QMS: ISO 9001, AS 9100, ISO 13485, TL 9000 compared
Guide · QMS standards
A quality management system (QMS) is the documented and operational backbone of any serious electronics manufacturer. Four standards dominate the landscape: ISO 9001:2015 as the generic baseline, AS 9100 Rev D for aerospace, ISO 13485:2016 for medical devices and TL 9000 for telecommunications. They share a common QMS skeleton inherited from ISO 9001 but diverge significantly on design controls, traceability, configuration management and operational measurement. This page maps the four standards onto each other for an electronics manufacturer choosing a regime, or running several regimes in parallel, with emphasis on the practical points where the sector overlays change the workload.
The four standards at a glance
Section titled “The four standards at a glance”| Standard | Current edition | Sector | Owner / publisher | Required by |
|---|---|---|---|---|
| ISO 9001 | 2015 | Generic | ISO TC 176 | Voluntary, contractual |
| AS 9100 Rev D | 2016 | Aerospace, defence, space | IAQG (international group) | Aerospace primes |
| ISO 13485 | 2016 | Medical devices | ISO TC 210 | EU MDR, US QMSR, MDSAP regulators |
| TL 9000 | QMS-R R6.3 (2023) + QMS-M R5.5 | Telecommunications | TIA QuEST Forum | Tier-1 telecom operators |
ISO 9001 is the substrate. AS 9100 and TL 9000 explicitly embed ISO 9001 word-for-word and add sector clauses. ISO 13485 keeps the ISO 9001:2008 structure (it did not migrate to Annex SL when ISO 9001:2015 did) and adds medical-device clauses; it does not embed ISO 9001:2015 verbatim.
ISO 9001:2015: the generic baseline
Section titled “ISO 9001:2015: the generic baseline”ISO 9001:2015 is published by ISO Technical Committee 176 (Quality management and quality assurance). It is built on Annex SL, the high-level structure (HLS) that ISO management-system standards share since 2012, and it makes risk-based thinking, process approach and leadership commitment explicit requirements.
Clause structure
Section titled “Clause structure”| Clause | Title | What it covers |
|---|---|---|
| 1 | Scope | Applicability of the standard |
| 2 | Normative references | (Empty in ISO 9001) |
| 3 | Terms and definitions | Refers to ISO 9000 vocabulary |
| 4 | Context of the organisation | External / internal issues, interested parties, QMS scope, processes |
| 5 | Leadership | Top-management commitment, quality policy, roles |
| 6 | Planning | Risks and opportunities, quality objectives, change planning |
| 7 | Support | Resources, competence, awareness, communication, documented information |
| 8 | Operation | Operational planning and control, design and development, externally provided products and services, production and service provision, release of products, control of non-conforming outputs |
| 9 | Performance evaluation | Monitoring, measurement, analysis, internal audit, management review |
| 10 | Improvement | Non-conformity and corrective action, continual improvement |
Clause 8.3 (design and development) is conditionally applicable: ISO 9001 allows an organisation to exclude it where design is not part of its scope. AS 9100 and ISO 13485 both make design controls mandatory in their respective sectors.
Certification path
Section titled “Certification path”ISO 9001 certification is delivered by certification bodies accredited under ISO/IEC 17021-1 by national accreditation bodies (UKAS in the UK, COFRAC in France, ANAB in the US, DAkkS in Germany, JAB in Japan, and so on, all members of the IAF MLA mutual-recognition arrangement). The typical cycle is a three-year certificate with annual surveillance audits and a full re-certification audit at year three. The certificate identifies the accreditation mark, the certification body, the scope of certification, the issue and expiry dates.
Status of the next revision
Section titled “Status of the next revision”ISO TC 176 has been working on the next edition of ISO 9001, commonly referenced as the 2026 edition while in draft. As of mid-2026, the working draft is not yet a published standard. Once it is published, certification bodies will define a transition period (typically three years from publication) during which ISO 9001:2015 certificates remain valid and progressively migrate to the new edition. The substance is expected to evolve on climate-change considerations, ethics and stronger interested-party engagement, but no revolution is anticipated.
AS 9100 Rev D: aerospace overlay
Section titled “AS 9100 Rev D: aerospace overlay”AS 9100 (in the US), EN 9100 (in Europe) and JISQ 9100 (in Japan) are identical technical documents published in their respective regions. Together they form the 9100 standard maintained by the IAQG (International Aerospace Quality Group). Rev D was published in 2016; Rev E is in development as of 2026, with publication expected once the revision project is closed. The 9100 family covers:
| Standard | Scope |
|---|---|
| 9100 | Aerospace QMS for manufacturers (design, production) |
| 9110 | Aerospace QMS for maintenance, repair and overhaul (MRO) organisations |
| 9120 | Aerospace QMS for stockists and distributors |
| 9101 | Audit requirements for the 9100 family |
| 9104 | Programme oversight |
| 9117 | Delegation of product verification |
What AS 9100 adds to ISO 9001
Section titled “What AS 9100 adds to ISO 9001”| Aerospace addition | Why it matters |
|---|---|
| Configuration management | Aerospace assemblies require formal configuration baselines (identification, control, status accounting, audits) that ISO 9001 does not mandate |
| Counterfeit-part prevention | Explicit clauses require a supply-chain programme to detect and avoid counterfeit components; AS 6174 and AS 5553 are commonly referenced |
| Product safety | A dedicated safety clause covering safety items and special characteristics |
| Special processes | Welding, heat treatment, non-destructive testing (NDT), surface treatments require process qualification (often Nadcap) |
| Material traceability | Forward and backward traceability of materials and components down to lot and serial |
| First Article Inspection (FAI) | Formal FAI per AS 9102 for new or changed parts |
| Risk and operational risk management | Risk integrated into project, supply chain and production decisions |
| Customer-furnished property | Specific controls for property supplied by the customer |
| Foreign object debris (FOD) | A documented FOD prevention programme |
OASIS, AATT and audit specifics
Section titled “OASIS, AATT and audit specifics”AS 9100 audits are governed by the IAQG ICOP scheme (Industry Controlled Other Party). Auditors must be qualified via the AATT (Aerospace Auditor Training and Transition). Certificates are registered in the OASIS database (Online Aerospace Supplier Information System), publicly searchable. An aerospace prime checking a supplier verifies the certificate in OASIS rather than relying on the paper certificate alone.
The audit references AS 9101 (audit requirements). Findings are graded as major or minor, with strict timelines for closure (typically 60 days for a major). A major finding can suspend the certificate. The level of evidence expected is substantially deeper than for ISO 9001, in particular on traceability, configuration baselines and special processes.
ISO 13485:2016: medical-device QMS
Section titled “ISO 13485:2016: medical-device QMS”ISO 13485:2016 is published by ISO Technical Committee 210. It is the dominant medical-device QMS internationally. The 2016 edition was last reviewed and confirmed in 2025 without modification.
ISO 13485:2016 deliberately did not migrate to Annex SL. Its structure stays close to ISO 9001:2008. This decision was taken to preserve regulatory stability for medical-device manufacturers, who rely on this QMS for placing on multiple regulated markets simultaneously.
What ISO 13485 adds to (and removes from) ISO 9001
Section titled “What ISO 13485 adds to (and removes from) ISO 9001”| Medical-device feature | Reference clause | Comment |
|---|---|---|
| Design and development controls | Clause 7.3 | Mandatory, with design plan, inputs, outputs, review, verification, validation, transfer, changes, design history file |
| Risk management linked to ISO 14971 | Multiple clauses | Risk integrated into design, supplier control, post-market surveillance |
| Document and record retention | Clause 4.2 | Longer retention rules driven by device lifetime |
| Sterile barrier validation | Clause 7.5 | Validated process for sterile devices |
| Cleanliness and contamination | Clause 6.4, 7.5 | Cleanroom controls where applicable |
| Software validation | Clause 4.1.6 and 7.5.6 | Validation of QMS-relevant software and process software |
| Complaint handling and vigilance | Clause 8.2 | Documented complaint files, vigilance reporting hooks |
| Field safety corrective actions (FSCA) | Clause 8.3 | Tied to MDR, US 21 CFR Part 806 |
| Continual improvement | Clause 8.5 | Less prescriptive than ISO 9001:2015, framed as suitability and effectiveness of the QMS |
Regulatory anchoring
Section titled “Regulatory anchoring”ISO 13485:2016 is not a regulation by itself, but it is referenced by multiple regulators:
- EU MDR 2017/745 and IVDR 2017/746: notified bodies expect a QMS aligned with ISO 13485:2016 for conformity assessment under Annexes IX, X, XI of MDR.
- US FDA QMSR: the QMSR Final Rule (published 2 February 2024, effective 2 February 2026) amends 21 CFR Part 820 to incorporate ISO 13485:2016 by reference. The legacy QSR is being phased out.
- Health Canada: MDSAP (which uses ISO 13485 as its technical baseline) has been mandatory since 1 January 2019, replacing CMDCAS.
- Brazil ANVISA, Australia TGA, Japan MHLW/PMDA: accept MDSAP audits.
See MDR for the EU regime and the medical-device deep dives for sector specifics.
MDSAP audit programme
Section titled “MDSAP audit programme”MDSAP (Medical Device Single Audit Program) is the multi-regulator audit programme operated under IMDRF coordination. A single MDSAP audit, carried out by an MDSAP-authorised auditing organisation (a subset of ISO 13485 certification bodies), satisfies the QMS audit obligations of FDA, Health Canada, ANVISA, TGA, and PMDA/MHLW. The technical reference is ISO 13485:2016, complemented by the regulatory annexes of each jurisdiction. The audit follows a defined process model: Management, Measurement, Analysis and Improvement, Design and Development, Production and Service Controls, Purchasing, plus regulator-specific tasks (Medical Device Adverse Events, Advisory Notices, Medical Device Registration).
TL 9000: telecom-sector overlay
Section titled “TL 9000: telecom-sector overlay”TL 9000 is the telecommunications QMS, originated by the QuEST Forum in the late 1990s and now maintained by the Telecommunications Industry Association (TIA) following the QuEST Forum integration into TIA in 2017. It targets equipment vendors, component manufacturers and service providers supplying network operators.
TL 9000 is a two-handbook standard:
| Handbook | Current edition | Scope |
|---|---|---|
| Quality Management System Requirements Handbook (QMS-R) | Release 6.3 (2023) | ISO 9001 embedded plus telecom-specific clauses |
| Quality Management System Measurements Handbook (QMS-M) | Release 5.5 | Telecom KPIs and reporting rules |
Telecom additions
Section titled “Telecom additions”The requirements handbook adds telecom-specific clauses around:
- Long- and short-term planning for product lifecycle.
- End-of-life (EOL) and end-of-service (EOS) notifications to customers.
- Network outage analysis and reporting.
- Configuration management of releases, patches and firmware.
- Services lifecycle and on-site installation controls.
- Software development lifecycle alignment.
Measurement handbook and the MRS
Section titled “Measurement handbook and the MRS”The measurements handbook defines a set of telecom KPIs that certified organisations must compute and report monthly to the Measurements Repository System (MRS), operated under the TL 9000 programme. Common categories include:
| KPI family | Examples |
|---|---|
| Outage measurements | Service outage frequency, outage duration, root-cause distribution |
| Hardware return / replacement | Field Replacements per Thousand (FRT), Annualised Return Rate (ARR), early returns |
| Software quality | Problem reports per million NEs (network elements), fix response time |
| Service quality | On-time delivery (OTD), on-time service performance |
| Customer-perceived | Customer complaints, escalations |
The MRS aggregates the data anonymously and produces industry benchmarks (best in class, average, worst quartile) that Tier-1 operators use in supplier evaluation. TL 9000 audits verify both that the QMS clauses are met and that the measurements are collected, defined and reported as the handbook prescribes.
TL 9000 certification is voluntary, but for several Tier-1 operators it is a contractual prerequisite for inclusion in an Approved Vendor List. The TL 9000 certificate identifies the product categories (numbered 1.x through 8.x in the standard) for which the measurements are reported, since reporting rules differ between hardware, software and services.
Stacking and integrated management systems
Section titled “Stacking and integrated management systems”Most electronics manufacturers run more than one management-system standard. The typical stack:
| Layer | Standard | Purpose |
|---|---|---|
| Quality core | ISO 9001:2015 | Substrate |
| Sector overlay | AS 9100, ISO 13485, TL 9000, IATF 16949 | Customer or regulator requirement |
| Environment | ISO 14001:2015 | Environmental management |
| Health and safety | ISO 45001:2018 | Occupational health and safety |
| Information security | ISO/IEC 27001:2022 | Information security management |
| Energy | ISO 50001:2018 | Energy management |
Annex SL was designed to allow standards built on it to share a common skeleton: ISO 9001, ISO 14001, ISO 45001, ISO/IEC 27001, ISO 50001 and AS 9100 (which embeds ISO 9001) all follow it, so a single integrated management system (IMS) can host them. ISO 13485 does not follow Annex SL: stacking it on top of an Annex SL IMS requires careful mapping rather than direct overlay.
Practical stacking patterns
Section titled “Practical stacking patterns”| Sector | Typical stack |
|---|---|
| Generic consumer electronics | ISO 9001 + ISO 14001 + ISO 45001 |
| Aerospace electronics | ISO 9001 + AS 9100 + ISO 14001 + ISO 45001 + (sometimes Nadcap for special processes) |
| Medical-device electronics | ISO 13485 + ISO 14971 (risk) + IEC 62304 (software) + IEC 60601-1 (safety) + MDSAP |
| Automotive electronics | ISO 9001 + IATF 16949 + ISO 14001 + ISO 45001 (see IATF 16949) |
| Telecom infrastructure | ISO 9001 + TL 9000 + ISO 14001 + ISO/IEC 27001 + ISO 45001 |
| Mixed (defence + civil) | Two QMS scopes, shared documentation top layer, separate operational paths |
Audit calendar consolidation
Section titled “Audit calendar consolidation”When a single certification body covers several standards in scope, it is usual practice to align surveillance audits in a combined audit that consolidates auditor days. For example, an ISO 9001 + ISO 14001 + ISO 45001 combined surveillance lasts shorter than three separate audits. AS 9100 audits cannot be fully merged with ISO 9001 (the AS 9100 certificate replaces the ISO 9001 scope where applicable), but combined audits with ISO 14001 / ISO 45001 are common. ISO 13485 audits often stay separate, in particular when an MDSAP audit is in the calendar.
Common pitfalls
Section titled “Common pitfalls”| Pitfall | Consequence |
|---|---|
| Treating ISO 9001 design and development (clause 8.3) as optional in a regulated sector | Acceptable for ISO 9001 alone, but AS 9100 and ISO 13485 make design controls mandatory; cherry-picking creates audit findings |
| Missing counterfeit-part prevention programme for AS 9100 | A major finding under AS 9100 Rev D; aerospace primes flag it during their own audits |
| Configuration management treated as ad-hoc on aerospace cable harnesses | Lack of formal configuration baselines is a recurring AS 9100 finding; documented baselines are the audit evidence |
| Late or missing MRS monthly submissions for TL 9000 | Risk to the TL 9000 certificate; some Tier-1 operators monitor MRS submission status as part of supplier scorecards |
| Confusing ISO 13485:2016 with ISO 9001:2015 structure | The two have different clause structures; an ISO 13485 file cross-referenced into an ISO 9001:2015 framework can hide mandatory clauses |
| QMSR transition delayed past February 2026 | FDA inspections after 2 February 2026 reference the QMSR; a QMS still aligned to the legacy QSR alone risks observations |
| Trying to merge ISO 13485 and ISO 9001 into a single document set | Possible in theory, costly in practice; the structural divergence usually surfaces at the next ISO 13485 audit |
| Forgetting MDSAP for the Canadian market | Mandatory since 1 January 2019; Health Canada does not accept a stand-alone ISO 13485 certificate without MDSAP |
| Ignoring OASIS verification before contracting an AS 9100 supplier | A printed AS 9100 certificate is not the source of truth; OASIS is |
| Letting design history file (ISO 13485) drift from configuration baseline (AS 9100) on dual-scope products | Documentation hygiene must reconcile both; a single product cannot have two incompatible histories |
How to choose
Section titled “How to choose”The question for an electronics manufacturer is rarely "which QMS standard?" but rather "which sector overlays do I need on top of ISO 9001?". Three short questions help:
- Who are my customers? Aerospace primes demand AS 9100. Medical-device customers (and the regulator) demand ISO 13485. Telecom operators may demand TL 9000 contractually. Automotive Tier-1s demand IATF 16949. Consumer electronics generally settle for ISO 9001.
- Do I do design and development on the product, or only manufacture against a customer file? Design controls are the largest delta between ISO 9001 (optional) and AS 9100 / ISO 13485 (mandatory). If you have a design office, expect to operate full design controls in any regulated sector.
- Is my product lifecycle long? Long-lifecycle products (aerospace, medical, telecom infrastructure) generate strong demand on configuration management, traceability, change control, end-of-life management. Generic ISO 9001 does not address those points to the same depth.
See IATF 16949 for the automotive equivalent overlay, MDR for the EU medical-device regulation that anchors ISO 13485 in Europe, and FDA 510(k), De Novo, PMA for the US medical-device routes that anchor ISO 13485 via the QMSR.
Further reading
Section titled “Further reading”- IATF 16949 automotive quality: automotive Tier-1 equivalent of AS 9100, built on top of ISO 9001
- MDR medical device regulation: EU framework that anchors ISO 13485
- FDA 510(k), De Novo, PMA: US medical routes that now reference ISO 13485 via the QMSR
- Glossary: definitions of ISO 9001, AS 9100, ISO 13485, TL 9000, MDSAP, QMSR, IAQG, OASIS, MRS
See also
Section titled “See also”- IATF 16949: automotive quality management
- Risk management: ISO 14971, IEC 31010, FMEA, FTA, HAZOP
- MDR: the EU Medical Device Regulation (2017/745)
- MDR class IIb and III: UDI, EUDAMED, NB, surveillance
Sources & references
- ISO 9001:2015 Quality management systems requirements , International Organization for Standardization www.iso.org/standard/62085.html
- ISO 13485:2016 Medical devices quality management systems , International Organization for Standardization www.iso.org/standard/59752.html
- IAQG OASIS database of AS 9100 certified suppliers , International Aerospace Quality Group www.iaqg.org/oasis/
- TL 9000 Quality Management System (QuEST Forum / TIA) , Telecommunications Industry Association www.tiaonline.org/what-we-do/quest-forum/
- FDA QMSR Final Rule (21 CFR Part 820 amendment, 2 February 2024) , US Food and Drug Administration www.federalregister.gov/documents/2024/02/02/2024-01709/medical-devices-quality-system-regulation-amendments
- MDSAP Medical Device Single Audit Program , US Food and Drug Administration / IMDRF www.fda.gov/medical-devices/cdrh-international-affairs/medical-device-single-audit-program-mdsap
- Annex SL high-level structure for management system standards , International Organization for Standardization www.iso.org/sites/directives/current/consolidated/index.xhtml
Frequently asked questions
- What is the difference between ISO 9001, AS 9100, ISO 13485 and TL 9000?
- The four standards share a common QMS skeleton (top-management commitment, document and record control, internal audit, management review, corrective and preventive action) but target different sectors. ISO 9001:2015 is the generic baseline, built on the Annex SL high-level structure and applicable to any industry. AS 9100 Rev D (2016) is the aerospace overlay, published by the IAQG (International Aerospace Quality Group): it embeds ISO 9001 word-for-word and adds aerospace-specific clauses on configuration management, counterfeit-part prevention, special processes, product safety and traceability. ISO 13485:2016 is the medical-device QMS: it deliberately did not migrate to Annex SL and adds design controls, risk management linked to ISO 14971, sterile barrier validation and post-market surveillance. TL 9000 is the telecom overlay maintained by the QuEST Forum (now part of TIA) and combines a requirements handbook with a measurements handbook reporting KPIs to a central repository (MRS).
- Can a single QMS cover ISO 9001, AS 9100 and ISO 13485 together?
- In theory yes, in practice rarely. ISO 9001 and AS 9100 share the Annex SL structure and integrate cleanly: most AS 9100-certified organisations run a single integrated management system that satisfies both standards, often extended to ISO 14001 (environment) and ISO 45001 (health and safety). ISO 13485 sits apart: it kept the ISO 9001:2008 structure and explicitly excludes some ISO 9001:2015 requirements such as continual improvement framed as a generic principle. An organisation that needs both an aerospace and a medical scope typically maintains two QMS branches with a shared top layer (policy, document control, internal audit programme) and separate operational procedures. Trying to collapse everything into a single document set usually fails at the next ISO 13485 surveillance audit.
- Is ISO 9001 mandatory for electronics manufacturers?
- ISO 9001 is not mandatory by law in the European Union or in the United States for general electronics. It is a voluntary standard, certifiable by accredited bodies under ISO/IEC 17021-1 (UKAS, COFRAC, ANAB, DAkkS, JAB and others). It is however a contractual prerequisite for many tier-1 customers and public procurement frameworks. Aerospace customers require AS 9100, medical-device customers require ISO 13485 (and the regulator does as well, through MDR or the US QMSR), telecom Tier-1 operators may require TL 9000. So the practical answer is: ISO 9001 alone is rarely sufficient for B2B electronics, but it is the entry door and the substrate on which sector overlays are added.
- What changed between ISO 9001:2008 and ISO 9001:2015, and what about 2026?
- ISO 9001:2015 introduced the Annex SL high-level structure (HLS), risk-based thinking as an explicit requirement, the "context of the organisation" clause (4) covering interested-party analysis, and a stronger emphasis on leadership commitment without the dedicated management-representative role. The process approach was made more explicit. ISO 9001:2015 remains the current edition in 2026. A revision (commonly referred to as ISO 9001:2026) is in development at ISO/TC 176. As of mid-2026 the working draft is not yet a published standard. Once published, a transition period (typically three years) is granted by accredited certification bodies. Existing ISO 9001:2015 certificates remain valid during the transition.
- Does AS 9100 certification require special auditor accreditation?
- Yes. AS 9100 audits are not delivered under the general ISO/IEC 17021-1 accreditation alone: the IAQG (International Aerospace Quality Group) runs the OASIS scheme (Online Aerospace Supplier Information System) which lists every certified aerospace supplier worldwide and the certification bodies authorised to issue AS 9100 (or EN 9100, JISQ 9100) certificates. Auditors must be qualified under the AATT (Aerospace Auditor Training and Transition) scheme. A certificate that does not appear in OASIS is not recognised by aerospace primes. The IAQG also publishes 9101 (audit requirements), 9104 (oversight) and 9117 (delegation of verification) that govern the audit programme.
- What is the status of the US FDA QMSR Final Rule and ISO 13485?
- In February 2024, the US FDA published the QMSR Final Rule (Quality Management System Regulation), which amends 21 CFR Part 820 to incorporate ISO 13485:2016 by reference. The effective date is 2 February 2026. From that date, the QSR (Quality System Regulation) as historically structured is replaced by the QMSR, and FDA inspections will be carried out against the new framework. The substance of ISO 13485:2016 is preserved, but FDA-specific provisions (definitions, labelling cross-references, complaint files, UDI) are retained. Medical- device manufacturers selling in the US must have their QMS ready against the QMSR from February 2026 onwards. MDSAP (Medical Device Single Audit Program) audits already used ISO 13485 as the technical baseline and are unaffected in structure.
- What does TL 9000 add on top of ISO 9001 for telecom suppliers?
- TL 9000 is a two-volume standard: the Quality Management System Requirements Handbook (QMS-R), currently at Release 6.3 (2023), and the Quality Management System Measurements Handbook (QMS-M), currently at Release 5.5. The requirements handbook embeds ISO 9001 and adds telecom-specific clauses (long-term planning, end-of-life management, network outage analysis, services lifecycle). The measurements handbook defines telecom KPIs reported monthly to the Measurements Repository System (MRS), in particular outage measurements (network outage frequency and duration), Field Replacements per Thousand (FRT, also known as return rate), problem reports per million, on-time delivery. The MRS aggregates these measurements anonymously and produces industry benchmarks used by Tier-1 operators in supplier evaluation.
- How is MDSAP related to ISO 13485 and is it a separate certification?
- MDSAP (Medical Device Single Audit Program) is not a separate standard: it is an audit programme that uses ISO 13485:2016 as its technical baseline plus the regulatory requirements of five participating regulators (FDA for the US, Health Canada, ANVISA for Brazil, TGA for Australia, MHLW/PMDA for Japan). A single MDSAP audit, carried out by an MDSAP- authorised auditing organisation, satisfies the QMS audit requirements of all five jurisdictions. Health Canada has required MDSAP since 1 January 2019, replacing the previous CMDCAS scheme. The other regulators accept MDSAP as an alternative or complementary path. An MDSAP certificate is typically issued alongside an ISO 13485:2016 certificate by the same auditing organisation.