If you've ever received a purchase order that says "supplier must be ISO 9001 certified" and weren't sure if that was enough, this page is for you. Different industries require different quality management systems — and picking the wrong shop (or not asking the right questions) can sink a project. Here's how to match the certification to your application.
Start here. Match your industry or application to the required certification standard.
| Industry / Application | Required Certification | Why |
|---|---|---|
| General industrial, consumer products, electronics enclosures | ISO 9001:2015 | The baseline QMS. Covers process control, corrective action, and continuous improvement. Accepted by most buyers. |
| Automotive (OEM or Tier 1/2/3) | IATF 16949 | Automotive-specific. Includes PPAP, APQP, FMEA, SPC, MSA. Required by every major OEM worldwide. |
| Aerospace & defense (commercial or military) | AS9100 Rev D | Builds on ISO 9001 with aerospace-specific controls: configuration management, risk, special processes, traceability. |
| Aerospace special processes (welding, NDT, heat treat, plating) | NADCAP | Supplements AS9100. Accredits individual processes rather than the whole QMS. Often required alongside AS9100. |
| Medical devices (implants, instruments, housings) | ISO 13485 | Regulatory-focused. Design controls, risk management (ISO 14971), traceability, validation. Required for CE marking and FDA market entry. |
| Food processing equipment | FSSC 22000 or ISO 22000 | Food safety management. Material traceability and hygiene controls. |
| Oil & gas / pressure vessels | ISO 3834 + material certs | Welding quality. Often paired with EN 10204 3.1 material certificates. |
| Environmental management (any industry) | ISO 14001 | Environmental management system. Often requested alongside ISO 9001. Not a quality cert but frequently required by large buyers. |
| Robotics, semiconductors, precision optics | ISO 9001 + cleanroom | ISO 9001 is baseline; cleanroom capability (ISO 14644) is often the real differentiator. |
| Certification | What It Covers | Who Requires It | Audit Frequency | Annual Cost to Maintain |
|---|---|---|---|---|
| ISO 9001:2015 | Quality management system (QMS): process control, CAPA, internal audits, management review, risk-based thinking | General manufacturing, electronics, consumer goods, industrial equipment | Annual surveillance + full recert every 3 years | $5,000–$15,000 |
| IATF 16949:2016 | ISO 9001 + automotive core tools (PPAP, APQP, FMEA, SPC, MSA), customer-specific requirements | Automotive OEMs and all supply chain tiers | Annual surveillance; OEM audits additional | $15,000–$40,000 |
| AS9100 Rev D | ISO 9001 + configuration management, risk management, special process control, product safety, airworthiness | Aerospace OEMs (Boeing, Airbus, Lockheed), defense contractors | Annual surveillance + recert every 3 years | $15,000–$50,000 |
| ISO 13485:2016 | Design controls, risk management (ISO 14971), process validation, traceability, regulatory compliance | Medical device manufacturers, pharma packaging, surgical instrument makers | Annual surveillance + recert every 3 years | $15,000–$45,000 |
| ISO 14001:2015 | Environmental management: waste handling, energy use, emissions, compliance with environmental regulations | Large OEM buyers, EU market, companies with sustainability targets | Annual surveillance + recert every 3 years | $5,000–$15,000 |
| NADCAP | Accredits specific processes: welding, NDT, heat treatment, coatings, composites, chemical processing | Aerospace primes (Boeing, Airbus, Pratt & Whitney, NASA) | Every 12–24 months per process | $10,000–$30,000 per process |
ISO 9001 is the world's most widely adopted quality management standard. Over one million organizations in 170+ countries hold it. For CNC machining shops, it's typically the first certification obtained — and the foundation that other industry-specific standards build on.
ISO 9001 is a process-based QMS. It does not prescribe specific technical requirements for your parts — instead, it ensures your shop has consistent, documented processes for producing them. Key areas:
| Clause | Requirement | What It Means for Your Shop |
|---|---|---|
| 8.5.1 Production control | Controlled conditions for production | Work instructions, in-process inspection, equipment maintenance logs, environmental controls |
| 8.5.2 Identification & traceability | Identify outputs throughout production | Part marking, traveler/route cards, material lot traceability |
| 8.6 Release of products | Verify requirements are met before release | Final inspection records, CMM reports, dimensional conformance before shipping |
| 8.7 Nonconforming outputs | Control and manage nonconforming product | MRB (Material Review Board), red-tag system, disposition records, root cause analysis |
| 7.1.5 Measurement traceability | Calibrate measurement equipment | CMM calibration, gauge calibration schedule, calibration stickers, outside lab certs |
| 7.2 Competence | Ensure personnel are competent | Operator training records, welder qualifications, inspection training |
IATF 16949 is the quality management standard for the automotive supply chain. It cannot be certified independently — an organization must first hold ISO 9001, and IATF 16949 builds additional automotive-specific requirements on top of it.
| Requirement | Description | Practical Impact |
|---|---|---|
| PPAP (Production Part Approval Process) | Formal submission proving your process can consistently produce parts meeting requirements | 18 documentation elements including PFMEA, control plan, MSA, capability studies, sample parts |
| APQP (Advanced Product Quality Planning) | Structured framework for new product introduction | 5 phases: plan & define, product design, process design, product & process validation, feedback/continuous improvement |
| FMEA (Failure Mode & Effects Analysis) | Systematic risk assessment of potential failure modes | Design FMEA (DFMEA) + Process FMEA (PFMEA). RPN/Priority number ranking, action plans for high-risk items |
| SPC (Statistical Process Control) | Using statistical methods to monitor and control production | X-bar/R charts, Cp/Cpk capability indices, control plans. Typical target: Cpk ≥ 1.33 (1.67 for critical features) |
| MSA (Measurement System Analysis) | Evaluating measurement system variation | Gauge R&R studies, linearity, bias, stability. Target: <10% GRR for critical measurements, <30% acceptable |
| Customer-specific requirements | Each OEM (VW, BMW, GM, Toyota) has additional requirements beyond IATF | Must identify, review, and comply with every customer's specific CSR. This adds significant documentation burden |
AS9100 is the aerospace quality management standard, built on ISO 9001. It adds requirements specific to airworthiness, configuration management, and risk management that are critical for flight-critical parts. "Rev D" is the current version, released in 2016.
AS9100 certifies the entire quality management system of an organization. NADCAP (National Aerospace and Defense Contractors Accreditation Program) accredits specific processes. They are complementary, not interchangeable.
Think of it this way: AS9100 says "this shop has a solid quality system." NADCAP says "this shop's welding process (or heat treat, or NDT) has been independently verified to meet aerospace requirements."
| Process | NADCAP Required? | Typical Aerospace Standard |
|---|---|---|
| CNC machining | No — AS9100 sufficient | AS9100 covers machining processes |
| Welding (TIG, MIG, EB) | Yes | AMS 1595, AWS D17.1 |
| Heat treatment | Yes | AMS 2750 (pyrometry), AMS 2759 |
| NDT (UT, MT, PT, RT) | Yes | ASTM E1444, E709, E165 |
| Surface treatment / plating | Yes | AMS 2404, AMS 2482, AMS 2700 |
| Composites manufacturing | Yes | AMS 3901, ASTM D3039 |
| Chemical processing | Yes | AMS 2403, AMS 2404 |
ISO 13485 is the quality management standard for medical device manufacturers and their suppliers. Unlike ISO 9001, which focuses on customer satisfaction, ISO 13485 focuses on regulatory compliance and patient safety. It is harmonized with EU MDR (Medical Device Regulation) and FDA 21 CFR 820 requirements.
| Area | ISO 9001 | ISO 13485 |
|---|---|---|
| Focus | Customer satisfaction, continual improvement | Regulatory compliance, patient safety, risk management |
| Design controls | Optional (if design is excluded from scope) | Mandatory. Design input, output, review, verification, validation, transfer. Full design history file (DHF). |
| Risk management | General risk-based thinking | Mandatory ISO 14971 risk management throughout product lifecycle |
| Traceability | As needed | Full traceability for all components and materials. Batch/lot level tracking required. |
| Process validation | As needed | Mandatory for all processes that affect product quality. IQ/OQ/PQ protocols required. |
| Document control | Controlled documents | Stricter version control, electronic signatures, audit trail, retention periods (often 15+ years) |
| Supplier management | Evaluate and monitor | Formal supplier qualification, approved supplier list, ongoing performance monitoring, incoming inspection |
| Continual improvement | Explicit requirement | Not explicit — focus is on maintaining compliance and effectiveness |
Certifications aren't just about QMS standards — material documentation is equally important. Many industries require certified material test reports (MTRs) that verify the chemical composition and mechanical properties of the raw material used to make your parts.
EN 10204 defines types of material certificates. For CNC machining, Type 3.1 is the most commonly required:
| Certificate Type | Who Issues It | What It Contains | When You Need It |
|---|---|---|---|
| Type 2.1 | Manufacturer (mill) | Statement of compliance with order. No test data. | Low-criticality parts, general construction |
| Type 2.2 | Manufacturer (mill) | Statement of compliance + non-specific test results (based on statistical data, not this specific batch) | Low-pressure piping, general structural |
| Type 3.1 | Manufacturer (mill) | Specific test results for THIS heat/batch. Chemistry, tensile, yield, impact, hardness. Signed by manufacturer's authorized inspector. | Pressure vessels, aerospace, automotive, medical, any critical application |
| Type 3.2 | Independent third party | Same as 3.1 but verified and signed by an independent inspection agency (TUV, SGS, Lloyd's) | Highest criticality: nuclear, offshore, military, aerospace structural |
Material traceability means being able to trace a finished part back to the original heat of raw material. This is critical when:
Best practice: the material certificate number (heat number) should be recorded on the traveler/route card for every job, and referenced on the final inspection report.
PMI is a non-destructive test that verifies the chemical composition of a material on-site. It uses X-ray fluorescence (XRF) or optical emission spectroscopy (OES) to confirm the alloy grade.
When to request PMI:
| Mistake | What Happens | Correct Approach |
|---|---|---|
| Assuming ISO 9001 is enough for automotive parts | Automotive OEM will reject the supplier. IATF 16949 is mandatory. | Verify which standard your customer requires before selecting a supplier. Ask to see the actual certificate. |
| Not checking the certification scope | Shop is certified for "sheet metal fabrication" but you need "5-axis CNC machining of titanium" — the cert doesn't cover your process. | Read the scope line on the certificate. Confirm it matches the process, material, and product type you need. |
| Accepting an expired certificate | The shop may have lost certification but not told you. Quality system may no longer be audited. | Check the expiry date. Verify the certificate with the issuing registrar (TUV, SGS, BSI, DNV, etc.) using the certificate number. |
| Confusing NADCAP with AS9100 | Shop has AS9100 but no NADCAP for the special process you need (e.g., heat treatment). Parts get rejected. | For aerospace parts requiring special processes, verify NADCAP accreditation for each specific process, not just AS9100. |
| Not requesting material certificates | Cannot verify material meets specifications. Major problem for aerospace, medical, and pressure vessel applications. | Specify EN 10204 Type 3.1 (or 3.2 for critical applications) on your PO. Cross-reference heat numbers. |
| Ignoring customer-specific requirements (CSRs) | IATF 16949 shop passes audit but fails customer audit because they missed a CSR specific to your OEM. | Ask the shop if they are familiar with your specific OEM's customer-specific requirements. Include them in the quality agreement. |
| Treating ISO 13485 like ISO 9001 | Medical device submissions fail because the supplier's QMS doesn't meet regulatory requirements (design controls, risk management, validation protocols). | Understand that ISO 13485 has fundamentally different requirements. Ensure the supplier's scope covers medical device manufacturing. |
| Not verifying the registrar's accreditation | Certificate was issued by an unaccredited body. Not recognized by major OEMs. | Verify the registrar is accredited by a recognized body (ANAB, UKAS, etc.). Major registrars: TUV SUD, TUV Rheinland, SGS, BSI, DNV, Intertek. |
| Requesting PPAP but not specifying the level | Shop submits Level 1 (warrant only) when you needed Level 3 (full submission). Wastes time going back and forth. | Specify the PPAP level on your PO. Level 3 is the default for most automotive applications. |