NATO MUTUAL GOVERNMENT QUALITY ASSURANCE (GQA) PROCESS

Transcription

1 AQAP 2070 NATO MUTUAL GOVERNMENT QUALITY ASSURANCE (GQA) PROCESS AQAP 2070 (January 2004) I ORIGINAL

2 Page blank II ORIGINAL

3 AQAP 2070 NORTH ATLANTIC TREATY ORGANIZATION NATO STANDARDISATION AGENCY (NSA) NATO LETTER OF PROMULGATION January NATO Mutual Government Quality Assurance (GQA) Process is a NATO/PFP UNCLASSIFIED publication. The agreement of interested Nations to use this publication is recorded in STANAG is effective on receipt. It supersedes AQAP 170 (Edition 2) which should be destroyed in accordance with the local procedure for the destruction of documents. 3. It is permissible to distribute copies of this publication to Contractors and Suppliers and such distribution is encouraged. J. MAJ Brigadier General, PLAR Director, NSA III ORIGINAL

4 Page blank IV ORIGINAL

5 Record of Changes AQAP 2070 Change Date Date Entered Effective Date By Whom Entered V ORIGINAL

6 TABLE OF CONTENTS 1 Section. Page Number 1. INTRODUCTION General References 1 2. INTENT and SCOPE CONCEPT OF OPERATION General Concept Information Mutual GQA Process Flowchart 2 4. MUTUAL GQA PROCESS Delegation Preparation Flowchart Delegator Review of Contract Requirements (1) Incomplete or Conflicting Contract Requirements (2 and 3) Delegator Risk Identification (4) Decision to Delegate GQA (5 and 6) RGQA Preparation (7) Electronic Transmission of the RGQA (8) Additional Process Information RGQA Acceptance and GQA Planning Flowchart RGQA Acknowledgement (1) GQAR RGQA and Contract Review (2) GQAR Risk Identification (3) Conflicting RGQA and Contract Requirements (4 and 5) RGQA Acceptance or Partial Acceptance (6 and 8) RGQA Rejection (7) GQA Surveillance Planning (9) Post Award Quality Assurance (QA) Meeting (10) Sub-Supplier RGQA Determination (11) GQA Surveillance Plan (12 and 13) GQA Performance Flowchart Perform GQA Surveillance Activities (1) Review of Supplier Quality Management Documentation (2) Non-conformities (3, 4, 5 and 6) GQA Surveillance Records and Analysis (7 and 8) GQA Completion (9 and 10) Significant Changes in Risk and Delegator Notification (11 and 12) Adjusting the GQA Plan (13) Notification of RGQA Completion Flowchart Preparation for Product Release (1) Certificate of Conformity (CoC) (2 and 3) Product Release (4) Notification of RGQA Completion (6) A number within ( ) corresponds to a flowchart block number. VI ORIGINAL

7 4.5 GQA Risk Information Feedback Flowchart Delegator Risk Identification (1) Initial Risk Information Feedback (2) Maintain Risk Information (3) On-Going Risk Information Feedback (4) Significant Changes in Risk (5) Risk Information Feedback at RGQA Completion (6) Additional Process Information GQA SUPPORT PROCESSES Deviation Permits and Concessions Flowchart Customer Complaint Investigations Flowchart Sub-Supplier RGQA Process Flowchart ANNEXES Annex A Mutual GQA Acronyms & Definitions Annex B Mutual GQA Forms Annex C Mutual GQA Risk Identification and Classification Annex D Mutual GQA Surveillance Methods and Techniques Annex E Electronic RGQA Process VII ORIGINAL

8 Page blank VIII ORIGINAL

9 1. INTRODUCTION 1.1 General Mutual GQA is the process by which NATO Nations provide each other, and NATO organizations, Government Quality Assurance on defence contracts. The appropriate National Authority in a supplying Nation provides, in its Nation, GQA surveillance on behalf of and at the request of the acquiring Nation or NATO organization Mutual GQA provides confidence to the acquiring Nation that, as related to quality, the Supplier of the defence products is complying with the terms of the contract being monitored through GQA. GQA is performed on those contractual requirements posing risks to or required by law of the acquiring Nation. 1.2 References a) Standardization Agreement (STANAG) 4107, Mutual Acceptance of Government Quality Assurance and Usage of the Allied Quality Assurance Publications. b) ISO 9000:2000 Quality Management Systems Fundamentals and Vocabulary. c) AQAP Contractual Documents. 2. INTENT and SCOPE 2.1 The intent of this document is to standardize and harmonize the process by which the participating Nations request and supply GQA. 2.2 The Mutual GQA process described herein is implemented by authority of NATO Standardization Agreement 4107, which has been ratified by each of the participating member Nations. Unless otherwise indicated by reservation to STANAG 4107, participating Nations will follow the Mutual GQA process, as defined in this AQAP, when exchanging GQA. 2.3 The mutual GQA process emphasizes the identification and classification of risks as a means of planning the GQA Surveillance activities. The feedback of risk information between the Delegator and the Government Quality Assurance Representative (GQAR) throughout the entire process will assure appropriate GQA Surveillance. 2.4 The mutual GQA process described in this document becomes applicable after the Government contract and/or derived subcontract is issued and where the monitoring and mitigation of risk is required. 1

10 3. CONCEPT OF OPERATION 3.1 General Concept Information Risk-based GQA surveillance is an effective means of aligning the appropriate amount and type of Government resources with the risks related to a project or contract. The objective is to perform the necessary GQA surveillance activities with focus on the identified risk areas in order to achieve the required confidence prior to the release of the product to the Acquirer Because of the uniqueness of the Mutual GQA process, identifying risks usually requires the input of the Delegator and the GQAR. Both have access and insight into the risk information necessary to focus and plan the GQA activity on those systems, processes, and products that pose risks to the Acquirer. 3.2 Mutual GQA Process Flowchart Mutual GQA Process Overview Delegator Contract (Input to Perform GQA) Contract Review Delegation Preparation (Section 4.1) Risk Identification RGQA Preparation RGQA to Delegatee Communication Develop Surveillance Plan RGQA Acceptance and GQA Planning (Section 4.2) GQA Surveillance Planning RGQA Acceptance GQA Performance (Section 4.3) Risk Identification RGQA and Contract Review Delegatee Perform Surveillance Document Results Corrective Actions GQA Support Processes (Section 5.0) Analysis of Data Adjusting Surveillance Sub-Supplier RGQA Customer Complaint Investigations Deviation Permits / Concessions Government Confidence in Conforming Product (Process Output) GQA Risk Information Feedback (Section 4.5) Notification of RGQA Completion (Section 4.4) Figure 3-1 Mutual GQA Process Overview 2

11 3.2.1 The cross-functional flowchart at Figure 3-1 illustrates the main sections (shaded areas) of the Mutual GQA process and its associated sub-processes. The process consists of risk identification by the Delegator and a determination as to whether the risks merit GQA surveillance. If GQA is necessary, a RGQA is prepared and forwarded to the Delegatee. Upon receipt of the RGQA, the GQAR also performs risk identification. This ensures all risks known to the Delegator and GQAR are identified and used in planning the appropriate GQA surveillance to protect the acquiring Government s contractual interests. GQA activities are based on the content of the RGQA and the contract The exchange of risk information, between the Delegator and GQAR, is key to the Mutual GQA process. With the continuous sharing and feedback of risk information, both the Delegator and GQAR will have greater insight into the project or Supplier risks and the GQA surveillance activities being implemented to mitigate or monitor those risks Requests for GQA shall only be sent to the appropriate National Authorities or Focal Points identified in STANAG 4107 Annex A Participating Nations are responsible for managing the Mutual GQA process within their respective Government Quality Assurance organizations and for measuring, analyzing, and continuously improving their implementation of this process. 4. MUTUAL GQA PROCESS 4.1 Delegation Preparation Flowchart Contract (Process Input) Delegator Contract Review 1 Contract Requirements Incomplete or Conflicting 2 Yes Delegator Initiates Actions to Correct Contract 3 No Process Output is the RGQA Forward RGQA to Focal Point 8 Delegator Risk Identification 4 Process Ends Delegator Prepares RGQA 7 Yes GQA Delegation Required 5 No Handle Risks not Requiring GQA Using National Procedures 6 Figure 4-1 Delegation Preparation Flowchart 3

12 The flowchart at Figure 4-1 illustrates the Delegator s responsibilities with regard to the delegation preparation process. The process input is the contract and the process output is the prepared RGQA. For simplicity, the word contract represents Government Defence contracts and derived subcontracts Delegator Review of Contract Requirements (1) The Delegator is expected to thoroughly review the contract prior to issuing the RGQA to assure that information appropriate to GQA has been included and that there are no incomplete or conflicting contract requirements. The Delegator should assure the contract contains, as applicable, the following: a) GQAR right of access into the Supplier s or Sub-Supplier s facility to perform GQA; b) Appropriate contractual AQAP or equivalent QMS requirements; c) Appropriate contract technical requirements or reference thereto; d) Certificate of Conformity requirements; e) Instructions related to product release from the Supplier s facility; f) Procedures for dealing with requests for deviation permit and/or concession; g) Requirements for Supplier generated plans, i.e. quality plans, risk management plans, configuration management plans, etc.; h) Design reviews, first article inspection and/or specific testing requirements; i) Contract delivery schedule requirements; and j) Legal/statutory requirements that could affect the contract Incomplete or Conflicting Contract Requirements (2 and 3) The Delegator is to ensure that incomplete or conflicting contract requirements are corrected by the Acquirer. If unable to do so prior to initiating the RGQA, details of the incomplete or conflicting requirements and the actions being taken by the Acquirer to resolve them should be included on the RGQA Delegator Risk Identification (4) The Delegator shall identify and classify risks using the guidance at Annex C It is highly recommended that communication be established between the Delegator and GQAR so that they can discuss the associated risks and planning of GQA surveillance activities, especially for larger programs or for longer-term delegations Decision to Delegate GQA (5 and 6) The Delegator must decide if the risks identified require GQA surveillance. The Delegator should determine whether STANAG 4107 is applicable without restriction or whether national restrictions require the use of special bilateral MOU or other such arrangements. For Sub-Supplier delegations refer to section

13 GQA at source of simple, low risk items or when the quality of the product can be verified satisfactorily on receipt, should not normally be delegated. In such circumstances, the Delegator should liaise with the Acquirer to ensure that suitable arrangements for the conduct of receipt verification are in place. Risks not requiring GQA surveillance should be handled in accordance with internal national practices. If, at this point, there are no risks remaining that require GQA, the process ends RGQA Preparation (7) The Delegator initiates the RGQA by completing Part I of the RGQA form. The RGQA form, along with guidance for its completion is provided at Annex B The Delegator should consider the following, as applicable: a) The need to be provided with a copy of the GQA surveillance plan; b) The need to authorize the GQAR to be involved with Supplier s requests for deviation permits or concessions; c) The need for the GQAR to sign a Certificate of Conformity; d) The need to provide instructions concerning the method of releasing product from the Supplier s facility; e) The need for risk information feedback or periodic reports from the GQAR; f) The need for the GQAR to become involved in first article inspection activities or special testing requirements, in support of a contract requirement; g) The need for GQAR observance of technical or design reviews (PCA, FCA, etc) Note: It is important to notice that, depending on the contract, the decisions concerning the technical aspects of design reviews are the responsibility of the Supplier and/or the Acquirer; h) The need to highlight risks associated with critical safety items, airworthiness, submarine safety, etc., that could have a catastrophic impact; i) The need to be provided with copies of sub-tier delegations, quality plans, etc; j) The need to provide pre-contract award survey results to the GQAR; and k) The need to notify the GQAR that the Supplier is contractually authorised to accept minor non-conforming product on behalf of the Acquirer All risks identified during the risk identification process that require monitoring through GQA surveillance should be documented on Part I of the RGQA. Where possible, the Delegator should specify which section of the contract or technical specification is associated with the risk shown on the RGQA. After identifying the risk, classify it in accordance with the definitions provided in Annex A It is not necessary for the Delegator to identify the GQA surveillance methods or techniques to be used during the performance of the GQA surveillance; the GQAR, during the GQA surveillance planning, will identify the methods and techniques best suited to handle and monitor the risks. Detailed instruction for completion of the RGQA form can be found at Annex B. 5

14 The Delegator should identify any reports to be provided by the GQAR. Reporting requirements should be kept to a minimum If the GQAR is to be requested to sign a Supplier s CoC, the CoC must be a contractual requirement. Further information concerning the CoC can be found in section Where several contracts have been placed with the same Supplier, the Delegator may request GQA on a facility-wide basis, which will encompass all of the Delegator s contracts at the Supplier s facility. The Delegator and GQAR are expected to coordinate and agree when the facility-wide approach is preferable. In such cases, the Delegator and GQAR shall ensure that all incoming contracts are reviewed to determine if the previously identified risks have changed or if additional risks are present. Based on this review, the facility-wide delegation should be revised as necessary Electronic Transmission of the RGQA (8) Preferably, the Delegator should electronically transmit the RGQA, along with the contract and supporting information, to the appropriate National Authorities or focal points address contained in STANAG 4107 Annex A. Instructions for the electronic transmission of RGQA are provided at Annex E. If using hard copy, the RGQA should be posted to the addresses provided in STANAG In either case, the RGQA shall be sent in sufficient time with contractual schedule in order to allow the GQAR to prepare for and perform the requested GQA In urgent situations where immediate GQA surveillance precludes preparation of the RGQA, the Delegator should or fax the Delegatee to request that GQA is initiated immediately. The Delegator shall follow-up the request with a formal RGQA as soon as possible Additional Process Information Normally, evaluations of a Supplier s complete QMS will not be requested. However, where the Delegator identifies risks associated with specific contractual elements of the QMS, appropriate GQA surveillance will be planned and performed by the GQAR Situations may occur where significant quality problems have resulted in an unacceptable level of risk to the project or contract. In such situations, the Delegator should coordinate the additional risks or Acquirer s concerns with the Delegatee. The RGQA should be revised accordingly If the Delegator requires copies of RGQA issued by the GQAR to Sub-Suppliers, the requirement should be clearly stated on the RGQA issued by the Delegator. 6

15 The Delegator will not withdraw an active RGQA without having first consulted with the Delegatee. Improper coordination or lack of management visibility when with drawing an RGQA could adversely impact the project or contract Unless required otherwise, the GQA surveillance of the Supplier s process for deviation permits and concessions should be based on risk. If other arrangements are required based on the Delegator s national requirements, the details are to be provided on the RGQA Where the Delegator requires copies of Quality Deficiency Reports (QDR) or other corrective action requests issued by the GQAR, the requirement should be so stated on the RGQA Where the Acquirer or contract identifies critical safety items, airworthiness items, submarine safety items, etc., the Delegator will identify their contractual requirements on the RGQA. The Delegator and Delegatee will discuss available national practices (GQA surveillance methods and techniques) that might satisfy the needs of the Acquirer Acceptance of the product and certification of airworthiness are not a normal aspect of the Mutual GQA process. As such, any related special requirements should be coordinated with the Delegatee in advance of the RGQA. 4.2 RGQA Acceptance and GQA Planning Flowchart Receipt of RGQA (Process Input) Focal Point Acknowledges Receipt of the RGQA 1 GQAR RGQA and Contract Review 2 GQAR Risk Identification 3 Initiate GQA Surveillance Planning 9 Notify Delegator of RGQA Acceptance 8 Yes RGQA Acceptance (full or in part) 6 No Incomplete or Conflicting RGQA, Risks, or Contract Requirements 4 No Yes Conduct Post Award QA Meeting with Supplier, if Necessary 10 Process Ends Formally Notify Delegator in Writing 7 Clarify Requirements with Delegator 5 Determine Sub- Supplier RGQA Needs 11 Develop GQA Surveillance Plan 12 Forward Plan to Delegator, if Requested on RGQA 13 Process Output is the Accepted RGQA and GQA Surveillance Plan Figure 4-2 RGQA Acceptance and GQA Planning Process 7

16 The flowchart at Figure 4-2 illustrates the Delegatee s process for accepting the RGQA and planning the GQA surveillance. The process input is the Delegator s RGQA and the process outputs are the accepted RGQA and the GQA surveillance plan RGQA Acknowledgement (1) The focal point should acknowledge receipt of the RGQA, without unnecessary delay, preferably by return message, but if unable to, by some other means. The acknowledgement signifies that the RGQA has been received and is being forwarded to the GQAR for review and acceptance GQAR RGQA and Contract Review (2) In order to properly plan the GQA surveillance required by the RGQA, the GQAR is expected to review the RGQA and accompanying contractual documentation upon receipt. The review is to ensure the GQAR is knowledgeable of the requirements of the contract as related to the requirements of the RGQA and will assist the GQAR in planning the appropriate GQA surveillance This review is the responsibility of the GQAR. Particular emphasis should be placed on the following, as applicable: a) Assuring the GQAR has the necessary right of access to the Supplier or Sub- Supplier s plant for the purposes of performing the necessary GQA; b) GQAR s delegated authority with respect to deviation permits and/or concessions; c) Supplier s authority concerning deviation permits and/or concessions; d) Assuring the appropriate AQAP or equivalent QMS requirements have been called up in the contract (reference STANAG 4107); e) Product technical requirements, if provided; f) Instructions concerning the GQAR s responsibility with respect to a Certificate of Conformity (CoC); g) Assuring the Delegator has provided instruction on the RGQA concerning the GQAR s involvement in releasing the product from the Supplier s facility; h) Requirements for Supplier generated plans, i.e. quality plans, risk management plans, configuration management plans, sub-tier delegations etc.; i) Requirements for first article inspections or special testing requirements; j) GQAR s involvement in technical or design reviews; k) Requirements for risk information feedback; l) Special reporting requirements; m) Pre-contract award information; and n) Special product designators such as Flight Critical, Submarine Safety Items, or other national high emphasis designators. 8

17 Where several contracts have been placed with the same Supplier, the GQAR may wish to perform GQA surveillance on a facility-wide basis GQAR Risk Identification (3) Using Part II of the RGQA form, the GQAR is expected to identify additional risks that require monitoring through GQA surveillance, that have not already been identified by the Delegator in Part I of the RGQA. The contractual reference associated with the risk should be annotated on the RGQA. Where reference is unavailable, rationale supporting the risk should be provided The GQAR is expected to identify and classify risks using the guidance at Annex C The GQAR is encouraged to provide recommendations and/or comments concerning the risks identified by the Delegator in Part I of the RGQA. It is not necessary for the Delegator and GQAR to agree on the risk identification and/or classification as their perspectives and accessibility to risk information is usually different. However, where the GQAR possesses risk information that significantly contradicts the risk identification and/or classification of the Delegator, the GQAR is expected to contact the Delegator and provide supporting objective evidence substantiating the identified risks or rationale for increasing or decreasing the risk classification. Accurate risk information is valuable to project or contract managers Conflicting RGQA and Contract Requirements (4 and 5) The RGQA and associated contract requirements should be clear, complete, and understood by the GQAR. If clarification is required, the GQAR is expected to contact the Delegator. Where possible, the Delegator and GQAR should use electronic means to expedite the resolution of issues RGQA Acceptance or Partial Acceptance (6 and 8) Based on the review of the RGQA, contract and outcomes of the joint risk identification, the GQAR determines if the RGQA can be accepted fully or in part. The GQAR accepts the RGQA by completing Part II of the RGQA form and returning the RGQA, without unnecessary delay, to the Delegator. By accepting the RGQA, the GQAR agrees to perform GQA on all risks identified in Parts I and II of the RGQA. The required RGQA form, with instructions, is provided at Annex B Where the GQAR can only accept the RGQA in part, the GQAR shall notify the Delegator to discuss alternatives for the requirements that cannot be accepted. While issues are being resolved, the implementation of GQA should not be delayed for those RGQA requirements that can be accepted by the GQAR. Acceptance, in part, of a RGQA should be on an exception basis unless reservations are posted in STANAG

18 The GQAR should notify the Supplier of the GQA surveillance to be performed. Once the GQAR accepts the RGQA, the GQA surveillance will not be discontinued without the coordination and concurrence of the Delegator RGQA Rejection (7) If the GQAR cannot accept the RGQA, the GQAR shall formally notify the Delegator, in writing, as soon as possible, explaining why the RGQA cannot be accepted. The formal explanation will be attached to the RGQA when it is returned to the Delegator. Rejection of a RGQA will only be on an exception basis GQA Surveillance Planning (9) The assigned GQAR is expected to have the necessary skills and competency at his disposal to properly plan and perform the appropriate GQA surveillance. The GQAR is expected to be knowledgeable of relevant industry and technical practices, AQAPs and techniques used by the Supplier in fulfilment of the contract requirements. Where the GQAR organization is unable to provide the necessary skills and competencies the GQAR will request assistance from the Delegator The GQAR will plan the necessary activities to satisfy the requirements of the RGQA. It is the GQAR s responsibility to determine the GQA surveillance areas, methods or techniques best suited to mitigate or monitor the risks identified on the RGQA. Figure illustrates the concepts relating to GQA surveillance planning. It also illustrates the GQA surveillance techniques that might be used depending on the surveillance area and associated risks. Where higher-level risks might require a combination of QMS, process and product surveillance, moderate-level risks might require only process and/or product surveillance. Lower-level risks might only require occasional product verifications. All GQA surveillance to be performed by the GQAR in support of the RGQA is expected to be documented on the GQA surveillance plan. Delegator and Delegatee Identified Risks GQA Surveillance Areas QMS Surveillance Process Surveillance Product Surveillance GQA Surveillance Techniques Formal Quality Audits Process Review and Verification Product Verification Figure Concepts Relating to GQA Surveillance Planning 10

19 During GQA surveillance planning, the GQAR should consider the status of the Supplier s QMS. Where GQA surveillance of the Supplier s QMS has been ongoing, then an initial quality documentation review by the GQAR is not normally necessary. Based on risk, the GQAR is expected to plan for continuing quality audits or reviews of the Supplier s QMS to assure it continues to satisfy contract requirements The GQA activities identified below are to be performed by the GQAR without the need for specific tasking in the RGQA: a) Reviewing the RGQA and contract requirements (4.2.3); b) Generating the GQA surveillance plans (4.2.11); c) Performing the GQA Surveillance (4.3.2); d) Reviewing the Supplier Quality Management System documentation (4.3.3); e) Establishing and maintaining GQA surveillance records (4.3.5); f) Reviewing the results of GQA surveillance (4.3.5); g) Adjusting the GQA surveillance and associated plans as risks change (4.3.8); h) Initiating and processing of quality deficiency reports; including verification/ validation of preventive and corrective actions (5.2); i) Initiating Sub-Supplier RGQA, as required (5.3); j) Sharing and providing risk information feedback to the Delegator (4.5); k) Conducting post-award QA meetings with the Supplier; l) Verifying and Validating the Supplier s objective quality evidence; and m) Verifying and validating the Supplier s investigations of customer complaints on current delegations Post Award Quality Assurance (QA) Meeting (10) When it is determined that the Supplier may not have a clear understanding of the QA requirements of the contract, it is suggested that a post-award QA meeting be initiated to clarify the requirements and resolve the misunderstandings. Either the Delegator or GQAR may propose the post-award QA meeting. This meeting enables the GQAR and Supplier to discuss, coordinate and clarify any misunderstandings they may have with regard to their respective responsibilities. The meeting also allows the GQAR to identify significant process audit/review stages. If necessary, the GQAR should contact the Acquirer for advice The meeting should be used to identify and/or clarify such issues as: a) QMS or inspection requirements; b) Quality plans, CM plans, Software plans, R&M plans, or other contractually required QA documentation or deliverable technical data; c) GQA surveillance activity to be performed in support of the RGQA; d) Procedures for dealing with requests for deviation permits and/or concessions; e) Certificate of Conformity requirements; f) Critical safety items, airworthiness items, submarine items, etc identified in the contract; 11

20 g) GQAR involvement in design reviews, CM activities, testing, release of product from the Supplier s facility etc.; and h) First article testing/pre-production testing Sub-Supplier RGQA Determination (11) Detailed information concerning the sub-supplier GQA process is located at section 5.3 of this document GQA Surveillance Plan (12 and 13) The GQAR is expected to generate a GQA surveillance plan. When required by contract, the Supplier s QA plan should be taken into consideration when developing the GQA surveillance plan. The plan should incorporate all of the requirements of the RGQA and identify all of the GQA surveillance activities to be performed by the GQAR to mitigate/monitor the identified risks and the GQA reports to be issued. The GQA surveillance plan may be generated for each individual RGQA received or may be combined on a project or facility-wide basis. The GQA surveillance activities identified in the plan will be traceable back to the risks identified on the RGQA Surveillance plans should be prepared in accordance with national practices. A surveillance plan would typically include: a) Identification of all risks from Parts I & II of the RGQA; b) Identification of the specific systems (or elements thereof), processes and/or products requiring GQA surveillance; c) GQA surveillance methods or techniques to be used; d) Scheduled completion dates of the surveillance; e) Intensity of surveillance, i.e. lot sampling, 100%, etc.; and f) Other GQA activities to be performed, identified on the RGQA The content of the GQA surveillance plan is not limited to the above information. The GQA Surveillance plan is a document that dynamically develops and evolves as risk and Supplier activities change throughout the life of the contract. See paragraph When requested, a copy of the GQA surveillance plan will be provided to the Delegator. Note: Requesting a copy of the plan should not be a common occurrence on routine RGQAs. Where major programs or higher risks are involved, it may be appropriate to request a copy of the plan. 12

21 4.3 GQA Performance Flowchart GQA Surveillance Plan (Process Input) Perform Planned GQA Surveillance Activity 1 Review Supplier Quality Mgt Documentation 2 Nonconformity Detected? 3 Yes Issue Quality Deficiency Report 4 On-Going GQA Revise/Adjust Surveillance Plan as Risk Change 13 No GQA Completion (Process Output) 10 Yes No Supplier or Sub-Supplier initiate Corrective and Preventive Actions 5 Changes in Risks or Nonconformity Require Delegator Notification 11 No RGQA Surveillance Complete 9 No Report Risk Information Feedback and/or Unsatisfactory Condition to Delegator using Part III of RGQA 12 Yes Analysis of GQA Records 8 Document GQA Surveillance Records 7 Yes Verify Supplier Corrective and Preventive Actions Effectively Implemented 6 Figure 4-3 GQA Performance Process The flowchart at Figure 4-3 illustrates the GQA Performance Process. The process input is the GQA surveillance plan and the process output is GQA completion Perform GQA Surveillance Activities (1) The GQAR will perform the GQA surveillance activity as planned (4.2.8) and documented on the GQA Surveillance plan (4.2.11). GQA performance includes such activities as review of Supplier QMS documentation, quality audits, process reviews and/or verifications, product verifications/validations, Sub-Supplier control, flow-down of data/contract conditions, and other GQA surveillance activities as tasked on the RGQA. Annex D provides additional information on GQA surveillance methods and techniques. 13

22 4.3.3 Review of Supplier Quality Management Documentation (2) When contractually required, Suppliers develop documents associated with their QMS. These documents might include a quality manual, quality plan, configuration management plan, software quality plan, or other types of contractually required Supplier developed documents or specifications The GQAR is expected to review the Supplier s quality documentation to ensure it satisfies the contractual documentation requirements. The review should provide the GQAR with confidence that the QMS, from a documentation perspective, meets the contract requirements and, if effectively implemented by the Supplier, should achieve the planned results. Where the review indicates that the documentation does not satisfy contract requirements, the nonconformity should be brought to the Supplier s attention for correction The review is typically performed as soon as practical after RGQA acceptance and should be ongoing throughout the life of the contract as the Supplier makes revisions to documentation. The review should initially focus on the risks identified on the RGQA; however, the documentation review will not preclude the implementation of the GQA surveillance identified on the GQA surveillance plan Where the contract requires formal Government acceptance or approval of QMS documentation, the documentation must be sent to the Acquirer Non-conformities (3, 4, 5 and 6) When contractual non-conformities associated with the Supplier s QMS, processes or products are detected by the GQAR, he will request the Supplier to define and implement corrective actions. The method for requesting corrective actions will be in accordance with national practices. Contract requirements normally require the Supplier to initiate corrective and preventive action in response to the identified non-conformities. The GQAR should verify that the Supplier has effectively implemented appropriate corrective or preventive actions to prevent recurrence of the nonconformity GQARs operating at the Sub-Supplier levels should not take any action or make any statement that could be construed as interfering with the contractual arrangements between the Suppliers and their Sub-Suppliers. If requested on the RGQA, a copy of each QDR raised is to be forwarded to the Delegator. The GQAR may also use Part III of the RGQA to notify the Delegator of the unsatisfactory condition GQA Surveillance Records and Analysis (7 and 8) The GQAR will record the results of all GQA surveillance activities performed in support of the RGQA. Records should indicate the system, process, or product audited, reviewed or examined, dates performed, results, and include details of 14

23 any QDRs issued. Unless otherwise agreed on the RGQA, record retention periods will be in accordance with national practices and at least until the completion of the contract. Results of GQA surveillance activity will be available upon request by the Delegator GQARs are expected to periodically analyze the GQA surveillance records to identify unfavourable trends or conditions associated with the Supplier s QMS, processes, or product. Unfavourable trends should be shared with the Supplier so that the Supplier can take appropriate corrective or preventive action. The results of the analysis are expected to be used by the GQAR to adjust risk levels and the GQA surveillance activity being performed. Where appropriate, the results of the analysis should be shared with the Delegator GQA Completion (9 and 10) The GQAR will notify the Delegator when the requested GQA is complete. Unless agreed otherwise on the RGQA, the GQAR will notify completion using Part III of the RGQA form Significant Changes in Risk and Delegator Notification (11 and 12) If at any time during the GQA process, the GQAR identifies a significant change in the levels of risk associated with the program or contract, the Delegator will be notified using Part III of the RGQA form. A change in risk resulting in a change of risk classification is considered significant. Such changes may result in adjustments to the GQA surveillance plan or the RGQA Adjusting the GQA Plan (13) The GQA surveillance plan is a dynamic document. The plan, and associated GQA surveillance, should be adjusted as risk classifications change or as confidence in the Supplier s ability to meet contractual requirements changes. The intensity or frequency of GQA surveillance activity should change accordingly. Adjustments to the plan should be considered after the following: a) Analysis of GQA surveillance records indicate favourable/unfavourable trends; b) Analysis of Supplier data indicate favourable/unfavourable trends; c) Identification of system, process, or product nonconformity that resulted in a QDR being issued; and d) Customer complaint investigations Where the Delegator requested the original GQA surveillance plan, the GQAR should provide a copy of the revised plan to the Delegator. 15

24 4.4 Notification of RGQA Completion Flowchart Process Input is Completed or On-going GQA Delegatee Preparation for Product Release 1 Delegator CoC Required per RGQA 2 Yes Delegatee Signs CoC 3 Yes No RGQA Complete Notify Delegator 6 No Multiple Contract Deliveries 5 Product Release by the Supplier 4 Figure 4-4 Notification of GQA Completion The flowchart at Figure 4-4 illustrates the Notification of GQA Completion process. The process input is the completed GQA or, in the case of multiple contract deliveries, the on-going GQA and the output is the risk information feedback to the Delegator Preparation for Product Release (1) The GQAR should review the instructions provided on the RGQA concerning the GQAR s involvement, if any, in the release of the product from the Supplier s facility Certificate of Conformity (CoC) (2 and 3) Within the context of Mutual GQA, the CoC is a dual-purpose form, the usage of which must be a contractual requirement. It is used as a confirmation by the Supplier to the Acquirer that apart from any identified and approved deviation permits and concessions, the products conform to contract requirements. The CoC is generated and completed by the Supplier When requested on the RGQA, the COC is signed by the GQAR to attest that, within the provisions of STANAG 4107, and the RGQA, the supplies identified on the CoC have been subjected to GQA. The GQAR signature on the CoC does not mean acceptance of the supplies on behalf of the Delegator, does not necessarily mean that the individual items have been inspected, nor does it mean that airworthiness certification has been granted. 16

25 An example of a suitable CoC form can be found at Annex B. Nations should modify the example form to suit their own national interests. For example, Nations may decide to separate the CoC into a two-part form to clearly distinguish the Supplier s Statement of Quality from the GQAR s statement of GQA As the CoC is used by many NATO Nations to authorize payment to the Supplier, the GQAR will only sign the CoC under the following conditions: a) There is a contractual requirement for the Supplier to submit a CoC; and b) The GQAR has been requested by the RGQA to sign the CoC Product Release (4) The GQAR is expected to comply with the instructions on the RGQA concerning the GQAR s involvement in releasing the product from the Supplier s facility. Acceptance of the product and certification of airworthiness are not a normal aspect of the Mutual GQA process. As such, any related special requirements should be coordinated with the Delegatee in advance of the RGQA Notification of RGQA Completion (6) Using Part III of the RGQA form, the GQAR notifies the Delegator when the RGQA is complete and provides the status of the risks that were monitored by the GQA surveillance activity. These are the risks previously identified in Parts I & II of the RGQA form. In addition, the GQAR may make recommendations to the Delegator concerning future GQA requests with the same Supplier and/or products. Notification of RGQA completion shall be provided to the Delegator in addition to any CoC requirements. See Annex B for further instructions on the completion of the RGQA form. 17

26 4.5 GQA Risk Information Feedback Flowchart Risk Information Feedback Process GQAR Delegator Perform Risk Identification and Forward Initial or Amended Part I of RGQA to Delegatee 1 Maintain and Use Risk Information Feedback Received from the Delegatee 3 Perform Risk Identification and Forward Part II of RGQA to the Delegator at RGQA Acceptance 2 Provide On-Going Risk Information Feedback to the Delegator as Requested on RGQA 4 Update Risk Information Feedback as Risks Change Significantly During Performance of GQA Surveillance (i.e. Nonconformity is Identified by any Source) 5 Provide Risk Information Feedback and Forward Part III of RGQA to the Delegator at RGQA Completion 6 Figure 4-5 Risk Information Feedback Process The cross-functional flowchart at Figure 4-5 illustrates the GQA Risk Information Feedback Process between the Delegator and GQAR. The process input is the completed Part I of the RGQA and the output is the risk information feedback. See Annex B for detailed information concerning completion of the form The risk information shared between the Delegator and GQAR is not to be shared outside the Government organizations involved in the RGQA process. The information is considered commercially sensitive and is to be used for GQA planning purposes only The feedback of risk information, between the Delegator and the GQAR is extremely important to the continued success of the Mutual GQA process. Projects and contracts cannot be properly managed without this information. The GQAR provides the risk information feedback at RGQA completion or on a continuing basis as agreed with the Delegator, using Part III of the RGQA form. The risk information feedback provides the status of the identified risks. The risk information must be maintained by the Delegator to assist in RGQA planning for future contracts with the same Supplier Delegator Risk Identification (1) Prior to initiating the RGQA, the Delegator is encouraged to contact the GQAR to discuss risks for inclusion on the RGQA, especially for larger programs or for 18

27 longer-term delegations. Normally, GQA Risk information is first shared between the Delegator and Delegatee when the RGQA is initiated and forwarded to the Delegatee. When initially identifying risks on the RGQA, the Delegator should consider any risk information that may have been provided by the GQAR on previous contracts with the same Supplier. See Annex C for information concerning Delegator risk identification Initial Risk Information Feedback (2) During acceptance of the RGQA, the GQAR has the opportunity to provide risk information feedback to the Delegator. Using Part II of the RGQA form, the GQAR provides additional risks that require monitoring through GQA surveillance and, provides comments or recommendations concerning the risks identified by the Delegator Maintain Risk Information (3) The Delegator may receive risk information from the GQAR at various times throughout the life of the RGQA. The Delegator is responsible for maintaining the GQA risk information and recommendations received from the GQAR. The GQA risk information is used by the Delegator to revise or adjust current RGQA requirements, as necessary, and for enhancing the quality of future risk-based delegations associated with the Supplier On-Going Risk Information Feedback (4) As requested on the RGQA, the GQAR provides on-going risk information feedback to the Delegator. Using Part III of the RGQA form, the GQAR provides the current status of the risks being monitored by the GQA surveillance. The Delegator should only request on-going risk status reporting on longer-term GQA delegations Significant Changes in Risk (5) Typically, risk levels will change during the course of GQA activity or if/when new risks are identified. These changes may result from the identification of nonconformities, improvement or degradation of Supplier performance, changes in contractual requirements, etc. In addition, when the GQAR considers such changes significant, the Delegator should be notified of the event and of any changes to the GQA surveillance activity resulting from the changes in risk levels. Where significant new risks are involved, the Delegator should revise the RGQA as necessary. Part III of the RGQA form is used for this notification. The GQAR should revise the GQA surveillance plan accordingly Risk Information Feedback at RGQA Completion (6) 19

28 As a minimum, risk information feedback is provided at RGQA completion. Using Part III of the RGQA form, the GQAR notifies the Delegator that the RGQA is complete and provides the status of the risks that were monitored by the GQA surveillance activity. These are the risks previously identified on the RGQA form in Parts I and II. The GQAR may also make recommendations to the Delegator concerning future GQA requests Additional Process Information Whenever possible, risk information feedback should be transmitted electronically between the GQAR and Delegator. However, where appropriate, feedback can be verbal, extracts from written reports, etc. 5. GQA SUPPORT PROCESSES 5.1 Deviation Permits and Concessions Flowchart Supplier Requests Deviation Permits or Concession (Process Input) 1 Is GQAR Delegated Authority on RGQA 2 Yes Verify Classification 4 Minor Concur with Application 5 No Process Ends for GQAR 3 Major Provide Recommendations as Required by RGQA 6 No Yes Provide Document to Supplier to Forward to Acquirer as applicable per Contract 7 Maintain Records and/or Provide Copy to Delegator 8 Process Output is Accepted/Rejected Major/Minor Application (Process Output) Adjust GQA Surveillance Plan Accordingly 10 Verify Supplier s Corrective / Preventative Actions 9 Figure 5-1 Deviation Permit and Concession Process The flowchart at Figure 5-1 illustrates the Deviation Permit and Concession process. The process input is the application for deviation permit or concession presented by the Supplier and the process output is an accepted or rejected major or minor application. The process is described in detail below. 20

29 Because of differences in Acquiring Nations statutory requirements or national policy and practices, the Delegator must identify on the RGQA whether the GQAR is requested to concur or non-concur with each individual application for deviation permit or concession requested by the Supplier or whether the GQAR is to monitor the Supplier s process by means of on-going audits based on process risks. Where statutory requirements or national policy or practices stipulate the GQAR s involvement in the process, the Delegator will coordinate this activity with the GQAR Where the Delegatee s national practices do not stipulate the GQARs involvement, the Supplier s process for identifying, classifying, and sentencing minor non-conformities should be monitored based on process risk Where the acquiring Nations statutory requirements or national policy or practices prohibit the acceptance of deviation permits or concessions the Delegator should clearly identify the prohibition on the RGQA. This will ensure the authority is not inadvertently flowed down to other GQARs at the Sub-Supplier level Supplier Presents Deviation Permit or Concession (1) The processing of deviation permits and concessions should be planned and implemented in accordance with contractual requirements. The process starts when the Supplier presents the application for deviation permit or concession to the GQAR If a Supplier or Sub-Supplier is contractually required to prepare and process the application in accordance with a specific contractual format or manner, the Delegator should specify the format on the RGQA. If not identified on the RGQA, a suitable format or manner will be coordinated with the Supplier. An example of a suitable format is available at Annex B Unless specifically defined in the contract, Suppliers are typically responsible for: a) Properly documenting the nonconformity; b) Properly classifying the nonconformity as major or minor; c) Identify and describe the consequences if the application for deviation permit or concession is not granted; d) Identifying the specific number of production units affected; e) Identifying the specific service affected; f) Identifying the specific time frames affected; g) Identifying whether the nonconformity has occurred previously; h) Identifying any restrictions placed on the product as a consequence of the nonconformity; i) Initiating appropriate preventive and corrective measures; and j) Providing a disposition or sentencing the nonconformity 21

30 If the above are contractual requirements, the GQAR should verify that the Supplier has taken the appropriate actions. 22

31 5.1.3 GQAR Delegated Authority (2 and 3) Government contracts require Suppliers to provide products that fully meet contractual requirements. However, there may by circumstances when it is to the Acquirer s benefit to accept the delivery of the product that is non-conforming, e.g. urgent operational commitments. The authority to concur or non-concur with the Supplier s application for minor deviation permits and concessions is typically flowed down from the Acquirer to the GQAR at the Supplier s facility. Within the scope of the Mutual GQA process, this authority can be delegated between Nations The Delegator must clearly identify, on the RGQA, the authority delegated to the GQAR concerning the processing of Supplier or Sub-Supplier generated requests for deviation permits or concessions. Whether at the Supplier or Sub-Supplier level, the authority delegated to the GQAR is limited to minor non-conformities (see definitions in Annex A). Within the context of the Mutual GQA Process, the Acquirer retains approval authority for major non-conformities Where the Supplier is contractually authorised to accept minor non-conforming product on behalf of the Acquirer, this will be clearly stated on the RGQA Where the Acquirer has specifically withheld authority from the GQAR to accept minor or major nonconformity, this will be clearly stated on the RGQA. In these cases, all requests for deviation permit or concession will be processed by the Supplier or Sub-Supplier to the Acquirer for an acceptance decision. In such situations, the GQAR s involvement in the process is usually limited to providing recommendations to the Acquirer The Delegator should provide clear instructions on the RGQA concerning the redelegation of authority associated with deviation permits and concessions to GQARs at further sub-tier Supplier levels If, at any point, during the processing of minor or major deviation permits or concessions, the GQAR feels that the required actions exceed their technical expertise/competence, they shall notify their management. If necessary, the Delegator should be notified so that appropriate support can be provided Verify Classification (4) The GQAR should verify that the condition of non-conforming product is clearly and accurately described on Supplier s applications and that, in their professional opinion, the nonconformity is properly classified. The frequency of the verification activity will depend on the instructions received from the Delegator. In the absence of specific instructions from the Delegator, the frequency should be based on the risks associated with the Supplier s process. 23