The QMS process: select the tests, run them, record the outcome.

QMS is the foundation of every regulated industry

In regulated industries, a documented and demonstrable quality management system is not optional. It is the substrate that determines whether an organisation can operate at all, and whether it can do so profitably. Profitability and organisational success are directly affected by how well the QMS is run.

A working QMS underpins five outcomes a regulated business cannot ship without:

• Compliance - regulators expect a documented, demonstrable QMS. Examinations begin with "show me your quality management system". An organisation without one fails the examination before specific deficiencies are even reviewed.
• Risk management - the QMS records what changed, who approved it, what testing applied, what outcome resulted. Without that record, every change is an unmeasured risk; with it, risk is calculable per change.
• Ability to deliver products and services - regulated releases (medical devices, financial software, AI-driven decisions) cannot ship without QMS evidence. Velocity is gated by QMS evidence, not by engineering throughput.
• Avoidance of fines - non-compliance carries direct monetary penalties. The EU AI Act fines high-risk-system violations up to EUR 35 million or 7% of global annual revenue, whichever is higher. GDPR reaches 4% / EUR 20 million. HIPAA carries up to USD 2 million per violation category per year. NYDFS Part 500, NAIC, FDA - each has its own penalty schedule.
• Legal liability - a faulty product or service that injures a customer is far more defensible when the QMS evidence shows the design controls and testing applied. Without QMS, the defence often becomes negligence; with QMS, it becomes documented diligence.

The downside, ranked: a finding that violates a regulation incurs a fine. A finding of recklessness can attract personal liability for officers. A pattern of findings, or a single critical breach, can result in loss of licence to operate, exclusion from supply chains, criminal prosecution, and in the most serious cases the organisation going out of business. The 2008 financial crisis, the Theranos shutdown, several FDA Form 483 enforcement actions, and recent EU GDPR enforcement against major platforms are illustrative.

QMS is therefore not a cost centre. It is the substrate that decides whether the business can operate, whether it operates profitably, and whether the senior team is personally exposed when something goes wrong. CODITECT makes QMS evidence a byproduct of normal work rather than a parallel documentation effort - the same record that proves compliance demonstrates risk management, accelerates delivery, and reduces personal and corporate exposure.

Absence 2 - that they actually ran

After selection, the QMS gate executes. Tests run in the appropriate environment (unit, integration, UI, security scan). The platform records start time, end time, exit code, and full console output. A test that was selected but not executed - because of a flaky runner, a network blip, an aborted CI job - is treated as a failure, not absence of evidence.

Closure of the gate requires that every selected test ran and produced a result. No silent skips, no half-runs. The signed gate event is what releases the change to the next stage.

Absence 3 - recording the outcome

The recorded outcome is the deliverable of every QMS run: which tests, which results, the change that triggered the run, the agent or human who approved it, the time it was completed. The record is appended to an immutable audit table; database triggers reject mutation.

The same record drives the four standard QMS audit documents (Installation Qualification, Performance Qualification, Virtual Test Record, Requirements Traceability Matrix). The qvs-cli validation runner produces these as Markdown post-run, with the underlying evidence pulled from the audit tables. The auditor's request list is satisfied from the same data the work itself produced.