Cross-Sector Quality Management

Quality management is now indispensable for many firms. While many companies have themselves certified “voluntarily”, in the automotive and medical sectors certifications are often a requirement. In this blog post, I would like to explain how different QM standards relate to one another and how their certification procedure works, with a focus on the ISO 13485, IATF 16949 and ISO 9001 standards. I will also go into more detail on a couple of interesting differences between the standards.


Let’s begin with some facts about the standards mentioned above:

  • ISO 9001 is aimed at all kinds of companies, can be applied in all sectors and provides for a process-oriented, sector-independent quality management system.
  • ISO 13485 covers the medical technology sector and formulates requirements for the QM systems of manufacturers of medical products.
  • IATF 16949 is a sector-specific standard and defines general requirements for QM systems in the automotive industry.

Differences and backgrounds:

The ISO 9001 standard is the basis for all other standards regarding sector-specific QM systems requirements. ISO 13485 & IATF 16949 are therefore based on ISO 9001, although there are differences.

As a basic standard, ISO 9001 focuses on continual improvement, process-oriented and risk-based thinking and customer satisfaction. The current version was completely revised and then published in 2015. It was structured according to “Annex SL” of the ISO/IEC directives and the High-Level Structure (HLS) defined there.

Figure: Risk Management, Regulatory Compliance, Customer Satisfaction

While the IATF 16949:2016 version adopted the same structure, the ISO 13485:2016 version did not. Compared to previous versions, the most recent edition of ISO 13485 has distanced itself somewhat from ISO 9001. It focuses more on risk management and compliance with statutory requirements. Medical products must first and foremost be safe and fulfil their intended use. Customer satisfaction is only considered afterwards.

Looking back to the beginnings of IATF 16949, one can see that it was more or less drawn up by different automotive manufacturers (mainly from the American and European market) as a supplement to ISO 9001. The standard is targeted at the entire supplier chain, but only a few automotive manufacturers have their own factories IATF-certified. Certification is mostly requested of suppliers and includes the fulfilment of customer-specific requirements in addition to the IATF standard requirements.

As well as extending the ISO 9001 standard, the automotive manufacturers have therefore also left a back door open to decentralise the standard and implement their own demands. This does not make life any easier for suppliers if they are working for different OEMs (which is usually the case). Not a good approach for increasing standardisation or even harmonisation. This was the real reason at the time for the introduction of the first 16949 (ISO/TS) version. At least here it is quite clear that the customer is the focus.

SPICE and additional standards:

ISO 13485 and IATF 16949 refer in their bibliography annex to other standards in which specific topics are dealt with in more depth. In the medical technology sector, these are the ISO and IEC standards and in the automotive industry mainly the VDA and AIAG publications.

VDA Automotive Spice is a system-hardware-software process assessment model which has since become well-established in the automotive industry. This model is used for process evaluation at both project and organisation level. The maturity level determined according to A-Spice is intended to then provide results regarding the strengths and areas for improvement of the processes.

This model has not yet really been adopted in the medical technology sector. A Medical SPICE Process Assessment Model has since been issued as a recommendation for best practice in Germany with VDI 5702 Blatt 1, but in practice companies still turn to the already existing standards landscape (inter alia IEC 62304, IEC 60601, ISO 14971, IEC 62366) for fulfilling the regulatory requirements.

Certification procedure:

The certification procedure is very similar for all three QM standards mentioned. Following the initial information discussion and commissioning of the certification body, the certification audit level 1 takes place. Most certifiers offer the option of having a pre-audit carried out at the company on request. This is intended to detect possible weak points in advance (gap analysis) and is always recommended for initial certification.

Pre-audits can, however, also be carried out by independent third parties, such as a consulting company. The advantages of working with an independent consulting company are mainly that one can rely on the many years of experience of such consultants, which is not just restricted to audits, but also includes the introduction of QM systems.

The Level 1 Audit serves to determine readiness for certification. The following Level 2 Audit is planned based on the information from the Level 1 Audit and is carried out on a random sample basis to review the effectiveness of the QM system.

Following a successful audit, the certificate is issued by the certification body for a period of 3 years, followed by annual monitoring audits or re-certification after the expiry of the certificate.

Reasons for certification:

The motivations for the different QM system certifications are summarised once more in the table below:

Table: Reasons for Certification

By and large, the three QM standards ISO 9001, ISO 13485 and IATF 16949 are all very similar as regards their structure and the required processes. However, there are certain differences due to the different sectors.

By Dijaz Maric – Consultant Quality Management & Reliability Engineering
