ISO 9001:2015 4.4.1 - Providing Evidence of QMS Processes "Shalls"

[ogghall]

Regarding the processes that an organization has determined, ISO 9001:2015 4.4.1, what may be some examples or ideas on the ways to provide evidence of some or all of the "shalls" listed in a-h?

Thanks

 

[The Specialist]

Ogghall, I have added a summary table to start you off...

Hopefully, this will give fellow covers a better overview of your question...

I will also work on some examples for you.

Good luck.​

4.4​

Quality management system and its processes​

beginning​

4.4.1​

Establish, implement, maintain and improve a process-based QMS​

The company is free to decide how to apply the QMS without forgetting the issues (see sub-clause 4.1) and requirements (see sub-clause 4.2)​

4.4.1​

Determine the needed processes and their application​

"If you cannot describe what you are doing as a process, you do not know what you're doing. Edwards Deming". Process map​

4.4.1 a​

Determine process inputs and outputs​

Process sheet​

4.4.1 b​

Determine the sequence and interaction of processes​

Flowchart​

4.4.1 c​

Determine the criteria and methods to control processes​

Tools of the quality manager​

4.4.1 d​

Determine and ensure the resources​

Needed to support processes. Cf. sub-clause 7.1​

4.4.1 e​

Assign process responsibilities and authorities​

Job description of process owners​

4.4.1 f​

Take into account the risks and opportunities for each process​

Plan and implement actions to address these risks, cf. sub-clause 6.1​

4.4.1 g​

Evaluate processes and if necessary modify them​

Identify methods to monitor, measure, check and modify processes. Cf. sub-clause 9.1.1​

4.4.1 h​

Determine the improvement opportunities of processes and the QMS​

Cf. sub-clause 10.1​

4.4.2​

Maintain documented information on process operation​

Cf. sub-clause 7.5. The bare essential is sufficient. Use process map​

4.4.2​

Retain documented information on process operation​

Cf. sub-clause 7.5. The goal is to ensure that processes' results are those planned ​

​

​

 

[The Specialist]

Unfortunately the table hasn't posted very well!
But I think it is still readable.

 

[JoShmo]

Process controls aren't the Quality manager's responsibility, they are the Process Owners. Don't forget, some organization function without a "quality function" and ISO doesn't require a "management rep" any more.

 

[ogghall]

"The Specialist" Thanks for the reply. I don't have a problem with understanding what is being required. What is more of the issue is how to provide in a concise and simple way, the evidence of the requirements.

We are a large organization under a multi-site certificate. It seemed apparent this year with some of audits (to 20008 rev) that the 2015 rev audits will focus on how we have established our processes and how we can show evidence of these requirements in 4.4.1. I was thinking more in line of a table or registry that could provide that.

I believe this would be helpful not only to the auditor, the audit efficiency but also to our locations who end up having to supply some of this information.

 

[RoxaneB]

I don't have a problem with understanding what is being required. What is more of the issue is how to provide in a concise and simple way, the evidence of the requirements.

I may be looking at this in too simplistic a manner, but if your organization knows what is required and has implemented processes that conform to the requirements, are not the results of the processes (e.g., records, indicators, etc.) evidence of said conformance?

We are a large organization under a multi-site certificate. It seemed apparent this year with some of audits (to 20008 rev) that the 2015 rev audits will focus on how we have established our processes and how we can show evidence of these requirements in 4.4.1. I was thinking more in line of a table or registry that could provide that.

So, you're proposing a table of some sort that will show the outputs of the processes? In this case, my guess is such a document would be unique to each organization.

Out of curiousity, would the output from the processes vary between your organization's sites? That would certainly be interesting and possibly a discussion point with your auditor - not necessarily a nonconformance, but I know I'd be wondering why the output type wouldn't be standardized (results may vary, but I would expect the output type to be consistent).

I believe this would be helpful not only to the auditor, the audit efficiency but also to our locations who end up having to supply some of this information.

It could help in audit prep, no doubt about it...however, and perhaps more importantly, is how it could possibly add value by providing a common direction for the organization. If you are looking to document the output types per process, this essentially can become a scorecard for the locations. Internal benchmarking becomes possible now and lower performing sites don't need to re-invent the wheel when trying to improve.

 

[RoxaneB]

Process controls aren't the Quality manager's responsibility, they are the Process Owners. Don't forget, some organization function without a "quality function" and ISO doesn't require a "management rep" any more.

Agree...but...when I looked at the "table", it struck me that it really was heavy on the QUALITY management system side of things and lacking in the BUSINESS management system components. Maybe the links would take us into process controls and process monitoring for the product, yet at first glance it doesn't seem to address these.

That said, if "Tools of the Quality Manager" was altered to "Quality and SPC tools", I probably would have liked the table more.

In some organizations, the Quality Manager/Department/Process Owner is responsible for the implementation of the quality tools, yet it is the responsibility of the other Process Owners to apply them. Like Document Control...I was the process owner of Document Control, but if a department decided to not follow the doc control protocols, they received the finding, not I.

As for the Management Rep., sure it's no longer a requirement, but for some organizations, especially the larger ones with multi-site certifications, having a centralized individual to help coordinate and consolidate management systems activities can be a good thing.

 

[Kronos147]

In our system, 4.4.1 a, b, are in the manual (yes, we kept ours, info is in the process ID and interaction section), c, d, are management review, e is the org chart, f is embedded in their process (we applied Risk Management at the process level), g per process, h Management Review.

An example of Documented Information (i.e. objective evidence) of our addressing Risks and Opportunities would be our Quote Review process. Part to big for our machines? Will the customer commit to a contract and help us buy a bigger machine? It is on our quote review form. Production - we want to try to use a lathe instead of a mill. It may be documented on an internal NC, and our production travelers (i.e. planning) is rev. controlled.

Don't overthink this stuff. You are probably doing it. Your job is to know what you do, make sure the process owners know how to answer the question what you do, and to make it clear that is what you do in the Documented Information.

 

[ogghall]

Kronos147, In one sense I agree with not overthinking it and that would easier if our organization and QMS was contained in a single location for example. We maintain a multi-site certificate with domestic and international locations. Identifying the evidence and communicating it throughout the organization becomes more difficult. Also especially with the new revisions to the standard the ISO requirements may not be as totally understood as it can be in a more localized organization. Creating a more direct link between what we do to the specific requirements so the organizational understanding is there is what the goal is.

 

[dhakadmilind]

HI ,
I have recently attented the course for iso 9001:2015.
During training ,we have dicussed this topic for demonstarte the risk base approach.
The results are,
A)We must have process mapping intial one
B)Risk date sheet 0r register:-Which records the risk considered and its mitigation plan
c)By consider B, we have to redesign the process mapping (As shown as Fig 1 in standard)

Thanks