Quality Assurance: Standards Overview
Quality assurance (QA) encompasses the systematic processes, frameworks, and regulatory requirements that organizations use to ensure products and services consistently meet defined specifications. This reference covers the structural landscape of QA standards — the bodies that issue them, how compliance mechanisms function, where sector-specific variants diverge, and how practitioners and organizations determine which frameworks apply to a given operational context. The field is governed by interlocking national and international standards bodies, federal agency mandates, and industry-specific codes that collectively define minimum acceptable practice across manufacturing, healthcare, software development, food production, and defense contracting.
Definition and scope
Quality assurance, as defined by the American Society for Quality (ASQ), refers to the planned and systematic activities implemented in a quality system so that quality requirements for a product or service will be fulfilled. This definition distinguishes QA from quality control (QC): QA is process-oriented and preventive; QC is product-oriented and detection-based.
The formal scope of QA standards spans three primary tiers:
- International standards — Issued by the International Organization for Standardization (ISO), most notably ISO 9001, which specifies requirements for a quality management system (QMS). ISO 9001:2015, the current revision, applies across industries and has been adopted by over 1 million organizations in more than 170 countries (ISO Central Secretariat data).
- National standards — In the United States, the American National Standards Institute (ANSI) coordinates voluntary consensus standards. ANSI-accredited standards developers, including ASQ, produce sector-specific QA codes. See ANSI Standards for a detailed breakdown.
- Regulatory mandates — Federal agencies impose QA requirements through statute and rule. The Food and Drug Administration (FDA) enforces 21 CFR Part 820 (Quality System Regulation) for medical devices; the Federal Aviation Administration (FAA) references AS9100 for aviation suppliers; the Department of Defense (DoD) applies MIL-Q-9858 lineage requirements through acquisition regulations.
The Capability Maturity Model Integration (CMMI) framework, maintained by the CMMI Institute, extends QA principles into software and services through a five-level maturity scale measuring process capability from Initial (Level 1) to Optimizing (Level 5).
How it works
A functioning QA system operates through four discrete phases, consistent with the Plan-Do-Check-Act (PDCA) cycle formalized in ISO 9001:
- Planning — Organizations establish quality objectives, define process parameters, and identify applicable standards and regulatory requirements. A quality manual serves as the foundational document linking policy to procedures.
- Implementation — Documented procedures are executed across production, procurement, and service delivery. This phase includes supplier qualification, incoming inspection, and statistical process control (SPC) methods drawn from standards such as AIAG's Measurement System Analysis (MSA) manual.
- Verification and audit — Internal audits and third-party audits assess conformance against the defined QMS. Registrar-conducted audits for ISO 9001 certification follow a two-stage process: Stage 1 (documentation review) and Stage 2 (on-site assessment). Audit findings are classified as major nonconformances, minor nonconformances, or observations, per ISO 19011:2018 guidelines on auditing management systems.
- Corrective and continual improvement action — Nonconformances trigger corrective action workflows. Root cause analysis methods — including 8D, Fishbone (Ishikawa), and 5-Why — are applied before corrective actions are verified as effective.
The regulatory framework governing these phases varies by sector but consistently requires documented evidence of each phase's execution, preserved under defined record retention schedules.
Common scenarios
QA standards application diverges significantly by industry sector. Four high-volume scenarios illustrate the classification boundaries:
Medical devices — FDA 21 CFR Part 820 mandates a documented QMS for device manufacturers. The FDA's Quality System Regulation aligns substantially with ISO 13485:2016, the sector-specific medical device QMS standard issued by ISO Technical Committee 210. Non-compliance carries enforcement actions including warning letters, consent decrees, and injunctions.
Aerospace and defense — AS9100 Rev D (issued by the International Aerospace Quality Group, IAQG) extends ISO 9001 requirements with 130+ aerospace-specific additions covering configuration management, first article inspection, and counterfeit part prevention. Prime contractors typically flow AS9100 certification requirements down to all Tier 2 and Tier 3 suppliers through contract clauses.
Software development — ISO/IEC 25010:2011 defines a software product quality model with 8 quality characteristics. CMMI-DEV provides process area guidance for development organizations. The software standards landscape also includes IEEE 730 (Software Quality Assurance Processes) for safety-critical systems.
Food safety — The FDA Food Safety Modernization Act (FSMA), enacted in 2011, shifted US food safety regulation from reactive to preventive. FSMA-compliant QA systems reference Hazard Analysis and Critical Control Points (HACCP) principles codified in 21 CFR Part 120 and Part 123.
Decision boundaries
Determining which QA standard governs a given operation depends on three factors that must be evaluated in sequence:
- Regulatory mandate — Federal or state law may specify a standard directly (e.g., FDA 21 CFR Part 820, FAA AC 120-16). Regulatory mandates take precedence over voluntary standards. The applicable federal requirements are catalogued at Federal Requirements.
- Customer or contractual requirement — In the absence of a statutory mandate, customers — particularly in defense, automotive (IATF 16949), and aerospace supply chains — often specify certification to a named standard as a contract condition. This transforms a voluntary standard into a binding obligation.
- Industry sector baseline — Where neither regulation nor contract specifies a standard, organizations typically align to the dominant voluntary consensus standard for their sector. ISO 9001 functions as the cross-industry baseline, with sector-specific extensions (ISO 13485, AS9100, IATF 16949) layering additional requirements on top.
The distinction between QA standards that require third-party certification and those that require only self-declaration is operationally significant. ISO 9001 permits self-declaration of conformity under ISO/IEC 17050-1, but most supply chain and regulatory contexts require third-party certification through an accredited certification body, verified against ISO/IEC 17021-1 conformity assessment requirements. Certification requirements detail the accreditation body landscape and certification body selection criteria.