Product Development for the Defense Market – Do Not Forget ITAR and EAR
The defense market offers commercial electronics suppliers compelling reasons to expand focus: additional revenue from same or variant products, longer customer contracts and diversification to cushion against commercial market swings. However, commercial companies should consider the added complexity of regulatory compliance and product lifecycle differences from the commercial market when considering how to adjust their product development processes for the defense market.
ITAR and EAR Compliance
Most product design and manufacturing companies in the defense market provide products subject to export regulations (see Figure 1), the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). This article provides an overview of the basic requirements for compliance, with the caveat that ITAR and EAR regulations are complex, and Arena Solutions is not offering legal advice or counsel for any reader. This article is not intended to supersede a company’s or individual’s responsibilities to understand and comply with the regulations.
The ITAR and EAR regulations govern the export of products to foreign countries and, perhaps more complex, they govern the technical data associated with the products, requiring an export license prior to disclosure to a foreign national. The full list of products governed by ITAR and EAR ranges from fabrics, tactical uniform gear and mechanical components to RF arrays, wireless platforms, antennas, radars, avionics systems and all things aerospace. If a product falls into the regulated space, processes, people and systems need to be in place to ensure regulatory compliance - regardless of the industry space, product volumes, timelines and product complexity.
Beyond export licenses for products, the regulations stipulate that any technical data controlled by ITAR or EAR be under export control, meaning technical data must not be exported at any point during design, production or any sustaining activities unless authorized by an export license. Practically, this means ITAR and EAR-regulated data must remain in the U.S. and only be accessible by U.S. persons. Data in transit or “at rest” must be encrypted, and access to any platform containing regulated product data must be controlled and restricted to U.S. persons.
These regulations ensure companies control all regulated technical data, including what is referred to as controlled unclassified information. The registered manufacturer defines what technical data in the product record is under export control, based on the product, how the government classifies the product and the particulars of the product of interest to the U.S. government. Depending on the circumstances, technical data can include file names, component descriptions, engineering drawings, specifications, test procedures and bills of materials. All restricted data must be controlled, including the standard policies and procedures for access, audit history and incident reporting. Access includes any method of access: via any operating system and any application, including access by IT to assist and maintain the systems where restricted data is stored. It specifies that all methods of sharing information be controlled, such as email, faxes and physical delivery.
Clearly, complying with these stringent regulations without sacrificing business agility can be an unwanted challenge for manufacturers.
The product development processes for commercial and defense products share much in common. Conceptually, teams take an idea from concept through design and test to validation, followed by new product introduction, production and support. Irrespective of the market, business concerns include cost, quality, time to market and supply chain logistics. For defense systems, the product development process needs to consider the following four areas and how they impact product development decisions: accountability, product lifecycle timing, product priorities and supplier qualification and management.
Accountability - The defense industry’s accountability burdens include ITAR or EAR export controls and the compliance programs and underlying policies to meet the regulations. Not everyone knows this also means customer audits for products, processes and systems, as well as financial aspects and supplier investigation. Some manufacturers pursue ISO 9001 and AS9100 certifications for competitive advantage or to gain customer contracts, which require additional audits. The environment is constantly changing, and programs, contracts and processes need to change to ensure compliance. Most companies entering the defense market find they need to expand team resources, which includes adding compliance specialists to help ensure the company meets regulatory and contractual customer requirements.
Product Lifecycle Timing - In the defense industry, the overall product lifecycle is longer than in commercial markets, largely due to the size and complexity of the end product. Products may fit into a much larger system or platform, such as an aircraft, navigation system, satellite, ground station or launch platform. Negotiations and design review approvals with the customer are typically slower. For export-controlled products, attention should be paid to the length of the product development, testing and production schedule, with obsolescence and serviceability top concerns. Teams should plan for the “natural” obsolescence of components during the longer life of the product, building in flexibility and tactics to address serviceability.
Product Priorities - As noted, defense products tend to be in service far longer than commercial products. Therefore, teams may need to weigh product design priorities differently than in a purely commercial business. Quality and serviceability become more important, as well as integration with any subsystems. With controlled technical data, expect more design review boards and more back and forth - not only with the customer and supply chain, but also subassembly suppliers and, potentially, the end customer.
If products are intended for dual markets, consider how to allow for these differences within the product development timelines for the defense market deliverables. Depending on the extent of both product and process variances for defense customers, the dual market product might be better split into separate product lines, one for each market.
Supplier Qualification and Management - With the long serviceability and planned part obsolescence, coupled with the export control requirements of the product and controlled technical data, supplier qualification requires attention (see Figure 2). Regulated requirements need to flow down to supply chain partners that may not be regulated, so closed-loop quality and change processes with security are required. Potential supply chain vulnerabilities occur every time designs or parts change hands. Plan for this in the company’s standard operating procedures (SOP) and ensure the systems and tools support compliance to these SOPs.
Tools for Defense Product Lifecycle Management
Those new to the defense market will likely establish teams and processes to address these four concerns. Equally important, companies should consider the systems used to manage product data throughout the product lifecycle. Remember, export-controlled data requires secure handling. ITAR and EAR regulations are complex and often contain cross-references to other regulations and standards, which may not be applicable for certain situations. As such, company management should confer with compliance officers and legal counsel to determine:
- If registration is required for ITAR, EAR or both (see Figure 3).
- What specific product data is under export control.
- Which requirements above and beyond specific regulations must also be met.
With any system solution, companies must determine how the regulations are being met, with a responsible owner assigned for each regulation requirement. This is critical, as solutions vary in approach and extent of meeting requirements. Tools which are used to support defense product development processes include (see Figure 4):
- Desktop applications, such as spreadsheets.
- Local or shared file servers and FTP sites.
- Homegrown databases.
- Industry-provided, on-premise product lifecycle management (PLM) systems.
- Commercial cloud (SaaS) PLM systems.
- Government-grade, secure cloud (SaaS) PLM systems.
While homegrown solutions such as desktop apps, spreadsheets and local file servers can suffice for a time, none of these enable scaling the business or optimizing processes across a business. Most were not designed to adequately address security and the location-based restrictions imposed by federal regulations; they create compliance risks with cost implications following a problem.
A dangerous assumption is if information is stored, accessed and collaborated on-site - within a LAN, WAN or VPN network - the company is complying with most ITAR and EAR regulations, because everything is “local.” This is not true. Regulations require demonstration of compliance regardless of where the solution resides.
The list of security elements to consider and evaluate is lengthy: handling printed drawings sitting on an engineer’s desk to digital files on an internal file server to uploaded data in an on-site system or a cloud application. Exporting controlled technical data can still occur within the U.S. if the data is transmitted or shared with foreign nationals in any form or format, whether oral, written, physical observation, paper, email, phone, fax or application.
Supporting Design Collaboration
Everyone working in product development talks about the importance of collaboration, as it is one of the primary ways to improve quality. Industry analysts, customer surveys and institutional research indicate that the opportunity for the most quality improvement occurs in design, the first part of the product’s life,1 and poor design quality most often occurs due to lack of collaboration on design requirements and issues found during product development.2
Given the longer lifecycle of most defense products, communication among the teams, availability and transparency of product data and a complete and auditable history of the product record are all necessary. Most defense products will outlast the individual team participants and any partner relationships.
When considering a solution for defense PLM, security controls must take the highest priority. However, do not stop there. Evaluate options to get the most collaboration capability and functional scope possible. Modern systems can provide more capability to support compliance with regulations, while producing the best products for customers - whether commercial or defense.
- S. Dowlatshahi, “Purchasing’s Role in a Concurrent Engineering Environment,” International Journal of Purchasing and Material Management, Vol. 28, No. 2, 1992, pp. 21–25.
- Y. Zhu, R. Alard, J. You and P. Schönsleben, “Collaboration in the Design-Manufacturing Chain: A Key to Improve Product Quality,” 2011, 10.5772/18694.