by T.D. (“Dan”) Nelson
Based on a review of the Draft International Standard (DIS) version of ISO 9001:2015, details in the new standard will allow (or force) competent auditors to more clearly discriminate between management systems that demonstrate a process approach and those that don’t. This is important. Only those demonstrating a process approach, as required, should be registered to ISO 9001:2015. Those that don’t, shouldn’t be.
Beyond the general requirements demanding a process approach, a new requirement directed at top management will also serve to identify rogue management system requirements defying proper application of a process approach. Top management is responsible for ensuring that such rogue management system requirements are integrated into the business processes where they apply.
First, let’s take a look at general requirements in ISO 9001:2015 directly addressing the process approach.
ISO 9001:2015 Process approach requirements
According to the ISO 9001:2015 DIS, the requirements of 4.4 are thought to be adequate to determine if a process approach has been applied. From 0.3 of the DIS, “Clause 4.4 of this International Standard includes specific requirements considered essential to the adoption of a process approach.”
Looking at these proposed requirements of DIS 4.4, they resemble current requirements appearing in ISO 9001:2008 at 4.1. If the requirements of ISO 9001:2008 4.1.a and b and the requirements of (DIS) 4.4.a and b were properly applied, they are adequate to find certain systems as being nonconforming. 4.4.a of the DIS offers a bit more granularity to what is required of process definition.
The added granularity should help auditors determine if the defined system reflects a coherent, viable system outputting product or service, as opposed to merely being a set of documents responding to ISO 9001 requirements.
A working system
Before applying the balance of ISO 9001 requirements, auditors need to confirm that a process approach is being applied in the first place and that the system is defined accordingly. Perhaps that’s why these requirements are among the first effective general requirements. Generally, an organization seeking registration must have a system in place to meet customer requirements and that system needs to be adequately and effectively documented.
In other words, in assessing a documented management system to the requirements of ISO 9001, the first question is, “Does the defined system work?” or “Does the management system described by documented information output product or service to customers?” The question of conformity to subsequent requirements should not be entertained at all until a documented management system has been confirmed to effectively define a system of processes (as opposed to defining a system as a set of documents responding to ISO 9001 requirements).
Process details—inputs and outputs
Let’s take a close look at the first few requirements serving to determine if a management system demonstrates a process approach:
ISO 9001:2008 “4.1 General requirements”:
“…The organization shall:
- determine the processes needed for the quality management system and their application throughout the organization (see 1.2),
- determine the sequence and interaction of these processes…”
Here are the corresponding requirements of the ISO 9001:2015 DIS:
DIS “4.4 Quality management system and its processes”:
“…The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall determine:
- the inputs required and the outputs expected from these processes;
- the sequence and interaction of these processes…”
Although the proposed requirements of the ISO 9001:2015 DIS have been slightly rephrased and reformatted, the notable difference is this: inclusion of inputs and outputs, tucked between the requirement to determine processes needed for the QMS, and the requirement to describe their sequence and interaction.
A traceable path to shipping
Both versions of the standard require, right up front, that the processes needed for the system are determined and that their sequence and interactions are also determined. If this hasn’t been done effectively, a system hasn’t been effectively defined. Clause 4.4.a of the DIS offers a bit more detail beyond the requirements of ISO 9001:2008 clause 4.1 to help assess whether or not the processes have been effectively defined. Once confirmed, the requirements of clause 4.4.b—depending on the processes defined per 4.4.a—should demonstrably work together to output product or service to customers. Otherwise, it’s not an effectively documented system; the resulting documentation belies the system actually outputting product and service to customers.
Process interaction should be evident at this level of system description. The expected output(s) from one process serve(s) as the input(s) to at least one other designated process. One output of a process might become an input to only one other subsequent process; or multiple outputs of a process may be intended as inputs for several subsequent processes. This interaction between processes is naturally defined when viewing a system as a coherent set of processes operating on inputs and outputs systemically to output product.
Notice this systemic process interaction resulting in release of product or service isn’t defined by “procedures” merely responding to requirements of ISO 9001. Simply following procedures dedicated to ISO 9001 requirements, a company would never ship anything. The inputs upon which these processes are defined to operate and the outputs they produce cannot be demonstrated to provide a path to releasing product to customers. Their only collective output is a certificate (again, which needs to stop). These documents don’t define any management system.
On the other hand, following procedures that describe how real processes are supposed to be carried out, product is released to customers. Once such a system has been adequately (and completely) documented, the requirements of ISO 9001 make much better sense to the quality minded (including use of the terms “process” and “system”). The application of ISO 9001 requirements is also much more sensible.
Recap of inputs and outputs
As ISO 9001 is a standard of effectiveness, a conforming management system is effectively documented. Effective management system documentation addresses the system of operations resulting in the release of product and service; this system should be viewed and managed as a collection of processes and documented accordingly.
Documented information describing each process needed for a management system (e.g., a “procedure”) should describe not only the inputs to the process and the outputs expected from the process, but also the processing controls in place to ensure that processing activities are properly performed and outputting conforming product. Clause 8.5.1.b of the ISO 9001:2015 DIS relates a specific controlled condition required of core processes, as applicable: “the availability of documented information that defines the activities to be performed and the results to be achieved.” Although this documented information could take many forms, in most cases, a good process-based procedure will do nicely.
A QMS defined by documentation dedicated to the clauses of ISO 9001—or merely addressing only the six procedures most explicitly required—does not pass as a QMS meeting the requirements of ISO 9001. It procedurally (and systemically) ignores or marginalizes the most important processes to any QMS: core processes. It fails to effectively address processes needed for the QMS, evidenced by examining process inputs and outputs of processes identified as being needed for the system.
Similarities between the clause headings of ISO 9001 and procedures’ titles (pertaining to core processes) should automatically raise red flags during document review, as the “processes” described by these “procedures” don’t work together to output product or service to customers.
Top management: integrate ISO 9001:2015 requirements into business processes
When procedures are dedicated to ISO 9001 requirements—instead of being dedicated to management system processes—the QMS requirements contained in these procedures are divorced from the processes where they apply. In other words, these procedures represent bolt-on QMS requirements.
In an effort to demonstrate conformity to ISO 9001 requirements, bolt-on processing requirements were captured in documents dedicated to ISO requirements, rather than being captured in the internal processing requirements pertaining to any given core process. Bolt-on QMS requirements are defined separately from the processes to which they pertain as stand-alone QMS requirements merely addressing ISO 9001 requirements. Using bolt-on documents, management can claim that they have established QMS requirements consistent with ISO 9001 requirements, but these requirements have not been integrated into the business processes where they belong consistent with the process approach.
Clause 5.1.1.d of the ISO 9001:2015 DIS is saying, in so many words, that if you have properly determined and documented the processes needed for a system, you still need to eliminate documents merely pandering to ISO 9001:2015 requirements.
Applied properly, the upcoming ISO 9001:2015 revision will offer more traction for auditors to write nonconformities against systems that don’t demonstrate conformity to the general requirement to apply a process approach.
New requirements demanding evaluation of defined processes (considering their inputs and outputs), coupled with an analysis of their sequence and interaction should provide assurance that defined systems actually describe real systems of operations. The new requirement demanding QMS requirements be integrated into business processes should prevent systems from including bolt-on QMS requirements.
The ISO 9001:2015 revision focuses on efficacy. Effective application of these new requirements will ensure that only management systems that are effectively documented and effectively implemented will receive ISO 9001:2015 registration.
About the author
D. (“Dan”) Nelson has been closely involved with ISO 9000 since 1994 as a technical writer, quality manager, management representative, consultant, author, and CB auditor. Nelson also has 12 years of experience as an IRCA-certified QMS lead or principal auditor.
Using a process approach, Nelson has taken scores of clients of various shapes and sizes through registration to ISO 9001:1994/2000/2008 and related sector schemes (e.g. QS-9000, AS9100, ISO 13485, and ISO 17025). He is available for management consulting, training, and coaching, as well as auditor training.