ISO 9001 is the generalist certification — a baseline that tells you a manufacturer has a documented quality management system. For buyers in regulated industries or highly demanding supply chains, ISO 9001 is the floor, not the ceiling. The certifications that actually differentiate qualified from unqualified suppliers in aerospace, automotive, defense, food, and medical manufacturing are sector-specific, harder to obtain, and more rigorous to maintain.

Understanding these certifications — what they require, what they actually tell you, and how to verify them — is a procurement competency that matters when the stakes of a supplier failure are high.

Aerospace: AS9100 and AS9102

AS9100 is the aerospace quality management system standard, developed by the International Aerospace Quality Group (IAQG). It incorporates all of ISO 9001’s requirements and adds aerospace-specific requirements: configuration management, counterfeit parts prevention, risk management, first-article inspection, and key characteristics management.

AS9100 certification is a baseline requirement to supply most aerospace OEMs and Tier 1 suppliers. The aerospace supply chain has a strong culture of customer-directed supplier quality requirements — your customer’s customer may specify AS9100 as a condition of their own contract.

Verification: The OASIS database (searchable at oasis.sae.org) maintained by IAQG is the authoritative verification source for AS9100 certification. Verify the CAGE code, certification scope, and expiration date. AS9100 scope statements are more granular than ISO 9001 — verify that the scope covers the specific product categories and processes in your supply relationship.

AS9102 is the first-article inspection (FAI) standard in aerospace. Rather than a certification, it is a process standard defining what must be documented and verified in a first-article inspection. Buyers should require AS9102-compliant FAI reports for new aerospace part introductions.

NADCAP (National Aerospace and Defense Contractors Accreditation Program) accreditation covers special processes (heat treatment, chemical processing, non-destructive testing, welding) that are not directly covered by AS9100. NADCAP accreditation is maintained at the process level. A supplier that is AS9100-certified but not NADCAP-accredited for heat treatment cannot self-certify that process for aerospace applications. Verification is through the Performance Review Institute’s database (eAuditNet).

Automotive: IATF 16949

IATF 16949 is the automotive quality management standard, published by the International Automotive Task Force. Like AS9100, it incorporates ISO 9001 and adds automotive-specific requirements: advanced product quality planning (APQP), production part approval process (PPAP), measurement system analysis (MSA), statistical process control (SPC), and failure mode and effects analysis (FMEA).

IATF 16949 certification is effectively mandatory for suppliers to automotive OEMs and Tier 1 suppliers in most markets. The standard requires customers (OEMs or Tier 1 suppliers) to specify supplier quality requirements, which then flow down to sub-tier suppliers.

Verification: The IATF’s publicly searchable certificate database (iatfglobaloversight.org) verifies current certifications by supplier name, CAGE code, and location. The scope statement in an IATF 16949 certificate specifies which plant locations and product categories are covered.

PPAP (Production Part Approval Process) — as covered in the quality control methods guide — is the automotive supplier approval process that works in conjunction with IATF 16949. PPAP documents demonstrate that the manufacturing process is capable of producing parts meeting design requirements. Buyers requiring PPAP should specify the PPAP level required in the purchase order.

Core tools training. The AIAG automotive core tools (APQP, PPAP, MSA, SPC, FMEA) have associated training certifications. Suppliers whose quality engineers hold AIAG core tools certifications have demonstrated training investment that complements the IATF 16949 quality system certification.

Defense: ITAR, CMMC, and MIL-SPEC

ITAR (International Traffic in Arms Regulations) registration is required for manufacturers of defense articles and defense services defined in the U.S. Munitions List. ITAR registration is administered by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC). It is not a quality certification — it is a regulatory registration that restricts who can access, manufacture, and export controlled military technology.

For buyers sourcing defense components, verifying that a supplier is ITAR-registered and compliant is a legal obligation. ITAR violations carry criminal and civil penalties for both the manufacturer and the buyer. Verification is through the DDTC’s publicly accessible registration database.

CMMC (Cybersecurity Maturity Model Certification) is a Department of Defense certification framework for cybersecurity practices applicable to the Defense Industrial Base. As of current implementation, CMMC Level 2 (based on NIST SP 800-171) applies to suppliers handling Controlled Unclassified Information (CUI). CMMC is becoming a contractual requirement in DoD procurements. Verification is through the CMMC Accreditation Body’s marketplace.

MIL-SPEC compliance refers to conformance with specific military specifications for products — materials, components, or processes. MIL-SPEC is not a certification body but a set of standards; conformance is demonstrated through qualification testing and sometimes qualification approval list (QPL) inclusion. For defense procurement, specifying MIL-SPEC requirements and verifying compliance through test reports and QPL status is part of the sourcing process.

Food and Beverage: SQF, FSSC 22000, BRC, and FSMA

Food manufacturing regulatory and certification requirements are particularly complex because they involve both private certification schemes and federal regulatory requirements.

FDA FSMA Registration. The Food Safety Modernization Act requires food manufacturers supplying the U.S. market to register with the FDA. Buyer importers may be subject to the Foreign Supplier Verification Program (FSVP), which requires documented supplier verification activities. The FDA’s Food Facility Registration database allows verification of supplier registration status.

GFSI-recognized certification schemes. The Global Food Safety Initiative has benchmarked several private food safety certification schemes as equivalent in rigor. The major GFSI-recognized certifications:

  • SQF (Safe Quality Food): Published by the Food Marketing Institute, widely adopted in the U.S. retail supply chain.
  • FSSC 22000: Combines ISO 22000 (food safety management) with additional technical specifications. Widely recognized in international food supply chains.
  • BRC Global Standards: Originated in UK retail, widely used in food and consumer goods globally.
  • BRCGS (BRC Global Standard for Food Safety): The current iteration of BRC’s food safety standard.

Most major food retailers and food service companies require GFSI-recognized certification from their direct suppliers. Verification is through the certification body’s public databases or the GFSI’s benchmarked program lookup.

Medical Devices: ISO 13485

ISO 13485 is the quality management standard for medical device manufacturers. It incorporates many ISO 9001 elements but adapts them specifically for regulatory compliance in medical device manufacturing — design and development controls, risk management (per ISO 14971), sterile product controls, and traceability requirements.

ISO 13485 certification is not equivalent to FDA approval or clearance. Device approval is handled through the FDA’s 510(k), PMA, or other regulatory pathways. ISO 13485 certification is a quality system certification — it certifies the management system, not the device.

Verification: ISO 13485 certifications are verified through the issuing registrar’s database. Unlike aerospace (OASIS) or automotive (IATF global database), there is no single central database for ISO 13485; each registrar maintains its own certificate search.

FDA Quality System Regulation (21 CFR Part 820) applies to U.S. medical device manufacturers and is harmonized with ISO 13485. For manufacturers selling medical devices in the U.S., FDA registration and compliance with 21 CFR Part 820 are required in addition to ISO 13485 certification for the international market.

Electronics: IPC Standards

IPC certifications cover quality standards for electronic assemblies:

  • IPC-A-610 (Acceptability of Electronic Assemblies): The most widely used quality standard for evaluating the workmanship of electronic assemblies. Buyers can specify IPC-A-610 class requirements (Class 1, 2, or 3) in their purchase orders, with Class 3 being the most stringent (applicable to life-sustaining and critical systems).
  • IPC/WHMA-A-620 (Requirements and Acceptance for Cable and Wire Harness Assemblies): The equivalent standard for cable and wire harness assemblies.
  • IPC-J-STD-001 (Requirements for Soldering): The soldering quality standard.

IPC certifications cover both the standards and the training certification for individuals: CIS (Certified IPC Specialist), CIT (Certified IPC Trainer). Buyers can require that electronics assembly suppliers maintain certified IPC trainers on staff and that operators working on their products are IPC-certified.

Verification: IPC’s website (ipc.org) allows verification of IPC-certified training providers. Individual operator certifications are maintained by the certifying facility.

How to Use These Certifications in Supplier Qualification

The practical application of industry-specific certifications in procurement:

Set certification requirements as qualification gates. In the sourcing process, specify which certifications are required for consideration. This filters the qualified supplier pool to those who have already demonstrated the relevant quality system maturity.

Verify, do not accept. Use the verification databases for each certification type — do not rely on certificate documents alone. Verify current certification status, scope coverage, and facility applicability.

Understand scope limitations. Certification scope is not company-wide. A manufacturer certified at one facility is not automatically certified at all locations. A scope covering one product category does not cover all categories. Verify that the certificate scope covers your specific supply relationship.

Use certification as a filter, not a guarantee. As discussed in the ISO 9001 certification guide, certification certifies the quality management system process, not the output quality. Certification combined with customer quality audits and performance data produces a more complete supplier quality picture than certification alone.

Frequently Asked Questions

Can a supplier have ISO 9001 but not AS9100 and still supply to aerospace?

ISO 9001 is a prerequisite for AS9100 but not a substitute. Aerospace OEMs and Tier 1 suppliers require AS9100 certification for direct suppliers of safety-critical components. Suppliers of non-critical commercial off-the-shelf (COTS) products to aerospace customers may operate under ISO 9001, depending on the customer’s specific requirements. Check the customer’s supplier quality requirements — they specify which standard is required for each category.

How long is each certification valid before renewal?

Most management system certifications (ISO 9001, AS9100, IATF 16949, ISO 13485) operate on a three-year certification cycle with annual surveillance audits. Certifications are suspended or withdrawn if surveillance audits reveal significant nonconformances. IATF 16949 has specific provisions for withdrawal that are more stringent than general ISO standards.

If a supplier is IATF 16949 certified for automotive, does that qualify them for aerospace work?

Not automatically. IATF 16949 and AS9100 have significant overlap but different specific requirements. An IATF 16949 supplier transitioning to aerospace supply needs AS9100 certification in addition. The quality management maturity demonstrated by IATF 16949 certification does, however, provide a strong foundation for AS9100 certification — many suppliers hold both.

How do GFSI certifications interact with FDA regulatory requirements for food suppliers?

They operate in parallel, not as substitutes. GFSI-recognized certification (SQF, FSSC 22000, BRC) certifies the food safety management system under a private scheme. FDA requirements (registration, FSMA compliance, FSVP for importers) are regulatory obligations independent of private certification status. A food facility can hold GFSI certification without being FSMA-compliant, and vice versa. Both are required for suppliers to most major U.S. food retailers.

What is a Qualified Products List (QPL) and when does it matter?

A Qualified Products List is a list of products (and their manufacturers) that have been pre-tested and approved to meet a specific specification — typically a military specification (MIL-SPEC) or a government agency standard. QPL inclusion means the product has been tested to the specification by an accredited test facility and approved before procurement. Defense buyers often require QPL-listed products rather than testing every supplier’s product independently.
