Еконтроль
Back to Resources

AQAP 2110 Documentation Checklist: What Ukrainian Defense Manufacturers Need to Prepare (2026)

35-point AQAP 2110 documentation checklist: quality policy, procedures, records, configuration cards. Ready-to-use template for defense manufacturers. BV partner.

Published June 29, 202614 min read
AQAP 2110 documentation checklist for Ukrainian defense manufacturer

Overview: what documents AQAP 2110 actually requires

AQAP 2110 documents aren't a fixed list with numbers — they're an evidence base proving your processes are under control. The AQAP 2110 Edition D Version 1 standard doesn't say "you must have these 47 specific procedures with these exact titles." It says something different: your quality management system must demonstrate that you control product configuration, trace batches, manage suppliers, react to non-conformances, and assess risks. How exactly you document that is your decision.

In practice, for a typical Ukrainian defense manufacturer — from a drone maker with 50 people to a serial ammunition producer with 300 — the typical documentation package looks like this: 30-50 core documents plus hundreds of records per year. Documents fall into 4 levels: strategic documentation, system procedures, work instructions, records. The first three levels are created once and reviewed periodically. The fourth level — records — is generated daily and accounts for 80% of total documentation volume by file weight.

The main principle to keep in mind: documentation must describe real work. Not "exist for the auditor," not "look pretty," not "copy the standard." Describe what you actually do. If a procedure says one thing and the operator does another — that's a non-conformance, even if both options are technically fine. An auditor checks not the paper, but whether the paper matches reality. Honestly, it's better to have a simpler procedure people actually follow than a glossy 40-page one nobody reads. For a deeper look at the standard itself, see our complete AQAP 2110 guide.

The 4 levels of AQAP 2110 documentation

Level 1 (strategy): quality policy, objectives, QMS scope, process map — 5-8 documents, owned by the CEO. Level 2 (procedures): how you manage configuration, traceability, suppliers, CAPA, audits — 10-15 documents, owned by quality. Level 3 (work instructions): routing cards, control plans, test instructions — 20-100 documents, owned by production. Level 4 (records): journals, reports, traveler cards, configuration cards — hundreds per year, generated daily. The first three levels are the "rules of the game," the fourth is the "trace of the game."

Level 1: Strategic documentation

The top of the pyramid. There aren't many documents here — usually 5-8 — but these set the direction for the entire quality management system. Without them AQAP 2110 doesn't move forward, because from day one the auditor will ask: "show me the quality policy," "where are your objectives," "what's your QMS scope." The owner of this level is top management — in small companies, the CEO personally.

Quality Policy. One page, signed by the CEO, with a current date. It must include direct statements about the defense sector: "we produce military-purpose goods," "our commitment is to traceability of every batch," "we comply with AQAP 2110 and applicable national regulations." A boilerplate "we strive for quality" policy doesn't work — the auditor wants to see that the CEO understands the context of defense manufacturing.

Quality Objectives. Measurable, with KPIs, with a named owner and deadlines. Examples: "share of non-conforming items — no more than 0.5% per year," "CAPA response time — no more than 14 days," "100% of operators of critical processes complete annual competency revalidation." Generic goals like "continuously improve quality" don't count.

QMS Scope Statement. A 1-2 page document that clearly describes which sites, which processes, which products are covered by the system. It's important to state what's excluded from the scope and why. For example, if you only do assembly and outsource design — this must be explicitly recorded.

Organizational Context. SWOT, PESTLE or another analysis with a stakeholder register. Defense-specific: stakeholders must include the MoD, DoT (Defense Procurement Agency), regulators, and where applicable — foreign customers. Among threats — regulatory change risks, problems importing critical components, cybersecurity risks.

Top-level Process Map. A graphical or tabular map of the core production processes with interconnections — from order intake to shipment. The map flags critical control points, which are then detailed in procedures and work instructions.

LevelDocumentsTypical countOwner
1. Strategic documentationQuality policy, objectives, scope, organizational context, process map5-8 documentsCEO + Quality Manager
2. Procedures (system-level)Configuration management, traceability, CAPA, supplier management, audits10-15 documentsQuality Manager + process owners
3. Work instructionsRouting cards, control plans, test instructions20-100 documentsProcess engineer + production head
4. RecordsJournals, reports, traveler cards, configuration cardsHundreds per yearOperators, inspectors, QA

Level 2: Procedures (system-level documents)

The heart of the system. If strategic documentation is "where we're going," procedures are "how we work systematically." For a typical defense manufacturer, the set usually includes 10-15 system procedures. Some duplicate ISO 9001 requirements, others are specific to the defense sector and AQAP 2110.

Control of Documented Information. How documents are created, who approves them, how versions are controlled, how obsolete copies are removed from workplaces, how the electronic archive is maintained. It's a basic procedure, but many manufacturers fail right here — when the foreman's desk has one version of an instruction and the system already has another.

Configuration Management Plan. A defense-specific procedure often written as a standalone plan. It describes how the baseline configuration is defined, how changes are introduced, who approves them, and how status accounting is maintained. For a drone manufacturer this covers firmware, hardware revisions, and software versions. For an ammunition manufacturer — control of formulations, powder suppliers, and process parameters.

Traceability Procedure. The second critical defense procedure. Describes forward + backward traceability: how to trace from a finished product down to each component (which supplier, which batch, what receipt date), and the reverse — from a component batch, see which finished products used it. For AQAP 2110, serial-level traceability is mandatory for critical characteristics.

Supplier Management. How the Approved Supplier List is maintained, what the supplier evaluation criteria are, how re-evaluation works, how complaints and supplier response are handled. Defense addition: counterfeit parts prevention procedure — preventing counterfeit electronic components, especially for critical items.

Incoming Inspection. What's checked at receipt, against which parameters, in what sample size, how results are documented, how non-conforming batches are handled.

Non-Conformance Management and CAPA. NCR register, root cause analysis procedure (8D, Ishikawa, FTA — your choice), corrective action procedure, effectiveness verification. This is the block the auditor inspects in every second project — because in most manufacturers it's just formal.

Internal Audits. Annual audit program (plan), audit execution procedure, auditor competence requirements, report format. For AQAP 2110 — mandatory coverage of all processes within a 12-month cycle.

Management Review. Frequency (minimum once per 12 months), agenda, inputs (audit results, KPIs, CAPA, customer complaints), outputs (decisions, resources, objectives for the next period), minutes.

Change Management (product and documents). Procedure for introducing changes to design, technology, suppliers. A mandatory step is assessing the change's impact on quality and safety, getting approval, and informing the customer when needed.

Calibration Program. Measuring equipment register, calibration program, intervals, owners, what to do with overdue instruments, how to handle results obtained with an out-of-calibration instrument.

Level 3: Work instructions (operational documents)

The shift from "how we work systematically" to "how exactly a specific operation is performed." This level has the largest document count and sits closest to the operators. Depending on product complexity, the number of work instructions ranges from 20 (for simple production) to 100+ (for serial manufacturers of complex equipment). The owner of this level is process engineers and production heads.

Work Instructions. A step-by-step instruction for a specific workstation or operation. What, with what, in what sequence, at what parameters. Photographs or diagrams for critical steps are mandatory. The instruction must be written so a new operator, after a brief briefing, can perform the operation without errors.

Routing Cards / Travelers. Sequence of operations with equipment, tooling, control points, and expected results for each operation. For defense manufacturing, the traveler often also includes space for marking completion of each operation — becoming both a document and a record at the same time.

Control Plans. A systematic description of what, when, how and with what is inspected at each operation. For critical characteristics — frequency of inspection, method, instrument, acceptance limits, responsible party, action on deviation. The control plan is the bridge between manufacturing documentation and quality records.

Test Instructions. A separate group for products that go through testing (in defense, that's almost always). A detailed description of test conditions, sequence of actions, acceptance criteria, report format. For a UAV manufacturer these are flight test instructions. For an ammunition manufacturer — range firing test instructions.

Workplace Instructions. Workstation-specific documents: safety rules, tool layout, list of allowable deviations, first actions on a non-conformance. The most useful format is short visual cards that hang directly at the workstation and are updated together with the technology.

In practice, this is exactly the level where manufacturers economize the most — and then lose on the audit. The economy looks like "the engineer remembers, the operator knows, why bother writing." The auditor arrives, picks up a second-shift operator who's seeing the product for the first time after vacation — and in 5 minutes it's clear the instructions are missing. So the rule: every critical operation must have a current, operator-read, workplace-available instruction.

Level 4: Records (the largest volume)

The largest documentation level by volume. By file weight and number of units, records account for 80-95% of all manufacturer documentation. These aren't static documents — they're the trace of the quality management system's daily work. For an active defense manufacturer we're talking about hundreds of new records per year; for a serial producer — thousands. Owners are operators, inspectors, the quality department. But the auditor inspects this level most thoroughly — because it's the only proof the system doesn't only exist on paper.

Production Records. Operation execution journals (who, when, on what equipment), batch acceptance reports, completion marks on travelers. For serial production — records from equipment (logs of soldering stations, oven thermal profiles, test bench data). For AQAP 2110 these records must be retained for at least the product's life plus the warranty period.

Quality Control Records. Measurement reports (with actual values, not "within tolerance"), test results, conclusions about batch conformity, marks of deviations and how they were handled. Each record must be signed by an inspector and dated. Records without a signature and date don't exist in the auditor's eyes.

Traceability Records. Traveler cards for the product from the first operation to shipment. Serial numbers with a register in ERP or PLM. Linking of critical component batches to specific products. Without these records, the very idea of traceability is impossible.

Configuration Records. Configuration cards for each baseline product version, configuration change history, customer approvals of substantial changes. Details about configuration cards are in the next section, because this is an AQAP 2110-specific document.

CAPA Records. Non-conformance register for the full period (minimum last 12 months readily accessible), root cause reports in 8D or Ishikawa format, register of corrective actions with owners and deadlines, effectiveness verification records at 30/60/90 days.

Training Records. Orders authorizing operators for critical processes, training protocols with participant signatures and outcome scoring, competency matrix with last evaluation dates, qualification cards.

Internal Audit Records. Annual audit program, plans for specific audits, checklists, audit reports, register of non-conformances from audits, corrective action plans, records of execution verification.

Management Review Records. QMS review meeting minutes, input data presentations, management decisions with owners and deadlines, verification of decisions from the previous cycle.

Retention: for most records — minimum 10 years; for critical defense products — for the product's life plus 10 years after decommissioning. Electronic format is acceptable provided there's a backup procedure, role-based access control, and record integrity preservation. Baseline requirements for the AQAP series are formalized in public documents of the NATO Standardization Office and national publications by the Bundeswehr — for example, the Bundeswehr AQAP documents listing.

Need a tailored AQAP 2110 documentation package?

Free 30-minute session with documentation gap assessment and roadmap. Bureau Veritas partner in Ukraine.

Get consultation

AQAP 2110-specific documents (not in ISO 9001)

Manufacturers who already have ISO 9001 in place often think: "we already have everything, AQAP 2110 is the same standard plus a bit." That's partly true, but there are 7-8 documents that don't exist in ISO 9001 (or are described only superficially) and are mandatory in AQAP 2110. This is exactly where most companies coming from civilian manufacturing into the defense sector fail. For a deeper breakdown of the differences, see our AQAP 2110 vs ISO 9001 differences article.

Configuration Identification Card. A document for each baseline product version. Contains: configuration identifier, list of components with their versions and suppliers, technical characteristics, customer approval for critical changes. For a drone manufacturer it's a complete specification for a specific model linked to firmware and hardware revision.

Configuration Management Plan. A standalone plan, not just a procedure. Describes the entire configuration management system for a specific product or product family: how the baseline is defined, which changes require customer approval, how status accounting is maintained, how configuration audits are organized. A Configuration Management Plan template is available in IEEE 828 — you can adapt it.

Quality Plan. A document tied to a specific contract. Describes: customer-specific quality requirements, assigned personnel, control points, specific tests, frequency of customer reporting, format of documentation delivered with the product. Often a Quality Plan is a mandatory part of the contract's technical scope.

First Article Inspection Report (FAIR). A detailed report on the first product unit (or first batch) that has gone through the full production cycle. It confirms the technology is ready for serial production. The FAIR format is described in AS 9102 — in the defense sector it's often used outside aerospace too. Details about integration with AS systems are in our article on integration with AS 9100.

Counterfeit Parts Prevention Plan. A document about the system for preventing counterfeit components. Especially relevant for electronics and critical mechanical parts. Includes: approved sources list, authenticity verification procedure, suspicious batch handling procedure, counterfeit-recognition training for personnel.

NCR Registers Linked to Batch. Unlike ISO 9001, where the NCR log is general, in AQAP 2110 non-conformances must be linked to a specific product batch. This is needed so that if a defect is found in one unit, you can quickly understand whether other units in the same batch are affected.

Risk Register with Defense Categories. ISO 9001 requires risk-based thinking but doesn't name specific categories. AQAP 2110 adds defense-specific risks: use of COTS components (commercial, not military-grade), supplier risks (especially for critical components), regulatory change risks, cybersecurity risks of production infrastructure, downtime risks from supplier shortages.

DocumentISO 9001 requirementAQAP 2110 requirementWhy the difference
Product Configuration CardNot requiredMandatory for each baseline versionDefense customer has the right to know the exact configuration of each shipped unit
Configuration Management PlanNot requiredMandatory plan for products with changesDefense contracts run for years, configuration changes must be managed
Contract-Specific Quality PlanNot requiredOften mandatory per contractEvery defense contract has specific quality requirements that need to be captured
First Article Inspection ReportNot requiredMandatory for new productsFirst batch confirms the technology is ready for serial production
Counterfeit Parts Prevention PlanNot requiredMandatory for electronicsCounterfeits can critically affect military equipment reliability
NCR Linked to BatchGeneral NCR registerMandatory linkage to specific batchDefense recall must be fast and surgical
Defense Risk RegisterGeneral risk-based thinkingCategories: COTS, suppliers, regulations, cybersecurityDefense environment has risks absent from civilian manufacturing

Documentation mistakes that most often fail the audit

A list of mistakes from real customer audits and certification audits. Each of these shows up in at least half of the projects we've worked on over the last two years. Knowing them in advance can save you a rework cycle and prevent a lost contract.

1. Outdated documents — the version at the workstation differs from the one in the system. A classic. The foreman's desk has the 2024 instruction, the system has the 2025 version, and the engineer has been working off a verbal agreement with the shop manager for ages. The auditor walks up to the workstation, sees the date on the instruction, looks in the system — and immediately records a non-conformance. This is the mistake that trips up the most manufacturers, because it requires daily discipline: when you update a procedure, you physically remove all previous copies from workstations.

2. Records missing or signed retroactively. The auditor asks to see acceptance test reports for the last 6 months. Turns out the April-May records "got lost," and the ones that exist were obviously signed in the same handwriting on a single day. Retroactive signing isn't a mistake, it's falsification — and for a defense auditor that's fatal. Better to honestly say "we weren't recording this" than to backfill in retrospect.

3. Configuration card doesn't track actual changes. The card was created at the time of certification; since then there were 3 changes of electronics supplier and 2 firmware updates, but the card was never updated. The auditor pulls a specific shipped unit, looks at its actual configuration — and it doesn't match the card. Conclusion: there's no configuration management system, only the illusion of one.

4. Non-conformances closed without root cause investigation. The NCR register exists, but the "cause" field has the standard "operator error" or "material defect," and the "corrective action" field has "conducted additional briefing" or "changed supplier." The auditor asks: "what share of your NCRs over the past year was attributed to operator error?" If it's 80% — that means RCA isn't being done, and CAPA is just formal record-keeping. For more on inspection prep, see our MoD customer audit preparation article.

5. English documentation missing for the NATO customer. A manufacturer is preparing for an export contract with the Polish MON or Canadian DND; all procedures are in Ukrainian, key records too. The foreign auditor says "give it to me in English." The team spends weeks translating, the contract slips. If you're planning NATO-compatible supply, key documents (Quality Plan, Configuration Management Plan, FAIR, core procedures) must be ready in both languages at once — Ukrainian for internal use, English for foreign auditors.

For manufacturers just entering the defense sector, the most useful read is our article on drone manufacturer certification — it lays out the typical path. There's also our summary of the three core standards for quality in the defense industry. If your context is the broader defense industry with multiple product lines, documentation will be more complex, but the principles are the same.

The most critical documentation mistake

A discrepancy between document versions instantly destroys the auditor's trust in the entire system. If a 2024 instruction is at the workstation while the 2025 version sits in the electronic archive, the auditor concludes: "the document control system doesn't work." After that, every subsequent document gets double-scrutinized. So the rule: when you update a procedure, physically remove all previous copies from workstations and put up the new one. No exceptions, no "we'll swap it later."

FAQ — Common questions about AQAP 2110 documents

Answers to the questions that come up most often from quality managers and document controllers on initial calls. If your question isn't here — a consultation is free, and we'll add it to the next revision.

For budget and timeline planning across the full cycle, see our breakdown of AQAP 2110 certification cost. We usually start documentation work with a readiness diagnostic, then move into management system implementation, and finish with audit support. Ekontrol is a Bureau Veritas partner in Ukraine since 2014, with defense specialization since 2022.

Tags