ISO 9001:2015 4.4.1 - Providing Evidence of QMS Processes "Shalls"

ogghall

Starting to get Involved
#1
Regarding the processes that an organization has determined, ISO 9001:2015 4.4.1, what may be some examples or ideas on the ways to provide evidence of some or all of the "shalls" listed in a-h?

Thanks
 

The Specialist

Quite Involved in Discussions
#2
Ogghall, I have added a summary table to start you off...

Hopefully, this will give fellow covers a better overview of your question...

I will also work on some examples for you.

Good luck.​

4.4
Quality management system and its processes
beginning
4.4.1
Establish, implement, maintain and improve a process-based QMS
The company is free to decide how to apply the QMS without forgetting the issues (see sub-clause 4.1) and requirements (see sub-clause 4.2)
4.4.1
Determine the needed processes and their application
"If you cannot describe what you are doing as a process, you do not know what you're doing. Edwards Deming". Process map
4.4.1 a
Determine process inputs and outputs
Process sheet
4.4.1 b
Determine the sequence and interaction of processes
Flowchart
4.4.1 c
Determine the criteria and methods to control processes
Tools of the quality manager
4.4.1 d
Determine and ensure the resources
Needed to support processes. Cf. sub-clause 7.1
4.4.1 e
Assign process responsibilities and authorities
Job description of process owners
4.4.1 f
Take into account the risks and opportunities for each process
Plan and implement actions to address these risks, cf. sub-clause 6.1
4.4.1 g
Evaluate processes and if necessary modify them
Identify methods to monitor, measure, check and modify processes. Cf. sub-clause 9.1.1
4.4.1 h
Determine the improvement opportunities of processes and the QMS
Cf. sub-clause 10.1
4.4.2
Maintain documented information on process operation
Cf. sub-clause 7.5. The bare essential is sufficient. Use process map
4.4.2
Retain documented information on process operation
Cf. sub-clause 7.5. The goal is to ensure that processes' results are those planned

 

JoShmo

Quite Involved in Discussions
#4
Process controls aren't the Quality manager's responsibility, they are the Process Owners. Don't forget, some organization function without a "quality function" and ISO doesn't require a "management rep" any more.
 

ogghall

Starting to get Involved
#5
"The Specialist" Thanks for the reply. I don't have a problem with understanding what is being required. What is more of the issue is how to provide in a concise and simple way, the evidence of the requirements.

We are a large organization under a multi-site certificate. It seemed apparent this year with some of audits (to 20008 rev) that the 2015 rev audits will focus on how we have established our processes and how we can show evidence of these requirements in 4.4.1. I was thinking more in line of a table or registry that could provide that.

I believe this would be helpful not only to the auditor, the audit efficiency but also to our locations who end up having to supply some of this information.
 

RoxaneB

Super Moderator
Super Moderator
#6
I don't have a problem with understanding what is being required. What is more of the issue is how to provide in a concise and simple way, the evidence of the requirements.
I may be looking at this in too simplistic a manner, but if your organization knows what is required and has implemented processes that conform to the requirements, are not the results of the processes (e.g., records, indicators, etc.) evidence of said conformance?

ogghall said:
We are a large organization under a multi-site certificate. It seemed apparent this year with some of audits (to 20008 rev) that the 2015 rev audits will focus on how we have established our processes and how we can show evidence of these requirements in 4.4.1. I was thinking more in line of a table or registry that could provide that.
So, you're proposing a table of some sort that will show the outputs of the processes? In this case, my guess is such a document would be unique to each organization.

Out of curiousity, would the output from the processes vary between your organization's sites? That would certainly be interesting and possibly a discussion point with your auditor - not necessarily a nonconformance, but I know I'd be wondering why the output type wouldn't be standardized (results may vary, but I would expect the output type to be consistent).

ogghall said:
I believe this would be helpful not only to the auditor, the audit efficiency but also to our locations who end up having to supply some of this information.
It could help in audit prep, no doubt about it...however, and perhaps more importantly, is how it could possibly add value by providing a common direction for the organization. If you are looking to document the output types per process, this essentially can become a scorecard for the locations. Internal benchmarking becomes possible now and lower performing sites don't need to re-invent the wheel when trying to improve.
 

RoxaneB

Super Moderator
Super Moderator
#7
Process controls aren't the Quality manager's responsibility, they are the Process Owners. Don't forget, some organization function without a "quality function" and ISO doesn't require a "management rep" any more.
Agree...but...when I looked at the "table", it struck me that it really was heavy on the QUALITY management system side of things and lacking in the BUSINESS management system components. Maybe the links would take us into process controls and process monitoring for the product, yet at first glance it doesn't seem to address these.

That said, if "Tools of the Quality Manager" was altered to "Quality and SPC tools", I probably would have liked the table more.

In some organizations, the Quality Manager/Department/Process Owner is responsible for the implementation of the quality tools, yet it is the responsibility of the other Process Owners to apply them. Like Document Control...I was the process owner of Document Control, but if a department decided to not follow the doc control protocols, they received the finding, not I.

As for the Management Rep., sure it's no longer a requirement, but for some organizations, especially the larger ones with multi-site certifications, having a centralized individual to help coordinate and consolidate management systems activities can be a good thing.
 
#8
In our system, 4.4.1 a, b, are in the manual (yes, we kept ours, info is in the process ID and interaction section), c, d, are management review, e is the org chart, f is embedded in their process (we applied Risk Management at the process level), g per process, h Management Review.

An example of Documented Information (i.e. objective evidence) of our addressing Risks and Opportunities would be our Quote Review process. Part to big for our machines? Will the customer commit to a contract and help us buy a bigger machine? It is on our quote review form. Production - we want to try to use a lathe instead of a mill. It may be documented on an internal NC, and our production travelers (i.e. planning) is rev. controlled.

Don't overthink this stuff. You are probably doing it. Your job is to know what you do, make sure the process owners know how to answer the question what you do, and to make it clear that is what you do in the Documented Information.
 
Last edited:

ogghall

Starting to get Involved
#9
Kronos147, In one sense I agree with not overthinking it and that would easier if our organization and QMS was contained in a single location for example. We maintain a multi-site certificate with domestic and international locations. Identifying the evidence and communicating it throughout the organization becomes more difficult. Also especially with the new revisions to the standard the ISO requirements may not be as totally understood as it can be in a more localized organization. Creating a more direct link between what we do to the specific requirements so the organizational understanding is there is what the goal is.
 

dhakadmilind

Starting to get Involved
#10
HI ,
I have recently attented the course for iso 9001:2015.
During training ,we have dicussed this topic for demonstarte the risk base approach.
The results are,
A)We must have process mapping intial one
B)Risk date sheet 0r register:-Which records the risk considered and its mitigation plan
c)By consider B, we have to redesign the process mapping (As shown as Fig 1 in standard)

Thanks
 

Top Bottom