QMS and Processes

ISO 9001:2015, clause 4, Context of the Organization, includes requirements for the organization to determine its:

  • external and internal issues (4.1)
  • relevant interested parties (4.2)
  • quality management system scope (4.3)
  • processes and their interaction (4.4)

This article is on clause 4.4 and establishing a quality management system and the interaction of its processes. See the External Issues and Internal Issues articles in our February 2018 newsletter. See the Interested Parties and Scope Statement articles in our March 2018 newsletter.

4.4 Quality management system and its processes
 
Requirements

4.4.1 The organization must establish, implement, maintain and continually improve a quality management system (QMS), including the processes needed and their interactions, in accordance with the requirements of ISO 9001.

The organization must determine the processes needed for the quality management system and their application throughout the organization, and:

a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.

4.4.2 To the extent necessary, the organization must:

a) maintain documented information (documents) to support the operation of its processes;
b) retain documented information (records) to have confidence that the processes are being carried out as planned.

Definition

ISO 9000:2015, Fundamentals and Vocabulary, defines a “quality management system” as the part of a management system regarding quality. A “management system” is defined as a set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives.

The management system elements establish the organization’s structure, roles and responsibilities, planning, operation, policies, practices, rules, beliefs, objectives, and processes to achieve those objectives.

ISO 9000 defines a “process” as a set of interrelated or interacting activities that use inputs to deliver an intended result. Whether the “intended result” of a process is called output, product, or service depends on the context of the reference.

Inputs to a process are generally the outputs of other processes; outputs of a process are generally the inputs to other processes. Processes in an organization are generally planned and carried out under controlled conditions to add value.

A process where the conformity of the resulting output cannot be readily or economically validated is frequently referred to as a “special process”.

Guidance

According to ISO/TS 9002:2016, the intent of clause 4.4 is to ensure that the organization determines the processes needed for its quality management system in accordance with ISO 9001. This includes not only the processes for production and service provision, but also the processes that are needed for the effective implementation of the system, such as internal audit, management review and others (including processes that are performed by external providers).

For example, if the organization determines the need for a process for monitoring and measuring resources, the process will need to meet the requirements of ISO 9001:2015, 7.1.5. The level to which processes need to be determined and detailed can vary according to the context of the organization and the application of risk-based thinking – taking into consideration the extent to which the process affects the organization’s ability to achieve its intended results, the likelihood of problems occurring with the process and the potential consequences of such problems.

ISO/TS 9002:2016 provides guidance for ISO 9001:2015, 4.4.1, bullets a) to h):

a) Inputs and Outputs
The organization should determine the inputs required and the outputs expected from its processes. Inputs required for the processes should be considered from the viewpoint of what is required for the implementation of the processes as planned. Expected outputs should be considered from the viewpoint of what is expected either by the customers or the subsequent processes. Inputs and outputs can be tangible (e.g., materials, components or equipment) or intangible (e.g., data, information or knowledge).

b) Sequence and Interaction
When determining the sequence and interaction of these processes, the links with the inputs and outputs of the previous and subsequent processes should be considered. The methods for providing details of the sequence and interaction of the processes depends on the nature of the organization. Different methods can be used, such as retaining or maintaining documented information (e.g., process maps or flow diagrams), or a simpler approach, such as a verbal explanation of the sequence and interaction of the processes.

c) Criteria and Methods
To make sure that processes are effective (i.e., deliver the planned results), the process control criteria and methods should be determined and applied by the organization. The criteria for monitoring and measurement could be process parameters, or specifications for products and services. Performance indicators should be related to monitoring and measurement, or can be related to the organization’s quality objectives (criteria). Other methods for performance indicators include, but are not limited to, reports, charts, or the results of audits.

d) Resources
The organization should determine the resources needed for processes, such as people, infrastructure, environment for the operation of the processes, organizational knowledge, and monitoring and measuring resources. Considerations on the availability of resources should include the capabilities and constraints of existing internal resources and those that are obtainable from external providers.

e) Responsibilities and Authorities
The organization should assign the responsibilities and authorities for its processes by first determining the activities of the process and then determining the persons who will perform the activity. The responsibilities and authorities can be established in documented information, such as organization charts, documented procedures, operational policies, and job descriptions, or by using a simple approach of verbal instructions.

f) Risks and Opportunities
The organization should ensure that any actions needed to address risks and opportunities associated with the processes are implemented.

g) Evaluation and Changes
The organization should consider the performance data obtained through the review of criteria established for monitoring and measuring. Analyze and evaluate this data, and implement any changes needed to ensure that these processes consistently achieve their intended results.

h) Improvement Actions
The organization can use the results of analysis and evaluation to determine the necessary actions for improvement. Improvements can be made at the process level (e.g., by reducing variations in the way an activity is performed) or at the quality management system level (e.g., by reducing the paperwork associated with the system, allowing persons to concentrate more on managing the processes).

Documented Information
The intent of subclause 4.4.2 is to ensure that the organization determines the extent of documented information that is needed. Documented information is the information required to be controlled and maintained by an organization and the medium on which it is contained.

According to ISO/TS 9002:2016, the appropriate person (e.g., process owner, process output owner, process control person) should review what information is used for the process to perform consistently to deliver the intended output. For information (e.g., procedures, work instructions, visual aids, information and communication systems, drawings, specifications, metrics, reports, key performance indicators [KPIs], meeting minutes, representative samples, verbal conversations) that is used, an analysis of the value to support the process needs to be carried out.

The result of the analysis will be the decision as to which information will be treated as documented information. For example, when top management does strategic planning, they could consult and review relevant information on the internet, such as reports on the current and future status of the organization’s industry sector that have been developed by governmental agencies and other relevant parties. This information should not be considered as documented information, as it is available from the public domain. In contrast, a business plan that includes quality objectives, risk and opportunities, strategies, among other relevant elements (e.g., the organization’s mission, vision, values, and process map) would need to be considered as documented information.

It is up to the organization to specify the distinct types of documented information needed to support the operation of its processes and its quality management system. In determining the type and extent of documented information needed, the organization should evaluate its own needs and apply risk-based thinking. It should also consider its size, activities, types of products or services, complexity of its processes, resources, etc., as well as, the potential consequences of nonconformities.

While ISO 9001 specifies the use of documented information in some of its requirements, there can be a need for the organization to have additional documented information (such as documented procedures, websites, work instructions, manuals, regulations, standards, forms, guides, computer software, telephone applications) to control the operation of its processes.

Some of the organization’s documented information will need to be reviewed periodically and be revised to be kept up to date. ISO 9001 uses the phrase “maintain” documented information to refer to these types of “documents”.

Other documented information needs to be “retained” unchanged (unless a correction is authorized) to demonstrate conformity and to have confidence that processes are being carried out as planned. This type of documented information is referred to as a “record”.