If you are entering defence supply chains, whether through subcontractors, integrators or public procurement, the AQAP 2110 standard will almost inevitably come into play. It is based on ISO 9001:2015, but adds NATO-style discipline: contract-oriented planning, controlled changes, stricter supplier oversight, and readiness for Government Quality Assurance (GQA).
We offer practical changes that companies in Kazakhstan, Uzbekistan, Georgia and Kyrgyzstan most often need in order to implement AQAP 2110 without unnecessary bureaucracy and paperwork.
How AQAP 2110 differs from ISO 9001 (and why it matters)
ISO 9001 provides the backbone of a quality management system, while AQAP adds requirements that are critical for defence supply chains: stronger contract control and more evidence.
In brief:
- the customer’s or GQAR representative’s right to participate in controls and inspections;
- mandatory contract-specific plans (Quality Plan, risk plan, and sometimes a CM plan);
- stricter traceability and change management across the supply chain.
1) The contract becomes the primary document (rather than the general quality policy)
Under AQAP, the logic is straightforward: you must not only deliver quality, but also demonstrate it against every contract requirement. For this reason, a Quality Plan is prepared for the project before work begins, including acceptance criteria, inspections/tests, and a requirements compliance matrix; the customer/GQAR may reject it.
A useful practice is to create a “contract file” (electronic), containing the requirements, correspondence, changes, test records, acceptance certificates, and all quality-related decisions.
2) Appoint a GQA owner and arrange access for audits
AQAP requires management to appoint a representative for GQA matters with the authority to resolve quality issues and report directly to top management. In addition, access to sites, documents, and verification activities must be provided where this is required by the contract.
3) Risk management is not a presentation, but a real plan
Risks are considered already at the contract review stage and are updated throughout the project, including risks relating to external suppliers. The risk management plan is submitted to the customer/GQAR, and it may be rejected.
To make the system work effectively, include at least three layers in the risk register: requirements (technical specification/specifications), execution (equipment, competence, special processes), and suppliers (lead times, quality, component substitutions).
4) Configuration and changes: every version must be controlled
One of AQAP’s key reinforcements is configuration management: identification, change control, status accounting, configuration audit, and a contract-specific CM plan.
If you produce a product/hardware/software, answer two questions in writing: “What do we define as a version?” and “Who is authorised to change a version, and how do we confirm compliance after the change?”
5) Suppliers: requirements must be flowed down through the chain
Purchasing components on the basis of “it was fine yesterday” is not acceptable here. Contract requirements must be included in procurement documents, together with a clause stating that the work may be subject to GQA; at the same time, inspections at external providers do not remove your responsibility.
Before the list, here is a short checklist that usually delivers a quick effect:
- qualification of critical suppliers and their periodic re-evaluation;
- incoming inspection and clear acceptance criteria;
- rules for substituting materials/components (what is equivalent and what is not);
- traceability requirements and the “quality package” (certificates, test records, calibration documents).
Once these points have been implemented, you will usually notice that “firefighting” in production or in the project becomes a set of predictable tasks.
6) Documents and records: if it is not recorded, it is difficult to prove
AQAP requires you to define in advance which records will serve as objective evidence of conformity (plans, records, inspection/test results, calibrations, training, non-conformities) and to ensure access to contract-related documented information.
What AQAP 2110 certification looks like in practice
In most cases, AQAP 2110 certification is built on top of an already functioning QMS in accordance with ISO 9001 — this provides a strong foundation (see the page: ISO 9001:2015 Quality Management System).
A practical preparation route usually includes:
- a GAP analysis against AQAP 2110;
- a pilot on one contract (Quality Plan + risk plan + CM);
- an internal audit using checklists (the approach from the article How to Prepare for an Internal ISO Audit).
What to do right now
Start with a pilot project: prepare a Quality Plan, set up a risk register and a change management process, and update your procurement procedures. Then scale this approach across the remaining contracts.
System Management supports AQAP 2110 implementation across the CIS, from diagnostics through to preparation for the external audit. As a reference for the stages, you may look at the article How to get an ISO certificate in Kazakhstan.