Clause 4.4 Quality Management System and Its Processes


The requirements for this clause are to ensure that your organisation establishes processes and process control for its products, services and the implementation and maintenance of the management system. If you have interactions with suppliers, contractors or outsourced function providers, then these will also require process definition and control. For example, if you identify a need for a process for capturing and sharing organisational knowledge, then the process will need to meet the requirements of ISO 9001:2015, 7.1.6. Exactly which processes require process mapping, and to what level of detail, will depend upon the context of your organisation, its scope, and the levels of risk associated with the tasks that you perform. The requirement begins by stating:

“The organisation shall determine the processes needed for the QMS and their application throughout the organisation”

A Non-Prescriptive Approach

Here again, we can see the non-prescriptive approach of ISO 9001:2015 in that it leaves you and your organisation to determine which processes are needed (are essential) for the quality management system to function effectively. Let’s not forget that the point of adopting a ‘process approach’ is to ensure that the management system achieves its intended results. For ISO 9001:2015, at a fundamental level, that means producing goods and services that consistently meet the requirements of your customers. For ISO 45001:2018 it means providing workers with safe and healthy workplaces, and for ISO 14001:2015 it means ensuring that the aspects of your activities do not result in a negative impact on the environment.

When thinking about process design and control, it’s important that your organisation considers all aspects of a process, including: inputs, activity (change), outputs, resources, personnel, criteria, monitoring and measuring. Incidentally, it’s important to think of processes in this way for the purposes of auditing them. You can only audit a process fully by checking all of the individual components that constitute and support the process. I will discuss this in more detail when focusing on clause 9.2 and the requirements for Internal Audits. For simplicity, I would recommend mapping your processes and their interactions using a high-level approach, and not getting too bogged down with unnecessary detail. There is nothing prescriptive here; if your current method for mapping your processes works for you, then there is no need to make any changes. However, it is important that anyone affected by the process understands it and, where necessary, has received the appropriate training for that process.

ISO Process Definition

ISO 9001:2015 describes a process as ‘a set of interrelated activities that use inputs to deliver an intended result’. The requirements for processes are described in clauses 4.4.1 (a) to (h):

  1. Inputs and outputs; have you identified the inputs required so that your processes can deliver their intended outputs as planned? These might be final outputs such as finished products or services delivered to a customer or outputs that become inputs to the next process in a chain of manufacturing or service delivery. Outputs can be physical items or intangible items such as data, communications, signals or knowledge etc.

  2. Sequence and interactions; it makes sense that certain processes happen, and have to be completed before other processes can begin. For example, in manufacturing, a finished product would require final inspection and testing against the design criteria before being passed through to packing. After packing has been completed the item can then move through to the dispatch process ready for delivery to the customer. Should inspection and testing fail to be completed according to the process criteria, then potential problems with a product might be missed resulting in a customer complaint.

  3. Process criteria; does the service that you are providing have to be completed in a certain time frame according to the criteria? Does the item that you are manufacturing have to be a specific Pantone shade of pink, specific weight and size according to the customer design criteria? Are you driving safely and according to the speed criteria indicated by the traffic signs along the road? If the answer is yes, how are you monitoring to ensure that goods and services are meeting these criteria? Have you set any performance indicators against quality objectives that are linked to the criteria? Who is responsible for monitoring and reporting on these indicators and objectives?

  4. Resources required; have any of your processes ever failed due to a lack of a resource/s? The resource might be a worker, communication, material, infrastructure or a resource from an external supplier etc. For example, a machine run has to be stopped due to a lack of cooling lubricant. The supplier has a shortage of transport staff and cannot supply until next month. Should you be planning to keep stock of essential resources and mitigate against known risks? Will lessons be learned and changes be made to the process and business continuity plans?

  5. Responsibilities and authorities: who will be responsible for the overall process? Is this described within an organisational chart, job description, documented procedure or by word of mouth? Functions within the process such as machining, monitoring, testing, inspection and training etc can have their responsibilities shared between various process owners. However, it’s important from a management system perspective that the high-level process has a defined owner. This person can then report on the process and identify possible improvements during the management review process.

  6. Risks and opportunities; are linked to the requirements of clause 6.1 where you are asked to make plans to address the risks and opportunities from both an internal and external perspective. Once you have completed the work for clause 6.1 you can then build your risk mitigation strategies into your processes. Mitigating for risk is a never-ending rabbit hole and so the best option is to mitigate what you consider to be your most significant risks. For a quality management system, any risk that harms the customer should be considered first. From a safety or environmental perspective, work with your most significant risks and work backwards from there.

  7. Performance evaluation; have you established key performance indicators that are related to measurable objectives for your processes? The monitoring and measuring activities for your process performance should produce data that can be analysed and discussed during a management review meeting. Through analysis, you can identify if your processes are performing to their design criteria and also focus on ways to improve them if possible. Process efficiency results in both time and cost savings.

  8. Process improvement; is where you are using the data produced from your monitoring and measuring activities to identify ways to improve the process. Improvements might be obtained in terms of time/cost efficiency, human error, product/service non-conformities, design modifications, process flow, training or verification and validation activities etc. Let’s not forget, that continual improvement is at the heart of all modern management systems that are guided by the PDCA process. Top management should try to embed the concept of continual improvement into the culture of everything that you do as an organisation.

The Best-Laid Plans

If you fully understand the requirements of clause 4.1 you will realise an approach to process design, implementation and control that is going to help you achieve the intended outcomes of your management system consistently. Of course, even the best-laid plans have errors and failures from time to time but those errors will be far less common by using a fully committed process approach.

You are required to maintain and retain documented information that describes the operation of your processes, but only ‘to the extent necessary’. As I mentioned earlier, if you already have a way of documenting your processes that you are happy with, then there should be no real reason to make any significant changes to what you already have. You may need to perform a few tweaks here and there to ensure that you are meeting all of the requirements as listed in clause 4.4.1, but I would imagine that would amount to nothing major.

When considering the extent of documented information to maintain, your organisation should consider using a risk-based approach. This is where you might be asking yourself ‘what if?’ The consequences of the answers you get and the severity of the effects on the customer will help you determine how far to go with your documented information. Should certain processes require observations to be performed at specific periods, and forms signed and dated as evidence of the event, then these forms will be ‘retained’ as historical evidence. It’s best to only do what is necessary from a risk or customer requirements perspective. Too many management systems that I’ve audited are completely bogged down by unnecessary paperwork.

ISO 14001:2015

The requirements for clause 4.4 are far less detailed than for ISO 9001:2015. The clause does mention the requirements for processes and their interactions but focuses more on the need to continually improve. There is slightly more detail provided for process control in clause 8.1 where you are required to establish operating criteria for the processes and implement control of the processes according to the criteria. If you are running ISO 9001:2015 alongside ISO 14001:2015 my best advice would be to implement the requirements for the QMS of clause 4.1 into your environmental management system. Of course, it makes perfect sense to be operating an integrated management system but that’s a discussion for another chapter.

ISO 45001:2018

The requirements for this clause read the same as for ISO 14001:2015.

For auditors:

Sample a process/s and check to see that the process has:

  • An owner.
  • Inputs and outputs are described.
  • Resource requirements are described.
  • Sequence and interactions described (where applicable).
  • Criteria and methods described.
  • Risk mitigation and control have been considered and applied (where applicable).
  • Data from monitoring and measuring has been evaluated and fed into the continual improvement process.
  • Investigate any non-conformities and how they were managed through the corrective action process.

Further questions I will answer in future articles:

  • How do you map a process?
  • How do processes interact with each other?
  • How do you communicate a process?
  • How do you train a process?
  • What is an ISO process?
  • What is a process owner?
  • What is a process auditor?
  • How do you audit a process?

References: 

  • www.iso.org
  • ISO 9000:2015
  • ISO 9002:2015
  • ISO 14001:2015
  • ISO 45001:2018


(c) All content is copyrighted to ISO Training UK – All rights reserved 2022.

Author Bio

Paul Ingram has over 15 years of experience working in quality, health and safety and environmental management. Specialising as a trainer, he has provided training to thousands of delegates for small and multi-national businesses across the globe. A specialist in management system training and able to design and deliver courses for ISO 9001, 45001 & 14001. This includes implementation, Introduction, Internal Auditor, Lead Auditor, Remote Auditing, Management Brief and many more. For more information about booking a course visit: ISO Training & Consultancy
