4.4 Quality Management System And Its Processes [ISO 9001]

What is a Quality Management System And Its Processes?

ISO 9001 includes specific requirements necessary for the adoption of processes when developing, implementing and improving a management system. This requires your organization to systematically define and manage processes and their interactions so as to achieve the intended results in accordance with both the policy and strategic direction.

Free download - Calibration Process (ISO 9001)

ISO 9001:2015 ISO 9001:2008 Summary of Changes
4.0 Context Of The organization 1.0 Scope

Title only

4.1 Understanding The organization And Its Context

1.1

General This new requirement requires an organization to demonstrate that it understands all internal and external influences that may affect its strategic direction and market position and what effect any changes may have on its future.
4.2 Understanding The Needs And Expectations Of Interested Parties 1.1 General This is a new requirement which requires the organization to determine the boundaries and applicability of the QMS. It also makes reference to 4.1.

There is now a requirement to state the scope in terms of the ‘goods and services’ delivered and the sites of the organization to be included. There is a requirement to document and justify any exclusion from the standard; exclusion must be limited to Clauses 7.1.4 to 8.0.
4.3 Determining The Scope Of The Quality Management System 1.2 Application This requirement is comparable to ISO 9001:2008 Clause 4 - Quality Management System and Clause 4.1 – General Requirements. organizations should review their process-based management system to ensure that it captures elements from 4.1 and 4.2.
4.2.2 Quality Manual
4.4 Quality Management System And Its Processes 4.0 Quality Management System Process approach – now a stated requirement but the content is largely the same as previous clause 4.1 apart from a requirement to determine the risks to conformity if processes are ineffective.
4.1 General Requirements

Auditors Will Want to Determine

  • How well is the ‘process approach’ understood in the organization?
  • Is the QMS in line with the organization’s context, and requirements of interested parties?
  • Is it likely the established QMS will achieve its intended outcomes and enhance quality performance?
  • Does it include the enhancement of product quality, quality control and process improvement using total quality management systems?
  • Does it include the desire to fulfill of legal and compliance obligations and objectives?

Existing operational procedures, work instructions, flow charts, corrective and preventive actions, nonconforming outputs, and nonconformity and corrective action are valid examples of documented information that can be used to evidence the requirement for ‘documented information to support the operation of processes is being met’.

Check that process inputs and outputs are defined and review how each of the processes are sequenced and how they interact. Look for evidence that your organization has:

  1. Assigned duties/process owners (Clause 5.3)
  2. Assessed risks and opportunities (Clause 6.1)
  3. Provided resources (Clause 7.1)
  4. Maintained and retained documented information (Clause 7.5)
  5. Implemented measurement criteria (Clause 9.0)
  6. Improved its processes and the QMS (Clause 10.0)

Your organization should begin using quality indicators to control and monitor issues, and associated risks and opportunities. These types of objective evidence will indicate that your organization has successfully integrated the QMS processes into its business processes.

Evidence may include management reviewing QMS KPI’s as part of regular business reviews, awareness of contractors and employees of the Quality Management Systems' goals and expectations, etc.

auditing process performance and effectiveness

Auditing Process Performance and Effectiveness

When auditing process performance and effectiveness your aim is to continuously improve effectiveness and efficiency.

You should ensure that you prioritize the following:

  • Reviewing your organization's processes, their sequence and interactions, the identification of functions and assignment of responsibilities, and performance against requirements and defined measures, with focus on processes that directly impact the customer
  • Reviewing the process for validation and approval of processes and process changes
  • Reviewing the availability of resources and information required to operate and support associated activities, including appropriate training and competency of personnel
  • Reviewing the process-based management techniques, including the examination of process measures (e.g., quality, tact time, cycle time, output effectiveness, control limits, process capability determination)
  • Reviewing plans in place to ensure performance objectives/targets are monitored, measured, and analyzed in order to realize the planned activities and achieve the planned results (e.g., verify performance information, percentage of non-conforming parts/products, percentage OTD)
  • Promoting continual improvement by reviewing actions taken when objectives/targets are not met
  • Pursuing audit trails addressing customer concerns or requests for corrective actions, performance against objectives, and relevant process controls

Identifying Key Processes

Key processes are steps that you go through to give the customer what they want, e.g. from order acceptance to design through to delivery.

Whereas support processes do not contribute directly to what the customer wants but do help the key processes to achieve it. Support processes include often human resources, finance, document control, training and facilities maintenance, etc.

A good way to do this is to think about how work-flows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in.

For now, ignore the standard, in fact put it in a draw and forget it exists. Instead focus on your key processes and how the departments interface with each other.

Once you have defined the processes and interfaces; go back to the standard and determine which processes are responsible for meeting which requirements.

When defining your organization’s processes, think about each process and department and assign try to define those processes around the current organizational model and not around the requirements of the standard.

Certification auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy.

Process Document

Which Processes Should be Documented?

In determining which processes should be documented the organization may wish to consider factors such as:

  • Effect on quality
  • Risk of customer dissatisfaction
  • Statutory and/or regulatory requirements
  • Economic risk
  • Effectiveness and efficiency
  • Competence of personnel
  • Complexity of processes

Customer oriented processes affect or interact with the customer

  • Marketing, sales and purchasing
  • Customer service
  • Capturing customers requirements
  • Design and development
  • Storage and dispatch

Support oriented processes support other process:

  • Calibration
  • Maintenance
  • I.T. and document control
  • Finance and accounts
  • Human Resources and training

Management oriented processes are normally conducted by Top Management:

Assessment oriented processes help provide data to determine compliance and process performance:

made in China

Outsourced Processes

Outsourced processes must be controlled by the organization and these controls must be defined and described within their system. organizations are required to identify the controls they apply for any outsourced processes.

Your documentation must identify if outsourced processes are applicable. In addition, written documentation on the methods used to control the outsourced processes.

Examples of some outsourced processes are:

  1. A process completed wholly or partially by a sister facility outside the scope of registration. Such as corporate performing design, purchasing or customer related processes, this includes management activities i.e. business planning, goal setting, resources, data analysis, budgeting, etc. This may include the entire element or a subsection i.e. corporate completes supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase orders.
  2. A process completed by an outside vendor or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc.

These types of processes may be controlled by the purchasing process where a formal contract or purchase order may be the controls. If this is the case, written documentation would be the purchasing documentation and records however; these processes are required to be documented.

If an outsourced process is controlled through purchasing, there must be documented objective evidence to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes.

The organization is responsible to ensure that the outsourced process is meeting the applicable requirements to ISO 9001.

Outsourced processes may be controlled through such methods as, but not limited to:

  • Auditing
  • Contractual agreements
  • Process performance data review on an on-going basis
  • Purchasing process

Ensuring control over outsourced processes does not absolve the organization of the responsibility for conforming to customer, statutory and regulatory requirements.

The type and extent of control to be applied to the outsourced process can be influenced by factors such as:

  • The potential impact of the outsourced process on the organization’s capability to provide a product or service that conforms to requirements
  • The degree to which the control of the process is shared
  • The capability of achieving the necessary control through the application of the purchasing process

You should expect to see evidence that your organization has determined their processes and interactions. If your organization calls it a ‘process’, it must be monitored for effectiveness and improved.

Sequence and Interaction

The auditor must see evidence that the organization has determined their processes and that the interactions are also defined, all within the Quality Manual.

Subsequently, this includes the actual and technical inputs and outputs of the processes to show their inter-relationship. This requires the description of the interactions between the processes and should include process names, process inputs and process outputs in order define their interactions.

Interaction means how one influences the other.

Auditors commonly agree that the description of the interactions of the processes cannot be done if the processes are not determined (names).

Foreman checklist document

Process Maps to Document Processes

ISO standards dictate the organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the system processes and their sequence and interactions were determined. Such documents may be used by organizations should they deem them useful, but they are not mandatory for the quality system.

Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes for the Quality Management System (QMS).

Free download - Calibration Process (ISO 9001)

Free download - Customer Complaints & Feedback Process (ISO 9001)

Free download - Customer Satisfaction Process (ISO 9001)

Free download - Product Realization & Planning Process (ISO 9001)

Related Information You Might Find Useful

Next ISO 9001 Clause

Each ISO 9001 Clause Explained

Updated: 26th February 2022
Author: Richard Keen

Richard Keen

Richard Keen

Richard is our Compliance Director, responsible for content & product development.
But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.
Learn more about Richard