NPR 8735.2C
Effective Date: March 12, 2021
Expiration Date: March 12, 2026
Subject: Hardware Quality Assurance Program Requirements for Programs and Projects (Updated w/Change 1)

Responsible Office: Office of Safety and Mission Assurance

Chapter 5. Supply Chain Risk Management for Mission Acquisition Items

5.1 Requirements Flow Down

5.1.1 The Project Manager shall include requirements in a. through c. in the Project QA program plan for supply chain risk management (SCRM).

a. NF 1707, Special Approvals and Affirmations of Requisitions, is used for procurement strategy development with the assigned NASA procurement officer (i.e., CO or buyer) (for additional information, see NFS 1846.103, Contracting office responsibilities), regardless of the procurement value. This requirement cannot be flowed down to non-Government project offices. See NFS 1846.370, NASA contract clauses, for a required quality clause that is unique to human-rated missions.

b. Procurement officials are provided requirements language for procurements that provide for flow down of the project's Project QA program requirements to the lowest appropriate tier of the supply chain (for additional information for Government acquisitions, see Higher-Level Contract Quality Requirements, 48 CFR § 46.202-4, and NFS 1846, Quality Assurance). See Appendix C for considerations applicable to critical item procurements.

c. Where requirements flow down is not practical (e.g., international partner suppliers, use of spare units from another project, commercial off-the-shelf (COTS) items), quality conformance risk mitigations are defined and executed post-procurement or post-acceptance that are relevant for the item's technology, criticality, and prior usage history (for additional information, see Policy, 48 CFR § 46.102.f).

Note: Product investments beyond the procurement cost of a COTS item are necessary to characterize the item's design, reliability, or quality risks and to develop and implement strategies for mitigating those risks. Leveraging prior use data may provide cost reductions for characterization research when design and production homogeneity exist across production lots.

5.2 Minimum Quality Management System (QMS) Requirements for External Suppliers

5.2.1 External suppliers are all suppliers who provide mission development, mission hardware, mission hardware processing, or mission hardware deployment to NASA including federally funded research and development centers (FFRDCs), prime contractors, and subtier suppliers.

5.2.2 Project Managers shall include the QMS requirements for external suppliers, shown in a. through c. below, in the Project QA program (for additional information, see Contractor Responsibilities and Higher-Level Contract Quality Requirements, 48 CFR §§ 46.105.(a).(3), 202-4).

a. Suppliers of procured critical hardware systems (e.g., subassemblies, functional systems, mission payloads, spacecraft, aircraft, or launch systems) and launch services are compliant to AS9100D. These systems are considered critical and complex as these terms are defined in 48 CFR §§ 46.203.(b) and (c). Third-party certification to AS9100D is preferred over compliance to AS9100D.

b. Suppliers of procured piece parts determined to be critical items, or special process execution (e.g., plating, polishing, soldering, brazing) determined to be critical, or services excluding launch services (e.g., machining, laboratory testing, transportation, and storage) determined to be critical, maintain a QMS that complies with one of the following:

(1) Compliance to or third-party certification to AS9100D (preferred).

(2) Compliance to or third-party certification to ISO 9001, Fifth Edition, Quality Management Systems - Requirements.

(3) Compliance to AS9003A, Inspection and Test Quality Systems, Requirements for Aviation, Space, and Defense Organizations.

(4) Compliance to or third-party certification to ISO/IEC 17025:2017, general requirements for the competence of testing and calibration laboratories (preferred for laboratory testing and calibration services).

c. The Project Manager may evaluate and use the following types of third-party process certifications as alternate equivalent approaches to satisfying the supplier QMS requirements in 5.2.2.b:

(1) Certification by Nadcap (reference https://sas.nasa.gov or https://www.eAuditnet.com).

(2) Certification by IPC for soldered assemblies or for printed circuit board manufacturing (reference https://ipcvalidation.org/certifications/qpl-qml-list).

(3) Qualified by the Defense Logistics Agency as indicated by listing on a qualified manufacturer list managed by the Department of Defense (DoD) (reference https://landandmaritimeapps.dla.mil/programs/qmlqpl/).

Note: QE and SCRM analyses will be necessary to determine when manufacturing process complexity for a given procured item demands that the supplier's QMS aligns to AS9100D rather than ISO 9001, Fifth Edition, AS9003A, or ISO/IEC 17025. An AS9100D-certified QMS is preferred, though use of the other standards in 5.2.2 may be necessary and suitable due to the type of product or process being acquired, supply chain and market considerations, and project risk management considerations. AS9100D is designed for applicability to suppliers of critical and complex items and services acquired by the aviation, space, and defense industries. ISO 9001, Fifth Edition, and AS9003A provide less stringent requirements than AS9100D, though all three are considered suitable for acquisitions of critical but non-complex items. The use of the terms critical and complex is limited to their meaning as defined in the FAR and Appendix A herein.

5.3 Counterfeit Avoidance System

5.3.1 The Project Manager shall include in the Project QA program that the requirements in 3.1.1.d.(3) above will be flowed down to external suppliers.

5.3.2 See Reporting Nonconforming Items, 48 CFR § 46.317, for regulations and contract clauses used to require suppliers to control and report instances of suspected counterfeit items.

5.4 Procuring "Covered Articles"

The Project Manager shall ensure that NF 1707, section 2, is used when procuring IT items considered "covered articles" per NASA's Office of the Chief Information Officer-managed SCRM procedures, Section 514 (a) of the Consolidated Appropriations Act of 2020, and NPR 2810.1A, Security of Information Technology, regardless of the procurement value. The requirement to use NF 1707 cannot be flowed down to non-Government project offices.

5.5 Supplier Audits and Assessments

5.5.1 The Project Manager shall include in the Project QA program the audit and assessment requirements of a. through c.

a. Supplier audits or assessments are used to generate evidence of prime and sub-tier supplier risks that are related to the robustness of the supplier's QMS and to their design and control of special processes. For additional information, see AS9101F, Quality Management Systems Audit Requirements for Aviation, Space, and Defense Organizations, for the methodology for performing supplier QMS audits. See 4.3.5 for requirements to evaluate supplier risk prior to executing a procurement.

b. For audits and assessments conducted by the Government, the following apply:

(1) Audits and assessment results are shared with the supplier.

(2) Nonconformance findings are shared with the supplier after the project office or risk review board has evaluated their risk impact and determined if direction to the supplier is necessary.

(3) Audit findings alone are not sufficient for directing suppliers.

Note: Correcting processes or products to resolve audit or assessment findings can create unintended negative programmatic impacts. The Project Manager and CO are stakeholders in decisions that can affect compliance with contract requirements and programmatic risk.

c. Audit and assessment results, audit scope, and supplier approval status, when used, are entered into https://sas.nasa.gov or submitted to the administrators via e-mail to jsc-sasAdmin@mail.nasa.gov for posting to the SAS Web site for Agency-wide availability.

5.5.2 The Project Manager shall define, in the Project QA program, when a third-party QMS or process certification, other second-party audit or assessment result(s) (including those found in https://sas.nasa.gov), second-party surveillance result(s), or other alternative sources of supplier quality and risk data (e.g., open source analyses) are considered acceptable as substitutes for a NASA-led or prime-contractor-led audit or assessment. Examples of second-party auditors are partner agencies and NASA prime contractors who audit their subcontractors. QMS and process audit results that are older than three years may no longer be representative of current supplier quality management.

5.6 Government-Industry Data Exchange Program (GIDEP) and NASA Advisory Risk Screening

The Project Manager shall include the requirement in the Project QA program that the program or project will track and evaluate risk based on GIDEP program participation results (ref. NPR 8735.1) reported by suppliers.

5.7 Government Contract Quality Assurance (GCQA): Surveillance and Government Mandatory Inspection Points (GMIPs)

5.7.1 Conducting GMIPs is an inherently Government function that is performed on behalf of the Government acquiring activity as a part of contract administration without regard to the tier level of the supply chain (for additional information, see General, Government contract quality assurance at source, and Subcontracts, 48 CFR §§ 46.401.(a), 402, 405). The requirements in Chapter 7 apply for GCQA activities. The requirements in Chapter 8 apply only to NASA governmental project offices who delegate GCQA functions to the DCMA.

Note: While the supplier is often the primary source for identifying the timing of a MIP, due to their ownership of the production schedule, and can be said to "request performance of a MIP," the MIP is selected by the project or the acquirer and the surveillance action is performed by the second-party inspector. Second-party quality surveillance and GCQA are provided in addition to, not as a substitute for, supplier responsibilities for assuring delivery of conforming products or services.

5.8 Federal Acquisition Regulations (FAR) References for Government Acceptance of Product

5.8.1 The requirements in this section apply only for Government acquisitions.

5.8.2 The Project Manager shall specify to the CO:

a. The location where the product will be accepted: source or destination (for additional information, see General and Place of acceptance, 48 CFR §§ 46.401.(d), 503).

b. When a material inspection and receiving report (for additional information, see DD Form 250, Material Inspection and Receiving Report) will be used in the product acceptance process. (For additional information, see NFS 1852.246-72, Material Inspection and Receiving Report.)

c. When Government QA verification is required prior to delivery of items between subcontractors in the supply chain or between subcontractors and the prime contractor (reference Subcontracts, 48 CFR § 46.405 and NFS 1846.671, Contract quality assurance on shipments between contractors).

