I realized that many people are confused about the companies that typically get involved when a factory wants to get its quality management system (QMS) certified to ISO 9001 or ISO 13485.
Let’s break it down into the logical steps to get to a certification.
1. Gap analysis
You need to know what the gap is. This is necessary in order to draw a QMS implementation plan (along with a budget).
You may call in a certifying body (more on them in section 4, below). But, if there really is no quality system in place, it won’t be helpful — they will simply indicate that all is missing or very immature. They can’t say much more than that, actually.
The best is usually to have the QMS implementation consultant(s) carry out this analysis, as they need to understand how far exactly the organization is from being compliant. They need far more than yes/no answers.
2. Implementation
A well-implemented quality system will make sense for your processes, will make your life easier, and will save you money.
A poorly-implemented system will do all the opposite. It won’t be very helpful, and it will add a heavy paperwork load onto your people. I wrote before about 10 Signs of a Bad ISO 9001 Implementation.
This is usually best done by an experienced consultant who takes the time to understand the business (remember step 1, the gap analysis), will set up an appropriate plan, and will provide guidance on the way to implement the plan.
3. Training courses
A consultant alone will not be able to do much that sticks in the long run if some people in the company don’t understand the basic concepts behind quality assurance and quality improvement.
Find a few people who will do the implementation support work (writing SOPs, doing internal audits, etc.) and send them to a decent training course. There are many such courses. Some are offered by international companies such as BSI, TUV Rheinland, SGS, etc. and an auditor certificate is issued, but that’s not a must. Focus on the end result you need — people who understand the standard and what they have to do!
4. Certification and ongoing re-certifications
At this point, you need to talk to a certifying body. Again, it is companies such as BSI, Bureau Veritas, SGS, etc.
They will send auditors to the factory and they will deliver the certification if they find it is in compliance. They are accredited as certifying bodies, and they need to comply with ISO 17021, an important standard that ensures they remain impartial.
In step 2, I did not mention those companies. That type of consulting is NOT allowed by ISO 17021 (imagine a company gets paid for helping a client, and then that same company gets to audit that same client for certification – a blatant conflict of interest).
There is a lot to be said about that whole third-party certification process, as I wrote before:
The ISO certification (or ‘registration’) process
An objective of ISO 9001 is to give a common standard for different actors in a given supply chain.
But, how to make sure these different actors really follow that common standard? They can be certified. It sends the signal that they have established a QMS and comply with the minimum requirements spelled out in ISO 9001.
It reduces ‘audit fatigue’ — the need for a company to keep auditing all its suppliers and partners. Get audited once, comply with the standard, and get the certification. That’s the logic at play here.
Who issues those certifications/registrations? A few companies are authorized to do this by the national governing bodies — they are the ‘registrars’.
However, something went wrong in the certification process
The company pursuing certification is the one that picks its registrar. That’s a fundamental issue. Soccer teams can’t pick their own referees, and pigs can’t pick the door enclosing their paddock, and for good reason…
Large international bodies (Intertek, Bureau Veritas, TUV Rheinland, SGS, British Standards Institute, and so forth) try to follow the same standards in China as in other countries.
However, a large number of ‘certificate mills’ — companies that have been accredited and yet don’t fulfil their mission — have popped up, and their certificates are sometimes not worth more than the paper they are printed on.
I should add that this is never “done”…
A factory needs to go beyond the minimum requirements set in standards such as ISO 9001, if it is to assure a high level of customer satisfaction.
******
How did your QMS implementation go, or maybe you’re thinking about undertaking it right now? Let me know by leaving a comment.
Disclaimer
We are not lawyers. What we wrote above is based only on our understanding of the regulatory requirements. QualityInspection.org does not present this information as a basis for you to make decisions, and we do not accept any liability if you do so.
Always good to hear from my friend Renaud. As always this article is “on the mark”. I will add a few bits of emphasis.
First, I couldn’t agree more with the recommendation in #1 that the company seeking certification would do best to have an implementation consultant do a proper gap analysis. I would in fact state the benefit even more strongly. While it’s true that the certification bodies can and will do these – sometimes called “readiness reviews” or some similar name – in my experience these are nearly always a waste of time and money. One of two situations is true. First, perhaps you are very close to ready. If so, jump right in and get a full proper audit. There is no penalty for getting nonconformances, you just fix them! Then you’ll be certified. Second, truth is that while the auditors can determine compliance or not, many lack the skills to prescribe a solution. Implementors do just that. I speak as someone who did implementation consulting full time for 20 years. (No longer in the business.)
Second, I do support a number of the large international registrars. But even here, the audit process is highly dependent on the skill of the individual auditor, and these vary. Don’t be shy about asking for credentials for the specific auditor(s) proposed (at least, the lead auditor) and checking them out. If they don’t seem reasonable, ask for a change after the first audit is complete. I had clients suffer from being afraid to critique the auditor, and put up with poor work. No reason for this, you’re paying the bill!
Thanks for adding to the article, Brad.
You are absolutely right, yes. Those ‘pre-audits’ by certifying bodies don’t bring much value.
And yes, one of the principles of ISO 9000 is about good supplier relationships… It’s good practice to give feedback about the auditor and request some changes, as long as it’s reasonable.
I agree with what Bradd said about the skill of the individual auditor. If we are a QA person in charge, then we can ask for a CV (curriculum vitae) from the auditor team to ensure they carry out audits that are relevant to the business processes that we run. Because it will be ambiguous when the non-conformities that are addressed by them are not in accordance with what we want to improve in our organization.
Yes, good point.
But of course they might raise NCs in an area that you might not want to improve, but those NCs may really need to be raised because of a clear lack of compliance to the requirements.