Summary
- Core modules: document control, nonconformance, audits, CAPA, training, supplier/SCAR, compliance, analytics, risk, integrations.
- Map each module to recognized standards (ISO 9001, ISO 19011, ISO 31000, AS9100D, IATF 16949, FDA QMSR).
- Build in dashboards and ERP/IoT connections to make data usable.
- Most important: connect nonconformance → CAPA → training → audits for closed-loop quality.
This concise guide turns Rick Harrington Jr.’s quick video rundown into a structured checklist you can act on. A modern quality management system (QMS) should include ten modules that align with global standards and upcoming U.S. medical‑device rules. Use ISO 9001 as your baseline, audit using ISO 19011, manage risk with ISO 31000, and apply sector add‑ons like AS9100D (aerospace/defense) and IATF 16949 (automotive). For U.S. medical devices, note FDA’s Quality Management System Regulation (QMSR) takes effect February 2, 2026.
What is a QMS?
A QMS is the set of processes, roles, and records used to deliver consistent products and services and to improve over time. ISO 9001 defines the baseline requirements used across industries; sectors then add requirements (for example, AS9100D adds aerospace clauses; IATF 16949 adds automotive clauses). (iso.org, sae.org)
Definition box
- CAPA: Corrective and Preventive Action — fix the root cause and prevent recurrence.
- SCAR: Supplier Corrective Action Request — formal request to a supplier to investigate and correct a defect.
How do the 10 QMS modules work?
List each module, the purpose, and the primary standards it touches.
Document Control
A strong QMS starts with document control. Centralize policies, standard operating procedures, and work instructions so people find the right version fast. Control revisions and access to protect integrity and meet ISO 9001’s documented information requirements; sector standards inherit these rules.
Nonconformance Management
Nonconformance management comes next. Log defects and deviations, quarantine suspect material, decide the right disposition, and trend the data. This aligns with ISO 9001 on nonconforming outputs, while IATF 16949 and AS9100 add tighter traceability and containment expectations.
Audit Management
Audit management keeps the system honest. Plan your internal audits, manage checklists, track findings, and verify closure. Use ISO 19011 as the guide for building and running the audit program across the business.
CAPA (Corrective and Preventive Actions)
CAPA ties issues to improvement. Drive root‑cause analysis, implement corrective and preventive actions, and check effectiveness so problems do not return. The approach reflects ISO 9001’s improvement clauses, and FDA’s QMSR expects documented, effective CAPA.
Training Management
Training management proves competence. Assign required training from controlled documents, track completions and certifications, and show that people are qualified for the work they perform. This supports ISO 9001’s competence requirements and similar clauses in sector standards.
Supplier Management + SCAR
Supplier management, including SCARs, extends quality beyond your walls. Qualify suppliers, monitor performance, issue supplier corrective action requests when needed, and follow through to closure. ISO 9001 requires control of external providers, and IATF 16949 raises the bar for supplier oversight.
Compliance Tracking
Compliance tracking maps your procedures and records to specific requirements—ISO 9001, AS9100D, IATF 16949, and ISO 13485 for medical devices, plus FDA’s QMSR. FDA’s QMSR aligns with ISO 13485 and becomes enforceable on February 2, 2026, so plan transitions now.
Real-Time Analytics
Real‑time analytics turns records into insight. Use dashboards for scrap, defects per million, audit closure time, and SCAR aging so leaders can spot trends and act during reviews.
Risk Management
Risk management provides the common language for prioritization. Standardize how you identify, analyze, mitigate, and review risks. Follow ISO 31000 for organization‑wide guidance, and apply AS9100D’s risk‑based thinking across planning and operations.
Integrations (ERP, MES, PLM, IoT)
Finally, integrations with ERP, MES, PLM, and IoT systems remove manual work. Sync item masters, lots and batches, roles for training, and machine data to cut double entry and speed containment when issues arise.
How does rollout work?
Step 1: Centralize documents and training links.
Move controlled documents into one system and tie each role’s training to specific document versions.
Step 2: Stand up nonconformance → CAPA flow.
Define intake, risk triage, root‑cause method, effectiveness checks, and management review cadence.
Step 3: Launch audit program.
Use ISO 19011 to plan audits, set criteria, gather objective evidence, and verify corrective actions.
Step 4: Add supplier controls and SCARs.
Onboard suppliers with criteria, performance KPIs, and escalation paths tied to records.
Step 5: Integrate ERP/MES and build dashboards.
Pull lots, work orders, and downtime; publish quality KPIs for leaders to act.
Why are these modules important?
They create a closed loop: problems become data, data drives CAPA, CAPA updates documents and training, and audits verify the system. That structure is central to ISO 9001 and to sector standards like AS9100D and IATF 16949. For medical devices in the U.S., aligning now will ease the shift to FDA’s QMSR by February 2, 2026.
QMS modules vs. standards: key differences and fit
- ISO 9001: baseline requirements for any QMS; required structure for documents, competence, nonconforming outputs, improvement. (iso.org)
- ISO 19011: how to run internal audits well, including risk‑based auditing. (iso.org)
- ISO 31000: principles and process for risk; apply across modules (NCR triage, CAPA, supplier risk). (iso.org)
- AS9100D: adds aviation/space/defense requirements on top of ISO 9001. (sae.org)
- IATF 16949: automotive supplement to ISO 9001; strengthens supplier, traceability, and defect‑prevention controls. (iso.org)
- FDA QMSR: aligns with ISO 13485; effective February 2, 2026, with inspections under the new model. (fda.gov)
Common Mistakes to Avoid
- Treating CAPA as a ticket queue: missing root cause and effectiveness checks leads to repeat issues. Fix by defining acceptance criteria and post‑implementation verification. (iso.org)
- Auditing without a program: one‑off audits miss systemic risks. Build an ISO 19011‑based program and risk‑prioritize the schedule. (iso.org)
FAQ
Question: What’s the difference between nonconformance and CAPA? Answer: Nonconformance logs the issue; CAPA fixes the root cause and prevents recurrence. (iso.org)
Question: Do I need ISO 9001 certification to use these modules? Answer: No. The modules help you comply, and certification is optional. Many firms use the structure without certifying. (iso.org)
Question: How often should we run internal audits? Answer: Build an annual, risk‑based program and adjust frequency when risk or performance changes. (iso.org)
Question: What changes with FDA QMSR for medical devices? Answer: FDA aligns with ISO 13485 and will inspect to QMSR beginning February 2, 2026; QSIT is withdrawn the same day. (fda.gov)
Question: Where does risk management fit? Answer: Use ISO 31000 to embed risk in NCR triage, CAPA prioritization, supplier approval, and audit planning. (iso.org)
Question: How do aerospace and automotive differ? Answer: AS9100D and IATF 16949 add sector‑specific clauses on top of ISO 9001, especially for supplier control, traceability, and risk. (sae.org, iso.org)
Key Takeaways
- Build on ISO 9001, audit with ISO 19011, and integrate risk via ISO 31000.
- Add sector standards (AS9100D, IATF 16949) and meet FDA QMSR timelines if you make devices.
- Wire nonconformance, CAPA, training, audits, and supplier controls together; then add dashboards and system integrations.
Last Updated: September 5, 2025
Sources (all available)
- ISO 9001:2015 — Quality management systems — Requirements (International Organization for Standardization).
- ISO 19011:2018 — Guidelines for auditing management systems (International Organization for Standardization).
- ISO 31000:2018 — Risk management — Guidelines (International Organization for Standardization).
- AS9100D — Quality Management Systems for Aviation, Space, and Defense (SAE International).
- IATF 16949:2016 — Automotive Quality Management System (International Automotive Task Force; overview via ISO news release).
- FDA Quality Management System Regulation (QMSR) — Final Rule FAQ and effective date (U.S. Food and Drug Administration). (iso.org, sae.org, fda.gov)
