Different referees, same game
Think of compliance standards as referees. Football, cricket and hockey have different referees enforcing different rulebooks — but every referee is doing the same fundamental job: watching the game and ruling on what actually happened.
Manufacturing works the same way. An automotive OEM sends an IATF auditor. A drug regulator sends a GMP inspector. A food-safety officer checks your HACCP plan. Each speaks a different language, checks different documents, and can stop your business cold. But strip away the vocabulary and every one of them is asking the identical question: "Can you prove your process did what you say it did?"
That one insight — different rulebooks, same underlying demand — is the key to handling compliance without drowning in it. Let's walk the rulebooks first.
The rulebooks, industry by industry
What each rulebook actually means, in one breath each:
IATF 16949 (automotive). The global quality standard OEMs impose on their supply chain. In practice it means: every part traceable to its batch, machine and operator; processes proven statistically capable (SPC); new parts approved through a formal evidence pack (PPAP); and every customer complaint answered with structured problem-solving (8D). Miss it and you don't supply automotive — full stop.
GMP / 21 CFR Part 11 / ICH Q7 (pharma). Good Manufacturing Practice — in India, Schedule M; for exports, WHO-GMP and the US FDA's rules. It demands complete batch records for every lot, electronic records that are attributable, timestamped and tamper-evident (that's Part 11), every deviation investigated and closed (CAPA), and data integrity to the ALCOA+ standard. One missing signature can be the difference between a clean inspection and a warning letter. (We covered how batch records can build themselves in the GMP deep-dive.)
FSSAI / HACCP / ISO 22000 (food & FMCG). Food safety runs on Critical Control Points: identify where hazards can enter (temperature, contamination, foreign bodies), monitor those points continuously, and prove the monitoring happened. Add full lot traceability — because when a recall comes, you have hours, not weeks, to know exactly which batches went where.
IPC / ESD / RoHS (electronics). Workmanship standards (IPC-A-610) define what an acceptable solder joint even is; ESD S20.20 requires proof that static controls were in place while boards were handled; RoHS demands material declarations down the component tree. The theme is component-level traceability: which reel, which oven profile, which operator, which board.
The ISO baseline (everyone). ISO 9001 (quality management), 14001 (environment), 45001 (worker safety), 50001 (energy), 27001 (information security). Most serious plants carry two or more of these on top of their industry rulebook — each with its own surveillance audit cycle.
What all of them secretly share
Read those again and a pattern jumps out. Every standard, whatever the vocabulary, decomposes into the same five demands:
- ① Capture reality as it happens — not reconstructed at shift end.
- ② Trace everything — this unit came from that batch, that machine, that operator, those materials.
- ③ Handle deviations formally — detect, classify, investigate, close the loop.
- ④ Keep records trustworthy — timestamped, attributable, tamper-evident.
- ⑤ Produce evidence on demand — when the auditor arrives, the proof exists already.
The differences between standards are real, but they live above this core: what counts as a critical parameter, what format the record takes, how long you retain it, who signs it. IATF wants SPC charts; GMP wants batch records; HACCP wants CCP logs. Same evidence, different paperwork.
Why one-size-fits-all systems break here
Now the architectural point. Most compliance software is built as a monolith around one rulebook — a "GMP system," an "automotive quality suite." That works right up until reality intervenes, and reality intervenes constantly:
Plants straddle industries. A Tier-2 machining shop supplies automotive and industrial customers. A contract manufacturer packs food this quarter and cosmetics next. An electronics EMS builds automotive ECUs — IATF and IPC at once. Which monolith do they buy? Both? Now there are two systems, two data entries, and two versions of the truth — the exact parallel-systems trap that makes auditors suspicious.
Rulebooks change on their own schedules. Schedule M was overhauled in 2024. IATF revisions land on their own cycle. FSSAI notifications arrive mid-year. In a monolith, a regulation update means touching — and revalidating — the whole system. That's why plants run five-year-old compliance software: upgrading is scarier than the audit.
Customers demand more over time. Winning your first pharma-adjacent contract, or your first export customer, shouldn't mean replacing your plant software. But if compliance is welded into a monolith's core, that's exactly what it means.
The conclusion writes itself: compliance logic must be modular — separable from the evidence layer beneath it, so rulebooks can be added, updated or retired one at a time, without disturbing each other or the floor.
The modular answer: one backbone, many packs
The architecture has exactly two layers, and the split is the whole point:
The evidence backbone does the five common-core jobs — capture at source, trace everything, log deviations, keep records tamper-evident, retrieve on demand. It's rulebook-agnostic, because reality is rulebook-agnostic. A temperature reading doesn't know whether it will one day be GMP evidence or HACCP evidence. It just needs to be true, timestamped, and attributable.
Compliance modules sit on top, one per rulebook. Each module knows its standard's vocabulary and paperwork: the GMP module assembles batch records and routes CAPA workflows; the IATF module watches SPC limits and compiles PPAP evidence; the HACCP module monitors critical control points and keeps recall-ready lot genealogy; the IPC/ESD module ties workmanship checks and static-control logs to each board. Every module reads the same backbone — no duplicate capture, no parallel systems, no divergence.
And because modules are independent: when Schedule M changes, you update the GMP module — the IATF module doesn't even notice. When you win your first automotive customer, you add the IATF module — nothing gets reimplemented. When an auditor arrives, their pack generates from evidence that was accumulating all along.
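The two-layer split described above, as an added example (not wiseDo's code): a rulebook-agnostic, append-only evidence log whose records are linked by a keyed hash chain, with a HACCP view and a GMP view reading the same records. The record fields, the demo key, the 8 °C CCP limit, the lot names and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: a real key lives in an HSM/KMS, not in code

class Backbone:
    """Rulebook-agnostic, append-only evidence log with a keyed hash chain."""
    def __init__(self):
        self.records = []

    @staticmethod
    def _mac(prev, body):
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

    def capture(self, ts, operator, lot, param, value):
        body = {"ts": ts, "operator": operator, "lot": lot, "param": param, "value": value}
        prev = self.records[-1]["mac"] if self.records else "genesis"
        self.records.append({"body": body, "mac": self._mac(prev, body)})

    def verify(self):
        """Return the index of the first record that breaks the chain, or None."""
        prev = "genesis"
        for i, rec in enumerate(self.records):
            if not hmac.compare_digest(rec["mac"], self._mac(prev, rec["body"])):
                return i
            prev = rec["mac"]
        return None

# Compliance modules: read-only views over the same backbone, one per rulebook.
def haccp_ccp_deviations(bb, limit_c=8.0):
    """HACCP view: cold-store readings above the (assumed) critical limit."""
    return [dict(r["body"]) for r in bb.records
            if r["body"]["param"] == "cold_store_temp_c" and r["body"]["value"] > limit_c]

def gmp_batch_record(bb, lot):
    """GMP view: every attributable entry for one lot, in capture order."""
    if bb.verify() is not None:
        raise ValueError("backbone failed integrity check; refusing to build record")
    return [dict(r["body"]) for r in bb.records if r["body"]["lot"] == lot]

def demo():
    bb = Backbone()  # constructed sample readings
    bb.capture("2024-05-01T06:00:00Z", "op-17", "LOT-A", "cold_store_temp_c", 4.1)
    bb.capture("2024-05-01T06:05:00Z", "op-17", "LOT-A", "cold_store_temp_c", 9.3)
    bb.capture("2024-05-01T06:10:00Z", "op-22", "LOT-B", "cold_store_temp_c", 5.0)
    devs = haccp_ccp_deviations(bb)
    batch = gmp_batch_record(bb, "LOT-A")
    bb.records[1]["body"]["value"] = 7.9  # after-the-fact edit that would hide the deviation
    return devs, batch, bb.verify()
```

The chain flags edits and mid-log deletions at the first affected record. Detecting truncation of the tail additionally needs the latest MAC anchored somewhere the writer cannot modify.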
The cheat sheet: standard → demand → module output
| Standard | Industry | What it really demands | What the module produces |
|---|---|---|---|
| IATF 16949 | Automotive | Part-level traceability, capable processes, formal approvals | SPC charts, PPAP evidence, 8D reports, trace queries |
| GMP / Part 11 | Pharma | Complete batch records, data integrity, closed-loop deviations | Auto-generated batch records, CAPA trail, one-click audit pack |
| FSSAI / HACCP | Food & FMCG | Continuous CCP monitoring, lot genealogy, recall readiness | CCP logs with alerts, lot-to-shipment trace, recall report in minutes |
| IPC / ESD S20.20 | Electronics | Workmanship acceptance, static-control proof, component trace | Per-board build history, ESD compliance log, reel-level trace |
| ISO 9001 / 14001 / 45001 / 50001 | Everyone | Managed quality, environment, safety, energy — with records | KPI evidence, incident logs, energy baselines from the same backbone |
How wiseDo runs this
This two-layer architecture is exactly how wiseDo is built — it's the same modularity we've described for capability rollout, applied to compliance:
The backbone is the product's core. wiseDo captures floor reality at the source — from the sensors, machines, and cameras you already have — with immutable timestamps and full genealogy. That satisfies the five common-core demands once, for every current and future rulebook. Your ERP stays the system of record for the business; the backbone is the system of evidence for the floor.
Compliance packs are modules you enable. Running a pharma line? Enable the GMP pack and batch records assemble themselves as production runs. Adding an automotive customer next year? Enable the IATF pack — it starts interpreting the same backbone, historically and forward. Nothing is ripped out, nothing re-entered, nothing revalidated below the module line.
Multiple packs run side by side. A plant running food and cosmetics lines, or automotive and industrial parts, carries several packs against one backbone — one truth below, one pack per referee above. And because agents watch the same backbone, deviations get caught and classified in real time, not discovered during audit prep.
One honest note, because compliance deserves honesty: wiseDo doesn't make you certified — audits, quality systems and discipline do. What it removes is the part that burns your team: the evidence scramble. The proof exists the moment the auditor asks, in the format their rulebook expects.
Facing more than one rulebook?
If your plant carries two or more of the standards above — or is about to add one for a new customer — a floor walk will show you exactly which evidence you're already generating, which you're reconstructing by hand, and what a modular setup would look like on your lines.
Book a free floor walk, or read how batch records auto-generate for the deepest of the rulebooks.
wiseDo Technology
Building agentic MES for manufacturing