ISO certificates… your QMS is certified, not your company

Your QMS is certified!  Before you celebrate and tell everyone about it, there are some questions that you should answer first: What’s exactly certified – your company, your QMS, or your device?  What’s the best way to let the world know about this?  Many companies get it wrong.  Let’s shine some light on the subject to clear it up.

What is certified

For ISO 9001 and ISO 13485,  the system itself has passed inspection or audit and complies with a set of regulations. The certification applies to the Quality Management System (QMS). 

This means that all of the relevant procedures as required by the standard are present in the QMS.  They are being followed successfully as proven by the records produced in the QMS.  So, everything including human resources, design and development, risk management and all points in between have been found to comply with requirements.  The system is working well and is certified as being compliant with ISO 9001 or ISO 13485.  Thus, it is a certified system.

This is important because it helps to maintain clarity of the QMS scope and what drives device quality and safety.  The ideology here is that when the ISO certified system is followed, it inherently produces high quality products and safe medical devices.  Also, like any system, if something is not working it can be improved upon with measurable results.  

What is not certified

It is equally important to know what is not certified under certification to  ISO 9001 or ISO 13485.  Your organization is not certified.  The same can be said about your product or medical device.  In either case, a certified QMS does not extend its scope to your organization or product.

An organization is not certified under ISO 9001 or ISO 13485.  It may seem that many corporate processes come under audit (such as Human Resources and Sales) for QMS certification.  However, these standards only apply to quality systems and to only those processes deemed applicable to impact product quality or medical device safety.   For example, one QMS requirement is that Human Resources hire and maintain staff whose skills are applicable to what is being made.  So, HR must keep resumes on file and staff certifications to prove this requirement is met.  What the standards do not do is govern your HR policies about vacation and sick days, for example.  

QMS certification does not certify that the organization itself is running well or is represented as high quality or safe.  Certification to an ISO standard, in this case, does not certify your organization as one that makes great business decisions, either.  There are many corporate management certifications for these purposes, such as operational risk management (Operational risk management – Wikipedia).  

The same holds true for the product or medical device that you are making under a certified QMS.  Your system is certified, but the device itself is not automatically certified.  The reason is that the standards require certain processes to be followed to ensure that quality and safety are maintained throughout the life cycle of the device.  This applies to any device, but does not certify the safety of the device itself.  

For example, the ISO 13485:205 standard requires that there is a process to verify that inspections take place to ensure that materials received from vendors are within conformity.  This provides proof that the material going into a device will not cause risk or harm when the device is used.  However, it is this process that is certified under the QMS, not the device’s safety itself.

Since every device can be unique, there are likely many other standards and regulations that would require certification to safety, such as electrical safety (IEC 60601 – Wikipedia).  Then, there are the specific standards based on device function that would need to be proven through testing.  General QMS certification does not provide compliance to these specific standards.. 

How to say it clearly and within compliance

Now that you have a clearer idea of what is certified under your ISO 9001 or ISO 13485 certificate (I hope that you do), here is some guidance on how you can say it to the world and remain compliant.

You need to convey the message that your QMS is certified, under which standards and by whom.  Here are some examples:

“Our firm operates with a QMS certified to ISO 9001:2015”.  This is definitive in all aspects of what is certified and to what particular standard.

“WIth a QMS certified to ISO 13485:2016, our firm makes a cutting edge medical device”.  This is just as strong and true as the first example.

“We develop your product under our own certified QMS”.  This is also true, but far more ambiguous.  Be sure to follow with a statement of what the certification actually is for the QMS.  

Notice that these statements use the full standard designation and not just the general name.  ISO 13485 vs ISO 13485:2015, for example.  This is a best practice and supports your certification claim, and further alleviates any question of how current the certification is.

It is also very acceptable to provide a link to an electronic copy of your QMS certification for all to see.

What not to say about your certification

Sometimes it is best to illustrate an idea by showing what not to do.  Here are some examples of what you cannot say about your ISO certification:

“Our firm is ISO 9001 certified”.  No it is not, your QMS is.

“We are an ISO 13485:2015 medical device design company”.  This is not clear enough and implies that the company is certified.  It is not..

“Our ISO 9001 exercise ball is a cutting edge product”.  While it may be true that your product is cutting edge, it is not certified to ISO 9001.  Your QMS that drove the processes to make the product is certified.

“Our QMS is ISO Certified”.  No.  ISO itself did not certify your QMS.  Your registrar did.  You might get away with “Our ISO 13485:205 QMS is certified by ABC Registrar”, however.

There are some other things to be aware of not to do.  Such as:

Do not use the ISO logo to promote your certification.  ISO in no way endorses your firm.  When you become certified, your registrar will allow you access to their logo for this purpose as it contains the compliant information.

Do not display any certification logos on products, product labels, or product packaging, Doing so will be interpreted as denoting product conformity and land you in hot water with regulators.

Make it clear that your QMS is certified

The take away from this is to be clear about what is certified and tell the world.  Be sure to get it right when you talk about how your product is developed under a QMS… a certified QMS!

If you would like to learn more about QMS development and maintaining compliance, contact Paul Needler, Managing Director and QMS Specialist at NeedlerQMS.