Why is certification of an organization’s quality management system to ISO 9001 – or AS9100, or IATF 16949 or ISO 13485 – so special? What does the certification signify? And what supports the paper behind that framed certificate?

In the last 35 years, certification of a company’s quality management system (QMS) to a recognized international standard has become the Holy Grail in the global manufacturing arena. It proclaims the achievement of an effectively implemented management system whose process controls are adequately robust to reassure customers of its ability to consistently deliver quality products as specified. This, in turn, serves a few purposes. It heightens customers’ confidence that they can rely on the quality of your products and services over time. It relieves the company of the burden of supplemental customer audits (sometimes) and it helps improve how the company operates. This last benefit is often the least touted but the most valuable.

Some of the observable traits of a well-implemented and maintained QMS include:

  • Defined and integrated processes
  • Risk-based thinking
  • Allocation of resources such as trained personnel and appropriate infrastructure
  • Capacity to understand and fulfill customer requirements
  • Well-managed supply chain
  • Monitoring of key performance indicators (KPIs)
  • Well-maintained and protected documentation

Taken separately, they sound like buzzwords and catch phrases. Lots of ISO-speak and quality jargon. Blah, blah, blah. The value comes when you start linking them together and relating them to the business of the business.

ISO 9001 is the QMS model that is most generic, so I’ll use this as my source for examples and reference. ISO 9001:2015, 5.1.1 states that top management shall ensure “the integration of the quality management system requirements into the organization’s business processes”. Essentially, what this means is that the QMS practices have to be aligned with how the business operates. Please note that this is not a suggestion; it is a requirement of the standard. Once the implication of this “shall” is internalized, the process of making the “ISO” system the company’s actual management system can unfold. And, as the unfolding spreads, the wisdom and value of a controlled QMS can be realized.

Implementing a QMS is not a paper-shuffling exercise. And its maintenance is not tedious busy work. Those attributes noted above relating to risk, process definition, resource allocation and process monitoring are the business of the business. You’re already doing a lot of this stuff.

Well-controlled design processes can mitigate costly re-engineering activities. Well-defined manufacturing processes can decrease downtime and reworks. Supply chain management can ensure timely delivery of quality materials. A well laid out factory can decrease accidents and optimize workflow. Consistent monitoring helps to head off declining trends before they become epic crashes. Negative consequences cost money. They imperil your relationship with your customers, erode your reputation and endanger your viability in the marketplace. They can sound your company’s death knell. Being responsive and resilient diminish that likelihood. A good quality management system makes financial sense and can help get you to where you need to be.

With a well-implemented QMS there’s interrelation of processes. There is an organizational awareness of interactions and interdependencies. We can follow the chain from customer specifications to questions about what materials will be needed, how much time will be required, the potential need to acquire new tooling or technologies. The design process might have to rely on the talents of the purchasing staff in qualifying potential new suppliers. Engineers might also need to investigate new measuring or test equipment – which, in turn, involves the QC department and the calibration process. Manufacturing engineers will look at capacity and shop training requirements. Warehouse space, software, material traceability, documentation and environmental controls will probably all have to be considered. A risk assessment might even yield the wise business decision to say “no” to a large project because of the load it would place on limited resources – with a real risk of endangering the company’s reputation with existing customers.

ISO 9001 corresponding clauses for the previous paragraph might look like this:

  • customer specifications (8.2.2)
  • materials needed (8.4.1)
  • time, new tooling or technologies (7.1)
  • risk assessment (6.1)
  • design process (8.3)
  • qualifying potential new suppliers (8.4.1)
  • measuring or test equipment (
  • manufacturing (8.5.1)
  • shop training (7.2)
  • warehouse space (8.5.4)
  • software (7.1.3)
  • material traceability (8.5.2)
  • documentation (7.5)
  • environmental controls (7.1.4).

Managing changes (6.3) to all of the aforementioned to ensure against new problems is essential to maintaining control.

The rewards of a good QMS should include optimized processes, on-time delivery, satisfied customers, reliable information for planning, improvements and a healthier bottom line. The certificate on the lobby wall (despite the customers’ clamor) is really just icing on the cake.

That last sentence notwithstanding, certification does have its value. It means that the organization’s QMS has been assessed by an independent accredited certification body. The assessment is conducted against the requirements of a standard (such as ISO 9001) through rigorous review of documentation and witness of activities and other objective evidence all demonstrating consistent conformance. That consistency is important in that it engenders a high level of confidence that the QMS has been sustained and the customer can reasonably be assured of its continued reliability.

Without the certification body, there’s no unbiased appraisal and no evidence that a thorough assessment has even been conducted by competent individuals. Bottom line: without the certificate all you have is your good word for the customer to count on.

There are some organizations who self-declare that they are ISO 9001-compliant. The phrase is at best not dishonest. This declaration intimates that: “We have a pretty good system. We aren’t certified. But, we believe that we comply with ISO.” While it is a truthful statement, it still doesn’t carry very much weight in the world of certification.

Certification audits are conducted by auditors who have had their qualifications vetted by the certification body (CBs). CBs are also referred to as registrars and the terms are used interchangeably.

Auditors are required to be trained and go through a provisional period in which their skills are witnessed by the certification body or by training providers. The training that auditors undergo covers: audit planning, developing checklists, time management, auditor attributes, interviewing techniques, evidence sampling, process approach, statistical methods, comprehension of requirements, writing up findings, generating audit reports and post-audit follow-up. Auditors must also demonstrate competence in the organization’s field or industry. An individual whose only background is in healthcare does not have the requisite competence to assess a chemical manufacturing facility. The certification bodies (CBs) are required by their accrediting bodies to ensure that auditors have both the necessary auditor skills and experience in their clients’ various fields.

Third-party assessors (individual doing certification audits) are required to ascribe to a code of conduct that includes objectivity, truthfulness, confidentiality and freedom from personal interest that would bias the outcome. Auditors are required to be upfront about the fact that they agree not to consult during the course of the audit or for a defined period afterwards.

Having audits conducted by competent, trained auditors is important for the CB, the client organization (entity being audited) and the customer. The CB has the confidence that the auditor will represent them by conducting credible and reliable audits – and, therefore, the certificate – and by extension their reputation – is not impugned. The client has an independent entity assess their practices which either confirms they have a great system or that they have some gaps that, when addressed, will eventually lead to improvement activities. The client’s customer has the confidence that objective eyes have verified the company’s QMS and, by inference, its reliability.

If your customers require you to be certified, they probably expect that you have a robust and effective quality management system – one that they can rely on to consistently provide them with great products on time and to their specifications. If you are already able to fulfill their expectations, there’s a good chance that your existing management system is pretty far along the path to compliance with ISO 9001 or a comparable QMS standard. Certification might be more attainable than you thought.