



PAGE 1 (31)

Company Confidential

Approved 4.0

Nokia Supplier Requirements

Global Directive

Approver: CMO, NET & INS Sourcing Management
Creator: NSR Update Facilitators and Task Force
Status: Approved
Document ID CMO: NQY00067
Document ID NET: 6-88865


This document is proprietary to Nokia and contains Nokia confidential information. It may only be delivered to Nokia Suppliers after Nokia’s NDA or another comparable confidentiality agreement is signed between Nokia and the Supplier. Suppliers must treat this document as confidential Nokia material and distribute it only within their organization to personnel who are bound to maintain its confidentiality and then only on a need-to-know basis.

Status Handled by Proposal P Hansen

Comments Proposal for management implementation decision

Clarification of requirements with CMO Legal CMO S&P Head Approval

INS Indirect Sourcing Approval Sign Off reviews

Final wording & previewed by CMO Comms

Change History:

Vsn Date
3.90 25-09-2006
3.91 11-12-2006 Proposal P Hansen
3.92 14-12-2006 Approve
3.93 04-01-2007 Approve
3.94 17-01-2007
4.0 19-03-2007 Approve V Taipale

Approved by:


04-10-2006 14-12-2006 04-01-2007

Business Owner NET Sourcing Board

Jean-Francois Baril CMO Global Sourcing & Procurement Graham England INS Indirect Sourcing

Copyright © 2006 Nokia Corporation




INTRODUCTION
1. MANAGEMENT RESPONSIBILITY
2. MANAGEMENT SYSTEM ELEMENTS
3. HUMAN RESOURCE MANAGEMENT
4. ENVIRONMENTAL MANAGEMENT
5. RISK MANAGEMENT
6. CORPORATE SECURITY
7. INTELLECTUAL PROPERTY RIGHTS AND LIABILITY
8. PRODUCT SAFETY, SECURITY AND LIABILITY
9. PRODUCT LIFE CYCLE MANAGEMENT
10. PROGRAM QUALITY PLANNING
11. PRODUCT DEVELOPMENT
12. SUPPLIER MANAGEMENT AND PURCHASING
13. MANUFACTURING PROCESS DESIGN AND DEVELOPMENT
14. DEMAND / SUPPLY MANAGEMENT
15. MATERIALS CONTROL
16. PRODUCTION PROCESS MANAGEMENT
17. INSPECTION AND TEST MANAGEMENT IN PRODUCTION
18. PRODUCT MAINTENANCE, CARE AND END-OF-LIFE MANAGEMENT





The purpose of the Nokia Supplier Requirement (NSR) is threefold:

Firstly: to communicate Nokia’s supplier requirements to potential and existing suppliers in Nokia’s supply chain and to other relevant stakeholders.

Secondly: as the basis for supplier qualification and business risk analysis.

Thirdly: as the basis for continuous Supplier development and improvement.

The NSR shall apply to any direct or indirect product or service provided by Supplier to Nokia Corporation.

Structure and link to Agreement

The requirements are defined in the following eighteen (18) sections; each containing a number of sub-requirements. Unless otherwise stated below the Supplier shall comply with all requirements specified in this NSR.

Certain requirements are written in italics, which indicates a recommended practice and shall be binding on Supplier as a requirement only if so agreed between the Supplier and Nokia in a supply agreement or otherwise (the Agreement).

Nokia and the Supplier may agree in writing that some of the mandatory requirements will not be applied to the Supplier because of the scope of the Supplier’s business.

The Supplier shall at all times be responsible for compliance with the NSR in order to continuously improve Nokia’s business capabilities, performance and competitiveness. This responsibility also applies to Supplier’s sub-contractors and other sub-suppliers in Nokia supply chain. Upon request, Supplier shall demonstrate to Nokia its conformance with the NSR and the effective operations of Supplier’s management systems. The Supplier shall make all necessary management system enhancements to account for changes to the scope of its business with Nokia.

Supplier shall report to Nokia immediately in writing any material deviations or shortcomings in its ability to comply with the NSR.

NSR Assessment and verification

Nokia shall have the right to verify the Supplier’s compliance with the NSR, and the Supplier shall provide Nokia with all necessary support and access to its own and its sub-contractors’ and sub-suppliers’ premises, as well as to relevant documentation, as may be necessary to verify such compliance.

The Supplier’s conformance to these requirements shall be verified as necessary by means of Supplier surveys, Supplier self-appraisals, and/or assessments done by Nokia or third party. Nokia shall in its sole discretion determine the applicable verification method(s) based on Nokia’s business risk analyses.

In order for a Supplier to pass the NSR Supplier Assessment and receive an assessment of “accepted”, all applicable requirements shall be fulfilled to Nokia’s satisfaction; otherwise the result shall be deemed “not accepted” and Supplier shall not pass the Supplier Assessment.


In the case of a “not accepted” result, the Supplier must provide to Nokia a Corrective Action Plan (CAP) as soon as reasonably possible for Nokia’s review and approval. The Supplier shall implement the approved CAP within the agreed time and submit a Corrective Action Report (CAR) to Nokia when everything has been corrected. CAR may be sufficient proof of the implementation of the actions only if so accepted by Nokia; otherwise, a partial on-site corrective action verification assessment may be required.

Nokia will inform the Supplier in writing about the assessment result and subsequent acceptance of CAP, CAR and non-conformance removal.

Additional information

Additional information for direct material suppliers is available at NGSW (Nokia Global Supply Web), which contains the Supplier Manual with a detailed set of requirements for such suppliers. Access to the NGSW Supplier Manual, further information or clarification of these NSRs is available to all suppliers by contacting their Nokia representative.

Nokia may issue new versions of NSR. Such versions shall replace this document when they have been communicated to the respective Supplier.




This chapter specifies requirements regarding Supplier’s business visions, goals, policies and strategies, guiding policies and the processes, guidelines and practical arrangements that management has implemented to ensure that the visions and goals can be achieved. [ISO9001, ISO14001 and SA8000 related requirements]

1.1 Business vision and strategy

Supplier shall have an understanding of the current status of the company and its business environment, a vision of where management would like the company to be in the future and a strategy on how to develop the company in line with the vision. Management shall have an appropriate plan showing how to achieve the vision and the strategic objectives.

1.1.1 Strategy process

Supplier should have a strategy process for creation, cross-organizational sharing, communication and efficient implementation and follow-up of its strategy. The strategy process should involve key stakeholders from the organization as needed for jointly agreed targets and commitments.

The strategy process should be based on a proper analysis of business environment, competition and value chain, to capture key (internal and external) stakeholders, as well as key business opportunities and related risks.

1.1.2 Stakeholder analysis

The strategy process should include a stakeholder analysis to identify and analyze key (internal and external) stakeholders in Supplier’s business value chain (to identify key business opportunities and the risks involved in these opportunities).

1.1.3 Business intelligence

The strategy process should include business intelligence activities to identify and analyze the competition in Supplier's business value chain (to identify business visions, scenarios, strategic options and related business opportunities and risks).

1.2 Strategy communication, implementation and follow-up

Supplier shall set targets for communication, implementation and follow-up of the strategy.

1.2.1 Strategy based targets and rewards

Key strategic targets should be linked to management incentives, with matching actions and metrics for efficient follow-up.

1.2.2 Business opportunity based risk management

Supplier should use business opportunity based risk management to identify gaps (such as quality, process, capacity or competence gaps) against the chosen strategy.

1.3 Business metrics and controls

Supplier shall have a set of Key Performance Indicators (KPIs) and a monitoring and control system giving management visibility on the progress towards the key strategic targets. The system shall cover all relevant strategic targets and views, from different parts of the organization, in a balanced manner.

1.3.1 Measurement, analysis and improvement management

Supplier shall have a system for measurement, analysis and management of improvement that includes its business models and relevant stakeholder views [ISO9001].




Product and service performance related metrics

Supplier shall have quality or performance related metrics applicable to the product or service delivered to Nokia. An agreement on how to monitor an agreed subset of these metrics and a definition of alarm limits should be included in the Agreement.


1.3.3 Process performance related metrics

Supplier shall, at relevant phases of the processes, collect metrics that support performance management, process control and improvement. The metrics should be linked to key performance indicators derived from strategy.

1.3.4 Continuous Improvements

The Supplier shall look for opportunities for performance improvements and implement appropriate improvement projects. The Supplier shall use appropriate continuous improvement measures and methodologies.

1.3.5 Continuous Improvement Indicators

Supplier should have a system for monitoring KPIs to support continuous performance improvement management. Continuous Improvement Indicators (CIIs) should be defined to measure process efficiency in the business processes used with Nokia.

1.3.6 Business scorecard

Supplier shall have a way (such as balanced scorecard or dashboards) to monitor its key strategic targets. Targets shall be balanced to give an overall view of performance. Progress shall be scored, reported and reviewed regularly.

1.4 Operational review

Management shall conduct, at regular intervals, operational reviews to ensure continuous improvement. Reviews shall assess product success and problems, suitability and efficiency of processes, operations, opportunities for improvement and needs for change, including policies and objectives. Records from operational reviews shall be maintained.

1.5 Guiding policies

Supplier shall have in place guiding policies for all key aspects and activities as required by the scope of its business and collaboration in use. Management shall ensure that the policies are communicated, understood and implemented at all levels of the organization.

1.5.1


Supplier shall have a quality policy, defining how Supplier understands and manages quality.

1.5.2 Risk management

Supplier shall have a risk management policy, defining how Supplier manages various types of risks (business risks, health and safety risks, fire etc). The policy shall promote proactive identification, analysis, control and monitoring of all types of risks. The policy shall also promote actions to proactively minimize the probability of interruption-type risks and to minimize the impacts in case risks materialize.

1.5.3 Intellectual Property Rights

Supplier shall have an intellectual property rights (IPR) policy, defining how Supplier manages IPR related risks, and, when applicable, covering inventions and patent filings. The objective of this policy shall be to protect Supplier and its customers from materializing IPR risks in a preventive and verifiable manner. The policy shall cover third party patent matters, especially specifying how to avoid infringing third party patents, as well as assets like free or open-source software (FOSS) and copyright matters. Where applicable, it shall also cover the risk of leaking IPRs owned by Supplier or a customer, such as Nokia, to third parties, either directly or as a part of grant-back obligations or similar by Supplier itself.




Product safety, security and liability

Supplier shall have a product safety, security and liability policy, defining how Supplier manages safety, security and liability risks relevant to the product or service it delivers to Nokia. Management shall ensure that the policy is communicated to and understood by the personnel involved.


1.5.5 Company values and business conduct

Supplier shall have an ethical conduct policy, such as a code of conduct, defining how Supplier understands and manages the ethical impacts of its business operations and reflecting its company values and culture. The policy shall reflect respect for human rights and demonstrate commitment to them, ethical business conduct and to continuous improvement.

Management shall ensure all relevant personnel are trained in and aware of the ethical conduct policy and related practices and risks and shall be able to provide evidence of employee awareness. Records of training shall be kept.

1.5.6 Environment

Supplier shall have an environmental policy, defining how Supplier manages environmental issues related to its business. The policy shall state a commitment to environmental protection, pollution prevention, compliance with environmental legislation and continuous improvement. Management shall be able to provide evidence of employee awareness.

1.5.7 Human resources

Supplier shall have a Human Resources (HR) policy(ies), defining how Supplier manages its employees. The policy shall be applicable locally and globally, as relevant, and ensure employees are treated with respect and dignity and in compliance with local labour law and recognized international labour standards (i.e. ILO and relevant UN conventions). The policy(ies) shall cover, for example, recruitment and exit, occupational health and safety and equal opportunity. Where applicable, it shall cover also temporary labor and employees working outside Supplier’s premises (e.g., at Nokia’s premises). Management shall ensure that the associated HR processes are communicated and understood by HR personnel.

1.5.8 Information security and confidentiality

Supplier shall have an information security and confidentiality policy, defining how Supplier manages information security risks when connecting to or communicating with Nokia or concerned third parties. Management shall ensure that the policy is communicated to and understood by the personnel involved.

1.6 Management systems

Supplier shall have a management policy and a management system that ensures effective planning, management and control of performance and product or service quality throughout the company. The management system shall conform to the requirements of some internationally recognized standard relevant to its business area (e.g., ISO9001, ISO16949, TL9000, BABT340 or CMMI).

1.6.1 Management system certification

Supplier’s management system shall be certified as compliant with ISO9001 or a stronger internationally recognized standard relevant to Supplier’s business area and scope (e.g. ISO16949, TL9000, BABT340 or CMMI) for the Nokia related business.

1.7 Organization and responsibilities

Supplier shall have organizations with adequate resources and defined owners, roles and responsibilities for all its management systems (built around key business processes). Supplier shall ensure that all required business and support functions are working together to plan and review the business. Past experiences shall be used to identify risk and opportunities for further improvement.

1.8 Contract review system

Supplier shall have a contract review system ensuring that customer requirements are properly converted into company internal product or service requirements. The contract review system shall consider requests for quotation, purchase agreements, purchase orders, internal plans and specifications, as appropriate. It shall ensure that requirements are adequate, defined and documented, that any differences between customer and internal requirements are resolved, that the requirements are feasible, that all relevant risks are identified and analyzed and that both parties, including their R&D and sourcing stakeholders, share a common understanding of the requirements.

Supplier shall have a system to handle amendments to contracts, including correct transfer of contract change information to the concerned functions within Supplier’s organization and supply chain. Supplier shall maintain records of contract reviews.


1.9 Business Contacts

Supplier shall nominate necessary business contact persons to cover Nokia business needs, i.e., a Nokia business owner plus key representatives on all relevant collaboration levels. Supplier shall document the contacts as part of the Agreement or of a program quality plan, preferably as a contact matrix identifying also the roles of the contact persons.

1.9.1 Account management

Supplier should have an account management organization taking care of customer interfaces and relationships including contract reviews, creation of customer account plans (describing the customer’s business, strategy, values and basic data needed for relationship management), definition of customer categories (e.g., key customers), service levels and roles and responsibilities needed to provide customer categories with the agreed service levels.

The account management organization should have enough authorization and competence to design and customize services, initiate and run competence building projects and take ownership of customer case projects.

1.9.2 Collaboration resources

Supplier should have, when applicable, structures, resources and ability to collaborate with other associated service providers in adjacent or overlapping areas. Examples of such areas are security issues and tools, helpdesk sharing and / or integration etc. Associated roles and responsibilities should be defined in the Agreement.

1.10 Customer satisfaction program

Supplier shall have an active customer satisfaction program evaluating product or service quality through customer ratings, customer surveys, interviews etc. Management shall take action based on the results of the program.

1.11 Legal compliance

Supplier shall comply with all applicable local, national and international legislation relating to Supplier’s products, operations and activities. Management shall be well-informed about and continuously monitor the development of the legislation related to its business area.

1.12 Financial control and funding

Supplier shall provide, on request, audited and consolidated financial statements to Nokia within three months after the end of the fiscal year and be prepared to discuss them with Nokia. Supplier shall explain and show, on request, the internal control processes and control points of its financial operations. Supplier shall also provide, on request, principal information about treasury, financial control functions, management, ownership and organizational structure.

1.12.1 Accounting standards

Financial statements should be audited and available, preferably according to recognized accounting standards such as IFRS (Europe), US GAAP (USA), UK GAAP (UK) and PRC GAAP (China) to ensure the reliability of the financial statements.

1.12.2 Budgets and business plan

Supplier should provide, on request, budgets and long-term business plans to Nokia.




Capacity and business suitability

Supplier’s premises shall be capable of properly accommodating the production (or service) volumes (including flexibility) required. Premises shall be suitable for business and include, as relevant, clean areas, isolated areas with access control, climate control etc.



This chapter specifies requirements regarding how Supplier ensures that products / services are of good quality and that policy and all necessary processes are defined, in place and followed. [ISO9001 related requirements].

2.1 Documentation management

Supplier shall have a documentation management system providing a classification (process, product, administrative etc. documents) of its business management documents and their hierarchy, plus document control functions for approval of documents prior to issue, reviewing and updating documents, localization of documents and information, prevention of use of obsolete information, and identification and controlled distribution of documents provided by Nokia and third parties.

2.2 Management of records

Supplier shall define internal and external records, demonstrating continuous compliance with customer and legal requirements and evidence of effective and traceable business operation (e.g., review, audit and meeting minutes and material and product tests and inspection data). Supplier shall define responsibilities to collect, store, maintain and dispose of such records. All records shall be legible, easily identifiable and retrievable. Repository and retention times of records shall be defined.

2.3 Quality planning

Supplier shall conduct product, service or project specific quality assurance activities to ensure that the deliverables meet customer requirements. Quality assurance activities shall be performed according to a documented plan.

2.4 Internal audits

Supplier shall conduct internal audits using qualified auditors in accordance with procedures and action plans. Audits shall check whether processes and plans are in place and followed, resources and efforts are planned, managed and monitored, progress and changes are managed, recorded and visible, corrective actions are monitored etc. Audits shall be planned taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. Management shall review audit findings, plan corrective actions, follow up the timely closing of open actions and verify the effectiveness of corrective actions.

2.5 Corrective and preventive actions

Supplier shall have a system for initiating corrective and preventive actions, with input coming from sources such as design reviews and assessments, operational reviews, internal audits, employee suggestions, incoming inspections, in-process monitors, product qualifications and tests, customer complaints and field failures. Management shall verify the effectiveness of corrective and preventive actions.



This chapter specifies requirements regarding how Supplier ensures that the human resources, needed to develop and produce the deliverables, are available and managed in accordance with internationally recognized principles of corporate responsibility.

[SA8000, OHSAS18001 and PCMM related requirements]

3.1 Workforce planning and recruiting

Supplier shall have a system to ensure the availability of workforce for current and future business needs, in a sustainable and ethical manner, at both organizational and unit level.

3.1.1 Resource planning

Supplier shall ensure that resources are available to meet both current and future business needs according to company strategy. Resource planning shall be conducted at both organizational / global and unit / local levels. In particular, underage workers or false apprenticeship schemes must not be used.

3.1.2 Recruiting and exit procedures

Supplier shall ensure that competent and eligible individuals are recruited and appointed to open positions, according to competence, with equal opportunity and on a voluntary basis. Supplier shall check the eligibility of candidates and that they exceed the minimum legal age of employment.

Upon employment, individuals shall be provided with a work contract/agreement/offer letter, basic induction training and not be required to give financial deposits or deposit original identity documents. Forced labor must not be used. Employees shall be free to leave the company after giving reasonable notice.

Supplier shall ensure that exit procedures are compliant with local legislation, international labor standards and applicable collective agreements.

3.2 Non-disclosure and confidentiality agreements

Supplier shall ensure that employees working with Nokia products or projects or having access to Nokia specific knowledge, information or data, or to Nokia facilities, have signed a Non-Disclosure Agreement (NDA). Supplier shall ensure that the employees fully understand its practical implications.

3.3 Occupational health and safety protection

Supplier shall ensure that physical and mental working conditions allow employees to perform their tasks safely and efficiently. Supplier shall have procedures for identifying, minimising and preventing hazards. They shall be implemented as, for example, safety instructions, work procedures, preventive maintenance, employee training, identification of potential hazards and appropriate safety devices, personal protective equipment and clothing, hearing protectors, chemical control or machine safeguarding.

Supplier shall nominate and train persons responsible for the occupational health of employees. Supplier shall have specific procedures in place for employees under the age of 18 (young workers). Supplier shall assume responsibility for the occupational health of employees working off-site (e.g., at customer premises).

3.4 Occupational health and safety response

Supplier shall have occupational health and safety procedures to prepare for and respond to emergency situations involving occupational health and safety risks. Supplier shall record and investigate emergency situations. Management shall encourage employees to report accidents and take action upon these records and reports.




Employee amenities

Supplier shall ensure that employees are provided with access to potable water and clean toilet facilities. Canteen facilities and food preparation areas shall be clean and safe, and food shall be provided at reasonable cost. Employee dormitories shall be clean, safe (equipped with, e.g., fire extinguishers and exits), adequately ventilated and/or heated, shall provide reasonable personal space and shall be provided at reasonable cost.


3.6 Competence and development

Supplier shall ensure that employees have the education, training and competences required for their position and tasks.

3.6.1 Competence analysis

Supplier should periodically conduct competence analyses to identify the knowledge and skills/competences required to perform the organization’s business activities according to short- and long-term strategic goals.

3.6.2 Competence development

Supplier shall ensure that employees, at all levels and with equal opportunity, have the education, training and competence they need for their positions and tasks. Supplier shall develop training plans based on competence analyses and implement them to enhance and develop workforce capabilities.

Supplier shall maintain a training register, detailing the training employees have received.

3.6.3 Nokia specific training and certification

Supplier shall ensure, on request, that personnel allocated to Nokia work have the necessary training on Nokia policies, products, processes and guidelines and, if needed, have necessary licenses and certificates. Supplier shall ensure such licenses and certificates are valid in terms of time and scope. Supplier, providing services at Nokia facilities, including (Nokia's) customer sites, shall ensure that its personnel act in accordance with Nokia values and Code of Conduct.

3.7 Working time and time off

Supplier shall ensure that employees can perform assigned tasks efficiently without exceeding the maximum working hours as defined by local labor laws or applicable collective agreements. Supplier shall ensure that employees have at least one day off per seven-day week, and that overtime work is voluntary. Holidays (e.g., public holidays) and leaves of absence (e.g., medical or parental) shall comply with local labor laws or applicable collective agreements.

3.8 Compensation and benefits

Supplier shall provide all employees (permanent, temporary, apprentices and contract workers) with fair compensation (wages / salaries) meeting or exceeding local legal and industry minimum standards, for regular as well as overtime work. Supplier shall also provide employees with benefits to reward contributions, skills and behavior considered vital to success. Compensation and benefits shall be aligned with relevant company policies.

3.9 Fair treatment

Supplier shall ensure that employees at its facilities are treated with respect and dignity, equal opportunity and are safe from abuse, harassment or bullying of any kind (e.g., physical, verbal, mental, sexual, racial, cultural, age or disability related). Supplier shall ensure company rules / guidelines are communicated to employees. Supplier shall ensure that disciplinary procedures prohibit physical punishment and do not support financial deductions, or the threat thereof.


3.9.1 Performance management

Supplier should have a system to manage employee performance. Supplier should ensure individual objectives are derived from company strategy and policies. Supplier should ensure performance is evaluated fairly and objectively, against defined criteria and on a periodic basis, to identify ways to improve performance.

3.10 Communication and coordination

Supplier shall ensure that information relevant to employees (about, e.g., business activities, changes and results) is communicated across the organization. Supplier shall ensure employees can share such information fast enough to be able to align their activities efficiently.

Supplier shall respect the right of all employees to form and join trade unions of their choice and to bargain collectively, and in cases where this is restricted by law, facilitate parallel means to ensure that individuals or groups are able to raise concerns to the attention of the management.

3.10.1 Employee satisfaction

Supplier should have the means to evaluate and improve employee satisfaction. A company of substantial size (i.e. headcount exceeding 100) should have an employee satisfaction program based on employee opinion surveys and should take action based on the results of the program.

3.11 Feedback and complaint channels

Supplier shall have a system through which employees can give feedback or complain about unethical conduct, unfair treatment or practices, violation of company values, policies and procedures, or improvement ideas and suggestions.

Management shall, when appropriate, act upon this feedback and handle it confidentially and anonymously. Management shall ensure that there are no adverse consequences as a result of giving feedback.


4. ENVIRONMENTAL MANAGEMENT

This chapter specifies requirements regarding Supplier’s ability to manage environmental impacts of its business operations, throughout the supply chain, and to minimize them. [ISO14001 related requirements].

4.1 Environmental management system

Supplier shall have an environmental management system (EMS) ensuring effective planning, operation and control of environmental aspects. The EMS shall satisfy the requirements of ISO14001 or other internationally recognized standards. Supplier shall be well-informed about environmental legislation and applicable regulations and be able to provide evidence of compliance. The EMS shall include a continuous improvement program.

4.1.1 EMS certification

Supplier’s EMS shall be certified as compliant with ISO14001 or Eco-Management and Audit Scheme (EMAS).

4.2 Raw material content data management

Supplier shall comply with material restrictions, set by applicable law and Nokia, and continuously maintain records of full raw material content data (materials, substances and compounds) of products supplied to Nokia or of materials used in implementing the services provided to Nokia. These records (including any updates) shall be provided to Nokia in a format specified by Nokia.



Waste management

Supplier shall manage any waste generated from its operations or from products or customer’s assets in its possession, or reaching end-of-life or being classified as waste according to legal requirements and good environmental practices. Supplier shall establish and maintain procedures ensuring compliance with its waste management obligations. Supplier shall primarily investigate ways to reduce waste generation and secondarily ways to promote reuse (of non-Nokia-proprietary material) and recycling. Nokia proprietary material must not be reused without prior consent from Nokia.

Supplier shall record information about waste management (i.e. how much and where waste is reused, recycled, energy recovered, sent to landfill etc) and provide this information to Nokia on request.

4.4 Programs for improving environmental performance

Supplier shall identify and measure the environmental consequences and impacts of its operations and products / services and run continuous improvement programs to address these impacts. These programs shall promote efficient use of energy and materials, avoid use of hazardous materials, promote waste minimization and improve treatment and control of waste emissions affecting air, water and soil. Supplier shall be able to provide supporting evidence.


5. RISK MANAGEMENT

This chapter specifies requirements regarding Supplier’s ability to manage risks, i.e. to identify, analyze, manage and monitor foreseeable risks that when materializing will probably / eventually cause damage or loss to Nokia.

5.1 Risk management system

Supplier shall have a risk management system (RMS) for effective identification, analysis, control and monitoring of risks associated with its business and operations, including the timely implementation of agreed-upon preventive actions for risk mitigation. The RMS shall cover business risks such as strategic, financial, operational, commercial, technical, quality and schedule risks including external risks such as geographical dependencies, natural hazards, export control and product liability, as relevant. Supplier shall apply similar professional risk management requirements to their own supply network related to Nokia business.

Supplier shall notify Nokia immediately if a risk that can impact Nokia seems likely to materialize.

5.1.1 Definition of risk management responsibilities and practices

Supplier business and line management should be responsible for ensuring that risks are identified against longer term business (including operations) objectives, used assumptions and short term targets. Risk evaluation metrics and risk acceptance constraints (i.e., what is not acceptable) should be justified. Status of risks and actions should be reviewed on a regular basis.

Responsibilities on each important risk should be agreed on (risk ownership, action owners). Supplier should agree with Nokia on important risks and mitigation actions that directly affect Nokia business. Supplier should agree with Nokia on when and where the status of key risks and agreed actions are monitored, and communicate related individual and management/forum roles and/or tasks within the organization, as relevant.

5.1.2 Review of objectives

Relevant employees of Supplier should be well-informed about key stakeholders and their priorities and goals in order to be able to identify and prioritize the risks effectively.

5.1.3 Risk identification and analysis

Supplier should systematically identify, document and communicate all risks that may endanger the achievement of the objectives. Supplier should analyze the probability and impact of identified risks and select the most important risks for a closer analysis to form the basis for making decisions and effective actions meeting management expectations. Supplier should, for the risks classified as serious, e.g. analyze risk root causes (i.e., what causes the risk) in order to understand where risk management may be most relevant and risk mitigation most efficient.


5.1.4 Managing risks

Risk management should be an integral part of management practices and daily work, e.g. implementing actions according to management decisions on specific risks and in general according to applicable policies, guidelines and operating instructions. The risk owner’s role should be, e.g., to ensure that decisions are made objectively and implemented as agreed, and the action owner’s role should be, e.g., to ensure that agreed actions are taken and to consult/inform the risk owner about the risk status on a regular basis. Regular risk reporting should be in place to ensure transparency of the risk situation and decisions throughout Supplier’s organization. Supplier should nominate risk action owners for key risks and agree on, document and communicate control actions, and notify Nokia in advance if the risk may impact Nokia. Supplier should evaluate the effectiveness of risk control actions.

5.1.5 Risk monitoring

Supplier’s organization should review the changes in important risk actions and communicate the key changes and new decisions to the key stakeholders.

5.2 Business continuity / contingency

Supplier shall have a systematic approach to protect itself and Nokia from disruptions in its business with Nokia. Supplier shall have plans and arrangements, based on risk analysis and stakeholders’ expectations, covering critical business operations and processes for delivery to Nokia, e.g., the production lines, IT systems and the data contained therein.

For all sub-supplier-provided software, Supplier shall have in place escrow agreements with its sub-suppliers that allow for access to the relevant source code if necessary.


6. CORPORATE SECURITY

This chapter specifies requirements regarding how Supplier ensures that knowledge, information and data associated with Nokia or Nokia’s products cannot, under any circumstances, inadvertently or maliciously, be accessed by any third party. [ISO17799, MNSR & CCSS related requirements].

6.1 Security management

Supplier shall have security policies and guidelines ensuring that agreed security requirements are met. Supplier shall periodically review and continuously improve security related processes, procedures, instructions and methods.

Supplier’s management shall assign security responsibilities and review the implementation of security within the organization.

6.1.1 Security organization

Supplier should have a documented security organization with explicitly defined authority, reporting, responsibilities, and escalation principles and procedures.

Supplier should nominate a security coordinator responsible for acting as a liaison between its internal organizations and Nokia’s security organizations.

6.1.2 Security incident management

Supplier shall report to Nokia on security breaches and incidents related to Nokia work or that might affect Nokia. Supplier shall have adequate arrangements to detect and prevent further damage caused by incidents.

6.1.3 Security awareness

Supplier shall provide continuous security training for its personnel. Security introduction shall be part of the induction program and cover at least confidentiality of customer information, information security and safety issues.




Premises security

Supplier shall take measures to protect its personnel and to prevent unauthorized access, damage and interference to business, premises and information.

6.2.1 Physical access control

Supplier shall have a physical access control system (or equivalent), where an individual audit trail can be tracked. The system shall cover at least the areas where Nokia work is conducted or Nokia information is stored or processed. Only access control cards dedicated to a named individual can be used (no collective or shared key cards). Malfunctions shall be reported to the person in charge of the system.

Log information and reports shall be given only to specified persons on a need-to-know basis.

6.2.2 Intrusion detection system with alarm transmission

Supplier shall have an intrusion detection system covering the areas where Nokia work is conducted or Nokia information is stored or processed. The system shall provide detailed alarm information and cover adjacent and other easily accessible areas. The system shall be protected against tampering, be regularly tested, and be well-documented. All alarm lines shall be continuously supervised. Setting, unsetting and alarm information shall be available at an alarm-receiving center where an event log shall be kept and monitored regularly.

6.2.3 Video surveillance

Supplier shall have a closed circuit TV system (CCTV) covering at least the entrances to and exits from areas where Nokia work is conducted or Nokia information is stored. The quality of the monitoring cameras shall be good enough to enable identification of single persons. Recording procedures shall be documented and shall be available for security personnel on duty. Only named and approved persons shall have access to the recorded material. The recorded material shall be stored in accordance with local legislation and preferably kept for at least 30 days.

6.2.4 Guarding

Supplier’s premises shall be guarded at least outside office hours.

All assignment instructions shall be documented and made available for guards on duty. Alarm response forces shall cover the site around the clock.

6.2.5 Visitor management

Supplier shall ensure that every visitor is registered and accompanied by an employee of Supplier when entering the premises. Supplier shall have a documented visitor policy.

Supplier shall ensure that visitors can access areas where Nokia information is handled only when authorized by Nokia.

6.2.6 Cleaning and maintenance

Supplier shall ensure that cleaning is carried out during office hours or in supervised conditions only. Supplier shall provide cleaning personnel with documented rules for handling classified documents. All cleaning personnel shall sign an NDA. Keys to offices and intrusion detection system codes shall not be given to cleaners.

All employees of a maintenance company shall sign an NDA. Supplier shall be fully aware of access rights and keys given to maintenance personnel. Maintenance in Nokia project areas shall be done under supervision.

6.2.7 Server room

Supplier shall provide an electronic access control system or equivalent to limit physical access to the server room. Access shall be granted only when needed. The supplier shall ensure that the server room has adequate fire protection such as a CO2 portable fire extinguisher or an automatic fire extinguishing system depending on the size and the criticality of the information on the servers. The server room shall be kept clean and without extra fire load. It is recommended that the server room has uninterruptible power supply (UPS) equipment to ensure continuity during power outages.

6.2.8 Fencing of factories and warehouses

Supplier shall ensure that fences enclosing factories and warehouses are monitored by a CCTV system or equivalent controls that allow Supplier’s security personnel to observe the perimeter fencing and arrange for appropriate response.




Customs-Trade Partners against Terrorism (import into US only)

Supplier shall be eligible for Customs-Trade Partners Against Terrorism (C-TPAT) certification (carriers, ports, terminals, brokers, consolidators etc - according to C-TPAT program requirements).


6.3 Emergency procedures

Supplier shall have procedures for emergency situations such as evacuation of premises in case of natural disasters and fire. Emergency procedures shall be included in induction and training programs.

6.3.1 Emergency response plan

Supplier shall have a documented and implemented emergency procedure including an evacuation and rescue plan as well as one or several nominated persons in charge of emergency issues. Periodic evacuations and rescue drills shall be arranged and the result of such exercises shall be recorded.

Supplier shall take necessary steps to prevent and detect emergency situations by means of fire and smoke alarm systems, sprinklers etc. Applicable personnel, for example in the form of an emergency response team, shall be trained to deal with emergencies.

6.3.2 Fire safety

Supplier shall ensure that fire safety arrangements (including fire doors, fire extinguishers, fire detection/extinguishing systems etc) comply with national legislation.

6.4 Personnel security

Supplier shall ensure that employees working for or providing services to Nokia are reliable and professional and that neither commencing nor termination of employment implies any risks to Nokia.

6.4.1 Background checking

Supplier shall ensure that the reliability and professional aptitude of its employees be verified before assigning them to provide any services to Nokia (by, e.g., vetting, verifying the accuracy of the curriculum vitae or résumé including the academic records and previous employments). Performing security clearance is recommended if possible.

Supplier shall have a procedure to train employees to understand the requirements related to the services provided to Nokia.

6.4.2 Starting and ending employment

Supplier shall have employment entry and exit procedures (including, e.g., assured disabling of access to Nokia information). Supplier shall inform Nokia immediately when an employee working in a Nokia project is leaving the company.

6.5 Information security

Supplier shall ensure that all sensitive Nokia information is classified and that classified Nokia information cannot be inadvertently or maliciously accessed by any third party.

6.5.1 Information security policy

Supplier shall have a written information security policy that is well communicated to all employees and which defines at least high-level roles and responsibilities in the area of security.

6.5.2 Information ownership, classification and handling

Supplier shall ensure that confidentiality, integrity and availability of Nokia related information is adequately protected. Supplier shall isolate Nokia information from its own and from other customers’ information so that only authorized users can access the Nokia information.

Supplier shall have an information classification scheme based on information sensitivity (e.g., company confidential, confidential, secret) to ensure that the information receives an appropriate level of protection and is available only to authorized individuals. The information classification shall be ubiquitous, e.g. appear on every page of every document. Information ownership shall also be indicated. The scheme shall be communicated to the personnel.

Supplier shall have an information security awareness program covering at least handling of customer data.



Supplier shall provide appropriate lockable storage cabinets for Nokia project information. If stored on-site, prototype information and backup tapes shall be kept in a fire-proof safe.


6.5.3 Prototype handling

Supplier shall, if handling or processing Nokia prototypes, sign a product loan agreement (PLA) for each Nokia device. The PLA requirements shall be communicated to all concerned employees. The prototype handling process shall be documented and a named person shall be responsible for keeping track of where the prototypes are.

The prototypes shall be stored in a locked cabinet or safe depending on the sensitivity of the prototype.

6.6 IT security

Supplier shall ensure that all security mechanisms deny access to its IT systems until specifically granted. Supplier shall follow the principle of least privilege.

6.6.1


Supplier shall, together with Nokia, define how Supplier can access Nokia information via the internet. The internet connection shall be protected adequately (by, e.g., using a leased line or an encrypted connection). The implementation of the connection shall comply with the Collaborator Connectivity Security Standard (CCSS).

6.6.2 User account and access management

Supplier shall have a process for managing user accounts and access to its IT systems. This process shall define at least policies for approving, creating and terminating user accounts and access.

Supplier shall have a policy for password management, requiring at least a minimum length of 8 characters, a mix of upper and lower case letters, symbols and numbers to be used, prohibiting passwords that can be easily guessed (e.g., dictionary words), enforcing password change every 90 days, prohibiting reuse of old passwords, triggering lock-out after 5 failed login attempts and refusing shared accounts or passwords.

Supplier shall handle and deliver user credentials (such as user name and password) with the utmost care, as highly sensitive information.

Supplier shall apply for and acquire personal accounts for access to Nokia systems from Nokia.

6.6.3 Encryption of devices

Supplier shall ensure that all laptops containing sensitive Nokia information are encrypted. The encryption shall cover the whole hard disk. It is recommended to encrypt the hard disks of desktops containing sensitive Nokia information.

In addition, portable devices like USB memory sticks and other removable media shall be encrypted if they contain sensitive Nokia information.

6.6.4 Platform protection

Supplier shall ensure that systems used to provide services to Nokia are properly hardened. Nokia has the right to review the hardening standards upon request. It is recommended to utilize the hardening guidelines of the vendor.

If the hardening is performed by another organization, Supplier shall check the hardening and not accept a platform that is not properly hardened.

Supplier shall update and maintain step-by-step installation and configuration guidelines for all systems within its responsibility and ensure these guidelines are up-to-date.

Supplier shall have a vulnerability management process to ensure that all platforms are kept up-to-date against security vulnerabilities.

6.6.5 Malicious code protection

Supplier shall have an automated and up-to-date malicious code protection system covering all workstations and servers. Supplier shall not intentionally or negligently introduce malicious code into the computing environment. If malicious code that affects or may affect the work performed for Nokia is detected, Supplier shall immediately notify Nokia and take necessary steps to mitigate the consequent risk and be responsible for recovering operational efficiency and data affected.


6.6.6 Backup measures

To minimize business interruptions and assure business continuity, Supplier shall take periodical backups as agreed and store them in a fireproof and access controlled environment (on-site and off-site). Backups shall also be tested regularly in order to assure proper restore functionality.

6.6.7 Email

Supplier shall ensure that the email traffic between Supplier and Nokia, containing non-public Nokia information, is protected to assure its confidentiality and integrity. When transferring email over the internet, the preferred way is to use end-to-end encryption with PGP.

When agreed with Nokia, TLS (Transport Layer Security) may be used to protect email transfer over the internet. The use of TLS shall include an agreement that both sides monitor that TLS is continuously enabled on the concerned email gateways and that Supplier’s internal email arrangements are audited to provide sufficient protection for Nokia information.


7. INTELLECTUAL PROPERTY RIGHTS AND LIABILITY

This chapter specifies how Supplier’s IPR policy is implemented.

7.1 IPR policy implementation

Supplier shall ensure all relevant personnel are trained in and aware of the IPR policy and related practices and risk management procedures. Records of training shall be kept and archived for the relevant risk period.

7.2 IPR policy conformance

Supplier shall verify conformance with the IPR policy through audits, reviews or similar methods.

7.3 IPR of free and open-source software

Supplier must not include any free or open-source software (FOSS) in products / services delivered to Nokia without Nokia’s written consent. Supplier may include third party proprietary intellectual property, including patents, copyrights, designs and trade secrets, in the products only to the extent Supplier is authorized to grant Nokia the rights agreed in the agreement with Nokia.


8. PRODUCT SAFETY, SECURITY AND LIABILITY

This chapter specifies requirements regarding Supplier’s ability to manage potential risks associated with safety and security incidents or exposures or injury or damage caused by a product or service. Product safety and security is understood mainly as a proactive effort, starting with planning and designing the product for minimum vulnerability to security related risks.

8.1 Product safety, security and liability management

Supplier shall have a procedure to proactively communicate any potential product safety, security or liability related issues to Nokia. Supplier shall nominate person(s) responsible for product safety and security and in so doing shall ensure that proactive as well as reactive aspects are covered.

Supplier shall have clearly defined processes to promptly manage product safety, security and liability issues, such as delivery stops and recalls required by Nokia.

The implementation of these processes shall regularly be assessed and continuously monitored.



Product safety and security training and awareness

Supplier shall ensure that all new employees receive induction in product safety and security awareness and practices. Supplier shall have a product safety and security awareness training program to ensure its employees are aware of proactive and reactive product safety and security requirements and practices. The program shall cover at least Supplier’s own procedures and practices.

8.3 Product security communication

Supplier shall, on request, report to Nokia about its product security policy, mitigating actions, remaining risks and open actions.

8.4 Liability protection

Supplier shall, on request, provide evidence that it has taken or will take all necessary steps to protect Nokia against potential product or service liability risks.

Supplier shall ensure that only non-hazardous and safe materials and components, approved by relevant authorities, are used in its products or services.

8.5 Liability insurance

Supplier shall have a valid insurance for professional liability, for finished components and products or services, worldwide, with no exclusions for any geographic area, as appropriate to the nature of the collaboration with Nokia.

8.6 Product traceability

Supplier shall have the capability to ensure that a product can be traced back to its original manufactured batch and to an individual delivery / purchase order, and (critical) raw materials and/or components can be traced back through the supply chain. Supplier shall have a documented traceability system providing two-way end-to-end traceability.

8.6.1 End-to-end traceability

For specified products and parts, Supplier shall maintain two-way end-to-end traceability from individual component batches through production phases, to batch or individual serial numbers of products delivered for individual delivery or purchase order as specified in separate requirements. Traceability data shall be available on request and stored as a record, as specified in Nokia’s traceability requirements.


9. PRODUCT LIFE CYCLE MANAGEMENT

This chapter specifies requirements regarding Supplier’s capability for product development with different focuses (e.g., design for manufacturability, design for care, design for environment), covering nonetheless the whole product life-cycle including end-of-life treatment where applicable. [CMMI etc related requirements]

9.1 Product management

Supplier shall have the capability for managing a product or product family through the whole product life cycle, including product upgrades, full uninstall and End-of-Life (EoL) treatment, as applicable. Product management shall be performed according to a documented process.

Supplier shall have the capability to correct identified defects and manage products in terms of manufacturability, cost efficiency, reliability etc. Product maintenance shall be performed according to a documented process.


Supplier shall have the capability to monitor and gather customer needs and to derive product upgrades based on this information. Product enhancement shall be performed according to a documented process.

9.2 Architecture planning and implementation

Supplier shall have the capability to plan architecture and manage its implementation. Architecture planning and implementation shall be performed according to a documented process.


9.3

Supplier shall have the capability to work with reference requirements, reference architectures, design rules and reference implementation, to the agreed reuse level.

9.4 Product quality assurance

Supplier shall have the capability for identifying the focus for product quality, tailoring processes accordingly and verifying development and production against the focus. Product quality assurance shall be performed according to a documented process.

9.5 Product qualification and validation

Supplier shall have the capability for product characterization, design validation, related (traceable) measurements, statistical analysis and formal product qualification, as required by the manufacturing processes and the target volumes. Product qualification and validation shall be performed according to a documented process.

9.6 Process quality assurance

Supplier shall have the process capability and quality needed to do business with Nokia. Supplier shall be able, in collaboration with Nokia, to monitor process quality and initiate improvement efforts.

9.7 Planning for new product introduction

Supplier shall have the capability to plan the introduction of a new product (including, when applicable, concurrent planning / development of the manufacturing concept / process, supply line integration and logistics, line transfers, line verifications and production testing). Product introduction shall be performed according to a documented process.

9.8 Planning for product care, maintenance and end-of-life

Supplier shall have the capability to plan the delivery of services for a new product, including care and maintenance. Supplier shall, if relevant, be capable of designing for care, maintenance and services. Where applicable due to mandatory legislation affecting Supplier and/or Nokia, services provided shall include planning for End-of-Life treatment, and, if agreed, taking care of End-of-Life treatment. Planning for product care, maintenance and end-of-life shall be performed according to documented processes.


10. PROGRAM QUALITY PLANNING

This chapter specifies requirements regarding how Supplier plans and implements quality and associated responsibilities in a complex multi-project R&D environment.

10.1 Program quality management practices

Supplier shall have the capability for total program quality management, covering the quality and reliability focus agreed with Nokia.


10.1.1 Program quality and reliability focus

Supplier should have the capability to identify a quality and reliability focus for a product or platform program.

10.1.2 Program quality and reliability planning

Supplier should have the capability to plan quality and reliability for a product or platform program according to targets and focus agreed with Nokia.

10.1.3 Program quality and reliability validation

Supplier should have the capability to validate the quality and reliability for a product or platform program.

10.2 New product implementation planning

Supplier shall be able to plan product ramp-ups for the agreed quality and reliability focus. Planning shall be performed according to a documented process and it shall include gap analysis against current manufacturing concept, manufacturing process and testing capabilities. Supplier shall be able to plan and implement the implied development activities and investments.


11. PRODUCT DEVELOPMENT

This chapter specifies requirements regarding Supplier’s product development process. [CMMI related requirements]

11.1 Product development process

Supplier shall have the capability to effectively plan, implement and control product development. The product development process shall cover the entire life cycle of the product and it shall be documented. Any subcontracted part of the development shall be indicated.

11.2 Requirements management and development

Supplier shall have the capability to identify, analyze, manage and implement customer and regulatory requirements and to ensure the traceability of requirements. Requirements engineering and management shall be performed according to documented processes, procedures and practices.

11.2.1 Customer requirements capture

Supplier shall have procedures for gathering and capturing customer requirements that ensure a proper understanding of the requirements as well as of the rationale behind them and the business / domain expectations.

11.2.2 Derivation of specifications

Supplier shall have procedures for developing the customer requirements into specifications as required by the engineering life-cycle and the development process and practices used. The specifications shall be structured enough to support architectural partitioning.

11.2.3 Design for Environment requirements

Supplier shall consider environmental aspects in all phases of product development, using, for example, specific Design-for-Environment (DfE) tools or checklists. Supplier shall comply with Nokia product environmental requirements (e.g., Nokia Substance List, ‘NSL’, and Environmental Requirements for Nokia products, ‘ERN’). Choices made during these product development phases shall, whenever possible, reduce or eliminate negative environmental impacts. All reasonable attempts shall be made to reduce or eliminate hazardous constituents from the product, to promote efficient use of materials (i.e., to reduce waste), to improve energy efficiency of the product and to promote recycling.

Requirements identification and database

Supplier shall have the capability to store requirements in a form that supports requirement identification for implementation completeness verification (using, e.g., a database or a requirements management tool). The solution shall support a requirements structure that ensures the continuation of the requirements chain (i.e., understanding of the requirement and its relevant background and related dependencies).

11.2.5 Requirements traceability

Supplier shall have the capability for bidirectional traceability, from customer requirements to implementation, testing and releases, and vice versa.

11.2.6 Change management and design changes

Supplier shall have the capability to reliably manage and track changes in requirements or in any development phase down to implementation. The resulting changes in engineering and management plans and activities shall be documented and versioned. Change management shall be linked to configuration management and testing, to ensure that builds are done consistently and that unwanted side effects can be avoided or detected. Change histories shall be available as a record. Supplier shall notify Nokia immediately or as agreed about product design changes and modifications.

11.3 Project planning

Supplier shall ensure that effort estimation is based on facts, resource allocation is based on competence and scheduling is accurate. Project planning shall be performed according to documented procedures and practices including applicable risk identification.

Supplier shall create a project plan for each product development project.

11.3.1 Scheduling

Supplier should have the capability to estimate the effort needed for a project by breaking down total effort successively into smaller individual tasks, using some work break-down structure technique suitable to the engineering life-cycle in use. Supplier’s effort estimation practice should be supported by the use of history data from previous projects. Based on effort estimation and task planning, Supplier should have the capability to schedule and resource projects in a reliable manner.

11.3.2 Project risk identification

Supplier should have the capability to identify project risks in a manner that supports systematic analysis and control of project risks and learning from past experience.

11.3.3 Review and test planning

Supplier should have the capability to plan reviews and testing using past experience (e.g., a project database).

11.3.4 Release and integration planning

Supplier should have the capability to plan releases and integration to be compatible with a mutually agreed integration and error correction scheme (e.g., a bi-weekly release and integration cycle). Supplier shall, when requested, be able to alter the release and integration frequency to provide for visibility of the changes, enhancements and error corrections in each release.

11.4 Project monitoring and control

Supplier shall ensure that management has adequate visibility to project status and progress. Project monitoring and control shall be performed according to documented procedures and practices. Supplier shall also have a system for notifying Nokia of potential schedule delays.

11.4.1 Project meeting practices

Supplier should have a suitable project status review practice such as regular project meetings. The practice should support alignment with operative plans and recognition of external and internal dependencies.

Project resource monitoring

Supplier should have the capability to monitor actual effort spent in all relevant lifecycle phases and preferably provide history data for further improvements of estimation accuracy. The approach used should also support efficient rescheduling and risk identification (e.g., critical path identification based on actual effort). Supplier should share effort monitoring data with Nokia when requested.

11.4.3 Project risk analysis, reporting, control and escalation

Supplier should continuously analyze, report and control project risks. Risks exceeding agreed thresholds or potentially becoming significant for Supplier and/or customer should be escalated.

11.4.4 Reporting and escalation to customer

Supplier should report risk status and risk mitigation and resolution actions to the customer in a proactive manner and if needed escalate risks management.

11.5 Product verification, qualification and validation

Supplier shall ensure, unless otherwise agreed, that products are verified, qualified and validated. Product verification, qualification and validation shall be performed according to documented procedures and practices. Verification, qualification and validation data shall be available as a record.

11.5.1 Reviews and inspections

Supplier shall conduct formal design reviews or inspections to systematically review product development progress at agreed milestones or checkpoints. The review / inspection practice shall be documented.

Minutes of the reviews / inspections and related data, such as criteria used and action points raised, shall be available as a record.

11.5.2 Testing

Supplier shall carry out all relevant or agreed testing. Test setup, data and metrics shall be available as a record.

11.6 Release and integration management

Supplier shall ensure the product is systematically integrated and released. Release and integration management shall be performed according to documented procedures and practices. The integration and release cycle shall be reviewed and adjusted to provide visibility to changes and to allow enhancements and error corrections to be implemented in each release. The integration and release cycle shall, if required by Nokia, be aligned with Nokia’s integration and error correction cycle.

11.6.1 Builds and version control

Supplier shall have the capability to do builds and perform version control that is automated enough to provide consistency. The approach selected shall support multi-site and work sharing models.

11.6.2 Integration and release

Supplier shall have the capability to release and integrate as specified by its engineering lifecycle, processes and practices. The release and integration model used shall meet Nokia’s requirements concerning integration and error correction phases (e.g., a bi-weekly release and integration cycle). The model shall be reviewed and altered regularly to provide visibility to changes and feature enhancements implemented in each release.

11.7 Configuration management

Supplier shall use a Configuration Management (CM) system for identification, control, status accounting and verification of the components or constituents of any product version, including test data and links to requirements.

Versioning data shall be available as a record.

Defect management

Supplier shall use a defect management system to trace defects and open issues and action points during development.

11.9 Development tools and software

Supplier shall validate and control all development tools and software such as those used in Computer Aided Design (CAD), particularly what version of a tool is used. Development tools shall be agreed and recorded for each project, and tool data shall, on request, be part of each release/delivery to Nokia.


This chapter specifies requirements regarding how Supplier manages its own suppliers (vendors, subcontractors, service providers, partners etc – sub-suppliers from Nokia’s point of view). [ISO9001 related requirements]

12.1 Supplier base strategy and supplier selection

Supplier shall have a supplier base strategy and supplier base management for its sub-suppliers, based on short and long term business needs. Supplier shall identify, evaluate and select its sub-suppliers according to a documented procedure. Selection criteria shall be aligned with the NSR. When appropriate, a second-source policy shall be applied.

Supplier shall have purchase and/or service agreements as well as valid NDA(s) in place with all its sub-suppliers, service providers and partners. Any such NDA(s) shall be aligned with Supplier’s NDA(s) with Nokia.

A supporting data management system shall be used.

12.2 Supplier management

Supplier shall manage its sub-suppliers according to a documented process defining their roles and responsibilities (for, e.g., technology, supply, quality and cost) throughout the supply chain. The process shall ensure early sub-supplier involvement.

Supplier shall monitor the performance of its sub-suppliers using key performance indicators (such as product quality indexes, project metrics, assessment results, ratings, process reviews etc).

Supplier shall have a system to make complaints and claims against its sub-suppliers and a method for requesting corrective and preventive actions. A supporting data management system shall be used.

12.3 Supply document management

Supplier shall use a supply document management system to ensure that all applicable requirements and contractual obligations from Nokia are transferred to its sub-suppliers.

Supplier’s purchasing documents shall include all information necessary to define materials, products or R&D work to be ordered. This information includes details such as item name, specification, revision level, quantity, delivery time, price and transportation. A supporting data management system shall be used.

12.4 Nokia supplied data and material control

Supplier shall have a procedure to control materials, data or products supplied by Nokia.

Programs for improving environmental and ethical performance

Supplier shall set environmental and labor condition requirements (e.g., occupational health and safety, ethical conduct) for its sub-suppliers, including waste handling/recycling sub-suppliers, evaluate their performance and set improvement targets. The requirements shall be aligned with Nokia requirements. If a sub-supplier is used for waste disposal, Supplier shall ensure it is appropriately authorized and licensed.


This chapter specifies requirements regarding how Supplier plans, establishes, qualifies and maintains its manufacturing process, and how new products are injected into it. [CMMI and ISO16949 related requirements]

13.1 Continuous improvement of systems and processes

Supplier shall continuously improve and develop processes for concurrent design, implementation, maintenance and manufacturing of products.

13.2 Use of concurrent engineering

Supplier shall have the capability for concurrent design, implementation, maintenance and improvement of products and associated processes, taking into consideration the whole supply chain.

13.3 Product introduction and production line transfer

Supplier shall have the capability and resources to manage product introduction and transfer to the production line, as well as proactively to collaborate with the whole supply line.

13.3.1 Nokia product introduction and production line transfer

Supplier should have the capability and resources to manage product introduction and transfer to the production line according to Nokia’s technology transfer process, as well as proactively to collaborate with the whole supply line.

13.4 Production process qualification

Supplier shall have the capability and resources to manage process qualification for its own area, as well as to proactively collaborate with the whole supply line, regarding processes, resource allocation, skills, knowledge, competence, equipment etc.

13.5 Supply line integration and logistics

Supplier shall have the capability to align, optimize and integrate manufacturing processes and logistics setup within the whole supply line.

13.6 Resource planning for production process design

Supplier shall ensure enough competent resources are available for the design of the production process.


This chapter specifies requirements regarding how Supplier ensures availability of material, components, services and resources needed to assure timely delivery.

Planning process

Supplier shall have a planning process including the receiving and confirmation of forecast and production and capacity planning. Sub-suppliers shall be included in this process. Supplier must not change the forecasting figures provided by Nokia.

14.1.1 Supply planning

Supplier’s planning processes shall enable reliable and timely responses to Nokia's plans. The confirmation of forecast shall be provided in the formats specified by Nokia (through, e.g., Syncro tool).

14.1.2 System-to-system integration

Supplier shall have the capability to perform true process integration and timely information exchange with Demand / Supply Network (DSN) partners using system-to-system collaboration tools such as the RosettaNet standard or other web-based collaboration tools (e.g., Syncro).

14.1.3 Flexibility planning

Supplier shall have the capability for flexibility planning on different forecasting horizons (i.e., short-, mid- and long-term), taking into consideration sub-suppliers’ flexibility. Flexibility planning shall cover both upwards and downwards flexibility.

14.1.4 Collaborative demand / supply planning

Supplier shall have an organization capable of handling all demand / supply related matters in collaboration with the relevant Nokia organization(s).

14.2 Execution process

Supplier shall have an execution process, covering all phases from receiving of demand information and order placement to product delivery or replenishment. Sub-suppliers shall be included in this process.

14.2.1 Supplier Managed/Owned Inventory capability

Supplier, when working in a Supplier Managed/Owned Inventory (SMI/SOI) environment (in which Supplier works within agreed service levels), shall have the capability to determine the correct minimum and maximum levels for material availability and capability to manage replenishment to agreed locations in collaboration with Nokia.

14.2.2 Supplier Direct Nokia Delivery capability

Supplier, when working in Direct Nokia Delivery (DND) mode (in which Supplier works within agreed service levels), shall have the capability to manage replenishment directly to Nokia production in collaboration with Nokia. Supplier shall also have the capability to ensure that the right minimum and maximum levels for material availability are managed at Supplier’s side to ensure delivery reliability within the leaner delivery process.

14.2.3 Self-billing capability

Supplier, when working under Supplier Owned Inventory (SOI) model, shall have the capability to process financial transactions and match them with material movements.

14.2.4 Global supply structure

Supplier shall have the capability to support Nokia global business in a cost-efficient and effective manner according to desired business model and envisioned requirements and flexibility needs.

14.2.5 Demand / Supply chain constraint notification

Supplier shall have a system for notifying Nokia of potential short- and longer-term delivery problems (e.g., capacity shortages or delivery delays).

14.2.6 Demand / Supply Network performance and improvement plans

Supplier shall have a system for monitoring and measuring the performance of the internal and external Demand / Supply Network and active plans on how to improve it. Sub-suppliers shall be included in this process.


This chapter specifies requirements regarding how Supplier handles materials needed for the production process or service delivery process.

Incoming material verification

Supplier shall have a system to verify incoming materials for conformance to specifications. Incoming material verification data shall be available as a record and may consist of, for example, incoming inspection reports, outgoing quality reports, certificates of conformance or certificates of analyses.

Material release for production / service

Supplier shall have a system that releases material for production and positively identifies it by means of, for example, stickers, labels, lot number control, dispatch control.

Material handling and storage

Supplier shall have a protection system for components or products susceptible to material damage or deterioration (due to, e.g., electric discharge, moisture, mechanical damage, temperature, dust or shelf life). Supplier shall have written instructions for material handling and storage in order to prevent material deterioration and safety hazards, and to maintain controlled storage conditions. The system shall cover the whole production chain including product development, purchasing, material handling, production, facilities, packaging and delivery of the products.

For components sensitive to electric discharge Supplier shall have an electrostatic discharge (ESD) protection system. For moisture sensitive components (other than MSL1 components) Supplier shall have a moisture protection procedure. Both shall cover the whole production and logistic chain, including product development, purchasing, material handling, production, facilities, packaging and delivery of the products.

Inventory control

Supplier shall have an inventory control system. Material usage shall be controlled by manufacturing date, based on the first-in-first-out (FIFO) principle and shelf life control.


This chapter specifies requirements regarding how Supplier manages its production process or service delivery process.

16.1 Process map

Supplier shall have a production process map to ensure effective planning, operation and control of the process capability (e.g., critical steps, composite yield, and cycle time). Any part of the process that is rework, subcontracted or outsourced shall be indicated.

16.1.1

Supplier’s process flow (e.g., manufacturing, testing, packing, packaging and shipping areas) shall have a clear layout facilitating optimized movement of materials.

Process and material qualification

Supplier shall have a procedure to qualify and approve its production process and materials.

Changes of production process and materials shall be qualified and approved and Nokia shall be notified before implementation. Product and production process setups shall be verified whenever a new setup is performed. Evidence shall be kept as records.

16.3 Work instructions

Supplier shall have clear work instructions, including criteria of workmanship, illustrations or representative samples, where needed to ensure consistent levels of reliability and quality of a process step, available at the place of operation (including all rework steps).

16.4 Process control

Supplier shall define and control critical parameters at appropriate stages of the process in order to keep the processes under control. Process operators shall have instructions for actions and escalation in out-of-control or out-of-limits cases. Records of corrective and preventive actions shall be maintained.

16.5 Production equipment

Supplier shall ensure its production process equipment (e.g., machinery and test equipment) receives preventive maintenance to ensure effective performance and capability in accordance with appropriate plans, instructions and check sheets. Equipment software versions shall be controlled.

16.6 Tool management and control

Supplier shall have a system to ensure tools are inspected, maintained and stored appropriately, to detect and prevent deterioration.

16.7 Energy management and backup

Supplier shall ensure that all manufacturing facilities have reliable sources of electricity, water, chemicals, gases etc. For critical equipment, backups shall be used to ensure safety, undisturbed operation and to prevent loss of data.

16.8 Housekeeping

Supplier shall have a system (e.g., 5S) to ensure facilities, equipment and tools are clean, orderly and covered by regular and effective housekeeping.

16.9 Production process continuous improvement

Supplier shall have a system for continuous improvement of the production process, addressing process capability, process control, failure analysis, and statistical tools and techniques (such as metrics, control charts, distributions, trend plots etc) to analyze the process and its parameters. Improvement suggestions and actions shall be recorded.

16.10 Process capability

Supplier shall have a system for measuring the process capability (e.g., Cpk, yield, GRR, equipment parameters) of all defined critical processes. A process capability report shall be available as a record.

Supplier shall define permitted in-process rework procedures at all stages of the production process. Actual rework performed shall be available as a record.

16.12 Failure analysis capability

Supplier shall have the procedures, equipment and capability to analyze process, materials and product failures. The analysis results shall be available as a record.


This chapter specifies requirements regarding management of inspection and testing in production, or of services delivered, and the necessary equipment. [ISO9001 chapter 8 related requirements]

17.1 Inspection and test flow

Supplier shall have procedures and test plans to perform all inspection and testing activities. Any subcontracted testing shall be indicated. The test plan shall be reviewed, aligned and optimized throughout the entire supply chain.

17.2 Reliability / environmental / off-line testing

Supplier shall perform environmental / off-line testing against specifications, during the product’s full life cycle, in order to ensure conformance. Such tests may include, for example, reliability tests, vibration and shock tests, temperature tests, humidity tests, electrostatic discharge (ESD) tests, electromagnetic compatibility (EMC) tests or safety tests.

Off-line testing shall be indicated in the process map.

17.3 Release for delivery

Supplier shall have a system to ensure that all product releases being prepared for delivery to Nokia or Nokia’s supply chain are in accordance with a release procedure and with the agreed specifications.

17.4 Inspection and test equipment

Supplier’s inspection and test equipment shall be maintained, verified (e.g., Gage R&R / measurement system analyses) and calibrated at defined intervals in accordance with plans and instructions. Test program versions, where applicable, shall be verified and controlled.

17.5 Inspection and test records

Supplier shall maintain inspection and test records from all test phases as evidence that the products have passed all specified tests. Supplier shall review these records regularly and take corrective and preventive actions.

17.6 Control of non-conforming materials/products

Supplier shall have procedures for the control, analysis, handling and disposition of non-conforming materials/products (scrap, use-as-is, rework). Where rework is performed the material / product shall be re-inspected in accordance with applicable procedures.

Product identification

Supplier shall have a system (using route card, run card, control software etc) to identify products (through lot or serial numbers etc) and their statuses during all stages of production and testing. Shipments containing finished products shall be labeled according to statutory requirements and Nokia specifications.

17.8 Product handling, storage, packing, packaging and delivery

Supplier shall have instructions and methods to protect components, sub-assemblies and finished products from damage during handling, packing, packaging, storing and shipping. Damage may include / be caused by, for example, software viruses, electrostatic discharge (ESD), cosmetic defects, mechanical deformation or moisture ingress.

When available, Nokia provided instructions shall be followed.


This chapter specifies requirements regarding Supplier’s ability to maintain a (Nokia or ODM) product after marketing, and arrange for its disposal in an accountable way.

18.1 Product maintenance and care

Supplier shall have the capability to provide product care with different focuses, such as technical support and maintenance activities (e.g., fault and change management), as applicable to the business model in use with Nokia.

To be able to provide product care, Supplier may have to plan and develop its processes and methods, develop its competences, do resource planning, and / or continuously monitor its performance during the life-cycle of the product.

18.1.1 Helpdesk

Supplier should have a helpdesk organization, responsible for identifying and analyzing customer complaints, assigning them to appropriate persons and offering fast escalation channels. The helpdesk should be logged.

18.2 End-of-life management

Supplier shall give early warning in an end-of-life situation (e.g., end-of-life or technology phase-out of an ODM product) and propose a replacement product. The replacement product shall be backward compatible with agreed old products and it shall meet environmental requirements.

Supplier shall have the capability to technically support the old product or technology over the agreed period.

Nokia shall have the right to return replaced hardware to Supplier. In case a product or asset being managed by Supplier is reaching its end-of-life or is classified as waste, Supplier shall be capable of disposal meeting waste management requirements as specified.

Nokia Collaboration Security Standard Version R018

Capability Maturity Model® Integration Version 1.2 (http://www.sei.cmu.edu/cmmi/). Product creation process appraisal and improvement methodology.

ISO9001:2000 Quality management systems - Requirements

ISO14001    ISO14001:2004 Environmental management systems - Requirements with guidance for use

ISO16949    ISO/TS 16949:2002 Quality management systems - Particular requirements for the application of ISO 9001:2000 for automotive production and relevant service part organizations.

ISO17799    ISO 17799:2005 Information technology - Security techniques - Code of practice for information security management

NSR3    Nokia Supplier Requirements, Version 3.0, Nokia January 2003

NSSR1    Nokia Service Supplier Requirements, Version 1.0, Nokia Mobile Phone June 2005

OHSAS18001    OHSAS18001:2004 Occupational health and safety management systems - Specification

P-CMM    People Capability Maturity Model (P-CMM) Version 2.0 (http://www.sei.cmu.edu/cmm-p/). People appraisal and improvement methodology.

SA8000    SA8000:2001 Social Accountability 8000

TL9000    TL 9000 Requirements Handbook (Release 4.0)

