QM certification refers to the certification of a quality management system (QM system or QMS) by a certification body. The certification confirms to the certified company that its QM system meets a standard (e.g., ISO 9001, ISO 13485) or a law (e.g., MDR, IVDR).
The category page “Quality Management & ISO 13485” provides a quick introduction and a comprehensive overview that is not only relevant for medical device and IVD manufacturers.
1. Who requires QM certification?
There are various reasons why companies seek QM certification:
- Legal obligation: For example, the European Medical Devices Regulations MDR and IVDR require manufacturers of medical and IVD medical devices to have a QM system. These QM systems must be certified according to MDR or IVDR unless the manufacturers only place low-risk devices on the market.
- Customer expectations: In many industries, a certified QM system is required and may even be a prerequisite for bidding on tenders.
- Quality improvement: QM certification according to an applicable standard by an external certification body provides the organization with an objective assessment that reveals weaknesses and non-conformities in the QM system and thus helps to improve this QMS.
2. How QM certification works
QM certification involves several steps and is an ongoing process.
Step 1: Create conditions
First, companies seeking QM certification must establish the necessary conditions, including their QM system. That includes the following activities, among others:
- Defining quality policy and quality objectives
- Creating specification documents such as standard operating procedures, work instructions, templates, and forms (as documents or in software systems)
- Establishing a quality management representative (QMR)
- Providing the necessary resources and training employees so that they can meet the QM requirements
- Implementing processes and procedures in accordance with the requirements
A company uses an internal audit to check whether its QM system covers all legal and normative requirements and whether it complies with the requirements of its QM system.
The Johner Institute helps companies to quickly establish a lean, effective, and standards-compliant QM system and to assess it as part of an internal audit.
It also supports the creation of integrated management systems that cover additional aspects such as IT security, occupational safety, and environmental safety.
Step 2: Select certification body
The next step is for the company to select a certification body. The criteria for this selection include:
- Costs for the initial audit, certification, and future surveillance and recertification audits
- Availability: The certification body must be able to complete the process within the timeframe required by the company. These deadlines should be specified in the contracts.
- Scope: The certification body must be accredited for the standards, or the notified bodies must be designated for the device class for which certification is sought. For example, some medical device manufacturers should seek certification according to the ISO 13485, ISO 27001, and ISO 42001 standards, as well as Annex IX of the MDR.
The selection of a certification body requires an application, which results in a signed contract.
Manufacturers of medical and IVD medical devices that do not belong to the lowest class must have their QM system certified by a notified body in accordance with MDR or IVDR to meet the legal requirements (see MDR Annex IX, IVDR Annex IX). Additional certification according to ISO 13485 is not a legal requirement.
Certifying organizations must be authorized, i.e., accredited or designated. Otherwise, their QM certificates are worthless. Read more about the responsibilities of the German accreditation body DAkkS and the competent authority ZLG here.
Step 3: Complete audits
The certification body then audits the QM system. There are usually two audits:
- Stage 1 audit: In the Stage 1 audit, the focus is on checking whether the QM system (i.e., the “set of rules” that the organization has set for itself) is suitable for meeting the legal or normative requirements. This audit can even be carried out remotely, based on the specification documents.
- Stage 2 audit: In a Stage 2 audit, the certification body checks whether the company complies with its own specifications, i.e., quality system. To do this, it reviews the records that the organization creates as it goes through its processes.
During the audits, the certification bodies usually identify areas for improvement and divide them into the following three classes:
- Recommendations: Organizations are not required to follow these recommendations from the certification body but may do so. However, too many unimplemented recommendations can have a negative impact on subsequent audits.
- Minor nonconformities: These are deviations from the standard or from legal or internal requirements that must be corrected but do not generally call into question the effectiveness of the QM system.
- Major nonconformities: These significant deviations indicate that the company is not ready for QM certification until they have been corrected. Too many of these deviations can lead to the certification body interrupting or discontinuing the QM certification process.
Many organizations equate these audits with QM certification. However, this is not correct. The audits are a prerequisite for QM certification.
Read more about the audit process here.
Step 4: Obtain QM certification
Based on the results of these audits, the certification body decides whether to grant QM certification. This step, therefore, is not within the organization’s control when seeking QM certification.
If successful, the certification body issues the organization with a QM certificate, which has a limited period of validity.
Step 5: Maintain QM certification
“After the audit is before the audit” is the lesson learned by companies. That is because they not only have to follow their own rules continuously but also undergo an annual surveillance audit and, in the event of significant changes (MDR, IVDR) or every three years (ISO 13485), even a recertification audit.
So, there is one QM certification but many QM recertifications.
3. What you should also know
3.1 Effort, duration, costs
This FAQ on the QM system answers questions such as:
- How long does it take to obtain certification?
- What does it cost, and what effort is involved?
- Where can I get support?
3.2 Success factors
Companies are particularly successful with QM certification when
- top management supports the QM system (management commitment),
- it provides the necessary resources (personnel, infrastructure),
- it ensures the qualification of the employees concerned,
- it doesn’t see certification as a one-off effort but as daily practice,
- it always pursues the objective of QM certification: to achieve better quality for customers.
3.3 Typical mistakes
On the other hand, companies find it difficult to obtain or maintain their QM certification if they:
- expand the QM system without regularly reviewing, updating, and streamlining it.
- set up parallel management systems (quality, IT security, environmental protection, etc.) instead of integrating them.
- fail to involve the people affected in the development of specification documents (for example, a software developer should know better than a QM manager how to design a software process), which leads to a QM system that is not adopted in practice.
- believe that responsibility for the QM system can be placed on the QMR.
- fail to use feedback loops via customers (e.g., customer complaints), management (especially management reviews), and external audits for the continuous improvement of the QM system.
4. Conclusion and summary
Successful QM certification is typically not optional for medical device manufacturers but rather a legal requirement. At the same time, it helps to improve product quality and customer satisfaction, as well as increase company efficiency.
With the proper support, a QM system can be implemented within nine to 18 months and successfully certified. So, there is no reason to wait.
