization could limit the scope of certification to FINAL INSPECTION AND TESTING OF WHATEVER. All the upstream processes could be carved out and scoped out. That would be ludicrous.
 