Certification & Compliance FAQ

What is ISO 14001 environmental management?
ISO 14001 is the global standard for Environmental Management Systems (EMS), helping organisations systematically control environmental impacts.

Why implement ISO 14001 for sustainability?
Benefits include reduced waste and energy use, lower risk of fines, stronger ESG credentials, and alignment with customer sustainability goals.  This is often required in European and Asian markets and can be differentiator for your business.

What are environmental aspects and impacts?
Aspects are elements of your activities that interact with the environment (e.g., emissions). Impacts are the changes that result (e.g., pollution).

What documents are required for ISO 14001 compliance?
Environmental Policy, Aspect/Impact Register, Legal Register, Emergency Plans, Monitoring Records, Corrective‑Action Logs, Internal Audit Reports, Management Review Minutes.

What deliverables does Ledge Inc. offer for ISO 14001?
Complete EMS documentation, awareness training, audit prep, and certification‑body selection support.

Can ISO 14001 be integrated with ISO 9001?
Absolutely—both share the Annex SL structure and can operate under a single integrated management system.  We can help you to understand when this is appropriate for your systems.

How long does ISO 14001 implementation take?
Standalone EMS: 6–12 months. Integrated with ISO 9001: 3–6 months thanks to overlapping requirements.

What is an Integrated Management System (IMS)?
An IMS merges multiple Annex SL‑based standards (ISO 9001, 14001, 45001, etc.) into one streamlined system.

What are the benefits of integration?
Fewer documents, combined audits, unified metrics, and less administrative overhead.

Which standards can be integrated under Annex SL?
ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 13485, ISO 50001, and more.

What does Ledge Inc. provide for IMS projects?
Integrated policy & manual, harmonised procedures, shared risk registers, audit templates, and certification support.

Can we integrate with existing systems?
Yes—our roadmap preserves what works while merging overlapping controls.

What is a Fractional Quality Manager?
A part‑time quality leader who provides strategic direction, implementation muscle, and ongoing compliance guidance without the cost of full‑time staff.  They can help with things like contract review, non-conformance investigation, corrective action guidance, continual improvement activities and more.

What types of consulting services does Ledge Inc. offer?
QMS implementation for multiple standards, QMS/EMS design, process mapping, root‑cause analysis, supplier onboarding, and digital tool integration.

Who benefits from fractional services?
Small‑to‑mid‑size firms without in‑house quality teams, companies facing tight certification deadlines, and organisations in rapid growth.  Companies that are in between quality managers or trying to better define the scope of that role.  Our team is often brought in when companies are developing new QC leadership where our team can serve as a mentor and help to prepare their next quality leaders.

How are services delivered?
On‑site, remote, or hybrid—project‑based or ongoing—with a dedicated consultant as your single point of contact.

What is an internal audit for ISO & industry standards?
A systematic, independent review that tests your management system against standard requirements and your own procedures.

Why outsource internal audits to Ledge Inc.?
Eliminate conflicts of interest, gain fresh insight, reduce staff burden, and improve audit quality.  Often teams are too busy to do a sufficient audit or they don’t have the experience to identify issues.  Our team can ensure you completed your audits for the year in an efficient manner and avoid just checking the box.  

What types of audits do you perform?
ISO 9001, ISO 14001, AS9100, ISO 13485, ISO 17025, ISO 45001, AISC fabrication & erection, supplier audits, and custom process audits.  We can also help with items around food safety and NADCAP requirements.  

What’s included in an outsourced audit package?
Pre‑audit planning, on‑site evidence collection, detailed findings report, corrective‑action support, and leadership summary.

How long do internal audits take?
Duration depends on employee count, sites, and audit scope; we right‑size the schedule to your needs, your audit plan and your goals.  

Can Ledge Inc. help with Stage 1, Stage 2, and surveillance audit prep?
Yes—we perform readiness assessments, gap analyses, corrective‑action planning, and coaching throughout the certification cycle.

How do I choose the right certification body (registrar) for ISO, AS, or CMMC?
Prioritise accreditation (e.g., ANAB, UKAS), industry expertise, auditor competence, global reach, transparent pricing, and quick report turnaround. Short‑list at least three bodies and compare audit‑day estimates, travel fees, and scheduling lead times.  Look for registrars with responsive teams and remember you are the customer, make sure you’re getting the service level that should be delivered.  Hold the registrar to the same standards that you would expect to deliver to a customer.

Does the registrar have to be accredited?
Yes—accreditation under ISO/IEC 17021 (or 17065 for product schemes) ensures your certificate is internationally recognised and trusted by customers.  There are companies that offer non-accredited certificates, which are often not looked highly upon by your customers.

Do I need to purchase official copies of ISO or AS standards?
Yes—copyright law requires each organisation to own a licensed copy for internal use. Buying a standard also guarantees you have the latest, error‑corrected edition.

Where can I buy ISO, AS9100, ITAR, or CMMC documentation?
ISO standards: ISO.org, ANSI Webstore, Techstreet, BSI, or your national standards body.
AS9100: SAE International.
ITAR: Free via the U.S. Government Publishing Office’s eCFR site.
CMMC Assessment Guide: Free from the U.S. Department of Defense.

We’re an engineering/design firm—does ISO 9001 still apply?
Absolutely—ISO 9001 covers any organisation that delivers products or services. “Product” can be physical goods, digital designs, or professional advice.  We have worked with many engineering firms that want to utilize certification to help standardize processes and the audits as enforcement mechanisms throughout their processes.

How do service organisations interpret clause 8 (Operation)?
Focus on project‑management controls: requirements capture, design review, change control, and verification of deliverables rather than production lines.

Which ISO 9001 clauses challenge service providers most?
Clause 7.1.5 (Monitoring & Measuring Resources) when there’s no physical inspection equipment, and clause 8.5 (Process Control) when work is knowledge‑based. Use peer review, checklists, and version control as objective evidence.

What is AS9100?
AS9100 (currently Rev D) is the aerospace industry’s quality‑management standard, built on ISO 9001 with extra requirements for safety, counterfeit parts, risk, and configuration management.

Who needs AS9100 certification?
Aerospace manufacturers, MROs, and engineering houses that supply to OEMs such as Boeing or Airbus.  Many defense contractors will be required to achieve AS9100 by their contracts.  

How does AS9100 differ from ISO 9001?
Added focus on product safety, operational risk, configuration control, and post‑delivery support. Certification requires an IAQG‑approved registrar and OASIS database entry.

What is ISO 13485?
ISO 13485:2016 is the international standard for Quality Management Systems in the medical-device industry. It builds on ISO 9001 but adds stringent regulatory, traceability, and risk‑management requirements tailored to medical‑device safety and efficacy.

Who needs ISO 13485 certification?
Manufacturers, designers, contract assemblers, component suppliers, sterilisation providers, distributors, and service providers involved in a medical device’s lifecycle.

How does ISO 13485 differ from ISO 9001?
Tighter documentation control, device master records, validated production processes, sterile‑barrier integrity, complaint handling, vigilance reporting, and extensive risk management aligned with ISO 14971.

How long does ISO 13485 implementation take?
Typical timelines run 9–18 months depending on device class, regulatory markets (FDA, EU MDR), and existing QMS maturity.

Can ISO 13485 integrate with ISO 9001 or ISO 14001?
Yes— but because it doesn’t follow the same number scheme it can be a little more difficult. Many organisations operate a single IMS covering ISO 9001, 13485, and 14001.

What deliverables does Ledge Inc. provide?
Ledge supports development of the following in support of developing your QMS to meet the 13485 requirements: device Master Record templates, risk‑management files, process‑validation protocols, supplier‑quality agreements, CAPA workflows, and mock FDA/MDSAP audit readiness.

What is ISO/IEC 17025?
ISO/IEC 17025:2017 specifies the general requirements for the competence of testing and calibration laboratories.

Who needs ISO/IEC 17025 accreditation?
Independent, in‑house, or contract labs that provide test reports or calibration certificates relied upon by customers or regulators.

How does ISO/IEC 17025 differ from ISO 9001?
17025 focuses on technical competence—method validation, equipment calibration, measurement uncertainty—beyond QMS fundamentals.

How do I calculate measurement uncertainty to comply with ISO/IEC 17025?
This process can be a barrier to many companies looking at ISO 17025.  In general, for each item on the scope you must Identify all significant sources of uncertainty, quantify each component (Type A statistical data, Type B manufacturer specs), combine them using the root-sum-of-squares method, apply coverage factor k (typically 2) to obtain expanded uncertainty, and document the method per ILAC-P14.  If this seems like it is too much, reach out to a consulting firm like Ledge Inc. for support through the process.

What are the steps to achieve accreditation?
Gap analysis, uncertainty budgets, proficiency testing, quality manual updates, internal audits, management review, and assessment by an ILAC-recognised body.

What deliverables does Ledge Inc. provide?
QMS updates, uncertainty-budget spreadsheets, method-validation templates, proficiency-test planning, calibration schedules, and pre-assessment coaching.

Can ISO/IEC 17025 integrate with ISO 9001 or ISO 13485?
Yes—many labs operate integrated QMS and technical systems to meet multiple standards.

What is IATF 16949?
IATF 16949:2016 is the global automotive quality-management standard that merges ISO 9001 with additional, sector‑specific requirements for defect prevention, variation reduction, and continual improvement.

Who needs IATF 16949 certification?
Tier 1‒3 suppliers, component manufacturers, contract design & engineering firms, and logistics providers delivering production parts or services to automotive OEMs (e.g., GM, Ford, Toyota, VW).  Often this is a flow down and one that needs to be considered extensively by the management team.

How does IATF 16949 differ from ISO 9001?
Mandatory automotive core tools (APQP, PPAP, FMEA, MSA, SPC), product-safety clauses, embedded‑software controls, warranty and recall management, contingency planning, traceability to lot level, and stricter supplier‑development requirements.

What are the “automotive core tools,” and are they required?
Yes—Advanced Product Quality Planning (APQP), Production Part Approval Process (PPAP), Failure Mode & Effects Analysis (FMEA), Measurement System Analysis (MSA), and Statistical Process Control (SPC) must be implemented and evidenced during audits.  During internal audits these must be reviewed and the auditor must have core tool training.

How long does implementation take?
Typical timelines are 12–24 months depending on programme complexity, existing ISO 9001 maturity, and supply‑chain readiness.  Some items that can slow momentum include: calibration requirements around 17025 labs, ISO 9001 flow downs to vendors, statistical process control planning and design controls.

Can I integrate IATF 16949 with ISO 9001 and ISO 14001?
Absolutely—the standard follows ISO’s High-Level Structure, enabling a single integrated management system.

What deliverables does Ledge Inc. provide?
The Ledge team can support 16949 implementation with QMS document development, Core‑tool templates, Control Plans, PFMEAs, PPAP packages, layered-process audit checklists, warranty/recall procedures, supplier‑development kits, and launch support.

What is PPAP?
The Production Part Approval Process is the automotive supply chain’s standardised procedure for demonstrating that production parts consistently meet all customer engineering and quality requirements before full‑scale manufacture.

Which industries require PPAP?
Primarily automotive, heavy truck, and increasingly aerospace and industrial OEMs that follow APQP methodologies.  Remember these can be expensive to complete to make sure your team is considering the cost of quality when quoting new projects and customers.

What documentation is included in a complete PPAP submission?

1. Design Record
2. Authorised Engineering Change Document
3. Customer Engineering Approval
4. DFMEA (Design FMEA)
5. Process Flow Diagram
6. PFMEA (Process FMEA)
7. Control Plan
8. Measurement System Analysis (MSA / Gage R&R)
9. Dimensional Results
10. Material / Performance Test Results
11. Initial Process Studies (Cp, Cpk)
12. Qualified Laboratory Documentation
13. Appearance Approval Report (AAR)
14. Sample Product
15. Master Sample
16. Checking Aids / Fixture Validation
17. Customer‑Specific Requirements evidence
18. Part Submission Warrant (PSW)—the executive summary and sign‑off.

What is a Part Submission Warrant (PSW)?
A single‑page form summarising part numbers, revision levels, submission level, results of dimensional and material tests, and supplier sign‑off. The PSW documents customer approval when signed and dated.

What are the PPAP submission levels?

• Level 1: PSW only.
• Level 2: PSW + limited supporting data (e.g., dimensional results) kept on file.
• Level 3 (default): PSW + complete PPAP package submitted for review.
• Level 4: PSW + any combination of elements specified by the customer.
• Level 5: PSW + complete PPAP, with customer review at the supplier’s manufacturing location.

When is a PPAP required?
New part introductions, engineering changes, tooling transfers, production resumption after >12‑month pause, or deviation from approved process (material, supplier, location, or equipment changes).  Your customer will dictate both the timing and the level of PPAP that will be required.

How long does PPAP approval take?
Preparation 2–8 weeks depending on complexity; customer review typically 5–10 working days, subject to capacity and findings.

How does PPAP relate to IATF 16949 and APQP?
PPAP is Phase 4 of the APQP cycle and a mandatory output for IATF 16949 certification. Core‑tool evidence (FMEA, Control Plan, MSA, SPC) feeds directly into the PPAP package.

What support does Ledge Inc. provide?
The Ledge team can support development of the following – PPAP process plans to simplify internal flow, Interactive PPAP generator, AI‑assisted FMEA builder, MSA calculators, Control‑Plan templates, pre‑submission audits, and direct customer liaison to streamline approvals.  Remember that while we would love for all PPAPs to be created equal, customer expectations vary wildly across the industry.  Our team can help you to navigate this process, understand what that customer is looking for an implement a process to meet the requirements.  

In considering the cost of quality, our team can help you to understand what that PPAP is actually costing you to produce so you can capture that cost with your customers.   Remember quality isn’t free, make sure your organization is capturing this during the quoting process.

What training is required to maintain an effective Quality Management System?
Fundamentals for all employees, process‑specific work instructions, internal‑auditor competence, root‑cause analysis, risk‑based thinking, and standard‑specific requirements (e.g., PPAP core tools, medical‑device vigilance, cybersecurity hygiene).

Where can we obtain accredited ISO/IATF/AS training?

• American Society for Quality (ASQ): Instructor‑led and e‑learning courses for ISO 9001, internal auditing, Six Sigma, FMEA, PPAP, and statistics.
• Ledge Inc. Academy: On‑demand micro‑modules, live virtual boot camps, and on‑site workshops customised to your processes.
• Exemplar Global & IRCA‑approved providers: Offer auditor‑cert and lead‑auditor qualifications recognised worldwide.
• Local universities & community colleges: Often run affordable evening classes on quality fundamentals and Lean.
• Industry associations (AIAG, SAE, IAQG, AIA): Sector‑specific technical training for automotive core tools, aerospace AS9100, and PPAP.
• Online platforms (Coursera, LinkedIn Learning, Udemy): Introductory modules and refresher courses—ensure content aligns with latest standard editions.

What is the difference between awareness, competency, and certification courses?

• Awareness covers basic concepts and terminology.
• Competency builds practical skills—e.g., writing an internal audit report.
• Certification validates competence via exams and, for lead auditors, observed audits.

Do internal auditors need formal certification?
Not mandatory, but ISO/IATF auditors must be competent. Formal courses plus supervised practice provide credible evidence of competence during third‑party audits.

How often should employees be trained or retrained?
At onboarding, after major process changes, and at least annually for critical roles (auditors, inspectors, cybersecurity stewards). Track training records and verify effectiveness per ISO 9001 clause 7.2.

Are there funding programs to help pay for training?
Yes—many regions offer cost‑share grants or vouchers for workforce development and quality training:

1. Manufacturing Extension Partnership (MEP) Center: U.S. companies can contact their state MEP for subsidised training and consulting. Find yours here: nist.gov/mep/find-your-center.
2. Local Manufacturing Association or Chamber of Commerce: These groups often administer state workforce grants or group‑buy discounts for training.
3. Local ASQ Section: Many ASQ sections run low‑cost refresher courses and can point you to scholarship funds—locate your section at asq.org/community/sections.
4. Workforce Development Boards & Community Colleges: Provide training grants (e.g., WIOA in the U.S.) and low‑cost evening classes.
5. Employer Tax Credits: Some jurisdictions offer credits for employee up‑skilling—check with your finance team.

How do I verify a reputable online training provider?
Look for recognised accreditations (Exemplar Global, IRCA, ASQ RU credits), current standard editions, instructor bios, learner reviews, and post‑course assessment certificates.  Consider what you’re asking for, are you just looking for a certificate or do you want a course that dives deeply into the topic before you pick a direction.

What is ITAR?
The International Traffic in Arms Regulations control defence‑related articles, technical data, and services. Non‑compliance can trigger severe civil and criminal penalties.

How do I know if my work is ITAR‑controlled?
Check the U.S. Munitions List (22 CFR §121) and consult legal counsel. Design files, CAD models, and even email discussions may be export‑controlled.

What quality processes support ITAR compliance?
Access control, encryption, vetted suppliers, secure cloud storage, and employee training. ISO 9001 clause 8.5.1 aligns with ITAR data‑handling requirements.

What is CMMC?
The Cybersecurity Maturity Model Certification is the U.S. Department of Defense framework for safeguarding Controlled Unclassified Information.  This continues to evolve but must be considered by businesses looking at government contracts as the costs can be significant.  Look for EXPERT advice on IT security and compliance to CMMC as this process is not a simple in house survey but enforces true cybersecurity rules and requires audits similar to ISO 9001 for a quality management system.

Who needs CMMC?
Any contractor or subcontractor handling DoD data. Required level (1–3) depends on contract scope.  Review this with your IT company but they can’t do it all.  Your team will need to invest, train and understand the implications of CMMC.