What is the difference between IATF 16949 and ISO 9001?

IATF 16949:2016 does not replace ISO 9001:2015, it builds on top of it. The IATF text structurally incorporates the full set of ISO 9001 requirements and adds automotive-sector requirements, identified through a mirror numbering (IATF clauses 4 to 10 reproduce the ISO 9001 clauses and append sector-specific sub-clauses). Being certified IATF 16949 therefore means complying with ISO 9001 in full plus the automotive layer (OEM CSRs, core tools, product discipline requirements, sub-tier supplier development).

Does my site need IATF 16949 certification or only ISO 9001?

The rule is set by the Rules for achieving and maintaining IATF Recognition (6th Edition, 2024). IATF 16949 certification is open to sites that manufacture parts or materials intended for the automotive industry, and that are named on an automotive customer contract. Sites that only perform design or support, without manufacturing, are not eligible for a standalone certificate, but can be covered as a remote location associated with a manufacturing site, when they carry design responsibility or quality support responsibility. Downstream subcontractors (for example an outsourced marking or sorting workshop) are managed under the certified site's responsibility through the outsourced processes requirements.

What are Customer-Specific Requirements (CSRs)?

CSRs are the additional requirements that an OEM (or its higher tier) publishes alongside IATF 16949 and ISO 9001. Each OEM (Ford, GM, Stellantis, Volkswagen, BMW, Mercedes-Benz, Toyota, Honda, and others) publishes its own CSR document, which clarifies or tightens certain requirements (PPAP run-at-rate, supplier performance metrics, escalation mechanics, software requirements, cybersecurity requirements). Each customer's CSRs are available on the IATF portal (CSR section) and are mandatory for suppliers shipping to that customer.

What are the five AIAG/VDA core tools?

APQP (Advanced Product Quality Planning), FMEA (Failure Mode and Effects Analysis), PPAP (Production Part Approval Process), MSA (Measurement Systems Analysis) and SPC (Statistical Process Control). These five methods are the IATF reference manuals, published by AIAG in the United States and by VDA in Germany. Both versions coexist, some harmonised (AIAG-VDA FMEA Handbook, 1st edition 2019) and others still specific to each association (for example VDA 6.3 for process audit, which has no strict AIAG equivalent). The applicable version is set by the end customer, often through its CSRs.

Does IATF 16949 cover functional safety (ISO 26262)?

No. IATF 16949 is a quality management standard. It requires a formal product safety management process (clause 4.4.1.2) and demands particular attention to safety characteristics, but it does not specify the methodology. For electrical and electronic components capable of causing injury, functional safety methodology is handled by ISO 26262 (V-cycle, ASIL, safety case). The two standards are complementary and applied jointly by E/E suppliers.

What is the IATF 16949 audit cycle?

The cycle is three years, per the Rules 6th Edition. The initial audit takes place in two stages (stage 1 documentary, stage 2 on-site), followed by the certification decision. In subsequent years the certificate is maintained through an annual surveillance audit, then renewed through a recertification audit at the end of the three-year cycle. Any major non-conformity left open beyond the corrective window leads to certificate suspension, and failure to close leads to withdrawal.

What is the difference between the AIAG and VDA manuals?

Historically the AIAG (Automotive Industry Action Group, United States) groups the American Big Three (Ford, GM, Stellantis) and publishes the reference manuals for the North American market. The VDA (Verband der Automobilindustrie, Germany) groups the German OEMs (Volkswagen, BMW, Mercedes-Benz, Porsche, Audi) and publishes its own manuals (VDA 6.3, VDA 6.5, Maturity Level Assurance, and others). Both references are recognised by IATF 16949. The AIAG-VDA FMEA manual, published in 2019, is the first harmonised product between the two corpora.

Does my sub-tier supplier need IATF 16949 certification?

Not necessarily. Clause 8.4.2.3 of IATF 16949 requires the certified supplier to develop its automotive sub-suppliers towards a conforming quality management system. The end target stated by the text is IATF 16949 certification, but an intermediate trajectory is accepted (ISO 9001 certified by an accredited body, then second-party audit by the direct customer, then IATF certification). The end customer may impose stricter rules through its CSRs (for example mandating ISO 9001 as a minimum from the first sub-tier level).

IATF 16949: automotive quality management

Author Hugues Orgitello Last updated 27 May 2026 ~13 min read

Guide · IATF 16949

IATF 16949:2016 is the quality management standard that applies to the global automotive supply chain. It does not exist as a standalone text, but as a sector layer built on top of ISO 9001:2015 and maintained by the International Automotive Task Force, a consortium of the major automakers and their industry associations. Certification is a contractual prerequisite for nearly every direct and indirect automotive supplier, whether they make mechanical parts, wiring, embedded electronics or battery packs. This page covers the history of the standard, its relation to ISO 9001, the certification scope, the Rules 6th Edition requirements (2024), the OEM Customer-Specific Requirements, the five AIAG/VDA core tools, and the audit cycle.

History: from ISO/TS 16949 to IATF 16949

Automotive quality discipline developed in stages, around successive national specifications.

QS-9000, published in 1994 by the American Big Three (Chrysler, Ford, General Motors), the first sector harmonisation built on ISO 9001:1994.
VDA 6.1, the German equivalent, published by VDA for the German OEMs.
AVSQ (Italy), EAQF (France, Renault and PSA), national European specifications.
ISO/TS 16949:1999, first attempt at international harmonisation under the joint auspices of ISO and IATF, incorporating ISO 9001:1994 augmented with consolidated automotive requirements. Revised in 2002 (aligned with ISO 9001:2000) and in 2009 (aligned with ISO 9001:2008).
IATF 16949:2016, published on 1 October 2016, replacing ISO/TS 16949:2009. The prefix change (IATF instead of ISO/TS) reflects an institutional shift, the standard is no longer published by ISO but directly by IATF, even though it still rests structurally on ISO 9001:2015. The transition to IATF 16949:2016 was completed by end 2018.

The standard text itself has not undergone a major revision since 2016. The Rules for achieving and maintaining IATF Recognition, which frame the certification scheme, have been reissued several times. The current edition is the 6th Edition, published in 2024, which clarifies in particular the requirements on remote locations, remote audits, and sanctions for major non-conformities.

The layered architecture: ISO 9001, then IATF 16949, then CSRs

Automotive quality requirements stack in three concentric layers.

Layer	Reference	Origin	Audited by
Generic baseline	ISO 9001:2015	ISO	Accredited certification body
Automotive layer	IATF 16949:2016	IATF	IATF-recognised certification body
Customer layer	CSRs (Customer-Specific Requirements)	OEM (Ford, GM, Stellantis, VW, BMW, Toyota, Honda, and others)	Direct customer (second-party audit)

The IATF 16949 certificate attests conformity for the first two layers. The third (the CSRs) is not certifiable as such by a third-party body, but it is verified during the IATF audit, since the Rules 6th Edition require the auditor to account for the CSRs applicable to the audited site's customers. A non-conformity against a customer CSR is treated as a non-conformity against IATF 16949.

This layered architecture explains why a supplier can be rejected by an OEM while still holding a valid IATF certificate, where the rejection rests on a specific CSR requirement not yet caught by their certification body.

Certification scope: who can be certified

The Rules 6th Edition define precisely the scope eligible for IATF 16949 certification. The governing principle is that certification applies to sites that manufacture parts or materials intended for the automotive industry.

Manufacturing sites

Eligible sites perform at least one manufacturing operation among those listed in the Rules: machining, forming, surface treatment, assembly, test, commissioning, and so on. A site is evaluated for each manufacturing process it operates. A site that does only final assembly need not cover the machining operations it subcontracts elsewhere, but it remains accountable for those outsourced processes under clause 8.4 of the standard.

The site boundary is defined geographically and operationally. Two adjacent buildings under the same legal entity but with distinct quality systems are treated as two sites and require two separate certificates. Conversely, a single site that operates two product lines for two different customer segments is covered by a single certificate, with both segments listed in the scope statement.

Remote locations

Remote locations are sites that support manufacturing without manufacturing themselves: design centres (R&D), quality support centres, logistics hubs, customer service centres. A remote location cannot obtain its own certificate, but is covered by the certificate of one or more associated manufacturing sites. The certificate scope then lists the main site and its associated remote locations.

This rule has a practical consequence for design centres. An automotive design office holding design responsibility for a product delivered by a manufacturing site can be certified as a remote location of that site. A pure design office that does not manufacture and is not associated with a manufacturing site has no access to IATF certification, and remains confined to ISO 9001.

Exclusions

The Rules 6th Edition list cases excluded from the IATF 16949 scope, including:

aftermarket parts manufacturers (non-OEM aftermarket) that do not supply OEMs or their chain,
heavy commercial vehicle parts manufacturers outside the IATF scope (the heavy commercial vehicle scope varies by region and OEM, case-by-case verification is needed),
manufacturers of parts supplied to non-automotive sub-systems,
pure distributors without any transformation step.

Articulating IATF 16949 and ISO 9001

The IATF 16949:2016 text mirrors the chapter architecture of ISO 9001:2015, with mirror numbering.

Chapter	ISO 9001 title	IATF-specific additions
4	Context of the organisation	Product and process conformity to customer requirements, classification of special processes
5	Leadership	Product responsibility, discipline requirements, safety risk prevention
6	Planning	Supply chain risks, contingency plans (business continuity, recovery plans)
7	Support	Laboratory control (internal and external), internal auditor competency, identification of special characteristics
8	Operation	APQP, FMEA, PPAP, change control, product traceability, outsourced process management
9	Performance evaluation	Process audits (for example VDA 6.3 or equivalent) in addition to system audits, customer scorecard metrics (OEE, ppm, delivery)
10	Improvement	Reaction to customer non-conformities, structured root cause analysis, problem solving discipline

This mirror numbering means IATF 16949 cannot be read in isolation, the official text is a combined edition that presents ISO 9001 and the IATF additions side by side. Mastery of both is mandatory.

The five core tools (AIAG/VDA)

The core tools are the five quality methods that any IATF-certified supplier must be able to operate. They are described in reference manuals published by AIAG (United States) and VDA (Germany).

Core tool	Purpose	AIAG manual	VDA manual
APQP (Advanced Product Quality Planning)	Five-phase quality planning cycle from concept through series launch	APQP, 2nd edition (2008)	VDA Maturity Level Assurance for New Parts
FMEA (Failure Mode and Effects Analysis)	Systematic analysis of failure modes (Design FMEA and Process FMEA)	AIAG-VDA FMEA Handbook, 1st edition (2019), harmonised	AIAG-VDA FMEA Handbook (joint)
PPAP (Production Part Approval Process)	Part validation file before series launch, submission levels 1 to 5	PPAP, 4th edition (2006)	VDA 2, Quality Assurance for Supplies (PPF)
MSA (Measurement Systems Analysis)	Analysis of measurement systems, repeatability and reproducibility studies (R&R)	MSA, 4th edition (2010)	VDA Volume 5, Capability of Measurement Processes
SPC (Statistical Process Control)	Statistical process control, Cp/Cpk and Pp/Ppk capability, control charts	SPC, 2nd edition (2005)	VDA Volume 4, Quality Assurance in the Process Landscape

The end customer chooses the applicable reference (AIAG or VDA) and states it in its CSRs. For a supplier exposed to several OEMs, mastering both reference sets in parallel is common practice and weighs on internal training.

The AIAG-VDA FMEA harmonisation, published in 2019, is the first tangible result of a convergence effort engaged between the two associations. The method shifts from a historical RPN logic (Risk Priority Number) toward an Action Priority (AP) logic based on three factors (severity, occurrence, detection) without numeric multiplication. Suppliers facing this transition must check in each customer's CSRs which FMEA version is mandated, since some OEMs have made the new method mandatory while others retain the historical RPN method for legacy projects.

Customer-Specific Requirements (CSRs)

The CSRs are the third requirement layer, specific to each OEM. The IATF portal maintains a directory of CSRs published by member OEMs and by some higher-tier suppliers (tier 1).

Examples of CSRs

Without being exhaustive, the CSRs typically cover:

supplier performance metrics tracked by the customer (ppm rate, IPPM, OTD, scorecard score, severity of quality incidents),
PPAP rules specific to the customer (default submission level, situations triggering a re-PPAP, run-at-rate requirements, sampling requirements),
escalation rules in case of quality drift (controlled shipping level 1 and 2, customer-controlled containment),
software requirements, generally by reference to Automotive SPICE for electronic-software developments,
cybersecurity requirements, by reference to ISO/SAE 21434 and to UN-R 155 requirements,
functional safety requirements, by reference to ISO 26262 for E/E components,
material and substance requirements, notably IMDS (International Material Data System) and reporting rules under REACH or GADSL.

Ford Q1, GM BIQS, Stellantis SQE

Beyond their CSRs, several OEMs publish supplier qualification programs that extend past plain IATF certification. Ford Q1, GM BIQS, Stellantis Supplier Quality Excellence are examples. Holding an IATF certificate is a prerequisite for access to these programs, but is not sufficient on its own, the programs add their own audits and target metrics.

Requirement hierarchy

In case of divergence between IATF 16949, ISO 9001 and a customer CSR, the end customer prevails. A CSR can impose a stricter requirement than the standard, but never a more lenient one. When a CSR introduces a requirement that contradicts IATF 16949, the supplier formally raises a waiver request with the customer, and the decision is traced.

In practice, a supplier shipping to several OEMs has to maintain a matrix that maps each CSR clause to its internal procedure or work instruction. The matrix is reviewed when a CSR is updated (CSR updates are announced on the IATF portal) and during the supplier's internal audit cycle. The auditor checks both the matrix and a sample of records during the IATF audit.

Articulation with ISO 26262 and ISO/SAE 21434

IATF 16949 is a quality management standard, generic across automotive parts and systems. For electrical and electronic (E/E) components, two complementary standards structure in parallel the safety and cybersecurity disciplines.

Standard	Subject	Target
IATF 16949:2016	Quality management	All automotive suppliers
ISO 26262	Functional Safety	E/E systems capable of causing injury
ISO/SAE 21434	Automotive Cybersecurity Engineering	E/E systems exposed to cyber threats

The three standards coexist and do not substitute for one another. A supplier of an ECU responsible for safety-critical functions must therefore:

be certified IATF 16949 for its quality management system,
develop under ISO 26262 for the safety functions, with a dedicated V-cycle and ASIL allocation,
develop under ISO/SAE 21434 for cybersecurity, and meet the regulatory UN-R 155 requirements on the CSMS (Cybersecurity Management System) if the product is intended for a vehicle homologated under WP.29,
meet the customer CSRs for all three disciplines.

The ISO 26262 guide covers safety in detail and will get a dedicated page. Automotive cybersecurity (ISO/SAE 21434 and UN-R 155) will be covered separately.

IATF 16949 audit cycle

The Rules 6th Edition set a three-year cycle, in three phases.

Initial certification

The initial certification proceeds in two stages, stage 1 documentary and stage 2 on-site.

Stage 1: documentary review of the quality system, verification of eligibility (manufacturing site or associated remote location status, eligible automotive scope), evaluation of readiness for the stage 2 audit. Typically performed remotely or on-site several weeks before stage 2.
Stage 2: on-site audit of the actual operation of the quality system. Covers all site processes, application of each customer's CSRs, deployment of the core tools and the conformity of artefacts (PPAP, FMEA, control plans, PSO files). Lasts several days according to the site size (the minimum audit time is computed from a formula in the Rules, based on full-time-equivalent employee count).

After stage 2, the auditor issues a report and the certification body's decision committee grants or denies certification. Any major non-conformity detected must be closed before the certificate is issued. Minor non-conformities follow a corrective action plan tracked by the certification body.

Surveillance and recertification

After initial certification, the three-year cycle proceeds with:

a surveillance audit each year (year 1 and year 2), generally shorter than the initial audit, covering a sampled scope and mandatorily the critical processes (4.4.1.2 product safety, customer satisfaction, internal audits, management review),
a recertification audit during year 3, comparable in duration to the initial stage 2, covering the full system again.

The certificate is issued for three years, subject to continued conformity and closure of non-conformities within deadlines.

Sanctions

The Rules 6th Edition provide a strict sanction mechanism.

Major non-conformity not closed within the deadline: certificate suspension (typically 90 days).
Suspension not lifted: certificate withdrawal.
Special cases (non-cooperation, documentation fraud, audit refusal): immediate withdrawal and signalling to the IATF portal.

A suspended or withdrawn certificate becomes visible on the IATF database, and customers can rely on it in their supplier evaluation.

IATF auditors and certification bodies

IATF 16949 certification can only be issued by a Certification Body (CB) recognised by IATF. Recognition is conditional on accreditation by a national member body of IAF (for example ANAB in the United States, COFRAC in France, DAkkS in Germany, UKAS in the United Kingdom), and on specific IATF recognition after surveillance audit by IATF Oversight.

IATF auditors themselves must be qualified under a dedicated scheme (3rd Party Auditor Qualification). Qualification requires minimum automotive industry experience, a written examination, a witness audit, and maintenance through audits performed each year. Qualification levels differentiate between auditor, lead auditor, and veteran (experienced auditor with extended qualifications).

This reinforced auditor qualification requirement is one of the notable differences with ordinary ISO 9001 schemes, where auditor qualification is more generic and less centrally controlled.

Transitions and coexistence periods

The transition from one version to the next follows a protocol published by IATF.

Transition from ISO/TS 16949:2009 to IATF 16949:2016: completed by end 2018, no ISO/TS certificate remains valid.
Rules updates (5th to 6th Edition): do not require a specific re-audit, but new audits are performed under the new Rules edition from the application date announced by IATF (date specified in the Rules document).
Sanctioned Interpretations (SI) updates: IATF issues numbered SIs that clarify or modify the interpretation of certain clauses. They apply immediately or with a short notice and are kept up to date on the IATF portal.

It is the certified supplier's responsibility to monitor these evolutions and adapt its quality system accordingly. A non-conformity may be raised if a SI is not applied.

Common field pitfalls

Without being exhaustive, several pitfalls recur on audit.

Confusion between ISO 9001 and IATF 16949. Holding an ISO 9001 certificate does not grant access to the automotive market. New-entrant suppliers often underestimate the coverage gap (and audit cost gap).
Disregard of CSRs. The CSR layer is often deprioritised during initial certification, but is a frequent reason for non-conformity and customer rejection at series launch.
Incomplete PPAP. A PPAP file submitted at level 3 (default) but with PSWs (Part Submission Warrants) signed before closure of corrective actions is a classic PPAP failure.
Static FMEA. A FMEA treated as a one-shot launch document, not revised in feedback loops after field incidents, is non-conforming to the AIAG-VDA FMEA Handbook spirit.
Sloppy MSA. A R&R study conducted with non-representative operators, or without a sound experimental plan, biases downstream SPC capability. A recurring audit finding.
Formal but unrehearsed contingency plan. Clause 6.1.2.3 requires a continuity plan, and the audit verifies that the plan is exercised periodically, not just documented.
Misdeclared remote location. A design-responsible engineering office not declared as a remote location associated with a manufacturing site may compromise the certificate scope at the next surveillance audit.

IATF 16949: automotive quality management

History: from ISO/TS 16949 to IATF 16949

The layered architecture: ISO 9001, then IATF 16949, then CSRs

Certification scope: who can be certified

Manufacturing sites

Remote locations

Exclusions

Articulating IATF 16949 and ISO 9001

The five core tools (AIAG/VDA)

See also

Customer-Specific Requirements (CSRs)

Examples of CSRs

Ford Q1, GM BIQS, Stellantis SQE

Requirement hierarchy

Articulation with ISO 26262 and ISO/SAE 21434

IATF 16949 audit cycle

Initial certification

Surveillance and recertification

Sanctions

IATF auditors and certification bodies

Transitions and coexistence periods

Common field pitfalls

Further reading