
ERP for Aerospace & Defence: AS9100, ITAR Compliance and Component Traceability in 2026

Complete guide to ERP for aerospace and defence: AS9100D compliance, ITAR/EAR export controls, serial-level traceability, and vendor comparison — SAP, Oracle, Infor, IFS, Epicor.

Aerospace and defence tolerate zero traceability failures. An unidentified part on a turbofan engine, a component exported without ITAR verification, an incomplete First Article Inspection record for a Tier 1 supplier — the consequences range from losing certification to aircraft recalls, or even criminal prosecution under US law. In this sector, ERP is not a stock optimisation tool: it is a critical regulatory compliance system.

This guide analyses the ERP requirements specific to aerospace and defence, compares the leading solutions on the market, and provides a selection framework for Tier 2 and Tier 3 suppliers.

Why Aerospace & Defence Has Unique ERP Requirements

Safety Criticality: Zero Tolerance for Traceability Failures

In automotive manufacturing, a non-conformance detected in production causes a line stoppage and a delivery delay. In aerospace, the same non-conformance on a structural component, an actuator, or a hydraulic system can result in the loss of an aircraft and its passengers. This difference in criticality translates directly into requirements placed on information systems.

An aerospace ERP must be able to answer the following questions in real time:

  • Which raw material batch was used to manufacture this specific component?
  • Which operators performed each manufacturing step, using which calibrated equipment?
  • Did this component pass all its quality inspections — with what results, validated by which qualified inspector?
  • If a non-conformance is detected on an aircraft in service, which other aircraft contain components from the same batch?

This bidirectional traceability at the unit serial number level — not just by batch — is the minimum functional baseline to operate in this sector.
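The sketch below is an added example, not code from any ERP named in this guide. It shows the two directions of the trace on constructed as-built records: backward from a unit to its raw material batches, and forward from a suspect batch to the serials and aircraft that contain it. The `SN:`, `BATCH:` and `AC:` prefixes and all identifiers are assumptions made for the illustration.

```python
from collections import defaultdict

class Genealogy:
    """As-built records: each unit lists the serials and batches consumed to make it."""
    def __init__(self):
        self.consumed = defaultdict(set)  # parent -> items built into it
        self.used_in = defaultdict(set)   # item -> parents it was built into

    def record(self, parent, components):
        for item in components:
            self.consumed[parent].add(item)
            self.used_in[item].add(parent)

    @staticmethod
    def _walk(start, edges):
        # Iterative traversal so deep multi-level assemblies do not hit recursion limits.
        seen, stack = set(), [start]
        while stack:
            for nxt in edges.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def raw_batches(self, identifier):
        """Backward trace: material batches behind a serial or an aircraft."""
        return {n for n in self._walk(identifier, self.consumed) if n.startswith("BATCH:")}

    def affected(self, identifier, kind):
        """Forward trace: units ("SN:") or aircraft ("AC:") that contain the item."""
        return {n for n in self._walk(identifier, self.used_in) if n.startswith(kind)}

def build_sample():
    """Constructed data: brackets go into actuators, actuators go onto aircraft."""
    g = Genealogy()
    g.record("SN:BRK-0001", ["BATCH:TI-HEAT-77"])
    g.record("SN:BRK-0002", ["BATCH:TI-HEAT-77"])
    g.record("SN:BRK-0003", ["BATCH:TI-HEAT-91"])
    g.record("SN:ACT-0500", ["SN:BRK-0001", "BATCH:SEAL-12"])
    g.record("SN:ACT-0501", ["SN:BRK-0002", "BATCH:SEAL-12"])
    g.record("SN:ACT-0502", ["SN:BRK-0003", "BATCH:SEAL-13"])
    g.record("AC:TAIL-A", ["SN:ACT-0500"])
    g.record("AC:TAIL-B", ["SN:ACT-0501", "SN:ACT-0502"])
    return g

def containment(g, suspect_batch):
    """What quality needs when a batch is declared suspect: serials and aircraft."""
    return {
        "quarantine": sorted(g.affected(suspect_batch, "SN:")),
        "aircraft": sorted(g.affected(suspect_batch, "AC:")),
    }

if __name__ == "__main__":
    g = build_sample()
    print(containment(g, "BATCH:TI-HEAT-77"))
    print(sorted(g.raw_batches("AC:TAIL-B")))
```

In the sample, aircraft TAIL-B carries two actuators but only one of them traces back to the suspect titanium batch, which is the distinction batch-level records cannot make.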

Non-Negotiable Industry Standards

AS9100D is the reference quality management standard for the global aerospace industry, published jointly by the International Aerospace Quality Group (IAQG), SAE International, and BSI (AS9100D:2016, Quality Management Systems — Requirements for Aviation, Space, and Defense Organizations, SAE International). It extends ISO 9001:2015 with aerospace-specific requirements: operational risk management, configuration management, critical characteristics management, and supplier monitoring. Every Tier 1 supplier to Airbus, Rolls-Royce, BAE Systems, or Leonardo must hold AS9100D certification. This requirement is progressively cascading to Tier 2 and Tier 3 suppliers.

What AS9100D requires from an ERP:

  • Documented configuration management: every change to a part, bill of materials, or process must be versioned, authorised, and traceable in the system.
  • Critical characteristics management: parts with safety-related Key Characteristics require enhanced controls that the ERP must automatically trigger.
  • Formalised CAPA process: Corrective Action / Preventive Action must be managed in a documented workflow, with assigned deadlines and owners.
  • Supplier traceability: the ERP must integrate Approved Vendor List (AVL) qualifications and block procurement from uncertified or suspended suppliers.

DO-178C (DO-178C, Software Considerations in Airborne Systems and Equipment Certification, RTCA) defines software development requirements for safety-critical embedded systems. It does not directly affect a production ERP, but suppliers developing avionics equipment must demonstrate traceability between system requirements, code, and tests — which implies ERP/PLM integration.

MIL-STD-882E (MIL-STD-882E, Department of Defense Standard Practice — System Safety, US DoD) mandates system safety analysis on defence equipment. The ERP must be able to associate each component with its risk analysis results and safety requirements.

Export Controls: ITAR and EAR

ITAR (International Traffic in Arms Regulations, 22 CFR Parts 120–130, US Department of State) is the US regulation controlling the export of defence articles, technologies, and services. It is administered by the Directorate of Defense Trade Controls (DDTC) within the State Department.

What many IT leaders outside the US do not realise: ITAR applies to non-US companies the moment they handle, manufacture, or export articles or technologies listed on the United States Munitions List (USML), or incorporate components of US origin subject to ITAR. A UK precision engineering firm machining a part from a US-origin alloy or process technology may be subject to ITAR even without a single American customer.

EAR (Export Administration Regulations, 15 CFR Parts 730–774, US Department of Commerce, BIS) covers exports of dual-use technologies — civil and military. Its scope is broader than ITAR and encompasses everything from telecommunications equipment to composite materials used in civil aviation.

What an ERP must do for export control compliance:

  1. Automated third-party screening: every customer, supplier, broker, and end recipient must be verified in real time against sanctions and restricted entity lists (Denied Parties List, Entity List, OFAC SDN List). Manual periodic checks are not enough — a company can be added to a sanctions list between two reviews.
  2. Export licence management: the ERP must associate applicable export licences to each order, track their validity, and block shipments if a licence has expired or is insufficient.
  3. Technical data access audit trail: ITAR mandates controls on who accesses technical data subject to the regulation. The ERP must maintain an immutable audit log of all access to ITAR-controlled BOMs, drawings, and specifications.

ITAR Data Hosting: A Cloud Imperative

ITAR-controlled data cannot legally be hosted outside US territory without a specific export authorisation (Technical Assistance Agreement or Manufacturing License Agreement). For European companies using a SaaS ERP hosted in the US or in Europe, data residency is a critical question.

In the UK and across the EU, companies working on classified defence programmes may be subject to sovereign data hosting requirements. UK defence suppliers operating under MOD classified contracts typically need UK-hosted infrastructure. In France, defence-related data may fall under SecNumCloud certification requirements (ANSSI, SecNumCloud v3.2 framework), mandating that data be hosted and administered exclusively within France, outside the reach of US extra-territorial laws (Cloud Act, FISA).

Configuration Management: Tracking Revisions Across 40 Years

An Airbus A320 remains in service for 25 to 30 years. A military aircraft can exceed 50 years of active service (the B-52 is the extreme example). Over that lifespan, the BOMs, drawings, and specifications for parts evolve dozens of times. Configuration management means knowing at all times the exact state of every aircraft in service: which part revisions it carries, which modifications have been incorporated, and which documented deviations exist from the reference configuration.

This capability is absent from most general-purpose ERPs. It requires tight integration between the ERP, the PLM (Product Lifecycle Management) system, and the MRO (Maintenance, Repair & Overhaul) platform.

Critical ERP Capabilities for Aerospace & Defence

Serial-Number Traceability (SN) and First Article Inspection (FAI)

Unlike other industries where batch-level traceability suffices, aerospace requires traceability at the individual serial number level. Each part receives a unique identifier that follows it throughout its life: manufacturing, inspection, installation on an aircraft, maintenance, removal, scrapping, or re-certification.

First Article Inspection (FAI) is the process by which a supplier demonstrates, on the first article produced in a series, that its process meets the customer’s requirements. The standard AS9102B (First Article Inspection Requirement, SAE International) defines the content and format of FAI reports. The ERP must automatically compile the FAI dossier from production data, inspection results, and material certificates.

Non-Conformance Management and Integrated AS9100 CAPA

The non-conformance management module must be native to — or deeply embedded in — the ERP, not a separate add-on. It must manage:

  • creation of a non-conformance from a production order or quality inspection, with automatic identification of affected parts and batches;
  • automatic quarantine of suspect parts;
  • a CAPA workflow with assigned owners, mandated deadlines, and documented evidence of effectiveness;
  • long-term archiving of non-conformance records (minimum 10 years in aerospace, often the full aircraft service life).

See our full guide on quality management and CAPA in ERP for detailed functional requirements.

Approved Vendor List (AVL) Management

The AVL is the list of suppliers qualified for each part reference. In aerospace, purchasing raw material or a component from a supplier not on the AVL is a major non-conformance — even if the product is technically identical. The ERP must:

  • automatically block purchase orders to suppliers not qualified for the relevant reference;
  • notify quality managers when a supplier approval is approaching expiry;
  • track supplier quality audits and surveillance results.

PLM Integration and Technical Revision Management

The ERP alone is not enough: it must interface with the customer’s PLM (Teamcenter at Airbus and Boeing, ENOVIA at Dassault Systèmes, NX Teamcenter at Rolls-Royce) to receive BOM and drawing revisions. This integration is the digital thread ensuring the production ERP always works from the latest authorised revision of a part.

Aerospace & Defence ERP Landscape

SAP S/4HANA Defense & Security: The Choice of Prime Contractors

SAP offers a dedicated vertical for defence and aerospace — SAP Defense & Security — built on S/4HANA. It is used by prime contractors and large groups including Airbus, Thales, BAE Systems, and Leonardo. The solution natively covers government project management, phase-based cost control (earned value management), configuration management, and integration with Integrated Logistic Support (ILS) systems.

Strengths: comprehensive functional coverage; ITAR and EAR compliance through the SAP GTS (Global Trade Services) module for automatic third-party screening; native integration with SAP PLM and SAP MII for shopfloor connectivity.

Limitations: licence and integration costs are prohibitive for SMEs and mid-market companies (S/4HANA A&D projects typically start at several million euros); complex parameterisation; heavy dependency on specialist SAP partners.

Target profile: prime contractors, large groups with revenue above £500M, companies already in the SAP ecosystem.

Oracle Cloud ERP Aerospace & Defense Edition

Oracle offers a specialised edition of its Cloud ERP for the A&D sector, used by Lockheed Martin and Dassault Aviation among others. It integrates defence project management with earned value management, government contract management (FAR/DFARS compliance for US government contracts), and advanced traceability.

Strengths: advanced project planning engine; government budget allocation management; ITAR compliance via the Oracle Export Management module.

Limitations: solution primarily designed for the North American market (FAR/DFARS standards); more limited adoption in Continental Europe; high cost.

Target profile: companies with government defence contracts; organisations with FAR/DFARS reporting obligations.

Infor CloudSuite Aerospace & Defense: The Mid-Market Leader

Infor CloudSuite Aerospace & Defense, built on the Infor LN ERP (formerly BAAN LN), is the reference solution for mid-market aerospace subcontractors. It is used by hundreds of Tier 1 and Tier 2 suppliers across Europe and North America.

Strengths: native serial-number traceability; integrated FAI module (automated First Article Inspection from the production order); advanced configuration management with links between BOMs and technical revisions; integrated ITAR/EAR export control module (automatic denied-party screening); AS9100 non-conformance and CAPA management; native interface with Teamcenter and Catia for the digital thread.

Limitations: SaaS hosting raises data residency questions for companies subject to UK OFFICIAL-SENSITIVE or French SecNumCloud requirements; user interface undergoing modernisation.

Target profile: Tier 1 and Tier 2 suppliers, mid-market companies with 200 to 3,000 employees, organisations with AS9100D and ITAR requirements.

IFS Cloud: The MRO and Military Maintenance Reference

IFS Cloud is particularly recognised for its MRO (Maintenance, Repair & Overhaul) capabilities and is used by numerous airlines, armed forces, and military maintenance subcontractors. Rolls-Royce, UK MOD, and defence forces in Australia and the Nordic countries have chosen IFS for fleet management and sustainment supply chain.

Strengths: airworthiness management; full maintenance history tracking per aircraft; integration of Service Bulletins and Airworthiness Directives; CAMO (Continuing Airworthiness Management Organisation) management; very strong military MRO coverage.

Limitations: less depth in discrete aerospace manufacturing than Infor A&D; the product is oriented towards MRO rather than production.

Target profile: MRO subcontractors, military maintenance companies, fleet managers, sustainment logistic operators.

Microsoft Dynamics 365 with A&D Extensions

Microsoft Dynamics 365 Finance + Supply Chain Management is not a native A&D solution, but specialist integrators — including Sunrise Technologies — have developed sector-specific extensions for aerospace. The solution benefits from native integration with the Microsoft ecosystem (Azure, Power BI, Teams) and ITAR screening via connectors to specialist solutions (Amber Road, Visual Compliance).

Strengths: rapid adoption thanks to the familiar Microsoft interface; more accessible licensing costs; Power BI integration for AS9100 reporting.

Limitations: the A&D layer is not native but added through partner extensions, creating maintainability risk for customisations; serial-number traceability and configuration management are less mature than Infor or IFS.

Target profile: aerospace manufacturing SMEs (20 to 200 employees), companies already in the Microsoft ecosystem, Tier 3/4 suppliers with AS9100 requirements but without complex ITAR constraints.

Epicor Kinetic: The Tier 3 and Tier 4 Choice

Epicor Kinetic (formerly Epicor ERP) is positioned for discrete manufacturing SMEs, including Tier 3 and Tier 4 aerospace subcontractors. It offers serial-number traceability, quality modules with non-conformance management, and CAD tool integration.

Strengths: faster deployment than SAP or Infor; accessible licensing for SMEs; modernised interface (cloud-native since Epicor Kinetic); solid traceability level for Tier 3/4.

Limitations: basic ITAR/EAR module (often requires a third-party tool for screening); limited configuration management compared to A&D specialists; weak MRO coverage.

Target profile: Tier 3 and Tier 4, SMEs with 20 to 300 employees, mechanical subcontractors without direct ITAR obligations.

2026 Solution Comparison

| Solution | Target Size | Native AS9100 | ITAR/EAR Module | Unit SN Traceability | MRO / Airworthiness |
|---|---|---|---|---|---|
| SAP S/4HANA Defense & Security | Large enterprise £500M+ | Yes (heavy config) | Yes (SAP GTS) | Yes | Partial (via PM) |
| Oracle Cloud ERP A&D Edition | Mid-market & enterprise | Yes | Yes (Export Mgmt) | Yes | Partial |
| Infor CloudSuite A&D | Mid-market 200–3,000 employees | Yes (native) | Yes (native) | Yes (native) | Partial |
| IFS Cloud | Mid-market & enterprise | Yes | Via partners | Yes | Excellent (native) |
| Microsoft D365 + A&D extensions | SME 20–200 employees | Via extensions | Via connectors | Yes | Limited |
| Epicor Kinetic | SME 20–300 employees | Partial | Via third party | Yes | Weak |

ITAR in Practice: What Your ERP Must Be Able to Do

Automatic Screening Against Sanctions Lists

The DDTC maintains a list of restricted entities for arms exports. The BIS publishes the Entity List and the Denied Persons List. OFAC maintains the SDN List (Specially Designated Nationals). These US lists are complemented by EU Council sanctions lists and UK OFSI asset freeze lists.

An ITAR-compliant ERP must automatically verify every customer, supplier, broker, and ultimate end user against all of these lists — at each entity creation and at each order. A periodic manual check is insufficient: a company can be added to a sanctions list between two reviews.
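The following added example (not code from any vendor discussed here) sketches a shipment release gate covering both this screening requirement and the export licence check listed earlier: parties are re-screened against the list as it stands at shipment time, and the licence is checked for expiry, destination and remaining quantity. All names, the licence fields and the reading of "insufficient" as destination or quantity are assumptions; production screening also needs alias and fuzzy matching, which exact matching on normalised names does not provide.

```python
import unicodedata
from datetime import date

LEGAL_SUFFIXES = {"ltd", "limited", "inc", "llc", "gmbh", "sarl", "co"}

def normalise(name):
    """Fold accents, case, punctuation and legal suffixes before comparing names."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    words = "".join(c if c.isalnum() else " " for c in text).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)

def screen(parties, restricted):
    """Return the order parties whose normalised name is on the restricted list."""
    blocked = {normalise(n) for n in restricted}
    return [p for p in parties if normalise(p) in blocked]

def licence_problems(order, licence, today):
    """Assumed meaning of 'expired or insufficient': date, destination, quantity."""
    if licence is None:
        return ["no export licence attached"]
    problems = []
    if today > licence["expires"]:
        problems.append("licence expired")
    if order["destination"] not in licence["destinations"]:
        problems.append("destination not covered")
    if licence["shipped_qty"] + order["qty"] > licence["authorised_qty"]:
        problems.append("authorised quantity exceeded")
    return problems

def release_shipment(order, licence, restricted, today):
    """Run at shipment time against the current list, not the one seen at order entry."""
    reasons = [f"restricted party: {p}" for p in screen(order["parties"], restricted)]
    reasons += licence_problems(order, licence, today)
    return (not reasons), reasons

# Constructed sample data: fictional parties, licence and list snapshots.
ORDER = {"parties": ["Northfield Avionics Ltd", "Fictiónal Brokerage, Ltd.",
                     "Example Air Wing"],
         "destination": "NO", "qty": 30}
LICENCE = {"expires": date(2026, 6, 30), "destinations": {"NO", "SE"},
           "authorised_qty": 100, "shipped_qty": 70}
LIST_AT_ORDER_ENTRY = ["Placeholder Holdings Inc"]
LIST_AT_SHIPMENT = ["Placeholder Holdings Inc", "FICTIONAL BROKERAGE LIMITED"]

if __name__ == "__main__":
    print(release_shipment(ORDER, LICENCE, LIST_AT_ORDER_ENTRY, date(2026, 5, 1)))
    print(release_shipment(ORDER, LICENCE, LIST_AT_SHIPMENT, date(2026, 7, 2)))
```

The same order passes at entry and is blocked at shipment, because the broker was added to the list and the licence lapsed in between.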

Controlling Access to ITAR Technical Data

ITAR mandates that access to regulated technical data (drawings, specifications, classified manufacturing processes) be controlled and documented. In an ERP, this translates to:

  • BOM and technical document access rights restricted to cleared personnel;
  • an immutable (tamper-proof) audit log of all access to ITAR-controlled data;
  • nationality-based access controls (certain ITAR data may only be accessible to US nationals or holders of a specific licence).
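As an added illustration (not code from any ERP covered in this guide), the three controls above can be combined so that every access attempt, allowed or denied, is decided by one policy function and written to a hash-chained log. The user and document fields, the licence set and the policy order are assumptions. A hash chain makes tampering detectable rather than impossible, so the head hash must be kept outside the ERP (for example on write-once storage) for truncation or a full rewrite to be caught.

```python
import hashlib
import json

GENESIS = "0" * 64

def _link(prev_hash, entry):
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only log; each record commits to the hash of the previous one."""
    def __init__(self):
        self.records = []

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"entry": entry, "prev": prev, "hash": _link(prev, entry)})
        return self.records[-1]["hash"]  # head hash: keep a copy outside the ERP

    def verify(self, trusted_head=None):
        """Return None if intact, else the index where the chain first breaks."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != _link(prev, rec["entry"]):
                return i
            prev = rec["hash"]
        if trusted_head is not None and prev != trusted_head:
            return len(self.records)  # self-consistent but truncated or rebuilt
        return None

def decide(user, doc, licensed):
    """Assumed policy: clearance first, then nationality or a named licence."""
    if not doc["itar"]:
        return True, "not ITAR-controlled"
    if not user["cleared"]:
        return False, "not cleared"
    if user["us_national"]:
        return True, "cleared US national"
    if (user["id"], doc["id"]) in licensed:
        return True, "cleared, named on licence"
    return False, "cleared, no licence for this document"

def open_document(log, user, doc, licensed, ts):
    """Log every attempt, denials included, before returning the decision."""
    allowed, reason = decide(user, doc, licensed)
    log.append({"ts": ts, "user": user["id"], "doc": doc["id"],
                "allowed": allowed, "reason": reason})
    return allowed

def demo():
    """Constructed users and drawing, not real data."""
    log = AuditLog()
    drawing = {"id": "DRW-1001", "itar": True}
    users = [
        {"id": "alice", "cleared": True, "us_national": True},
        {"id": "bruno", "cleared": True, "us_national": False},
        {"id": "chloe", "cleared": True, "us_national": False},
        {"id": "dave", "cleared": False, "us_national": True},
    ]
    licensed = {("chloe", "DRW-1001")}
    return [open_document(log, u, drawing, licensed, f"2026-01-05T09:0{i}:00Z")
            for i, u in enumerate(users)], log
```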

Cloud Implications for ITAR Data

ITAR data cannot legally be hosted outside US territory without a specific export licence. For companies using a SaaS ERP hosted in the US or Europe, the following configurations are viable:

  • US-hosted ERP with ITAR data localisation: ITAR data is stored on US servers, administered exclusively by US nationals. Some SaaS solutions offer dedicated ITAR-compliant environments.
  • On-premises or sovereign hosting: for companies subject to national defence hosting requirements (UK MOD classified contracts, French DGA programmes), a sovereign cloud or self-hosted infrastructure is the only option compatible with applicable regulations.

Selection Criteria for Tier 2/3 Suppliers

When evaluating ERP solutions for a mid-market aerospace subcontractor, six criteria should be assessed as a priority:

1. Native AS9100D coverage: does the ERP natively cover AS9100 (configuration management, critical characteristics, CAPA, FAI) — or does it require parameterising generic functions? Heavy configuration creates technical debt and risk with every version upgrade.

2. Integrated ITAR/EAR module: is denied-party screening native, with automatic list updates? Or does it require a third-party connector (Visual Compliance, Amber Road, Descartes Denied Party Screening)?

3. Unit serial-number traceability: does the ERP manage traceability at serial-number level (not just by batch), including purchased items, manufactured sub-assemblies, and finished products?

4. PLM integration: does the ERP have certified connectors with the customer’s PLM (Teamcenter, Catia/ENOVIA, NX) to receive BOM and technical revision updates?

5. Automatable FAI module: can the FAI dossier be assembled automatically from production and quality control data, in AS9102B format?

6. Hosting and data residency: where is the data hosted? Can the vendor provide hosting compliant with UK OFFICIAL-SENSITIVE, EU sovereign cloud, or French SecNumCloud requirements for defence contracts?

Implementation Roadmap: 5 Specifics of Aerospace ERP Deployment

1. Validate ITAR cloud compliance before signing anything. Before committing to a SaaS vendor, obtain written confirmation of data location, security accreditations (FedRAMP for US vendors, CyberEssentials Plus / ISO 27001 for UK, SecNumCloud for French defence market), and nationality-based access control procedures.

2. Involve the Quality Manager and CISO from day one. An aerospace ERP is as much a quality system as it is a management tool. The Quality Manager validates AS9100 requirements; the CISO validates ITAR access control requirements. Both functions must be in the project team from the outset.

3. Plan a documentary AS9100 validation phase. Going live with an aerospace ERP requires documentary qualification: ERP-related quality procedures must be validated, operator and inspector training documented, and acceptance test results archived. This phase is routinely underestimated and can add 3 to 6 months to a project.

4. Migrate at least 10 years of traceability history. Airworthiness requirements mandate that traceability records be kept for the full service life of the aircraft. When migrating to a new ERP, the migration of existing traceability data (serial numbers, quality inspections, material certificates) is a critical workstream. Allocate dedicated quality resources for it.

5. Train quality teams first — non-conformance and CAPA modules before anything else. Shop-floor adoption of quality modules is often the deciding factor between success and failure in an aerospace ERP implementation. A CAPA module unused by operators creates a false sense of AS9100 compliance while letting non-conformances propagate unchecked.

Conclusion: Choose an ERP That Speaks Aerospace

Aerospace and defence is the only sector where an inadequate ERP can expose company directors to criminal liability — through an undetected ITAR violation or a traceability failure on a safety-critical component. For Tier 2 and Tier 3 suppliers, the choice between Infor CloudSuite A&D, IFS Cloud, Microsoft Dynamics 365 with extensions, and Epicor Kinetic must be driven by the complexity of ITAR obligations, the required depth of configuration management, and the data sovereignty constraints imposed by prime contractors.

To go deeper on quality requirements, see our CAPA and non-conformance management in ERP guide and our analysis of ERP in the automotive industry and its parallels with aerospace.

To validate an adoption hypothesis, start with a 3-month proof of concept on a single target process (component traceability, CAPA, or ITAR screening). Typical budget: £12,000 to £25,000. Output: a Go/No-Go decision backed by concrete data — not a spreadsheet full of vendor promises.