AQAP 2070

(Edition 1)

NATO MUTUAL GOVERNMENT QUALITY ASSURANCE (GQA)

PROCESS

AQAP 2070
(Edition 1)

(January 2004)

I ORIGINAL
 AQAP-2070
(Edition 1)

Page blank

II ORIGINAL
 AQAP 2070
(Edition 1)

NORTH ATLANTIC TREATY ORGANIZATION

NATO STANDARDISATION AGENCY (NSA)

NATO LETTER OF PROMULGATION

January 2004

1. AQAP-2070 (Edition 1) – NATO Mutual Government Quality Assurance (GQA)

Process is a NATO/PFP UNCLASSIFIED publication. The agreement of interested
Nations to use this publication is recorded in STANAG 4107.

2. AQAP-2070 (Edition 1) is effective on receipt. It supersedes AQAP 170

(Edition 2) which should be destroyed in accordance with the local procedure for the
destruction of documents.

3. It is permissible to distribute copies of this publication to Contractors and

Suppliers and such distribution is encouraged.

J. MAJ
Brigadier General, PLAR
Director, NSA

III ORIGINAL
 AQAP-2070
(Edition 1)

Page blank

IV ORIGINAL
 AQAP 2070
(Edition 1)
Record of Changes

Change Date Date Entered Effective Date By Whom Entered

V ORIGINAL
 AQAP-2070
(Edition 1)

TABLE OF CONTENTS1

Section…….………………………………………………………………………Page Number
1. INTRODUCTION ................................................................................................................................. 1
1.1 General 1
1.2 References 1
2. INTENT and SCOPE ............................................................................................................................ 1
3. CONCEPT OF OPERATION .............................................................................................................. 2
3.1 General Concept Information 2
3.2 Mutual GQA Process Flowchart 2
4. MUTUAL GQA PROCESS .................................................................................................................. 3
4.1 Delegation Preparation 3
4.1.1 Flowchart .......................................................................................................................... 3
4.1.2 Delegator Review of Contract Requirements (1).............................................................. 4
4.1.3 Incomplete or Conflicting Contract Requirements (2 and 3) ............................................ 4
4.1.4 Delegator Risk Identification (4) ..................................................................................... 4
4.1.5 Decision to Delegate GQA (5 and 6) ................................................................................ 4
4.1.6 RGQA Preparation (7) ...................................................................................................... 5
4.1.7 Electronic Transmission of the RGQA (8)........................................................................ 6
4.1.8 Additional Process Information ........................................................................................ 6
4.2 RGQA Acceptance and GQA Planning 7
4.2.1 Flowchart .......................................................................................................................... 7
4.2.2 RGQA Acknowledgement (1) .......................................................................................... 8
4.2.3 GQAR RGQA and Contract Review (2)........................................................................... 8
4.2.4 GQAR Risk Identification (3)........................................................................................... 9
4.2.5 Conflicting RGQA and Contract Requirements (4 and 5) ................................................ 9
4.2.6 RGQA Acceptance or Partial Acceptance (6 and 8) ......................................................... 9
4.2.7 RGQA Rejection (7) ....................................................................................................... 10
4.2.8 GQA Surveillance Planning (9) ...................................................................................... 10
4.2.9 Post Award Quality Assurance (QA) Meeting (10) ........................................................ 11
4.2.10 Sub-Supplier RGQA Determination (11) ....................................................................... 12
4.2.11 GQA Surveillance Plan (12 and 13) ............................................................................... 12
4.3 GQA Performance 13
4.3.1 Flowchart ........................................................................................................................ 13
4.3.2 Perform GQA Surveillance Activities (1)....................................................................... 13
4.3.3 Review of Supplier Quality Management Documentation (2)........................................ 14
4.3.4 Non-conformities (3, 4, 5 and 6).................................................................................... 14
4.3.5 GQA Surveillance Records and Analysis (7 and 8)........................................................ 14
4.3.6 GQA Completion (9 and 10).......................................................................................... 15
4.3.7 Significant Changes in Risk and Delegator Notification (11 and 12)............................. 15
4.3.8 Adjusting the GQA Plan (13).......................................................................................... 15
4.4 Notification of RGQA Completion 16
4.4.1 Flowchart ........................................................................................................................ 16
4.4.2 Preparation for Product Release (1) ............................................................................... 16
4.4.3 Certificate of Conformity (CoC) (2 and 3) ..................................................................... 16
4.4.4 Product Release (4) ......................................................................................................... 17
4.4.5 Notification of RGQA Completion (6) ........................................................................... 17

1
A number within ( ) corresponds to a flowchart block number.

VI ORIGINAL
 AQAP-2070
(Edition 1)

4.5 GQA Risk Information Feedback ................................................................................... 18

4.5.1 Flowchart ........................................................................................................................ 18
4.5.2 Delegator Risk Identification (1) .................................................................................... 18
4.5.3 Initial Risk Information Feedback (2)............................................................................. 19
4.5.4 Maintain Risk Information (3) ........................................................................................ 19
4.5.5 On-Going Risk Information Feedback (4) ...................................................................... 19
4.5.6 Significant Changes in Risk (5) ...................................................................................... 19
4.5.7 Risk Information Feedback at RGQA Completion (6) ................................................... 19
4.5.8 Additional Process Information ...................................................................................... 20
5. GQA SUPPORT PROCESSES .......................................................................................................... 20
5.1 Deviation Permits and Concessions 20
5.1.1 Flowchart ........................................................................................................................ 20
5.2 Customer Complaint Investigations 25
5.2.1 Flowchart ........................................................................................................................ 25
5.3 Sub-Supplier RGQA Process 28
5.3.1 Flowchart ........................................................................................................................ 28

ANNEXES

Annex A – Mutual GQA Acronyms & Definitions

Annex B – Mutual GQA Forms
Annex C – Mutual GQA Risk Identification and Classification
Annex D – Mutual GQA Surveillance Methods and Techniques
Annex E – Electronic RGQA Process

VII ORIGINAL
 AQAP-2070
(Edition 1)

Page blank

VIII ORIGINAL
 AQAP-2070
(Edition 1)
1. INTRODUCTION

1.1 General

1.1.1 Mutual GQA is the process by which NATO Nations provide each other, and
NATO organizations, Government Quality Assurance on defence contracts. The
appropriate National Authority in a supplying Nation provides, in its Nation, GQA
surveillance on behalf of and at the request of the acquiring Nation or NATO
organization.

1.1.2 Mutual GQA provides confidence to the acquiring Nation that, as related to
quality, the Supplier of the defence products is complying with the terms of the
contract being monitored through GQA. GQA is performed on those contractual
requirements posing risks to or required by law of the acquiring Nation.

1.2 References

a) Standardization Agreement (STANAG) 4107, Mutual Acceptance of

Government Quality Assurance and Usage of the Allied Quality Assurance
Publications.
b) ISO 9000:2000 Quality Management Systems – Fundamentals and
Vocabulary.
c) AQAP Contractual Documents.

2. INTENT and SCOPE

2.1 The intent of this document is to standardize and harmonize the process by which
the participating Nations request and supply GQA.

2.2 The Mutual GQA process described herein is implemented by authority of NATO
Standardization Agreement 4107, which has been ratified by each of the
participating member Nations. Unless otherwise indicated by reservation to
STANAG 4107, participating Nations will follow the Mutual GQA process, as
defined in this AQAP, when exchanging GQA.

2.3 The mutual GQA process emphasizes the identification and classification of risks
as a means of planning the GQA Surveillance activities. The feedback of risk
information between the Delegator and the Government Quality Assurance
Representative (GQAR) throughout the entire process will assure appropriate
GQA Surveillance.

2.4 The mutual GQA process described in this document becomes applicable after
the Government contract and/or derived subcontract is issued and where the
monitoring and mitigation of risk is required.

1
AQAP-2070
(Edition 1)
3. CONCEPT OF OPERATION

3.1 General Concept Information

3.1.1 Risk-based GQA surveillance is an effective means of aligning the appropriate

amount and type of Government resources with the risks related to a project or
contract. The objective is to perform the necessary GQA surveillance activities
with focus on the identified risk areas in order to achieve the required confidence
prior to the release of the product to the Acquirer.

3.1.2 Because of the uniqueness of the Mutual GQA process, identifying risks usually
requires the input of the Delegator and the GQAR. Both have access and insight
into the risk information necessary to focus and plan the GQA activity on those
systems, processes, and products that pose risks to the Acquirer.

3.2 Mutual GQA Process Flowchart

Mutual GQA Process Overview

Delegator

Delegation Preparation (Section 4.1)

Contract
(Input to Perform
GQA) Contract Risk RGQA RGQA to
Review Identification Preparation Delegatee
Communication

RGQA Acceptance and GQA Planning (Section 4.2)

Develop GQA RGQA and

RGQA Risk
Surveillance Surveillance Contract
Acceptance Identification
Plan Planning Review

GQA Performance (Section 4.3)

Perform Document Corrective Analysis of Adjusting

Surveillance Results Actions Data Surveillance
Delegatee

GQA Support Processes (Section 5.0)

Customer Deviation
Sub-Supplier
Complaint Permits /
RGQA
Investigations Concessions

Government
Confidence in GQA Risk Information Notification of RGQA
Conforming Product Feedback Completion
(Process Output) (Section 4.5) (Section 4.4)

Figure 3-1 Mutual GQA Process Overview

2
 AQAP-2070
(Edition 1)
3.2.1 The cross-functional flowchart at Figure 3-1 illustrates the main sections (shaded
areas) of the Mutual GQA process and its associated sub-processes. The
process consists of risk identification by the Delegator and a determination as to
whether the risks merit GQA surveillance. If GQA is necessary, a RGQA is
prepared and forwarded to the Delegatee. Upon receipt of the RGQA, the
GQAR also performs risk identification. This ensures all risks known to the
Delegator and GQAR are identified and used in planning the appropriate GQA
surveillance to protect the acquiring Government’s contractual interests. GQA
activities are based on the content of the RGQA and the contract.

3.2.2 The exchange of risk information, between the Delegator and GQAR, is key to the
Mutual GQA process. With the continuous sharing and feedback of risk
information, both the Delegator and GQAR will have greater insight into the
project or Supplier risks and the GQA surveillance activities being implemented to
mitigate or monitor those risks.

3.2.3 Requests for GQA shall only be sent to the appropriate National Authorities or
Focal Points identified in STANAG 4107 Annex A.

3.2.4 Participating Nations are responsible for managing the Mutual GQA process
within their respective Government Quality Assurance organizations and for
measuring, analyzing, and continuously improving their implementation of this
process.

4. MUTUAL GQA PROCESS

4.1 Delegation Preparation

4.1.1 Flowchart

C o n tra ct
C o n tra ct D e le g a to r In itia te s
D e le g a to r C o n tra ct R e q u ire m e n ts
(P ro ce ss In p u t) Y es A ctions to C o rre ct
R e vie w In co m p le te o r
C o n tra ct
1 C o n flictin g 3
2

No

P ro ce s s O u tp u t is F o rw a rd R G Q A to D e le g a to r R isk
th e R G Q A F o ca l P o in t Id e n tifica tio n P ro ce ss E n d s
8 4

GQA H a n d le R isks n o t
D e le g a to r
Yes D e le g a tio n No R e q u irin g G Q A U sin g
P re p a re s R G Q A
7
R e q u ire d N a tio n a l P ro ce d u re s
5 6

F ig u re 4 -1 D e le g a tio n P re p a ra tio n F lo w ch a rt

3
AQAP-2070
(Edition 1)
[Link] The flowchart at Figure 4-1 illustrates the Delegator’s responsibilities with regard
to the delegation preparation process. The process input is the contract and the
process output is the prepared RGQA. For simplicity, the word contract
represents Government Defence contracts and derived subcontracts.

4.1.2 Delegator Review of Contract Requirements (1)

[Link] The Delegator is expected to thoroughly review the contract prior to issuing the
RGQA to assure that information appropriate to GQA has been included and that
there are no incomplete or conflicting contract requirements. The Delegator
should assure the contract contains, as applicable, the following:

a) GQAR right of access into the Supplier’s or Sub-Supplier’s facility to perform

GQA;
b) Appropriate contractual AQAP or equivalent QMS requirements;
c) Appropriate contract technical requirements or reference thereto;
d) Certificate of Conformity requirements;
e) Instructions related to product release from the Supplier’s facility;
f) Procedures for dealing with requests for deviation permit and/or concession;
g) Requirements for Supplier generated plans, i.e. quality plans, risk
management plans, configuration management plans, etc.;
h) Design reviews, first article inspection and/or specific testing requirements;
i) Contract delivery schedule requirements; and
j) Legal/statutory requirements that could affect the contract.

4.1.3 Incomplete or Conflicting Contract Requirements (2 and 3)

[Link] The Delegator is to ensure that incomplete or conflicting contract requirements

are corrected by the Acquirer. If unable to do so prior to initiating the RGQA,
details of the incomplete or conflicting requirements and the actions being taken
by the Acquirer to resolve them should be included on the RGQA.

4.1.4 Delegator Risk Identification (4)

[Link] The Delegator shall identify and classify risks using the guidance at Annex C.

[Link] It is highly recommended that communication be established between the

Delegator and GQAR so that they can discuss the associated risks and planning
of GQA surveillance activities, especially for larger programs or for longer-term
delegations.

4.1.5 Decision to Delegate GQA (5 and 6)

[Link] The Delegator must decide if the risks identified require GQA surveillance. The
Delegator should determine whether STANAG 4107 is applicable without
restriction or whether national restrictions require the use of special bilateral MOU
or other such arrangements. For Sub-Supplier delegations refer to section 5.3.

4
 AQAP-2070
(Edition 1)
[Link] GQA at source of simple, low risk items or when the quality of the product can be
verified satisfactorily on receipt, should not normally be delegated. In such
circumstances, the Delegator should liaise with the Acquirer to ensure that
suitable arrangements for the conduct of receipt verification are in place. Risks
not requiring GQA surveillance should be handled in accordance with internal
national practices. If, at this point, there are no risks remaining that require GQA,
the process ends.

4.1.6 RGQA Preparation (7)

[Link] The Delegator initiates the RGQA by completing Part I of the RGQA form. The
RGQA form, along with guidance for its completion is provided at Annex B.

[Link] The Delegator should consider the following, as applicable:

a) The need to be provided with a copy of the GQA surveillance plan;

b) The need to authorize the GQAR to be involved with Supplier’s requests for
deviation permits or concessions;
c) The need for the GQAR to sign a Certificate of Conformity;
d) The need to provide instructions concerning the method of releasing product
from the Supplier’s facility;
e) The need for risk information feedback or periodic reports from the GQAR;
f) The need for the GQAR to become involved in first article inspection activities
or special testing requirements, in support of a contract requirement;
g) The need for GQAR observance of technical or design reviews (PCA, FCA,
etc) Note: It is important to notice that, depending on the contract, the
decisions concerning the technical aspects of design reviews are the
responsibility of the Supplier and/or the Acquirer;
h) The need to highlight risks associated with critical safety items, airworthiness,
submarine safety, etc., that could have a catastrophic impact;
i) The need to be provided with copies of sub-tier delegations, quality plans, etc;
j) The need to provide pre-contract award survey results to the GQAR; and
k) The need to notify the GQAR that the Supplier is contractually authorised to
accept minor non-conforming product on behalf of the Acquirer.

[Link] All risks identified during the risk identification process that require monitoring
through GQA surveillance should be documented on Part I of the RGQA. Where
possible, the Delegator should specify which section of the contract or technical
specification is associated with the risk shown on the RGQA. After identifying the
risk, classify it in accordance with the definitions provided in Annex A.

[Link] It is not necessary for the Delegator to identify the GQA surveillance methods or
techniques to be used during the performance of the GQA surveillance; the
GQAR, during the GQA surveillance planning, will identify the methods and
techniques best suited to handle and monitor the risks. Detailed instruction for
completion of the RGQA form can be found at Annex B.

5
AQAP-2070
(Edition 1)
[Link] The Delegator should identify any reports to be provided by the GQAR.
Reporting requirements should be kept to a minimum.

[Link] If the GQAR is to be requested to sign a Supplier’s CoC, the CoC must be a
contractual requirement. Further information concerning the CoC can be found in
section 4.4.

[Link] Where several contracts have been placed with the same Supplier, the Delegator
may request GQA on a facility-wide basis, which will encompass all of the
Delegator’s contracts at the Supplier’s facility. The Delegator and GQAR are
expected to coordinate and agree when the facility-wide approach is preferable.
In such cases, the Delegator and GQAR shall ensure that all incoming contracts
are reviewed to determine if the previously identified risks have changed or if
additional risks are present. Based on this review, the facility-wide delegation
should be revised as necessary.

4.1.7 Electronic Transmission of the RGQA (8)

[Link] Preferably, the Delegator should electronically transmit the RGQA, along with the
contract and supporting information, to the appropriate National Authorities or
focal points email address contained in STANAG 4107 Annex A. Instructions for
the electronic transmission of RGQA are provided at Annex E. If using hard copy,
the RGQA should be posted to the addresses provided in STANAG 4107.

[Link] In either case, the RGQA shall be sent in sufficient time with contractual schedule
in order to allow the GQAR to prepare for and perform the requested GQA.

[Link] In urgent situations where immediate GQA surveillance precludes preparation of

the RGQA, the Delegator should email or fax the Delegatee to request that GQA
is initiated immediately. The Delegator shall follow-up the request with a formal
RGQA as soon as possible.

4.1.8 Additional Process Information

[Link] Normally, evaluations of a Supplier’s complete QMS will not be requested.

However, where the Delegator identifies risks associated with specific contractual
elements of the QMS, appropriate GQA surveillance will be planned and
performed by the GQAR.

[Link] Situations may occur where significant quality problems have resulted in an
unacceptable level of risk to the project or contract. In such situations, the
Delegator should coordinate the additional risks or Acquirer’s concerns with the
Delegatee. The RGQA should be revised accordingly.

[Link] If the Delegator requires copies of RGQA issued by the GQAR to Sub-Suppliers,
the requirement should be clearly stated on the RGQA issued by the Delegator.

6
 AQAP-2070
(Edition 1)
[Link] The Delegator will not withdraw an active RGQA without having first consulted with the
Delegatee. Improper coordination or lack of management visibility when with drawing an
RGQA could adversely impact the project or contract.

[Link] Unless required otherwise, the GQA surveillance of the Supplier’s process for deviation
permits and concessions should be based on risk. If other arrangements are required
based on the Delegator’s national requirements, the details are to be provided on the
RGQA.

[Link] Where the Delegator requires copies of Quality Deficiency Reports (QDR) or other
corrective action requests issued by the GQAR, the requirement should be so stated on
the RGQA.

[Link] Where the Acquirer or contract identifies critical safety items, airworthiness items,
submarine safety items, etc., the Delegator will identify their contractual requirements on
the RGQA. The Delegator and Delegatee will discuss available national practices (GQA
surveillance methods and techniques) that might satisfy the needs of the Acquirer.

[Link] Acceptance of the product and certification of airworthiness are not a normal aspect of
the Mutual GQA process. As such, any related special requirements should be
coordinated with the Delegatee in advance of the RGQA.

4.2 RGQA Acceptance and GQA Planning

4.2.1 Flowchart

Focal Point
Receipt of RGQA Acknowledges GQAR RGQA and GQAR Risk
(Process Input) Receipt of the Contract Review Identification
RGQA 2 3
1

Incomplete or
Initiate GQA RGQA
Notify Delegator of Conflicting RGQA,
Surveillance Yes Acceptance No
RGQA Acceptance Risks, or Contract
Planning (full or in part)
9
8
6
Requirements
4

No Yes

Conduct Post
Formally Notify Clarify
Award QA Meeting
Process Ends Delegator in Requirements
with Supplier, if
Writing with Delegator
Necessary 7 5
10

Forward Plan to Process Output is the

Determine Sub-
Develop GQA Delegator, if Accepted RGQA and GQA
Supplier RGQA
Surveillance Plan Requested on Surveillance Plan
Needs
11
12 RGQA
13

Figure 4-2 RGQA Acceptance and GQA Planning Process

7
AQAP-2070
(Edition 1)
[Link] The flowchart at Figure 4-2 illustrates the Delegatee’s process for accepting the
RGQA and planning the GQA surveillance. The process input is the Delegator’s
RGQA and the process outputs are the accepted RGQA and the GQA
surveillance plan.

4.2.2 RGQA Acknowledgement (1)

[Link] The focal point should acknowledge receipt of the RGQA, without unnecessary
delay, preferably by return email message, but if unable to, by some other means.
The acknowledgement signifies that the RGQA has been received and is being
forwarded to the GQAR for review and acceptance.

4.2.3 GQAR RGQA and Contract Review (2)

[Link] In order to properly plan the GQA surveillance required by the RGQA, the GQAR
is expected to review the RGQA and accompanying contractual documentation
upon receipt. The review is to ensure the GQAR is knowledgeable of the
requirements of the contract as related to the requirements of the RGQA and will
assist the GQAR in planning the appropriate GQA surveillance.

[Link] This review is the responsibility of the GQAR. Particular emphasis should be
placed on the following, as applicable:

a) Assuring the GQAR has the necessary right of access to the Supplier or Sub-
Supplier’s plant for the purposes of performing the necessary GQA;
b) GQAR’s delegated authority with respect to deviation permits and/or
concessions;
c) Supplier’s authority concerning deviation permits and/or concessions;
d) Assuring the appropriate AQAP or equivalent QMS requirements have been
called up in the contract (reference STANAG 4107);
e) Product technical requirements, if provided;
f) Instructions concerning the GQAR’s responsibility with respect to a Certificate
of Conformity (CoC);
g) Assuring the Delegator has provided instruction on the RGQA concerning the
GQAR’s involvement in releasing the product from the Supplier’s facility;
h) Requirements for Supplier generated plans, i.e. quality plans, risk
management plans, configuration management plans, sub-tier delegations
etc.;
i) Requirements for first article inspections or special testing requirements;
j) GQAR’s involvement in technical or design reviews;
k) Requirements for risk information feedback;
l) Special reporting requirements;
m) Pre-contract award information; and
n) Special product designators such as Flight Critical, Submarine Safety Items,
or other national high emphasis designators.

8
 AQAP-2070
(Edition 1)
[Link] Where several contracts have been placed with the same Supplier, the GQAR
may wish to perform GQA surveillance on a facility-wide basis.
4.2.4 GQAR Risk Identification (3)

[Link] Using Part II of the RGQA form, the GQAR is expected to identify additional risks
that require monitoring through GQA surveillance, that have not already been
identified by the Delegator in Part I of the RGQA. The contractual reference
associated with the risk should be annotated on the RGQA. Where reference is
unavailable, rationale supporting the risk should be provided.

[Link] The GQAR is expected to identify and classify risks using the guidance at Annex
C.

[Link] The GQAR is encouraged to provide recommendations and/or comments

concerning the risks identified by the Delegator in Part I of the RGQA. It is not
necessary for the Delegator and GQAR to agree on the risk identification and/or
classification as their perspectives and accessibility to risk information is usually
different. However, where the GQAR possesses risk information that significantly
contradicts the risk identification and/or classification of the Delegator, the GQAR
is expected to contact the Delegator and provide supporting objective evidence
substantiating the identified risks or rationale for increasing or decreasing the risk
classification. Accurate risk information is valuable to project or contract
managers.

4.2.5 Conflicting RGQA and Contract Requirements (4 and 5)

[Link] The RGQA and associated contract requirements should be clear, complete, and
understood by the GQAR. If clarification is required, the GQAR is expected to
contact the Delegator. Where possible, the Delegator and GQAR should use
electronic means to expedite the resolution of issues.

4.2.6 RGQA Acceptance or Partial Acceptance (6 and 8)

[Link] Based on the review of the RGQA, contract and outcomes of the joint risk
identification, the GQAR determines if the RGQA can be accepted fully or in part.
The GQAR accepts the RGQA by completing Part II of the RGQA form and
returning the RGQA, without unnecessary delay, to the Delegator. By accepting
the RGQA, the GQAR agrees to perform GQA on all risks identified in Parts I and
II of the RGQA. The required RGQA form, with instructions, is provided at Annex
B.

[Link] Where the GQAR can only accept the RGQA in part, the GQAR shall notify the
Delegator to discuss alternatives for the requirements that cannot be accepted.
While issues are being resolved, the implementation of GQA should not be
delayed for those RGQA requirements that can be accepted by the GQAR.
Acceptance, in part, of a RGQA should be on an exception basis unless
reservations are posted in STANAG 4107.

9
AQAP-2070
(Edition 1)

[Link] The GQAR should notify the Supplier of the GQA surveillance to be performed.
Once the GQAR accepts the RGQA, the GQA surveillance will not be
discontinued without the coordination and concurrence of the Delegator.

4.2.7 RGQA Rejection (7)

[Link] If the GQAR cannot accept the RGQA, the GQAR shall formally notify the
Delegator, in writing, as soon as possible, explaining why the RGQA cannot be
accepted. The formal explanation will be attached to the RGQA when it is
returned to the Delegator. Rejection of a RGQA will only be on an exception
basis.

4.2.8 GQA Surveillance Planning (9)

[Link] The assigned GQAR is expected to have the necessary skills and competency at
his disposal to properly plan and perform the appropriate GQA surveillance. The
GQAR is expected to be knowledgeable of relevant industry and technical
practices, AQAPs and techniques used by the Supplier in fulfilment of the
contract requirements. Where the GQAR organization is unable to provide the
necessary skills and competencies the GQAR will request assistance from the
Delegator.

[Link] The GQAR will plan the necessary activities to satisfy the requirements of the
RGQA. It is the GQAR’s responsibility to determine the GQA surveillance areas,
methods or techniques best suited to mitigate or monitor the risks identified on
the RGQA. Figure 4-2-2 illustrates the concepts relating to GQA surveillance
planning. It also illustrates the GQA surveillance techniques that might be used
depending on the surveillance area and associated risks. Where higher-level
risks might require a combination of QMS, process and product surveillance,
moderate-level risks might require only process and/or product surveillance.
Lower-level risks might only require occasional product verifications. All GQA
surveillance to be performed by the GQAR in support of the RGQA is expected to
be documented on the GQA surveillance plan.

Delegator and Delegatee

Identified Risks

GQA Surveillance Areas

QMS Surveillance Process Surveillance Product Surveillance

GQA Surveillance Techniques

Formal Process Review Product

Quality Audits and Verification Verification

Figure 4-2-2 Concepts Relating to GQA Surveillance Planning

10
 AQAP-2070
(Edition 1)
[Link] During GQA surveillance planning, the GQAR should consider the status of the
Supplier’s QMS. Where GQA surveillance of the Supplier’s QMS has been
ongoing, then an initial quality documentation review by the GQAR is not normally
necessary. Based on risk, the GQAR is expected to plan for continuing quality
audits or reviews of the Supplier’s QMS to assure it continues to satisfy contract
requirements.

[Link] The GQA activities identified below are to be performed by the GQAR without the
need for specific tasking in the RGQA:

a) Reviewing the RGQA and contract requirements (4.2.3);

b) Generating the GQA surveillance plans (4.2.11);
c) Performing the GQA Surveillance (4.3.2);
d) Reviewing the Supplier Quality Management System documentation (4.3.3);
e) Establishing and maintaining GQA surveillance records (4.3.5);
f) Reviewing the results of GQA surveillance (4.3.5);
g) Adjusting the GQA surveillance and associated plans as risks change (4.3.8);
h) Initiating and processing of quality deficiency reports; including verification/
validation of preventive and corrective actions (5.2);
i) Initiating Sub-Supplier RGQA, as required (5.3);
j) Sharing and providing risk information feedback to the Delegator (4.5);
k) Conducting post-award QA meetings with the Supplier;
l) Verifying and Validating the Supplier’s objective quality evidence; and
m) Verifying and validating the Supplier’s investigations of customer complaints
on current delegations.

4.2.9 Post Award Quality Assurance (QA) Meeting (10)

[Link] When it is determined that the Supplier may not have a clear understanding of the
QA requirements of the contract, it is suggested that a post-award QA meeting be
initiated to clarify the requirements and resolve the misunderstandings. Either
the Delegator or GQAR may propose the post-award QA meeting. This meeting
enables the GQAR and Supplier to discuss, coordinate and clarify any
misunderstandings they may have with regard to their respective responsibilities.
The meeting also allows the GQAR to identify significant process audit/review
stages. If necessary, the GQAR should contact the Acquirer for advice.

[Link] The meeting should be used to identify and/or clarify such issues as:

a) QMS or inspection requirements;

b) Quality plans, CM plans, Software plans, R&M plans, or other contractually
required QA documentation or deliverable technical data;
c) GQA surveillance activity to be performed in support of the RGQA;
d) Procedures for dealing with requests for deviation permits and/or concessions;
e) Certificate of Conformity requirements;
f) Critical safety items, airworthiness items, submarine items, etc identified in the
contract;

11
AQAP-2070
(Edition 1)
g) GQAR involvement in design reviews, CM activities, testing, release of
product from the Supplier’s facility etc.; and
h) First article testing/Pre-production testing.

4.2.10 Sub-Supplier RGQA Determination (11)

[Link] Detailed information concerning the sub-Supplier GQA process is located at

section 5.3 of this document.

4.2.11 GQA Surveillance Plan (12 and 13)

[Link] The GQAR is expected to generate a GQA surveillance plan. When required by
contract, the Supplier’s QA plan should be taken into consideration when
developing the GQA surveillance plan. The plan should incorporate all of the
requirements of the RGQA and identify all of the GQA surveillance activities to be
performed by the GQAR to mitigate/monitor the identified risks and the GQA
reports to be issued. The GQA surveillance plan may be generated for each
individual RGQA received or may be combined on a project or facility-wide basis.
The GQA surveillance activities identified in the plan will be traceable back to the
risks identified on the RGQA.

[Link] Surveillance plans should be prepared in accordance with national practices. A

surveillance plan would typically include:

a) Identification of all risks from Parts I & II of the RGQA;

b) Identification of the specific systems (or elements thereof), processes and/or
products requiring GQA surveillance;
c) GQA surveillance methods or techniques to be used;
d) Scheduled completion dates of the surveillance;
e) Intensity of surveillance, i.e. lot sampling, 100%, etc.; and
f) Other GQA activities to be performed, identified on the RGQA

[Link] The content of the GQA surveillance plan is not limited to the above information.
The GQA Surveillance plan is a document that dynamically develops and evolves
as risk and Supplier activities change throughout the life of the contract. See
paragraph [Link].

[Link] When requested, a copy of the GQA surveillance plan will be provided to the
Delegator. Note: Requesting a copy of the plan should not be a common
occurrence on routine RGQAs. Where major programs or higher risks are
involved, it may be appropriate to request a copy of the plan.

12
 AQAP-2070
(Edition 1)
4.3 GQA Performance

4.3.1 Flowchart

GQA Surveillance Perform Planned Review Supplier Issue

Plan GQA Surveillance Quality Mgt Nonconformity Quality Deficiency
(Process Input) Yes
Activity Documentation Detected? Report
1 2 3 4

On-Going GQA
Supplier or
No GQA Completion Sub-Supplier
initiate Corrective
(Process Output) and Preventive
Revise/Adjust 10
Actions
Surveillance Plan as 5
Risk Change
13
Yes
No

Changes in
Risks or RGQA No
Nonconformity No Surveillance
Require Delegator Complete
Notification 9
11

Verify
Report Risk Supplier
Information Feedback Document GQA Corrective and
Analysis of
and/or Unsatisfactory Yes Surveillance Yes Preventive Actions
GQA Records
Condition to Delegator 8 Records Effectively
using Part III of RGQA 7 Implemented
12 6

Figure 4-3 GQA Performance Process

[Link] The flowchart at Figure 4-3 illustrates the GQA Performance Process. The
process input is the GQA surveillance plan and the process output is GQA
completion.

4.3.2 Perform GQA Surveillance Activities (1)

[Link] The GQAR will perform the GQA surveillance activity as planned (4.2.8) and
documented on the GQA Surveillance plan (4.2.11). GQA performance includes
such activities as review of Supplier QMS documentation, quality audits, process
reviews and/or verifications, product verifications/validations, Sub-Supplier
control, flow-down of data/contract conditions, and other GQA surveillance
activities as tasked on the RGQA. Annex D provides additional information on
GQA surveillance methods and techniques.

13
AQAP-2070
(Edition 1)
4.3.3 Review of Supplier Quality Management Documentation (2)

[Link] When contractually required, Suppliers develop documents associated with their
QMS. These documents might include a quality manual, quality plan,
configuration management plan, software quality plan, or other types of
contractually required Supplier developed documents or specifications.

[Link] The GQAR is expected to review the Supplier’s quality documentation to ensure it
satisfies the contractual documentation requirements. The review should provide
the GQAR with confidence that the QMS, from a documentation perspective,
meets the contract requirements and, if effectively implemented by the Supplier,
should achieve the planned results. Where the review indicates that the
documentation does not satisfy contract requirements, the nonconformity should
be brought to the Supplier’s attention for correction.

[Link] The review is typically performed as soon as practical after RGQA acceptance
and should be ongoing throughout the life of the contract as the Supplier makes
revisions to documentation. The review should initially focus on the risks
identified on the RGQA; however, the documentation review will not preclude the
implementation of the GQA surveillance identified on the GQA surveillance plan.

[Link] Where the contract requires formal Government acceptance or approval of QMS
documentation, the documentation must be sent to the Acquirer.

4.3.4 Non-conformities (3, 4, 5 and 6)

[Link] When contractual non-conformities associated with the Supplier’s QMS,

processes or products are detected by the GQAR, he will request the Supplier to
define and implement corrective actions. The method for requesting corrective
actions will be in accordance with national practices. Contract requirements
normally require the Supplier to initiate corrective and preventive action in
response to the identified non-conformities. The GQAR should verify that the
Supplier has effectively implemented appropriate corrective or preventive actions
to prevent recurrence of the nonconformity.

[Link] GQARs operating at the Sub-Supplier levels should not take any action or make
any statement that could be construed as interfering with the contractual
arrangements between the Suppliers and their Sub-Suppliers. If requested on the
RGQA, a copy of each QDR raised is to be forwarded to the Delegator. The
GQAR may also use Part III of the RGQA to notify the Delegator of the
unsatisfactory condition.

4.3.5 GQA Surveillance Records and Analysis (7 and 8)

[Link] The GQAR will record the results of all GQA surveillance activities performed in
support of the RGQA. Records should indicate the system, process, or product
audited, reviewed or examined, dates performed, results, and include details of

14
 AQAP-2070
(Edition 1)
any QDRs issued. Unless otherwise agreed on the RGQA, record retention
periods will be in accordance with national practices and at least until the
completion of the contract. Results of GQA surveillance activity will be available
upon request by the Delegator.

[Link] GQARs are expected to periodically analyze the GQA surveillance records to
identify unfavourable trends or conditions associated with the Supplier’s QMS,
processes, or product. Unfavourable trends should be shared with the Supplier
so that the Supplier can take appropriate corrective or preventive action. The
results of the analysis are expected to be used by the GQAR to adjust risk levels
and the GQA surveillance activity being performed. Where appropriate, the
results of the analysis should be shared with the Delegator.

4.3.6 GQA Completion (9 and 10)

[Link] The GQAR will notify the Delegator when the requested GQA is complete.
Unless agreed otherwise on the RGQA, the GQAR will notify completion using
Part III of the RGQA form.

4.3.7 Significant Changes in Risk and Delegator Notification (11 and 12)

[Link] If at any time during the GQA process, the GQAR identifies a significant change
in the levels of risk associated with the program or contract, the Delegator will be
notified using Part III of the RGQA form. A change in risk resulting in a change of
risk classification is considered significant. Such changes may result in
adjustments to the GQA surveillance plan or the RGQA.

4.3.8 Adjusting the GQA Plan (13)

[Link] The GQA surveillance plan is a dynamic document. The plan, and associated
GQA surveillance, should be adjusted as risk classifications change or as
confidence in the Supplier’s ability to meet contractual requirements changes.
The intensity or frequency of GQA surveillance activity should change
accordingly. Adjustments to the plan should be considered after the following:

a) Analysis of GQA surveillance records indicate favourable/unfavourable trends;

b) Analysis of Supplier data indicate favourable/unfavourable trends;
c) Identification of system, process, or product nonconformity that resulted in a
QDR being issued; and
d) Customer complaint investigations.

[Link] Where the Delegator requested the original GQA surveillance plan, the GQAR
should provide a copy of the revised plan to the Delegator.

15
AQAP-2070
(Edition 1)
4.4 Notification of RGQA Completion

4.4.1 Flowchart

Process Input is Delegatee Delegator Delegatee

Completed or Preparation for CoC Required Signs
On-going GQA Yes
Product Release per RGQA CoC
1 2 3

Yes
No

RGQA Complete Multiple

Notify Delegator Product Release
No Contract
6 by the Supplier
Deliveries 4
5

Figure 4-4 Notification of GQA Completion

[Link] The flowchart at Figure 4-4 illustrates the Notification of GQA Completion
process. The process input is the completed GQA or, in the case of multiple
contract deliveries, the on-going GQA and the output is the risk information
feedback to the Delegator.

4.4.2 Preparation for Product Release (1)

[Link] The GQAR should review the instructions provided on the RGQA concerning the
GQAR’s involvement, if any, in the release of the product from the Supplier’s
facility.

4.4.3 Certificate of Conformity (CoC) (2 and 3)

[Link] Within the context of Mutual GQA, the CoC is a dual-purpose form, the usage of
which must be a contractual requirement. It is used as a confirmation by the
Supplier to the Acquirer that apart from any identified and approved deviation
permits and concessions, the products conform to contract requirements. The
CoC is generated and completed by the Supplier.

[Link] When requested on the RGQA, the COC is signed by the GQAR to attest that,
within the provisions of STANAG 4107, AQAP-2070 and the RGQA, the supplies
identified on the CoC have been subjected to GQA. The GQAR signature on the
CoC does not mean acceptance of the supplies on behalf of the Delegator, does
not necessarily mean that the individual items have been inspected, nor does it
mean that airworthiness certification has been granted.

16
 AQAP-2070
(Edition 1)
[Link] An example of a suitable CoC form can be found at Annex B. Nations should
modify the example form to suit their own national interests. For example,
Nations may decide to separate the CoC into a two-part form to clearly distinguish
the Supplier’s Statement of Quality from the GQAR’s statement of GQA.

[Link] As the CoC is used by many NATO Nations to authorize payment to the Supplier,
the GQAR will only sign the CoC under the following conditions:
a) There is a contractual requirement for the Supplier to submit a CoC; and
b) The GQAR has been requested by the RGQA to sign the CoC

4.4.4 Product Release (4)

[Link] The GQAR is expected to comply with the instructions on the RGQA concerning
the GQAR’s involvement in releasing the product from the Supplier’s facility.
Acceptance of the product and certification of airworthiness are not a normal
aspect of the Mutual GQA process. As such, any related special requirements
should be coordinated with the Delegatee in advance of the RGQA.

4.4.5 Notification of RGQA Completion (6)

[Link] Using Part III of the RGQA form, the GQAR notifies the Delegator when the
RGQA is complete and provides the status of the risks that were monitored by the
GQA surveillance activity. These are the risks previously identified in Parts I & II
of the RGQA form. In addition, the GQAR may make recommendations to the
Delegator concerning future GQA requests with the same Supplier and/or
products. Notification of RGQA completion shall be provided to the Delegator in
addition to any CoC requirements. See Annex B for further instructions on the
completion of the RGQA form.

17
AQAP-2070
(Edition 1)

4.5 GQA Risk Information Feedback

4.5.1 Flowchart

Risk Information Feedback Process

Perform Risk
Identification and Maintain and Use
Delegator

Forward Initial Risk Information

or Feedback
Amended Part I of Received from
RGQA the
to Delegatee Delegatee
1 3

Update Risk
Information
Provide Provide
Perform Risk Feedback as Risks
On-Going Risk Information
Identification and Change
Risk Information Feedback
Forward Part II Significantly During
GQAR

Feedback and Forward

of RGQA to Performance of
to the Part III of RGQA
the Delegator at GQA Surveillance
Delegator to the Delegator
RGQA (i.e. Nonconformity
as Requested at RGQA
Acceptance is Identified by any
on RGQA Completion
2
4
Source) 6
5

Figure 4-5 Risk Information Feedback Process

[Link] The cross-functional flowchart at Figure 4-5 illustrates the GQA Risk Information
Feedback Process between the Delegator and GQAR. The process input is the
completed Part I of the RGQA and the output is the risk information feedback.
See Annex B for detailed information concerning completion of the form.

[Link] The risk information shared between the Delegator and GQAR is not to be shared
outside the Government organizations involved in the RGQA process. The
information is considered commercially sensitive and is to be used for GQA
planning purposes only.

[Link] The feedback of risk information, between the Delegator and the GQAR is
extremely important to the continued success of the Mutual GQA process.
Projects and contracts cannot be properly managed without this information. The
GQAR provides the risk information feedback at RGQA completion or on a
continuing basis as agreed with the Delegator, using Part III of the RGQA form.
The risk information feedback provides the status of the identified risks. The risk
information must be maintained by the Delegator to assist in RGQA planning for
future contracts with the same Supplier.

4.5.2 Delegator Risk Identification (1)

[Link] Prior to initiating the RGQA, the Delegator is encouraged to contact the GQAR to
discuss risks for inclusion on the RGQA, especially for larger programs or for

18
 AQAP-2070
(Edition 1)
longer-term delegations. Normally, GQA Risk information is first shared between
the Delegator and Delegatee when the RGQA is initiated and forwarded to the
Delegatee. When initially identifying risks on the RGQA, the Delegator should
consider any risk information that may have been provided by the GQAR on
previous contracts with the same Supplier. See Annex C for information
concerning Delegator risk identification.

4.5.3 Initial Risk Information Feedback (2)

[Link] During acceptance of the RGQA, the GQAR has the opportunity to provide risk
information feedback to the Delegator. Using Part II of the RGQA form, the
GQAR provides additional risks that require monitoring through GQA surveillance
and, provides comments or recommendations concerning the risks identified by
the Delegator.

4.5.4 Maintain Risk Information (3)

[Link] The Delegator may receive risk information from the GQAR at various times
throughout the life of the RGQA. The Delegator is responsible for maintaining the
GQA risk information and recommendations received from the GQAR. The GQA
risk information is used by the Delegator to revise or adjust current RGQA
requirements, as necessary, and for enhancing the quality of future risk-based
delegations associated with the Supplier.

4.5.5 On-Going Risk Information Feedback (4)

[Link] As requested on the RGQA, the GQAR provides on-going risk information
feedback to the Delegator. Using Part III of the RGQA form, the GQAR provides
the current status of the risks being monitored by the GQA surveillance. The
Delegator should only request on-going risk status reporting on longer-term GQA
delegations.

4.5.6 Significant Changes in Risk (5)

[Link] Typically, risk levels will change during the course of GQA activity or if/when new
risks are identified. These changes may result from the identification of non-
conformities, improvement or degradation of Supplier performance, changes in
contractual requirements, etc. In addition, when the GQAR considers such
changes significant, the Delegator should be notified of the event and of any
changes to the GQA surveillance activity resulting from the changes in risk levels.
Where significant new risks are involved, the Delegator should revise the RGQA
as necessary. Part III of the RGQA form is used for this notification. The GQAR
should revise the GQA surveillance plan accordingly.

4.5.7 Risk Information Feedback at RGQA Completion (6)

19
AQAP-2070
(Edition 1)
[Link] As a minimum, risk information feedback is provided at RGQA completion. Using
Part III of the RGQA form, the GQAR notifies the Delegator that the RGQA is
complete and provides the status of the risks that were monitored by the GQA
surveillance activity. These are the risks previously identified on the RGQA form
in Parts I and II. The GQAR may also make recommendations to the Delegator
concerning future GQA requests.

4.5.8 Additional Process Information

[Link] Whenever possible, risk information feedback should be transmitted electronically

between the GQAR and Delegator. However, where appropriate, feedback can
be verbal, extracts from written reports, etc.

5. GQA SUPPORT PROCESSES

5.1 Deviation Permits and Concessions

5.1.1 Flowchart

Supplier Requests Is
Deviation Permits or GQAR Concur
Verify
Concession Delegated Yes Minor with
Classification
(Process Input) Authority on 4 Application
1 RGQA 5
2

Major
Yes
No
Provide
Recommendations
Process Ends as Required by No
for GQAR RGQA
3 6

Provide Document
to Supplier to
Maintain Records
Forward to
and/or Provide
Acquirer as
Copy to Delegator
applicable per 8
Contract
7

Process Output is
Accepted/Rejected Verify Supplier’s
Major/Minor Adjust GQA
Corrective /
Application Surveillance Plan
Preventative
(Process Output) Accordingly
10
Actions
9

Figure 5-1 Deviation Permit and Concession Process

[Link] The flowchart at Figure 5-1 illustrates the Deviation Permit and Concession
process. The process input is the application for deviation permit or concession
presented by the Supplier and the process output is an accepted or rejected
major or minor application. The process is described in detail below.

20
 AQAP-2070
(Edition 1)
[Link] Because of differences in Acquiring Nations statutory requirements or national
policy and practices, the Delegator must identify on the RGQA whether the
GQAR is requested to concur or non-concur with each individual application for
deviation permit or concession requested by the Supplier or whether the GQAR is
to monitor the Supplier’s process by means of on-going audits based on process
risks. Where statutory requirements or national policy or practices stipulate the
GQAR’s involvement in the process, the Delegator will coordinate this activity with
the GQAR.

[Link] Where the Delegatee’s national practices do not stipulate the GQARs
involvement, the Supplier’s process for identifying, classifying, and sentencing
minor non-conformities should be monitored based on process risk.

[Link] Where the acquiring Nations statutory requirements or national policy or practices
prohibit the acceptance of deviation permits or concessions the Delegator should
clearly identify the prohibition on the RGQA. This will ensure the authority is not
inadvertently flowed down to other GQARs at the Sub-Supplier level.

5.1.2 Supplier Presents Deviation Permit or Concession (1)

[Link] The processing of deviation permits and concessions should be planned and
implemented in accordance with contractual requirements. The process starts
when the Supplier presents the application for deviation permit or concession to
the GQAR.

[Link] If a Supplier or Sub-Supplier is contractually required to prepare and process the

application in accordance with a specific contractual format or manner, the
Delegator should specify the format on the RGQA. If not identified on the RGQA,
a suitable format or manner will be coordinated with the Supplier. An example of
a suitable format is available at Annex B.

[Link] Unless specifically defined in the contract, Suppliers are typically responsible for:

a) Properly documenting the nonconformity;

b) Properly classifying the nonconformity as major or minor;
c) Identify and describe the consequences if the application for deviation permit
or concession is not granted;
d) Identifying the specific number of production units affected;
e) Identifying the specific service affected;
f) Identifying the specific time frames affected;
g) Identifying whether the nonconformity has occurred previously;
h) Identifying any restrictions placed on the product as a consequence of the
nonconformity;
i) Initiating appropriate preventive and corrective measures; and
j) Providing a disposition or sentencing the nonconformity

21
AQAP-2070
(Edition 1)
[Link] If the above are contractual requirements, the GQAR should verify that the
Supplier has taken the appropriate actions.

22
 AQAP-2070
(Edition 1)
5.1.3 GQAR Delegated Authority (2 and 3)

[Link] Government contracts require Suppliers to provide products that fully meet
contractual requirements. However, there may by circumstances when it is to the
Acquirer’s benefit to accept the delivery of the product that is non-conforming,
e.g. urgent operational commitments. The authority to concur or non-concur with
the Supplier’s application for minor deviation permits and concessions is typically
flowed down from the Acquirer to the GQAR at the Supplier’s facility. Within the
scope of the Mutual GQA process, this authority can be delegated between
Nations.

[Link] The Delegator must clearly identify, on the RGQA, the authority delegated to the
GQAR concerning the processing of Supplier or Sub-Supplier generated requests
for deviation permits or concessions. Whether at the Supplier or Sub-Supplier
level, the authority delegated to the GQAR is limited to minor non-conformities
(see definitions in Annex A). Within the context of the Mutual GQA Process, the
Acquirer retains approval authority for major non-conformities.

[Link] Where the Supplier is contractually authorised to accept minor non-conforming

product on behalf of the Acquirer, this will be clearly stated on the RGQA.

[Link] Where the Acquirer has specifically withheld authority from the GQAR to accept
minor or major nonconformity, this will be clearly stated on the RGQA. In these
cases, all requests for deviation permit or concession will be processed by the
Supplier or Sub-Supplier to the Acquirer for an acceptance decision. In such
situations, the GQAR’s involvement in the process is usually limited to providing
recommendations to the Acquirer.

[Link] The Delegator should provide clear instructions on the RGQA concerning the re-
delegation of authority associated with deviation permits and concessions to
GQARs at further sub-tier Supplier levels.

[Link] If, at any point, during the processing of minor or major deviation permits or
concessions, the GQAR feels that the required actions exceed their technical
expertise/competence, they shall notify their management. If necessary, the
Delegator should be notified so that appropriate support can be provided.

5.1.4 Verify Classification (4)

[Link] The GQAR should verify that the condition of non-conforming product is clearly
and accurately described on Supplier’s applications and that, in their professional
opinion, the nonconformity is properly classified. The frequency of the verification
activity will depend on the instructions received from the Delegator. In the
absence of specific instructions from the Delegator, the frequency should be
based on the risks associated with the Supplier’s process.

23
AQAP-2070
(Edition 1)
[Link] In the event that the application is inaccurately classified or other information on
the application is incorrect, the GQAR should reject the application and return it to
the Supplier for correction or require the Supplier to forward the application to the
Acquirer for action. In such cases, the GQAR should provide the Acquirer with
full details of the circumstances and recommendations.

5.1.5 Concur / Non-Concur with the Minor Application (5)

[Link] After verifying that the nonconformity condition is minor and after reviewing the
application for completeness, the GQAR will indicate concurrence or non-
concurrence with the application by signing the Supplier’s documentation. Unless
stated otherwise on the RGQA, this action applies to each application presented
by the Supplier.

[Link] Where the Delegator has delegated authority for a risk-based approach to GQA
surveillance of the Supplier’s deviation permit and concession process, the
concurrence or non-concurrence activity may be on a “lot” basis and include all
deviation permits and concessions processed over a specific and limited period of
time. The document used to indicate concurrence or non-concurrence must
reference the specific applications included in the “lot”.

5.1.6 Provide Comments and/or Recommendations on Major Applications (6 and 7)

[Link] When requested on the RGQA, the GQAR shall review the major application for
completeness and its stated impact, verify the classification of the nonconformity,
and, if possible, provide comments and/or recommendations on its acceptance or
rejection. The recommendations should be made on the form specified in the
contract or, in the absence of contractual direction, in accordance with national
practices.

[Link] The application should be returned to the Supplier for further processing with the
Acquirer in accordance with contract requirements. In certain circumstances, it
may be more appropriate for the GQAR to provide their comments or
recommendations directly to the Acquirer separately from the Supplier. It is the
Acquirer’s responsibility to approve or reject the major application.

5.1.7 Maintain Records (8)

[Link] Records of all GQAR actions pertaining to applications for major or minor
deviation permit or concession should be managed and maintained in accordance
with the national practices. Records should be made available to the Delegator
upon request.

[Link] The GQAR should notify the Delegator when an unfavourable trend develops
concerning deviation permits or concessions presented by the Supplier.
Likewise, the Delegator should be notified when the risks associated with the
process appear to be negligible.

24
 AQAP-2070
(Edition 1)

5.1.8 Verify Supplier’s Corrective / Preventive Actions (9)

[Link] The GQAR should ensure that the corrective and/or preventive actions identified
by the Supplier on the application have been effectively implemented.

5.1.9 Adjust GQA Surveillance Plan (10)

[Link] The GQAR’s GQA surveillance plan should be amended to reflect changes to risk
levels associated with the Supplier’s deviation permit or concession process.
This may also be applicable where the GQAR has not been delegated authority
on the RGQA.

5.2 Customer Complaint Investigations

5.2.1 Flowchart

Delegator Notifies GQAR

GQAR of Coordinates the Non- Verify Condition of
Customer Investigation with conforming Defective Product
Complaint the Supplier per Product Yes Upon Receipt at
(Process Input) Instructions Returned Supplier’s Plant
1 Received 3 4
2

No
Provide
Investigation GQAR Verifies
Provide GQA
Results and and Validates
Services Related
Summary of GQAR Supplier’s
to Warranty Claim
Verification and Investigation and
as Requested
7
Validation Findings Corrective Actions
to the Delegator 5
6

Adjust GQA Process Output is

Maintain GQA Report to
Surveillance Plan
Records Delegator
8
Accordingly
9

Figure 5-2 Customer Complaint Investigation

[Link] The flowchart at Figure 5-2 illustrates the customer complaint investigation
process. Non-conforming product that has been delivered to the customer is
typically reported via a customer complaint. The process input is the notification
from the Delegator that a customer has initiated a post delivery customer
complaint and the process output is the completed report to the Delegator. The
process is described in detail below.

25
AQAP-2070
(Edition 1)
5.2.2 Notification from the Delegator (1)

[Link] For current delegations, the Delegator shall notify the GQAR that non-conforming
product has been received from the Supplier and request that the GQAR verify
and validate the Supplier’s investigation and corrective/preventive actions. The
Delegator should provide the GQAR with a copy of the notification letter sent by
the Delegator or Acquirer to the Supplier informing the Supplier of the non-
conforming product.

[Link] For closed delegations, the Delegator will submit a new RGQA requesting that
the GQAR verify and validate the Supplier’s investigation and
corrective/preventive actions. The request should be made through the National
focal point of the supplying Nation.

5.2.3 Coordination with the Supplier (2)

[Link] It is the Acquiring Nation’s responsibility to notify the Supplier in writing that a
customer complaint has been generated. The Acquiring Nation should request
the Supplier to initiate an investigation and take the necessary
corrective/preventive actions. The Acquiring Nation should stipulate any special
requirements to the Supplier. The Supplier should be notified that the GQAR will
be involved in verifying and validating the Supplier’s investigation and subsequent
corrective/preventive actions.

[Link] When notified by the Delegator of the customer complaint, the GQAR will
coordinate the investigation with the Supplier. The Delegator will ensure the
Supplier is aware of any special requirements or instructions such as urgent
investigations and customer imposed due dates for completing the investigation
and submitting a report to the Acquirer.

5.2.4 Non-conforming Product Returned (3)

[Link] In many cases, the non-conforming product will usually be returned to the
Supplier as an exhibit to assist in the investigation. The Delegator should notify
the GQAR as to whether the non-conforming product is being returned to the
Supplier and whether the Supplier is to open the exhibit package in the presence
of the GQAR.

5.2.5 Product Condition Verification (4)

[Link] If the non-conforming product is to be opened by the Supplier in the presence of

the GQAR for verification of condition, and is opened without the GQAR being
present, the GQAR should inform the Delegator and seek advice on the actions to
be taken.

26
 AQAP-2070
(Edition 1)
5.2.6 Verification and Validation of Supplier’s Investigation (5)

[Link] The GQAR will verify and validate the Supplier’s investigation either
independently or in conjunction with the Supplier to determine the root cause of
the nonconformity. Where it is proven that the Supplier is responsible for the
nonconformity, the GQAR will verify the Supplier’s corrective /preventive actions
to prevent recurrence of the nonconformity and validate that the Supplier has
implemented the stated corrective measures. The Delegator should ensure that
the Supplier’s investigation addresses other previously delivered products and
products still being produced.

5.2.7 GQAR Report to the Delegator/Acquirer (6)

[Link] The GQAR will report to the Delegator in the format requested in the RGQA. If no
format is specified, the GQAR should provide a summary report to the Delegator
summarizing verification and validation efforts, actions taken with respect to
adjusting the GQA Surveillance plan, and any other pertinent information
concerning the customer complaint.

5.2.8 Support to Warranty Claims (7)

[Link] Except for the financial aspects, the Delegator may request the assistance of the
GQAR with GQA activity associated with warranty claims. The assistance might
include assuring the replacement part or item has been subjected to GQA and/or
that the replacement part or item is free of similar nonconformities as reported by
previous customer complaints.

5.2.9 Maintain GQA Records (8)

[Link] The GQAR should maintain records of all activity associated with the investigation
of the non-conforming product in accordance with national practices or as
requested on the RGQA by the Delegator. The records may be useful in identify
risks requiring monitoring through GQA. Copies of non-conformance report
should be made available to the Delegator upon request.

5.2.10 Adjust GQA Surveillance Plan (9)

[Link] If the product or similar products are still being produced by the Supplier, the
GQAR should consider the risks identified during the customer complaint
investigation and adjust the GQA surveillance plan accordingly.

5.2.11 Additional Process Information

[Link] The Acquirer and Supplier will coordinate arrangements concerning the Supplier’s
cost of investigations or product expended in the course of the investigation. The
GQAR shall not authorize the Supplier to incur costs without the expressed

27
AQAP-2070
(Edition 1)
written authorization of the Acquirer. All matters concerning costs will be referred
to the Delegator for coordination with the Acquirer.
5.3 Sub-Supplier RGQA Process

5.3.1 Flowchart

NATO Nation A
(Original Delegator)

Initiates RGQA to
Nation B NQAA
Focal Point
1

Non-NATO Nation

NATO Nation B Nation B GQAR Notifies

(Delegatee GQAR) Nation A Delegator of
Possible Need for GQA
Determines that in Non-NATO Nation. If
Sub-Supplier GQA Considered Necessary,
is Required the Nation A Delegator
2 Makes the Necessary
Arrangements for GQA
4

Is
Sub-Supplier in
No
NATO Nation
3

Yes
NATO Nation B
NATO Nation B
(Delegatee GQAR)
Is (Delegatee GQAR)
Prepares RGQA and Sub-Supplier
No Yes Processes the RGQA in
Sends it to NQAA Focal in Nation B
5 Accordance with
Point in the NATO Sub-
National Practices
Supplying Nation 6
7

Figure 5-3 Sub-Supplier RGQA Process

[Link] The flowchart at Figure 5-3 illustrates the NATO Sub-Supplier RGQA process and
is used as an example to demonstrate the various delegation scenarios that the
GQAR may encounter when considering GQA at the Sub-Supplier level.

5.3.2 GQA at the Sub-Supplier level is used to monitor elements of the Sub-Supplier’s
contractual QMS, processes, or product characteristics posing risks to the
Government Acquirer. Requests for GQA at a Sub-Supplier are limited to NATO
Nations that have ratified STANAG 4107.

5.3.3 It should be recognized that it is solely the responsibility of the Supplier to control
Sub-Suppliers, and that GQA actions at the Sub-Supplier level are not intended to
supplement or replace that responsibility. The GQAR at the Supplier level should
decide which risks can be monitored at the Supplier’s facility and which risk must
be monitored at the Sub-Supplier’s facility.

28
 AQAP-2070
(Edition 1)

5.3.4 If the Delegator requires notification or copies of requests for GQA issued by the
GQAR to further Sub-Suppliers, the requirement should be clearly stated on the
RGQA.

5.3.5 Planning for and issuing Sub-Supplier requests for GQA should be conducted
throughout the life of the RGQA and does not have to be completed prior to
development of the GQA surveillance plan. The GQAR is responsible for
managing the Sub-Supplier GQA effort, based on risk.

5.3.6 Once the GQAR at the Supplier’s facility determines that GQA at a Sub-Supplier’s
facility is necessary, the GQAR will notify the Supplier of the requirement. The
GQAR will ensure the subcontract reflects the requirement for GQA and that a
suitable QA requirement is in the subcontract. This is to ensure that the GQAR at
the Sub-Supplier level has access to the Sub-Supplier's facility and is given any
assistance required to perform the GQA

5.3.7 When requested on the RGQA, all QDRs initiated at the Sub-Supplier level will be
copied to the Delegator (originator of the RGQA) for the Supplier to take the
necessary corrective actions.

5.3.8 Original Delegator (1)

[Link] In this scenario, the original Delegator in Nation A has determined that GQA is
necessary at the Supplier level in NATO Nation B. The Delegator prepares and
processes the RGQA using the guidance and direction provided in this AQAP.
The RGQA is sent to the national focal point of Nation B.

5.3.9 Nation B GQAR (2 and 3)

[Link] In this scenario, the Nation B GQAR has determined that GQA is necessary at
the Sub-Supplier level.

5.3.10 Sub-Supplier in a non-NATO Nation (3 and 4)

[Link] If the Sub-Supplier is in a non-NATO Nation, the GQAR should notify the original
Delegator in Nation A of the possible need for GQA in the non-NATO Nation. If
considered necessary, the GQA arrangements shall be provided by the Nation A
Delegator.

5.3.11 Sub-Supplier within the same NATO Nation B (5 and 6)

[Link] Having determined that the Sub-Supplier is located within his/her own Nation, the
GQAR processes the RGQA in accordance with National practices for internal
delegations.

29
AQAP-2070
(Edition 1)
5.3.12 Sub-Supplier in another NATO Nation (5 and 7)

[Link] Having determined that the Sub-Supplier is located in another NATO Nation that
has ratified STANAG 4107, the GQAR prepares a risk-based RGQA using the
guidance and direction of section 4.1 of this AQAP. The RGQA is sent to the
national focal point in the sub-supplying NATO Nation.

5.3.13 All future sub-tier delegations follow the same process.

30
 AQAP-2070
(Edition 1)

Page blank

31
 Annex A to
AQAP-2070
(Edition 1)

Annex A

Mutual GQA - Acronyms & Definitions

A-1
Annex A to
AQAP-2070
(Edition 1)

Page blank

A-2
 Annex A to
AQAP-2070
(Edition 1)

Mutual GQA – Acronyms & Definitions

A.1 The following is a list of acronyms used throughout this AQAP.

CoC Certificate of Conformity

FAI First Article Inspection
FCA Functional Configuration Audit
GQA Government Quality Assurance
GQAR Government Quality Assurance
Representative
PCA Physical Configuration Audit
QDR Quality Deficiency Report
QMS Quality Management System
RGQA Request for Government Quality
Assurance

A.2 The definitions of ISO 9000:2000, “Quality Management Systems –

Fundamentals and Vocabulary” shall apply to this AQAP. Additional terms used
in this AQAP are defined below.

A.2.1 Acquirer

Governmental and/or NATO Organisation, that enters into a contractual

relationship with a Supplier, defining the product and quality requirements.

Note: Normally this is the customer organization that establishes the appropriate
contractual requirements, i.e., functional, technical, cost, schedule, quality, etc.

A.2.2 Certificate of Conformity

A document, signed by the Supplier, which states that the product conforms with
contractual requirements.

Note 1. There must be a contractual requirement for the Supplier to submit the certificate.
Note 2. Where the Delegator requires the GQAR to sign the Supplier’s CoC form the
Delegator should ensure the contract requires the use of a suitable CoC form
(reference example of suitable CoC form at Annex B).
Note 3. Where the GQAR has been requested on the RGQA to sign the CoC, the GQAR
signature indicates that the referenced supplies have been subject to GQA within
the provisions of STANAG 4107, AQAP-2070, and the agreed RGQA.

A-3
Annex A to
AQAP-2070
(Edition 1)
A.2.3 Delegator

The Delegator is the appropriate authority of a NATO Nation or Agency

requesting GQA in a NATO supplying Nation. This authority may be:

a) An Acquirer;
b) A Contracting Office;
c) A Procurement Office;
d) A Project Office;
e) A GQAR; or
f) Other Designated Authority.

A.2.4 Delegatee

The Delegatee is the appropriate authority of a NATO Nation performing GQA

after acceptance of the RGQA.

A.2.5 First Article Inspection/Test

Inspections or tests contractually required on products such as pre-production

models, samples, first lots, pilot lots, pilot models, etc. to verify that the Supplier’s
established processes are able to perform in accordance with the contractual
specifications and/or to validate a contractual manufacturing standard.

A.2.6 Government Quality Assurance

Government quality assurance is the process by which the appropriate National

Authorities establish confidence that the contractual requirements relating to
quality are met.

A.2.7 Government Quality Assurance Representative

Government Quality Assurance Representatives are the personnel with

responsibility for Government quality assurance (GQA), acting on behalf of the
Acquirer.

A.2.8 Government Quality Assurance Surveillance

The systematic and regular monitoring of the contractual elements of the

Supplier’s QMS, processes, and products to provide confidence to the acquiring
Nation that the Supplier is fulfilling the requirements of the contract.

Although each Nation’s national GQA practices and terminologies may differ
slightly or use different names, GQA surveillance methods or techniques typically
consist of audits, reviews, assessments, evaluations, examinations, etc.
Examination techniques might include testing, inspecting, witnessing, verifying,

A-4
 Annex A to
AQAP-2070
(Edition 1)

validating, or other techniques that provide objective evidence that contract

requirements are being satisfied.

For use in this AQAP, the terms quality audit, process review, and product
verification/validation will be used to generically identify GQA surveillance
associated with the Supplier's QMS, processes, and products, respectively.

Regardless of the name of the surveillance method or technique used by the

GQAR, the expected outcome of the surveillance is a determination as to the
extent to which the Supplier’s planned activities (QMS, processes, and products)
are realized and the planned results (quality products) are achieved.

A.2.9 Government Quality Assurance Surveillance Plan

GQAR’s planning document specifying the GQA activities to be performed in

support of the RGQA.

A.2.10 Nonconformity (Major/Minor)

Major – A nonconformity that is a departure from the specified technical or

functional requirements, which may affect:

a) Safety;
b) Reliability;
c) Maintainability;
d) Interchangeability;
e) Service/Storage Life;
f) Performance/Function;
g) Cost;
h) Health/Environment;
i) Appearance, where a factor;
j) Time, where a factor; or
k) Any other area that may reduce the ability to meet the specified requirements.

Minor - A nonconformity that is a departure not meeting the criteria of major.

A.2.11 Product

Result of activities, processes, and tasks. A product may include service,

hardware, processed materials, software or a combination thereof. A product
can be tangible (e.g. assemblies or processed materials) or intangible (e.g.
knowledge or concepts), or a combination thereof. A product can be either
intended (e.g. offering to customers) or unintended (e.g. pollutant or unwanted
effects).

A-5
Annex A to
AQAP-2070
(Edition 1)
A.2.12 Product Release

Within the context of the Mutual GQA Process, product release deals with the
methods by which the products are to be released by the supplier for delivery to
the destinations identified in the contract.

A.2.13 Quality Deficiency Report

Report or record initiated by Government personnel identifying nonconformity.

See ISO 9000:2000, 3.6.2 “Nonconformity.”

A.2.14 Quality Plan

A quality plan is a Supplier’s document that specifies which procedures and

associated resources shall be applied by whom and when to a specific project,
product, process, or contract requirement.

A.2.15 Request for Government Quality Assurance

The formal request by a Delegator to the appropriate authority of a NATO

supplying Nation requesting GQA to be performed on a Government defence
contract.

A.2.16 Risk

Within the context of Mutual GQA, risk consists of two main elements: 1) the
probability or likelihood of failing to achieve a particular outcome and, 2) the
consequence or impact of failing to achieve the particular outcome.

A.2.17 Supplier

Organisation that acts in a contract as the provider of products to the Acquirer.

A.2.18 Sub-Supplier

Provider of products to the Supplier.

Acquirer Supplier

Sub-Supplier

(Sub) Sub-Supplier

A-6
 Annex B to
AQAP- 2070
(Edition 1)

Annex B

Mutual GQA – Forms

RGQA Form – Usage Required

Deviation Permit / Concession Form – Example Only (may be modified)
Certificate of Conformity Form – Example Only (may be modified)

B-1
Annex B to
AQAP-2070
(Edition 1)

Page blank

B-2
 Annex B to
AQAP- 2070
(Edition 1)

NATO Request for Government Quality Assurance (RGQA)

and Risk Information Feedback Form

Part I – RGQA Information, Delegator Risk Identification, and Special Tasks

Government Quality Assurance (GQA) for the
1. Delegator RGQA No:
Referenced Defence Contract is Hereby Requested
by Authority of STANAG 4107. Revision Number:
2. From: (Delegator) 3. To: (Delegatee) (Appropriate National
Authority or Focal Point Listed in STANAG
4107)
Name: Name:
Organization: Organization:
Mailing Address: Mailing Address:

Telephone No: Telephone No:

Fax No: Fax No:
Email Address: Email Address:
4. Acquirer: 5. Supplier:

Name: Name:
Mailing Address: Mailing Address:

6. Government Contract No: 7. Subcontract / Purchase Order No:

8. Contract Modification No: 9. Estimated Contract Final Delivery Date:

10. Contractual Quality Assurance Requirements / Standards:

11. Product / Supplies Descriptions:

12. Attachments:
Copies of the Contract / Subcontract / Purchase Order to be Subjected
to GQA:
Technical Data and Quality Assurance Standards: Are Attached
Will be Furnished by the Supplier
Other Attachments (Specify Attachments):

B-3
Annex B to
AQAP-2070
(Edition 1)
13. Delegator Risk Identification:
The following risks require GQA. Where possible, reference the risk to the contract requirement or
specification.

(a) Risk:

Risk is considered High Moderate Low

(b) Risk:

Risk is considered High Moderate Low

(c) Risk:

Risk is considered High Moderate Low

(d) Risk:

Risk is considered High Moderate Low

(e) Risk:

Risk is considered High Moderate Low

(f) Risk:

Risk is considered High Moderate Low

(g) Risk:

Risk is considered High Moderate Low

(h) Risk:

Risk is considered High Moderate Low

(i) Risk:

Risk is considered High Moderate Low

(j) Risk:

Risk is considered High Moderate Low

(k) Risk:

Risk is considered High Moderate Low

Use continuation sheets as necessary

B-4
 Annex B to
AQAP- 2070
(Edition 1)

14. Special GQA Tasks:

(Check the applicable blocks and provide instructions as necessary):

(a) GQA Surveillance Plan

Provide information copy of GQA surveillance plan: Provide instructions as necessary:

(b) Deviation Permits/Concessions

GQAR is authorized to concur or non-concur with Supplier’s classification / disposition of minor
deviation permits and/or concessions .
GQAR is requested to provide comments and/or recommendations for major deviation permits
and/or concessions submitted by the Supplier for approval by the Acquirer . Provide contractual
reference and instructions as necessary:

(c) Certificate of Conformity

GQAR is requested to sign the Certificate of Conformity (CoC) .
For partial shipments and final shipments .
Provide copy of Completed CoC to Delegator
Provide the contractual reference.

(d) Product Release

Special instructions related to product release (if CoC is not used) Provide instructions for
product release.

(e) Reporting Issues

Using Part III of this form, report risk status on an on-going basis .
At RGQA Completion Only .
Special reporting is required as indicated below.
(Note: Special Reporting should be kept to the minimum necessary to satisfy customer
requirements.)

(f) Other Special Requirements:

15. Delegator Signature (Print Name if sent Electronically) Date (Required)

B-5
Annex B to
AQAP-2070
(Edition 1)

Part II – Delegatee Risk Identification, Recommendations, and RGQA Decision

16. Delegatee Risk Identification:

In addition to the risks identified by the Delegator in Part I, GQA will also be performed on the following
risks identified by the Delegatee. Where possible, reference the risk to the contract requirement or
specification.

(a) Risk:
Risk is considered High Moderate Low

(b) Risk:
Risk is considered High Moderate Low

(c) Risk:
Risk is considered High Moderate Low

(d) Risk:
Risk is considered High Moderate Low
(e) Risk:
Risk is considered High Moderate Low

(f) Risk:
Risk is considered High Moderate Low
Use continuation sheets as necessary
17. Delegatee recommendations or comments concerning risks identified by the Delegator in Part I.

Note: If alternative risks/tasks are being recommended to the Delegator in lieu of any of the
risks identified in Part I, coordination with the Delegator is required.
18. RGQA Decision by Delegatee:

RGQA accepted . GQA will be performed on those risks identified in Parts I and II of this RGQA.
RGQA not accepted . Formal response is provided on separate sheet.

19. Delegatee GQAR Details:

Name:
Organization:
Mailing Address:

Phone No.
Email Address:
Fax No.
20. Delegatee Signature (Signature not Required if Sent Electronically) Date

B-6
 Annex B to
AQAP- 2070
(Edition 1)

Part III – Delegatee Risk Status Reporting, Feedback, and Recommendations

21. Risk Information Feedback for RGQA #: , Revision # :

22. Type of Risk Status Report: 23. Attachments:
GQA Advisory Report CoC attached as requested by the Delegator
GQA is Ongoing Report attached as requested by the Delegator
GQA Surveillance Plan attached as requested by the
GQA is Complete
Delegator

24. All risks identified in Part I and Part II remain unchanged except as indicated below :
(a) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(b) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(c) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(d) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(e) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(f) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(g) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(h) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(i) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

(j) Risk Associated with RGQA Risk # is considered High Moderate Low
Comments:

Use Continuation Sheet as necessary

B-7
Annex B to
AQAP-2070
(Edition 1)
25. Additional Risks or Recommendations:

26. Recommend Original RGQA Revision by the Delegator :

27. Quality Assurance Advisory Report:

With reference to STANAG 4107, unsatisfactory conditions pertaining to Government Quality
Assurance on the above contract and RGQA are reported as follows:

28. Delegatee GQAR: (Same as Block #19 ) 29. Delegatee GQAR Signature
Name:
Phone:

Email Address: Date:

B-8
 Annex B to
AQAP- 2070
(Edition 1)

B.1 Instructions for Completing RGQA Part I – RGQA Information,

Delegator Risk Identification, and Special Tasks
The Delegator provides the information in Part I.

B.1.1 Block #1 – Delegator RGQA No. and Revision No. – Each RGQA must
have a unique identification number assigned by the Delegator. If a revised
RGQA, enter the revision number for the RGQA. The revision number is
left blank for the original RGQA. First revision to the original RGQA will be
revision 1 etc.

B.1.2 Block #2 – From: (Delegator) – Self-Explanatory.

B.1.3 Block #3 – To: (Delegatee) – Self-Explanatory.

B.1.4 Block #4 – Acquirer – Self-Explanatory.

B.1.5 Block #5 – Supplier and Mailing Address – This will be the name and
address of the Supplier or Sub-Supplier where the actual GQA is to be
performed.

B.1.6 Block #6 – Government Contract No. – Enter the Government contract

No. that the RGQA supports.

B.1.7 Block #7 - Subcontract/Purchase Order No. - Enter the subcontract /

purchase order number. If the contract is a Basic Ordering Agreement
(BOA), enter the delivery order number against the BOA. Where known,
ensure the Government contract number is entered in Block #6.

B.1.8 Block #8 – Contract Modification No - If the RGQA is being revised

because of a contract modification, enter the modification number.

B.1.9 Block #9 – Estimated Contract Completion Date - Enter the estimated

date that the contract will be complete. This information will assist the
GQAR in planning the GQA.

B.1.10 Block #10 – List Contractual Quality Assurance Requirement /

Standards – Enter the specific contract QA requirements and/or standards
identified in the contract, i.e., AQAP, ISO, Military Standards etc. and
provide a contractual reference (page/paragraph).

B.1.11 Block #11 – Product / Supplies Descriptions: – Enter a brief description

of the product or the highest level of assembly for the product / supplies
being purchased. If multiple supplies are being purchased merely
reference the contract page where the complete listing can be found.

B-9
Annex B to
AQAP-2070
(Edition 1)
B.1.12 Block #12 – Attachments – Check the appropriate block to indicate
whether a copy of the contract, subcontract, or purchase order, as
applicable, is attached to the RGQA. Also, check the block to indicate
whether any technical data or contract QA standards are attached or will be
furnished by the Supplier.

B.1.13 Block #13 – Delegator Risk Identification – Enter all risks requiring
monitoring through GQA surveillance. If possible, the contract paragraph
or technical specification providing details associated with the risk should
be referenced. After identifying the risk, classify the risk as High,
Moderate, or Low.

B.1.14 Block #14 - Special Tasks – The Delegator selects those special tasks
considered necessary to satisfy requirements or to better manage the
contract. A brief explanation of each item is provided.

a) This item is used to request an information copy of the GQA

Surveillance plan. Check the box to indicate.

b) This item is used to identify the GQAR’s authority concerning minor and
major deviation permits and/or concessions submitted by the Supplier.
Provide reference to Supplier contractual authority and special
instructions as necessary.

c) This item is used to identify to the GQAR the requirement to sign a

Certificate of Conformity (CoC) for either partial or final shipments.
Provide reference to Supplier contractual requirement to submit a CoC.
The GQAR will not be requested to sign a CoC unless there is a
contractual requirement for the Supplier to sign a CoC.

d) This item is used to provide instruction to the GQAR relative to product

delivery. If the CoC is not used, the Delegator should provide direction
to the GQAR concerning the release of the product or supplies.

e) This item is used to provide the GQAR instruction concerning risk

information feedback using Part III of the form. Part III risk information
feedback should always be requested at GQA completion. If the
information is required on an on-going basis, the Delegator must
provide the details concerning the time frame for reporting. Any special
customer reporting requirements should also be identified. Reports
should be kept to a minimum and should utilize Part III of the form to the
greatest extent possible.

f) This item is used to identify any other special GQA task.

B-10
 Annex B to
AQAP- 2070
(Edition 1)

B.1.15 Block #15 – Delegator Signature and Date - The Delegator signs and
dates the RGQA. If the RGQA is sent electronically, the Delegator should
type his/her name in this block. The date is a required entry in all cases.

B.2 Instructions for Completing RGQA Part II – Delegatee Risk

Identification & RGQA Acceptance
The GQAR provides the information in this part.

B.2.1 Block #16 – Delegatee Risk Identification - Enter all additional risks
requiring monitoring through GQA surveillance. If possible, the contract
paragraph or technical specification providing details associated with the
risk should be referenced. After identifying the risk, classify the risk as
High, Moderate, or Low. See guidance on risk identification and
classification in Annex C.

B.2.1.1 If necessary, the GQAR risk identification may be performed after formal
acceptance of the RGQA and a revised copy of Part II forwarded to the
Delegator.

B.2.2 Block #17 – Recommendations or Comments Concerning Risk

Identified by the Delegator in Part I – Enter any recommendations or
comments concerning the risk information provided by the Delegator in Part
I of the RGQA.

B.2.3 Block #18 – RGQA Decision by the Delegatee – Enter the Acceptance or
Non-Acceptance decision.

B.2.4 Block #19 – Delegatee GQAR Details – Enter the requested information
associated with the GQAR that is responsible for performing the GQA.

B.2.5 Block #20 – Delegatee Signature and Date - The Delegatee GQAR signs
and dates the RGQA. If the RGQA is returned electronically, the Delegatee
GQAR should type his/her name in this block.

B.3 Instructions for Completing RGQA Part III – Delegatee Risk Status
Reporting
The GQAR provides the information in this part.

B.3.1 Block #21 – RGQA and Revision Number. Same as block #1.

B.3.2 Block #22 – Type of Risk Status Report – Check the appropriate blocks
to indicate whether the information being provided in Part III is a GQA
Advisory Report, GQA Ongoing risk status report or GQA Completion risk
status report.

B-11
Annex B to
AQAP-2070
(Edition 1)
B.3.3 Block #23 – Attachments – Self-Explanatory.

B.3.4 Block #24 – Risk Information Feedback – This block is used to provide
the Delegator risk information feedback on the status of the risks identified
in Part I, Block #13, Delegator Risk Identification and in Part II, Block #16,
Delegatee Risk Identification. Each risk identified in Part I and Part II is
numbered and lettered, i.e. 13a, 13b, 16a, 16b, etc. The risk numbers
provided in block #24 by the GQAR will correspond to risk numbers of
blocks 13 and 16.

B.3.4.1 If, since receiving the RGQA and performing the requested GQA, all risks
identified in Part I and Part II remain unchanged tick the “unchanged” block.
However, if, since receiving the RGQA and performing the requested GQA,
it is the GQAR’s professional opinion that any of the risks identified in Part I
or Part II have changed then tick the “except as indicated below” block.

B.3.4.2 If the risks have changed, they are either considered higher or lower since
the time the RGQA was accepted by the GQAR. Enter the risk number,
tick the applicable block concerning the change in the risk status (High,
Moderate, or Low), and provide comments based on the results of GQA
surveillance data as to why the identified risks have changed. For
example, Low - Continuous GQA surveillance of this risk indicates the
Supplier’s process and/or associated processes are well controlled and are
producing conforming supplies. No system, process, or product
nonconformities have been noted during GQA surveillance of this risk.
Another example, High - Continuous GQA surveillance of this risk
indicates the Supplier’s process and/or associated processes are not
always well controlled and/or are not continuously producing conforming
supplies. Nonconformities and/or defects have been noted during GQA
surveillance of this risk.

B.3.5 Block #25 – Additional Risks or Recommendations – Enter any

additional risks identified since RGQA Acceptance or since the last report.
Based on the results of the GQA performance and/or changes in the risks
as indicated in block #24, provide suggested changes to the current RGQA
or for future GQA requests. Any other recommendations to the Delegator
can be provided in this block.

B.3.6 Block #26 – Recommend Original RGQA Revision by the Delegator.

Self-Explanatory.

B.3.7 Block #27 – Quality Assurance Advisory Report. Enter information

related to unsatisfactory conditions or nonconformities discovered during
GQA surveillance. Block #24, Risk Information Feedback, should also be
updated whenever an unsatisfactory condition is reported.

B-12
 Annex B to
AQAP- 2070
(Edition 1)

B.3.8 Block #28 – Additional Remarks. Self-Explanatory.

B.3.9 Block #29 – Delegatee GQAR Name/Phone/Email Address – Self-

Explanatory.

B.3.10 Block #30 and #31 – Delegatee GQAR Signature and Date - The GQAR
signs/dates the RGQA. If the RGQA is sent electronically to the Delegator,
the Delegatee GQAR should type his/her name.

B-13
Annex B to
AQAP-2070
(Edition 1)
B.4 Example of Suitable Form for Application of Deviation Permit /
Concession

APPLICATION FOR Supplier's Ref. No.

DEVIATION PERMIT /
CONCESSION Sub-Supplier's Ref. No.
1. The granting of this deviation permit or concession is strictly limited to this specific application and is not to be regarded as a precedent.
2. If a Sub-Supplier prepares the application, it must be signed and submitted by the Supplier, unless otherwise agreed.
3. If any variation in cost due to the deviation permit or concession is to be charged or credited to the Government, full allowance is to be
made for the disposal of any scrap or redundant materiel.

PART 1 – To be Completed by the Supplier

1. Supplier (Name and Address) 2. Sub-Supplier (Name and Address)

3. Contract No. 4. Sub-Contract No.

5. Identification of Materiel or Component (Including Part Number)

6. Specification/Drawing No. 7. (a) Quantity/Period (b) Serial No./ Batch No. / Lot No.

8. Description and Impact of Nonconformity (corrective and/or preventive actions) (Continue in block #18)

9. Reference Previous 10. Cause of Nonconformity 11. Cost to Acquirer will be:
Deviation Permits and/or
Concessions Increased
Decreased
Unchanged
12. Is Nonconformity 13. Affected Characteristics 14. Contract Amendment Required
Considered
Major Performance Environment
Minor Safety Interchangeability
Indicate in the product
characteristics affected in Reliability Maintainability
Block #13. Service Life Performance
15. Effect on Contractual Delivery date: 16. Identify the Design Authority:

17. Engineering Authority Approval 17. Production Authority Approval 18. Quality Authority Approval

Signature and Date Signature and Date Signature and Date

19. Is Supplier the Design Authority: Yes No 20. Name of Supplier Representative Submitting the
Application:

Signature and Date

Signature and Date

B-14
 Annex B to
AQAP- 2070
(Edition 1)

21. Description and Impact of Nonconformity (Continuation from Block #8)

PART 2: TO BE COMPLETED BY GQAR and/or Sub-Tier GQAR

22. Remarks or Comments

23. Signature and Date of GQAR

24. Signature and Date of Sub-Tier GQAR (if applicable)

PART 3: DECISION

25. GQAR or Acquirer’s Decision

Date...................... Signature ..................................................................................................Title/Rank ..............................

B-15
Annex B to
AQAP-2070
(Edition 1)
B.5 Example of Suitable Certificate of Conformity (CoC)

1. Supplier Serial No.

Certificate of Conformity – Part I

2. Supplier (Include Name, Address, Email etc.): 3. Contract Number:

4. Contract Modification Number:

5. Approved Deviations and/or Concessions: 6. Acquirer (Include Name, Address, Email etc.):

7. Deliver Address: 8. Applicable to:

Partial Delivery Number:
Final Delivery Number:
8. Contract Item # 9. Product Description or Part # 10. Quantity 11. Shipment Document 12. Undelivered
Quantity

13. Remarks or Comments:

14. Supplier Statement of Quality:

It is certified that apart from the approved deviation permits/concessions noted in block #5 above,
the products listed above conform in all respects to the contract requirements.
Date: Supplier Name and Title: Supplier Signature:

B-16
 Annex B to
AQAP- 2070
(Edition 1)

1. Supplier CoC Serial No.

Certificate of Conformity – Part II

2. Supplier:

3. Contract Number: 4. Contract Modification Number:

5. Remarks or Comments:

6. Government Quality Assurance Representative Statement of GQA:

This is to confirm that the supplies identified in Part I of the CoC have been subjected to Government Quality
Assurance within the provisions of STANAG 4107, AQAP-2070, and the agreed RGQA.
Date: GQAR Information: GQAR Signature:

Name:

Phone Number:

Email Address:

B-17
Annex B to
AQAP-2070
(Edition 1)

Page blank

B-18
 Annex C to
AQAP-2070
(Edition 1)

Annex C

Mutual GQA - Risk Identification and Classification

C-1
Annex C to
AQAP-2070
(Edition 1)

Page blank

C-2
 Annex C to
AQAP-2070
(Edition 1)

Mutual GQA - Risk identification and Classification

C.1 Purpose of this Annex

C.1.1 This Annex is a tool designed to assist the Delegator and Delegatee in
identifying and classifying risks that require GQA surveillance. It is not the
intent of this annex to provide an extensive tutorial on risk management.
The annex focuses on risk identification and classification in the context of
the mutual exchange of GQA between Nations. The objective is to improve
the quality of the RGQA and establish a foundation for the GQA process.

C.1.2 The annex recognizes that the amount of risk information available to the
Delegator will vary depending on the initiation point of the RGQA and the
national procurement management practices of the delegating Nation.

C.1.3 Risk-based GQA is an effective means of aligning the appropriate amount

and type of Government resources with the risks presented by the project,
contract, or Supplier. The objective is to perform the necessary surveillance
activities, focusing on identified risk areas in order to achieve the required
confidence prior to releasing the product to the customer.

C.1.4 It must be taken into account that the GQAR must obtain confidence that
the Supplier will deliver quality products. The Delegator must have
confidence that the GQA performed by the GQAR will comply with the
expectations expressed in the RGQA. The end users represented by project
or contract offices must have confidence in the GQA processes.

C.2 RGQA Point of Initiation and Availability of Risk Information

C.2.1 Defence procurement systems and practices differ from Nation to Nation,
and, within each Nation, may differ depending on the type of procurement.
Defence procurements may be initiated at the project level or contract level,
while the management or oversight of the procurement may be at the
project level, contract level, organizational level, functional level or any
combination thereof.

C.2.2 Because of the various national procurement practices, requests for GQA
may be initiated by project offices, national procurement offices, embassy
procurement offices, contract management offices, quality assurance
offices, etc. The degree or amount of risk information available to the
Delegator will vary depending on the RGQA point of initiation.

C-3
Annex C to
AQAP-2070
(Edition 1)
C.2.3 It is recognized that, in some situations, risk information may not be
available to the Delegator or that the Delegator does not possess the
technical expertise to identify the risks. In these situations, the lack of risk
information, coupled with other national interests, may be, in fact, the risk to
the Acquiring Nation.

C.2.4 Having no risk information available and/or possessing no expertise to

identify risk, the Delegator is still allowed to delegate GQA based on a best
judgement of a probability that an unknown risk might exist/occur later or if
the impact of a failure is high. In either case, the Delegator may delegate in
order to have the GQAR confirm or invalidate the risk, especially risks
associated with the Supplier's performance. Delegating without specific risk
information should be on an exception basis.

C.2.5 If the Delegator identifies no specific risks and, at the same time, the GQAR
identifies no specific risks, the Delegator and GQAR may agree not to
perform GQA surveillance or may agree to perform GQA at a low level. For
longer-term contracts, it is advised that GQA surveillance is performed at a
level capable of detecting increases in low risks or identifying new risks that
may present themselves.

C.3 Risk

C.3.1 Within the context of Mutual GQA, risk is the potential inability to achieve
project or contract objectives within defined performance, schedule, or cost
requirements. In addition to risk identification, risk is generally considered
to have two main elements: 1) the probability or likelihood of failing to
achieve a particular outcome and 2) the consequence or impact of the
failure to achieve the outcome.

Risk

1) Probability or likelihood 2) Consequence or impact

Figure C-1 Elements of Risk

C.3.2 Because of the uniqueness of the Mutual GQA process, identifying risks
associated with a project, contract, or Supplier usually requires the
consolidated input of the Delegator and the Delegatee. Generally, the
Delegator should have greater access and insight into project and contract
risks while the Delegatee should have greater access and insight into
Supplier performance risks. With the continuous sharing of risk information,

C-4
 Annex C to
AQAP-2070
(Edition 1)

both the Delegator and Delegatee will have insight into both the contract
and Supplier risks at the system, processes, and product level.

C.4 Risk Communication

C.4.1 The need for input from both the Delegator and Delegatee in identifying
risks emphasizes the need for early and continuous communication and
feedback of risk information between the Delegator and Delegatee.
Communication and information exchanged between Delegator and
Delegatee will directly impact the level of confidence obtained.

C.4.2 The Mutual GQA Process and the RGQA form described in this document
provide the Delegator and GQAR the opportunity to share risk information
at:

a) The time of RGQA initiation, by the Delegator;

b) The time of RGQA Acceptance, by the Delegatee; and

c) The time of RGQA completion, by the GQAR.

C.5 Mutual GQA Risk Management Concept

C.5.1 Risk management is the act or practice of dealing with risk. As shown in
figure C-2, it includes identifying, planning, handling, monitoring, and
adjusting risk-handling options as risks change.

Mutual GQA Risk Management Concept

Risk Risk Risk Risk

Identification Planning Handling Monitoring

GQA Program
Delegator Delegatee GQA
GQA Adjustment
Risk Risk Surveillance
Performance and Risk
Identification Identification Planning
Feedback

Risk Documentation

Figure C-2 Mutual GQA Risk Management Concept

C-5
Annex C to
AQAP-2070
(Edition 1)
C.5.2 There are many risk models available for use and each Nation or
organization’s model may differ slightly from the model shown above.
Some models may use different names for the elements of risk
management while others may assign specific responsibilities to specific
organizations or individuals; however, the basic concepts of managing risks
will be similar. The risk model shown in figure C-2 is typical of many other
models. The concept of risk management can be implemented at any stage
of the acquisition or procurement cycle, depending on each Nation’s
practices for managing their projects or contracts.

C.5.3 Risk identification is the process of examining the project, contract, and
Supplier, including related systems, processes, or products to identify and
document the associated risks. Within the Mutual GQA process, the risk
knowledge base is shared between the Delegator and the Delegatee;
therefore, the responsibility for risk identification is likewise shared between
the Delegator and Delegatee. See figures C-3 and C-4 for further details
concerning the risk identification concept.

C.5.4 Risk planning is the process of developing and documenting an organized,

comprehensive, and interactive strategy for carrying out risk management,
which includes assigning adequate resources. Within the Mutual GQA
process, the strategy and methods for carrying out risk management are
documented between the completed RGQA form, the GQAR GQA
surveillance plan, and the risk information feedback to the Delegator.

C.5.5 Risk handling is the process that implements the strategy and methods in
order to set the risk at acceptable levels given program or contract
constraints and objectives. Within the Mutual GQA process, the actual
performance of GQA, the information generated as a result of the GQA, and
the actions taken by the Supplier to mitigate risks identified as a result of the
GQA all constitute a collective risk handling effort. The Delegatee will
normally identify the GQA surveillance methods and techniques best suited
to handle or monitor the risks identified by the Delegator and Delegatee.

C.5.6 Risk monitoring is the process that systematically tracks and evaluates the
performance of risk-handling actions against established requirements. The
process includes changing risk handling options to match changes in risk
levels or employing new risk handling options if current ones are ineffective.
Within the Mutual GQA process, records reflecting the results of the GQA
activity should be established, maintained, and the data analyzed by the
GQAR. Based on the results, the GQA surveillance activity should be
adjusted accordingly. New risk handling methods or changes in current
GQA surveillance activity shall be reflected on the GQA surveillance plan.

C-6
 Annex C to
AQAP-2070
(Edition 1)

C.5.7 Risk documentation is the process that records, maintains, and reports the
various risk management activities. Within the Mutual GQA process, this is
accomplished by documenting the identified risks on the RGQA form by the
Delegator and GQAR, by documenting the risk handling methods on the
GQA surveillance plan, by documenting the results of the GQA activity, by
providing risk information feedback to the Delegator, by providing reports to
the Delegator or customer, as required.

C.6 Delegator Risk Identification

C.6.1 Figure C-3 below depicts the concept of risk identification by the Delegator.
The information is provided as a memory jogger to assist the Delegator with
risk identification during the preparation of the RGQA. The sources of risk
information available to the Delegator at Figure C-3 should not be
considered all inclusive. The information suggested by Figure C-3 for
review by the Delegator should be readily available and should not require
extensive investigation to acquire or analyze.

Contract Review
See Section 4

Customer Feedback Project Office

Risk Information gained from the If the contract is managed by a
customers or users of products project office, project risk
previously produced by the information may be available from
supplier, i.e. customer complaints the project risk manager

Contract Pre-Award Surveys Key Product Characteristics

Delegator Product elements or features which, if not
Risk information (or lack thereof) that
properly controlled, can have an adverse
may have been identified during contract Risk Identification impact on the product or on contract
pre-award QA surveys or QA audits
performance, schedule, or cost requirements

Delegatee Risk Feedback Key Systems and Processes

Risk information and recommendations Systems or processes which, if not properly
received from the delegatee on controlled, can have an adverse impact on
previously completed RGQA or the the product or on contract performance ,
current RGQA schedule, or cost requirements

RGQA Preparation
Identified risks based on
contract requirements

Figure C-3 Concepts Relating to Delegator Risk Identification

C.6.2 Contract Review. The contract is the overarching requirements document

and, as such, shall contain or reference the technical requirements and
appropriate QMS requirements (reference STANAG 4107). The contract
shall provide, either directly or by reference, the GQAR right of access into
the Supplier’s plant. The Delegator shall review the contract to identify risks
that could have an adverse impact on the project or contract should a failure

C-7
Annex C to
AQAP-2070
(Edition 1)
or nonconformity occur. Additional information on contract review is
available in section 4.1 of this document.

C.6.3 Project office. If a project office manages the contract, the Delegator should
contact the project manager or project risk manager to determine if project
level risks have been identified that might be monitored through GQA
surveillance. If required by contract, the Suppliers Risk Management Plan
might be a source of risk information to consider.

C.6.4 Key Product Characteristics. If possible, the Delegator, through information

received from the project office, contract review, or knowledge of the
product, should identify key product characteristics. These characteristics
are those product elements or features, which, if not properly controlled, or
should they fail, could have an adverse impact on the product or on contract
performance, schedule or cost requirements. The risks could be inherent in
the product or the manufacture of the product. Key product characteristics
are traceable to contract technical requirements, normally through technical
specifications and/or drawings.

C.6.5 Key Systems and Processes. If possible, the Delegator, through

information received from the project office, contract review, or knowledge
of the product, should identify those key processes, which, if not properly
controlled could have an adverse impact on the product or on contract
performance, schedule or cost requirements. Key systems and processes
shall be traceable to contract requirements, QMS requirements, or technical
specifications.

C.6.6 Delegatee Risk Feedback. The Delegator should review risk feedback
information received from the GQAR on previous occasions for the Supplier.
The accumulated risk information and recommendations can be used to
determine the risks on the current RGQA.

C.6.7 Contract Pre-award Surveys. If available, the Delegator shall review the
information from pre-award surveys to determine if risks were identified
during the survey that should be monitored by GQA Surveillance.

C.6.8 Customer Feedback. If available, the Delegator shall review information

received from the Acquirers or customers of products previously produced
by the Supplier. Acquirer or customer complaints from the past may provide
risk information relevant to the current contract.

C.7 RGQA Preparation.

C.7.1 Information concerning RGQA preparation is contained in section 4.1.

C-8
 Annex C to
AQAP-2070
(Edition 1)

C.8 Delegatee Risk Identification

C.8.1 Figure C-4 below depicts the concept of risk identification by the GQAR.
The information is provided as a memory jogger to assist the GQAR in risk
identification during the acceptance of the RGQA. The information provided
at Figure C-4 should not be considered all inclusive of risk information
sources available. The sources of information suggested by the figure for
review by the GQAR should be readily available and should not require
extensive investigation to acquire or analyze.
RGQA from Delegator
Risk information provided by the
Delegator on the RGQA

Customer Feedback
Risk Information obtained from the Contract Review
customers or users of the Supplier,
See Paragraph 4.2.3
i.e. customer complaints

System or Process Certification Supplier Past Performance

Systems or processes which, based on the
Risk information associated with 2nd or 3rd Delegatee supplier’s performance on previous contracts,
party certifications, product or process
certification, use of product testing
Risk Identification are likely to have an adverse impact on the
product or on contract performance, schedule,
laboratories, etc.
or cost requirements

Key Product Characteristics Supplier Inexperience

Systems or processes which, based on the
Product elements or features which, if not
supplier’s inexperience, can have an
properly controlled, can have an adverse
adverse impact on the product or on
impact on the product or on contract
contract performance , schedule, or cost
performance, schedule, or cost requirements
requirements
GQA Surveillance Plan
GQA methods and techniques
used to monitor the identified risk
are determined by the Delegatee

Figure C-4 Concepts Relating to Delegatee Risk Identification

C.8.2 Contract Review. The contract is the overarching requirements document

and, as such, shall contain or reference the technical requirements and
appropriate QMS requirements. The contract shall provide, either directly or
by reference, the GQAR right of access into the Supplier’s plant. All GQA
surveillance performed by the GQAR shall be traceable to contract
requirements. The GQAR shall review the contract and, where available,
the contract technical specification package to become familiar with the
technical requirements of the contract associated with the risks identified on
the RGQA. Additional information on contract review is available in section
4.2 of this document.

C.8.3 RGQA from the Delegator. The RGQA shall identify those risks that are
considered by the Delegator to require GQA Surveillance in order to
mitigate them.

C-9
Annex C to
AQAP-2070
(Edition 1)
C.8.4 Supplier Past Performance. The GQAR should be extremely
knowledgeable of the Supplier’s system and process capabilities from
having performed GQA on other defence contracts with the Supplier. The
GQAR shall use this knowledge and information to identify additional
system or process risks, which, based on the Supplier’s past performance,
are likely to have an adverse impact on the product or on the contract
performance, schedule, or cost requirements.

C.8.5 Supplier Inexperience. Based on experience gained from performing GQA

on previous occasions, the GQAR should be knowledgeable of the
Supplier’s capabilities and should be able to easily identify those contractual
systems, processes, and products with which the Supplier has little
experience. Supplier inexperience or lack of capability will pose a risk and
could have an adverse impact on the product, or contract performance,
schedule, or cost requirements.

C.8.6 Key Product Characteristics. Based on experience gained from performing

GQA on other defence contracts for like or similar products, the GQAR
should be knowledgeable of key product characteristics, which, if not
properly controlled, or should they fail, could have an adverse impact on the
product or on contract performance, schedule or cost requirements. The
risks could be inherent in either the product or its manufacture. Key product
characteristics shall be traceable to contract technical requirements,
normally through technical specifications and/or drawings.

C.8.7 System or Process Certification. Based on experience gained from

performing GQA on other defence contracts with the Supplier, the GQAR
should be knowledgeable of any system or process certifications that the
Supplier may possess. Information associated with 2nd or 3rd party
certifications, product or process certification, product testing laboratories,
etc. are useful sources of information in identifying additional risks and in
planning the GQA surveillance.

C.8.8 Customer Feedback. If available, the GQAR shall review feedback

information received from all previous Acquirers or customers of like or
similar products previously produced by the Supplier. This may include
Acquirer or Customer complaints.

C.9 GQA Surveillance Plan.

C.9.1 Information concerning the GQA Surveillance plan is contained in section

4.2. Note: If required by contract, the Supplier’s risk management plan can
be a useful source of risk information for comparison and should, to the
extent appropriate, form the basis for the activities in the GQA Surveillance
plan.

C-10
 Annex C to
AQAP-2070
(Edition 1)

C.10 Risk Classification

C.10.1 Risk classification is a means of communicating the degree of probability

and consequence associated with a particular risk. This information is
shared between the Delegator and GQAR to assist in planning an
appropriate level of GQA Surveillance to be applied to a particular risk.

C.10.2 The risk classification information is considered commercially sensitive and

is to be used for GQA planning purposes only. The information is not to be
shared by anyone other than the mutual GQA participants.

C.10.3 The Delegator and the GQAR classify risks using the following definitions.

High Risk

It is highly probable or highly likely, that a system, process, or product

nonconformity will occur. A system or process is not in control or
performance data (GQA or Supplier) casts significant doubt on the ability of
the system or process to meet requirements; and/or

The consequence or impact of a system, process, or product nonconformity

would create a hazardous or unsafe condition for personnel using,
maintaining, or otherwise depending on the contracted supplies; or, the
consequence or impact would be the Supplier’s failure to meet critical
project and/or contract performance, schedule, or cost requirements.

Moderate Risk

It is probable or likely that a system, process, or product nonconformity will

occur. There is considerable process variance or the trend is adverse.
Performance data (GQA or Supplier) casts doubt on the ability of the
system or process to consistently meet contract requirements; and/or

The consequence or impact of a system, process, or product nonconformity

would create an adverse effect on the usability, reliability or maintainability
of the contracted supplies; or, the consequence or impact would be the
Supplier’s inability to meet significant project- and/or contract performance,
schedule or cost requirements.

Low Risk

It is unlikely that system, process, or product nonconformity will occur.

There is normal process variance, but no adverse trends. Performance
data (GQA or Supplier) casts little doubt on the ability of the system or
process to consistently meet contract requirements; and/or

C-11
Annex C to
AQAP-2070
(Edition 1)
The consequence or impact of a system, process or product nonconformity
would have little or no adverse effect on the usability, reliability, or
maintainability of the contracted supplies; or the consequence or impact
would have little or no effect on the Supplier’s ability to meet project and/or
contract performance, schedule or cost requirements.

C.10.4 A low risk, by definition, would normally not require continuous GQA
surveillance; however, the GQAR needs to be aware of its presence. The
low risks should be identified on the RGQA so that the GQAR can
occasionally monitor or validate their status to ensure they remain low.
This approach is recommended for longer-term contracts, facility-wide
delegations or repetitive/continuous delegations with the same Supplier
where periodic risk verification/validation is appropriate.

C.11 RGQA Decision

C.11.1 Information concerning the RGQA decision (Acceptance or Non-

Acceptance) is contained in section 4.2.

C.12 Risk Information Feedback

C.12.1 Information concerning the risk information feedback is contained in section

4.5.

C.13 Mutual GQA Risk Identification and Classification Process Summary

C.13.1 The cross-functional flowchart at Figure C-5 depicts the Mutual GQA risk
identification and classification process. The flowchart is divided to show the
activities associated with the Project Office, Delegator, Delegatee, and the
Supplier. The process is summarized below the flowchart.

C-12
 Annex C to
AQAP-2070
(Edition 1)

Mutual GQA Risk Identification and Classification

Project Mgt Delegator Delegatee QAR Supplier

Project Managed Non-Project Managed Review Risk

Contract (Risk Contract (No Risk Information from the
Information Available) Information Available) Delegator and Perform
1 1 Contract Review for
GQA Planning
Purposes (Risk
Identification)
7
Review Project Risk
Information
Project Office Provides (if applicable or
Risk Information to the available) and Perform Perform Delegatee Risk
Delegator Contract Review for the Identification and
2 Applicability of GQA Classification
(Risk Identification) 8
3

Perform Delegator Acceptance of RGQA

Risk Identification and 9
Classification
4

GQA Planning and

Preparation of
Probability of Unknown
Surveillance Plan
Risk or Critical Impact
5 (Risk Planning)
10

Supplier Plans and

Prepare, Issue, or Implements
Perform GQA
Revise RGQA Corrective Measures
(Risk Handling)
(Risk Planning) 11
as Necessary
6 (Risk Monitoring)
12

Update Surveillance
RGQA Process
Plan, as Necessary
Complete
17 (Risk Monitoring)
13

Notification of RGQA
Receive Notification of
Receive Risk Completion and Risk
RGQA Completion and
Information Feedback Information Feedback
Risk Information
from Delegator or, if an on-going
Feedback or On-going
(If Project RGQA, on going Status
Status Reports
Managed Contract) Reports
(Risk Monitoring)
16
15 (Risk Monitoring)
14

Figure C-5 Mutual GQA Risk Identification

C-13
Annex C to
AQAP-2070
(Edition 1)

C.14 Project Management

C.14.1 Project Managed Contracts. If the contract being considered for Mutual
GQA surveillance is a project-managed contract, the Delegator should
contact the project management office or project risk manager (if one is
assigned) to determine if project or contract risks have been identified. The
project office should be able to provide risk information relevant to
contractual systems, processes or products requiring GQA surveillance.
The project office should also identify any special GQA reporting
requirements. This risk information should be included on the RGQA. On
completion of the RGQA or contract, all risk information feedback provided
by the GQAR should be forwarded to the project office.

C.14.1.1 If project level risk information is not available, the Delegator should
proceed with risk identification as described in paragraph C.6, to determine
if other risks are present that would require monitoring through GQA. Lack
of immediate access to project level risk information will not preclude the
preparation and issuance of the RGQA if considered necessary by the
Delegator. If necessary, the RGQA can be revised at a later date when the
risk information becomes available.

C.14.2 Non-Project Managed Contracts. If the contract being considered for

Mutual GQA surveillance is non-project managed, i.e. managed by a
national procurement office, embassy procurement office, contract
management office, quality assurance office, etc. overarching project or
contract level risk information will not be available. In such cases, the
Delegator should proceed with risk identification as described in paragraph
C.6 to determine if other risks are present that require monitoring through
GQA.

C.15 Delegator Actions.

C.15.1 Review of Project Risk Information - The Delegator should review the
project office risk information, if available, to determine which risks can be
monitored through Mutual GQA. The Delegator should specify any unique
reporting requirements, mandatory surveillance requirements, or any unique
requirements to be delegated on the RGQA. Project risks requiring
Government actions outside the scope of Mutual GQA shall be brought to
the attention of the project office and not delegated to the GQAR.

C.15.2 Contract Review. The contract shall be thoroughly reviewed to identify

contractual requirements posing risks to the Acquiring Government. The
review may highlight system and process risks as well as product
characteristics requiring monitoring through GQA. Additional information on
contract review can be found at section 4.1 and paragraph C.5.2.

C-14
 Annex C to
AQAP-2070
(Edition 1)

C.15.3 Risk Identification and Classification - The Delegator shall review all
sources of risk information identified in Figure C-3 to identify risks requiring
monitoring through GQA. Detailed information concerning risk identification
and classification can be found in paragraphs C.6 and C.10.

C.15.4 Probability of Unknown Risk or High Impact – There may be circumstances

where the risk information highlighted at Figure C-3 may not be available to
the Delegator, or where the Delegator may not possess the technical
expertise to identify the risks. In these situations, if the Delegator believes
there is a strong probability or likelihood of unknown risks or that the
consequence or impact of nonconformity would be adverse to the project or
contract, the Delegator may issue the RGQA without risk information to the
Delegatee.

C.15.4.1 In such cases, the Delegator should indicate in the product description of
the RGQA (block #11) the details of the procurement and its importance to
the Acquirer stating that no specific risks were identified at this time but that
the GQAR’s comments and risk identification are welcome. The GQAR
should perform the requested risk identification (insert risk information into
Part II of the RGQA) and accept the RGQA.

C.15.5 Prepare, issue, or revise the RGQA. Instructions for preparing and issuing
the RGQA can be found in Section 4.1.

C.16 Delegatee Actions

C.16.1 Review RGQA Risk Information. In order to properly plan the GQA
surveillance methods and techniques, the GQAR shall review the risk
information provided by the Delegator on the RGQA. Attention should be
given to reporting requirements, mandatory surveillance requirements, or
unique GQA requirements. Requests for surveillance outside the scope of
Mutual GQA should be brought to the immediate attention of the Delegator.

C.16.2 Contract Review. The contract shall be thoroughly reviewed to identify

contractual requirements posing risks requiring monitoring through GQA.
The review may highlight system or process risks as well as risks to key
product characteristics. Additional information on contract review can be
found at section 4.2.

C.16.3 Risk Identification and Classification. The GQAR shall review all sources of
risk information identified in Figure C-4 to identify systems, processes or
key product characteristics with risks that require monitoring through GQA.
Detailed information concerning risk identification and classification can be
found in paragraphs C.8 and C.10.

C-15
Annex C to
AQAP-2070
(Edition 1)
C.16.4 Acceptance of the RGQA. Detailed information concerning acceptance of
the RGQA can be found in Section 4.2.

C.16.5 Risk Information Feedback. Detailed information concerning risk

information feedback can be found in Section 4.5.

C.17 Examples of Risks

C.17.1 The concept charts C-3 and C-4 provide general sources of risk information
that might be available to the Delegator and Delegatee. The intent of
section C.17 is to provide examples of risk information for each source
identified on the concept charts. The examples are provided as a memory
jogger only and do not limit the Delegator or Delegatee in any way. The
examples are provided to assist the Delegator and Delegatee during the risk
identification process. There are various types or kinds of risks that may
present themselves in a project or contract and they are too numerous to
capture in a single comprehensive listing.

C.17.2 Project / Contract Risks –These might include risks associated with the
following:

Supplier business management

Project or contract schedules or milestones
Environmental concerns
Poor or misidentified project or contract requirements
Evidence of repetitive project planning
Major capital investments
Political interests or visibility
Multinational interests
Joint development and production
Lack of performance milestones or turn-key projects
Multiple decision making within Government organization
Numerous International suppliers
Project interface and/or project office interface
Integrated logistics support requirements

C.17.3 Key Product Characteristics Risks–These might include risks associated

with the following:

Interface of hardware / software

Software development
Special materials
Critical dimensions
Reuse of hardware / software – re-verification of capabilities
Key performance characteristics
Key hardness materials

C-16
 Annex C to
AQAP-2070
(Edition 1)

Product requiring special testing

Pressure requirements
Weight and balance requirements
Requirements or performance that might become conflicting during
design
Commercial / military integration
Special preservation requirements
Special packaging requirements
Special materials pouring requirements

C.17.4 Key Systems, Processes, and Certifications Risks –These might include
risks associated with the following:

Elements from QMS

Sub-Supplier control
Special or unique manufacturing process requirements (welding, heat
treatment, non-destructive testing, soldering, etc.)
Personnel qualifications
Lack of certifications (systems and/or products)
Integration and/or implementation of deliverable data or plans
Use of commercial off-the-shelf equipment
Clean room requirements
Special tooling requirements
Special calibration requirements
Tool control requirements
Aircraft towing or movement / handling
Contractual flight operations or flight test

C.17.5 Previous Risk Information Feedback - –This might include the following:

Risk updates, information, and/or recommendations provided by the

Delegatee on previous delegations for the same type of products and/or
Supplier (could include QMS, process, or product risks)

C.17.6 Pre-Award Survey Risks –This might include the following

Risk information identified during contract pre-award QA-surveys or QA

audits (could include QMS, process, or product risks)

C.17.7 Customer Feedback Risks –These might include risks associated with the
following:

Customer complaints
Product failure reports
Independent laboratory reports

C-17
Annex C to
AQAP-2070
(Edition 1)
Prototype failure reports
Warranty claims
Uncooperative relationships between Supplier/Acquirer or other
customers
Product problems identified by industry sources

C.17.8 Supplier Past Performance Risks –These might include risks associated
with the following:

Risks based on knowledge or experience of previous contracts (could

include QMS, process, or product risks)
Failure to properly implement previous corrective action requests

C.17.9 Supplier inexperience - Systems or processes which, based on the

Suppliers inexperience, could have an adverse impact on the product or on
contract performance, schedule or cost requirements.

C-18
 Annex D to
AQAP-2070
(Edition 1)

Annex D

GQA Surveillance Methods and Techniques

D-1
Annex D to
AQAP-2070
(Edition 1)

Page blank

D-2
 Annex D to
AQAP-2070
(Edition 1)

GQA Surveillance Methods and Techniques

D.1 Purpose of this Annex

D.1.1 The purpose of this Annex is to provide the GQAR with support and
examples of GQA surveillance methods and techniques that might assist
in the planning and performance of GQA. Although each Nation may use
different terminology (see annex A) for the methods or techniques shown, it
is expected that the GQAR’s approach will be along the lines of the
information contained in this annex.

D.2 Flowchart

GQA Planning
and
Performance

Product Verification/ Process Review and

Formal Quality Audit Other GQA Activities
Validation Verification/Validation

Verify Evidence
Review Process Audit Planning
of Product GQA Records
Inputs and Preparation
Conformance

Review Process Audit Opening

Verify or Outputs Meeting
Validate
Supplier Tests Supplier Corrective
and Inspections Actions and GQAR
Review
Audit Adjustments of GQA
Processes and
Performance Surveillance Plans,
Procedures
as Necessary
(see Figure 4-3)
Verify or Validate
Independently Audit Closing
Process
or Concurrently Meeting
Conformance

Issue Quality Deficiency

Document Document
Audit Report Report (QDR) as
Observations Observations
Necessary

Figure D-1 GQA Methods and Techniques

D-3
Annex D to
AQAP-2070
(Edition 1)
D.2.1 The cross-functional flowchart at Figure D-1 illustrates GQA surveillance
methods and techniques that could be used by the GQAR to mitigate or
monitor the risks identified on the RGQA.

D.3 GQA Planning and Performance

D.3.1 The objective of performing GQA surveillance is for the GQAR to determine
the extent to which the Supplier’s planned activities (systems and
processes) are being realized and that the planned results (quality
products) are being achieved. The scope of GQA surveillance should be,
to the maximum extent possible, proportionate with the risks identified by
the Delegator and Delegatee on the RGQA.

D.3.2 GQA surveillance areas typically include the Supplier’s QMS, processes,
and products. GQA surveillance methods and techniques to be used
include formal quality audits, process reviews and verifications and/or
product verifications. GQA activities shall, through verification and
validation of objective evidence provided by the Supplier, provide
assurance and confidence to the GQAR and the Acquirer that the Supplier
is providing or producing contractually conforming products. The methods
being used are expected to be included in the GQA Surveillance plan.

D.4 Performance of Formal Quality Audits

D.4.1 Auditor Skills and Responsibility

The auditor is expected to conduct the audits in a professional manner.

The auditor should have sufficient personal attributes to enable him to lead
quality audits and to act properly and professionally during the conduct of
the audits. Auditors should avoid compromising the audit by discussing
audit details with the Supplier during an audit. The auditor must have:

a) Integrity, and is independent and objective;

b) Authority to do a proper job;
c) Received proper training; and
d) Gained audit experience under the supervision of a competent lead
auditor.

D.4.1.1 The auditor is expected to have knowledge, skills and experience of the
following areas:

a) QMS principles, methods, tools and terminology;

b) Audit principles, procedures and techniques;
c) Basic technical characteristics of processes and products (sector
specific); and
d) Specific contract requirements.

D-4
 Annex D to
AQAP-2070
(Edition 1)

D.4.2 Planning and Preparation

D.4.2.1 Quality Audits are effective way of verifying that the Supplier’s QMS,
elements of the QMS, or large cross-functional processes, are
implemented. The technique provides for a systematic, independent and
documented process. A prerequisite to the Quality Audit is a successful
evaluation of the QMS or process documentation. If the results of the
evaluation show that either the QMS or the process documentation are
deficient or inadequate, the audit process should normally be suspended
until the deficiency or inadequacy has been resolved. Processes that have
undergone significant changes should be audited subsequent to those
changes. Large, cross-functional processes require more in-depth
planning and coordination of functional resources.

D.4.2.2 The GQAR should initiate audit planning and prepare an audit plan. The
plan should be approved by the appropriate authority within the GQA
organization. Initial contact with the Supplier’s organisation should clarify,
and to the extent possible, agree on the audit plan. The following aspects
should be considered during audit planning, where applicable:

a) Define the objectives and scope of the audit;

b) Estimate the length of time for each phase of the audit;
c) Specify audit locations and dates for the audit;
d) Identify the lead auditor and team members;
e) Identify the QMS elements/processes to be audited;
f) Identify the documents and records that will be reviewed;
g) Identify the functions to be audited;
h) Identify the responsible Supplier personnel expected to be present
during the audit;
i) Identify when audit meetings will be held with the Supplier’s senior
management;
j) Identify who will get the final audit report and when it will be ready;
k) Identify the audit team members roles (if several auditors led by
GQAR/Lead auditor); and
l) Prepare working documents, such as a checklist (used to verify and
validate implementation of QMS elements and processes) and forms
(use to record observations and collect evidence). Gather information
necessary, such as copies of procedures, plans, reports, documents
etc.

D.4.3 Opening Meeting

D.4.3.1 Start the Quality audit by having an opening meeting with the Supplier’s
management and responsible personnel. This meeting should facilitate the
following:

D-5
Annex D to
AQAP-2070
(Edition 1)
a) Introduction of the audit team;
b) Introduction of the Supplier’s management team and the Supplier’s
QMS;
c) Clarification of the audit scope, objectives, agenda and schedule;
d) Clarification of how the audit will be carried out; and
e) Confirmation that the Supplier is ready to support the audit process.

D.4.4 Audit Performance

D.4.4.1 Collect audit evidence by interviewing personnel, reading documents,

reviewing manuals, studying records, reading reports, scanning files,
analyzing data, observing activities, examining conditions etc. in order to
verify QMS or process conformity. Evidence collected through interviews
should be confirmed by a more objective means.

D.4.4.2 Indications that point to possible nonconformities should be thoroughly and

completely investigated.

D.4.4.3 Auditors must study the evidence and document their observations.
Auditors must perform the following:

a) Study their observations and make a list of key nonconformities. They

must ensure that nonconformities are supported by objective evidence
and have traceability (cross-reference) to the documentation under
review;
b) Draw conclusions about how well the QMS, policies, and processes are
achieving its objectives; and
c) Present the evidence, observations, conclusions and nonconformities to
the Supplier’s management before preparation of the audit report.

D.4.5 Closing Meeting

D.4.5.1 Conduct a closing meeting with the Supplier’s management and

responsible personnel. This meeting should:

a) Present non-conformities and observations;

b) Give the timeline for the audit report;
c) Give the timeline for the corrective action response; and
d) Give a general conclusion about how well the QMS is being
implemented.

D-6
 Annex D to
AQAP-2070
(Edition 1)

D.4.6 Quality Audit Report

D.4.6.1 Prepare the final audit report. The audit report should be dated and signed
by the GQAR/Lead auditor. As a minimum, the report should include the
following elements:

a) The detailed audit plan;

b) Identify the audit team members;
c) Identify the Supplier personnel present during the audit;
d) Identify the evidence that was collected;
e) Identify conclusions that were drawn;
f) Identify nonconformities;
g) Identify how well the QMS complies with contract requirements;
h) Identify the ability of the QMS to achieve its objectives; and
i) Quality Deficiency Reports shall be issued with the report.

D.4.6.2 The lead auditor shall formally submit the audit report to the Supplier
requesting a proposed preventive and/or corrective action plan within the
agreed timeframe.

D.4.6.3 Additional information concerning audits can be found in ISO 19011.

D.4.7 Follow-up Preventive and/or Corrective actions

D.4.7.1 The Supplier is required to take the necessary preventive and/or corrective
actions in order to conform to contract requirements. The GQAR must
evaluate the proposed Supplier corrective action plan and the timeframes.
The evaluation must consider whether the nonconformity may have a
negative impact or consequence during the time taken to implement the
proposed actions.

D.4.7.2 Follow-up audits or other methods should be performed by the GQAR as

necessary to verify and validate that the agreed actions were taken and are
effective. The GQAR is expected to review risk information as detailed in
Annex C and revise the GQA surveillance plan as risks change.

D.5 Process Reviews and/or Verifications

D.5.1 For many processes, it is often more practical and appropriate for the
GQAR to perform process reviews and/or verifications as part of the day-to-
day activities rather than formal quality audits. This method is efficient in
determining the effectiveness of a Supplier’s processes. The technique
provides the GQAR insight into the Supplier’s process inputs, controls and
outputs. The technique does not require a formal audit plan, formal
opening, closing meeting, or a formal audit report.

D-7
Annex D to
AQAP-2070
(Edition 1)
D.5.2 The review or verification will include:

a) Coordination with the Supplier prior to starting the activity;

b) Verification that the contractual technical requirements or Supplier-
imposed requirements are properly transmitted to the appropriate level
and into the appropriate engineering, manufacturing, inspection, or
testing media;
c) Process inputs and associated controls against the contractual or
Supplier-imposed requirements to assure the process will generate the
desired outcomes. Process inputs typically include, as applicable,
equipment, materials, people skills, environmental controls, and
methods;
d) Establishing whether or not the product or outcome of the process
meets the established acceptance criteria and that the process controls
appear adequate to consistently produce conforming products or
outcomes; and
e) Recording the results and observations made on appropriate GQAR
records.

D.5.3 Depending on the process, the review may not necessarily verify all
elements of the process at the same time. The GQAR might find it more
effective to breakdown the process into segments. These could be
reviewed individually so that the entire process is reviewed over a period of
time to ensure the Supplier maintains control of identified risks.

D.5.4 Supplier’s Processes which might be subject to Reviews and or

Verifications if applicable are:

a) Manufacturing or production processes;

b) Non-conformance process (Non-conformance processing and
classification);
c) Process regarding analysis of contractual requirements;
d) Process regarding functional and physical audit configuration;
e) Process regarding final inspection/test and documentation check;
f) Process regarding first article inspections review; and
g) Process regarding specific tests or trials and their records
(environmental trials, flight test…).

D.6 Product Verification/Validation

D.6.1 Product verifications/validations are performed to provide assurance and

confidence that the product consistently meets its specified requirements,
to verify that the Supplier’s ability to measure, inspect or test product and/or
process outputs, and to confirm that the Supplier is adequately detecting
and rejecting non-conforming product. Product verifications are typically

D-8
 Annex D to
AQAP-2070
(Edition 1)

performed subsequent to the Supplier’s inspection, testing, or recording

activities (evidence of conformance).

D.6.2 Product verifications might include testing, inspecting, witnessing, or other

means of verification and validation that the product meets contractual
requirements. Product verifications can be used by the GQAR at any point
or area during the manufacturing process to ensure conformity to
requirements. Product verifications are performed independent or
concurrently with/of the Supplier’s inspections and tests. It may be more
advantageous or feasible for the GQAR to witness actual Supplier
inspections and/or tests. Where Supplier data (records) are used as the
primary verification technique, the GQAR is expected to occasionally verify
or validate the performance data.

D.6.3 Although not all inclusive, product verification might be used to assure the
following:

a) Supplier performed tests, including records;

b) Supplier’s inspection of product characteristics and performance,
including records;
c) Supplier’s manufacturing and fabrication processes;
d) Independent third-party laboratory testing;
e) Supplier’s process output data, including records;
f) Supplier’s classification/disposition of product nonconformities
(deviation permits and concessions);
g) Supplier’s processing of specification changes;
h) Supplier’s performance of physical / functional configuration audits and
their outputs;
i) Supplier’s receipt inspection activities and there documentation;
j) Supplier’s First Article Inspection, if specifically tasked; and
k) Contract specific tests and related documentation/records (Factory
Acceptance Tests, Site Acceptance Tests, Flight Acceptance Tests
etc.).

D.6.4 During the performance of product verifications, the GQAR is expected to

look for coherency and traceability between documentation and/or records
and the actual performance measurements of the product. It is the
Supplier’s responsibility to demonstrate that product characteristics and
requirements are within the stated acceptance criteria. A common
technique is for the Supplier to perform the tests, inspections, validations
etc. and that the GQAR witnesses, if necessary, the Supplier’s
examination. This approach ensures the Supplier uses the proper
measuring equipment and personnel, accurately records the results, and
verifies whether they are within contract requirements or parameters.

D-9
Annex D to
AQAP-2070
(Edition 1)
D.6.5 Inputs such as functional requirements, drawings, specifications, etc. must
be thoroughly reviewed prior to the verification. Output data, e.g. records,
reports, nonconformities, etc. are expected to be reviewed for appropriate
content and results. Output data shall provide objective evidence that
product characteristics and stated tolerances are being met. Normally,
Supplier’s product examinations must be performed using calibrated
measuring equipment, tools, test equipment, approved documentation and
procedures, competent operators etc. as appropriate.

D.7 Nonconformities

D.7.1 Nonconformities identified by the GQAR shall be brought to the attention of

the Supplier for preventive and/or corrective actions in accordance with
national practices. A report might be provided to the Supplier if additional
information is necessary. Verification of the Supplier’s preventive and /or
corrective actions may be necessary to ensure the actions have been
effectively implemented. See section 4.3 (GQA Performance) for additional
information.

D.8 Additional Information

Type/Methods Formal Quality Process Product Evaluation of Quality

Audit Review and Verifications Documentation
Verifications See NOTE in 8.1
Quality System X X X
Processes X X X X
Products X
Documentation X X X

Table D-2 Selection of the appropriate method

D.8.1 Table D-2 illustrates where the different GQA surveillance methods or
techniques might be used during the GQA surveillance activities. The
actual methods and techniques adopted will be influenced by the risk
associated with the system, process, or product.
NOTE: Evaluation of Quality Documentation is contained in section 4.3
(GQA Performance) and is normally a prerequisite to performing audits,
reviews or verifications.

D-10
 Annex D to
AQAP-2070
(Edition 1)

D.9 GQA Activities in Design and Development

D.9.1 The purpose of this paragraph is to act as a memory jogger for the GQAR
when performing GQA surveillance activities during design and
development of systems and products. Design and development of
complex defence systems and products normally involves a high degree of
risks to the Acquirer. This paragraph therefore gives some advice to the
GQAR on areas or processes that through experience are considered
important in achieving confidence to the Supplier’s performance. These
potentially high-risk areas and processes may therefore need to be
subjected to extensive GQA Surveillance during design and development.

D.9.2 Verification/Validation of Product

D.9.2.1 Three areas of the Supplier processes that should be subject to GQA
Surveillance through the different baselines is explained below;

a) Specification/Documentation Reviews (see Figure D-3 marked “a”);

b) Configuration Management Process, (see Figure D-3 marked “b”; and
c) Test and Acceptance Process (see Figure D-3 marked “c”).

D-11
Annex D to
AQAP-2070
(Edition 1)

System Definition (I) System Acceptance (V)

- System Requirement Specification - System Acceptance (c)

System Requirements Review (a) System Acceptance Review (a)
- System Design Specification - System Test (c)
System Requirements Review (a) Preliminary Acceptance Review (a)
System Design Review (a) - Installation Test (c)
Test Readiness Review (a)

Specification Baseline Product Baseline

System Design (II) System Verification (IV)

- Subsystem Specification - Installation
Preliminary Design Functional Configuration Audit (b)
Preliminary Design Review (a) System Verification Review (a)
- Detail System Specification System Integration Review (a)
Detailed System Design - Production
Critical Design Review (a) Production Readiness Review (a)
Detail Design Review (a) First Article Inspection (c)
Software Specification Review (a) - Integration Test (c)
- Test Specification

Functional Baseline
Implementation (III)
- Subsystem Development
Systems Integration
Physical Configuration Audit (b)
- Subsystem Test (c)

Figure D-3 Typical Design and Development Concepts

D.9.3 Figure D-3 illustrates typical design and development concepts.

Configuration management reviews, test and acceptance reviews and other
required reviews will differ from contract to contract. The contractual
terminology may also vary form contract to contract. This model is provided
as an example only.

D.9.4 Verification/Validation of Specification/Documentation Reviews

D.9.4.1 During the engineering process, it is important for the GQAR to validate
that Suppliers implement their stated processes. The GQAR is expected to
verify that the different specified reviews (see figure D-3) are performed,
that they are properly documented and that the Supplier properly deals with
action items. It is important to verify/validate (sample basis) that the
outputs from different engineering processes conform to, and are traceable
to, their respective requirements (inputs) that are applicable. Output

D-12
 Annex D to
AQAP-2070
(Edition 1)

documents from one baseline become the input the next baseline, and so
on. Critical Design Review is an example of a typical review to be
performed on Detail System Specification prior to release and acceptance
of the functional baseline. The purpose is to verify/validate that the
requirements specified in the Specification Baseline are fulfilled. It is
important to notice that the decisions concerning the technical aspects of
design reviews are solely the Acquirers responsibility.

D.9.5 Configuration Management (CM) Process

D.9.5.1 During the engineering process, it is important for the GQAR to validate
that the CM processes are implemented. The GQAR is expected to verify
that configuration items (CIs) are properly identified and documented from
specification baseline through functional baseline to the product baseline
(see figure D-3). The GQAR is expected to verify that configuration control
(engineering changes, deviation permits and concessions) is traceable only
to the approved baseline and that the formal configuration status
accounting is updated. The GQAR is expected to verify that configuration
audits detailed in the CM-plan are performed, documented and that action
items are properly dealt with. As an example, the GQAR may, if
appropriate, verify or validate Supplier performance of physical
configuration audit on the systems integration and /or functional
configuration audit on the installation.

D.9.6 Test and Acceptance Process

D.9.6.1 During the engineering process and production it is important for the GQAR
to verify that documentation, including test specifications on each baseline,
is developed by the Supplier and approved as a prerequisite for testing.
Typically tests to be verified or validated as appropriate are (see figure D-
3); integration test to validate that the product conforms to the detail system
design, system test to validate that the product conforms to the system
requirements and formal system acceptance test to validate that the
product conforms to the requirements specifications (contractual level).

D-13
Annex D to
AQAP-2070
(Edition 1)

Page blank

D-14
 Annex E to
AQAP-2070
(Edition 1)

Annex E

Electronic RGQA Process

E-1
Annex E to
AQAP-2070
(Edition 1)

Page blank

E-2
 Annex E to
AQAP-2070
(Edition 1)

Electronic RGQA Process

E.1 Purpose of this Annex

E.1.1 Electronic transmission of Requests for Government Quality Assurance

(RGQA) dramatically reduces the total Mutual GQA processing cycle times.
The purpose of this procedure is to define and standardize the Electronic
RGQA (E-Delegation) process.

E.1.2 Electronic transmission of RGQA`s is the Mutual GQA standard practice for
sending RGQA`s. The traditional practice of sending the RGQA by postal
system may be used as the alternative method.

E.1.3 Classified information will not be exchanged at any time as part of the
electronic delegation process. Such information will continue to be
exchanged in accordance with national procedures currently in place.

E.2 Structure of the Electronic Delegation

Email Message
to
RGQA Focal Point of the
Appropriate National
Authority or Focal Point
(STANAG 4107)

Attachment #1 Attachment #2

Electronic RGQA Electronic Contract

(Microsoft Word or (PDF or Microsoft
PDF File) Word File)

Figure E-1 Structure of Electronic RGQA

E.2.1 Figure E-1 shows the structure of the E-delegation. The E-delegation
consists of an electronic message (email) with an electronic copy of the
RGQA and an electronic copy of the contract or purchase order as
attachments. The E-delegation is sent to the Appropriate National Authority
or Focal Point listed in annex A to STANAG 4107. Each Nation is
responsible for keeping its focal point Email address current. The subject
block of the email message should read: NATO RGQA from (enter Nation
name) for Contract Number (enter contract number).

E-3
Annex E to
AQAP-2070
(Edition 1)
E.3 Preparation of the E-delegation

E.3.1 The E-delegation should be prepared using the electronic RGQA form.
Instructions for completing the form are found in Annex B of this AQAP. The
primary and preferred software application for electronic RGQA is Microsoft
Word. Do not protect the electronic RGQA as the Delegatee must be able to
use the form to indicate acceptance and provide risk information back to the
Delegator. In the event that Microsoft Word is not available, Adobe Acrobat
is the alternate software application for scanning the RGQA. No other
software applications should be used. Use of Adobe Acrobat is a
disadvantage, in that the Delegatee cannot enter a response on the
electronic RGQA form before returning the form to the Delegator.

E.3.2 The minimum software requirements are Microsoft Word 97, Adobe Acrobat
4.0, and an appropriate file compression program.

E.3.3 It is not necessary to electronically sign the RGQA, merely state that the
Delegator signed the original and type the Delegator’s name. The Delegator
(the person who’s name appears at the bottom of the RGQA form) should
also provide an Email address where he/she can be contacted. This will
greatly improve communication of concerns or issues associated with the
RGQA.

E.3.4 If possible, attach an electronic copy of the contract or purchase order. The
primary and preferred software application for the electronic copy of the
contract or purchase order is Adobe Acrobat. In the event that Acrobat is not
available, Microsoft Word is the alternative software application. No other
software applications should be used. In the case of the electronic copy of
the contract, use of Microsoft Word is a disadvantage, in that unless the
document is protected, it could be altered.

E.3.5 File size restrictions may prevent the attachment of the electronic copy of the
contract to the email message. Contracts containing colours or large
amounts of graphics will greatly increase the size of the file. For contracts
without graphics, a contract of 100 pages should not present a problem in
transmitting via email. If necessary, the contract can be divided into parts,
scanned, and sent in as a series of attachments. An alternative method is to
use a data compression software.

E.3.6 If it is not possible to electronically transmit the contract, a hard copy of the
contract should be sent to the Appropriate National Authority or Focal Point
via the traditional postal system. The RGQA should still be sent
electronically and the RGQA should request the GQAR to use the Supplier’s
copy of the contract until the hard copy of the contract arrives via the postal
system. If this poses a problem, the Delegator should be informed as soon
as possible. To avoid confusion, it is important that the Delegator clearly

E-4
 Annex E to
AQAP-2070
(Edition 1)

references the contract to the previously submitted E-delegation. A copy of

the previously submitted email message should accompany the hard copy
contract.

E.4 Receipt and Acknowledgement of the E-delegation

E.4.1 Upon receipt of the E-delegation, it should be reviewed by the Delegatee to

ensure all attachments have been received. If the E-delegation is
incomplete, the Delegatee should immediately notify the Delegator via return
Email message.

E.4.2 The Delegatee should immediately electronically acknowledge receipt of the

E-delegation via return email message. This acknowledgement signifies that
the RGQA has been received and is being forwarded to the Delegatee
GQAR for action and/or acceptance of the RGQA.

E.4.3 The RGQA should be processed internally by the Delegatee in accordance

with national practices. The ability to communicate electronically within the
national QA organizations will significantly decrease the total cycle time of
the Mutual GQA process and will foster the communication of issues,
concerns, and risk information directly between the Delegator and the
Delegatee. Communications by email also provide a record of the
communication.

E.4.4 The Delegatee should not delay in acting on the RGQA pending receipt of
the contract. GQARs should be instructed to use the Supplier’s copy of the
contract until the hard copy arrives via the postal system. When the hard
copy of the contract is received by the Delegatee, it should be forwarded
quickly to the GQAR.

E.5 Decision on an E-delegation

E.5.1 Acceptance/non-acceptance of the RGQA should be provided to the

Delegator using the electronic RGQA form. Acceptance/non-acceptance
should be accomplished as soon as possible after receipt of the electronic
RGQA. Acceptance signifies that the RGQA has been reviewed, the work
has been accepted, and the GQA will be performed in accordance with the
instructions of this AQAP and the RGQA. It is not necessary to follow-up the
RGQA acceptance via hard copy via the postal system.

E.5.2 A Non-Acceptance of an E-delegation shall be followed up by formal letter

via the postal system.

E-5
Annex E to
AQAP-2070
(Edition 1)
E.5.3 In some cases, it may not be possible to acknowledge acceptance of an E-
delegation within a few working days. This might be the case with large
contracts requiring extensive GQA planning. In such cases, the Delegatee
should electronically notify the Delegator of the delay and the circumstances.

E.5.4 It is extremely important that the email address of the GQAR that will be
performing the actual GQA surveillance is provided. This will foster direct
communication and risk information feedback between the Delegator and the
Delegatee.

E.6 Notification of RGQA Completion

E.6.1 Notification of GQA completion should be provided to the Delegator using

the electronic RGQA form. The notification of completion should include the
risk information feedback required in Part III of the electronic RGQA form. If
possible, any required reports should accompany the completed RGQA. If
reports are sent separately via the postal system, this should be indicated on
the completed electronic RGQA.

E-6