ISO 9001 - 4.4 - Part 3 - Processes management

   


  

In this entry I continue the analysis of Sub-clause 4.4 of the ISO 9001:2015 standard. As I have mentioned in previous entries, this sub-clause is perhaps the most complex of all those included in this standard since, in a general way, it is related to all the other sub-clauses of this standard and all its requirements.

 

For that reason, the analysis of requirements of this Sub-clause 4.4 of ISO 9001 has been carried out in three parts:

 

In the first one I have analyzed the initial requirements regarding the QMS. In that first entry about this topic I dealt with the requirements regarding the establishment, implementation, maintenance and continuous improvement of the quality management system. (Click hereIf you want to access to that first part entry).

 

In the second part, I presented a description of the approach to processes required by the standard, as well as the description of what a process is, the elements that make it up, the line of action to establish a process, as well as the Plan-Do-Check-Act Cycle. (PDCA) that should be used to establish and document any process; and also, in that entry, I analyzed the requirements from No. 32 to No. 37, according to the identification and breakdown of requirements of this sub-clause (Click here If you want to access to that second part entry).

 

Entering now at the content of this third part, below I present the list of the remaining requirements of this sub-clause, in order to continue with this analysis:

   


Even though I am going to analyze all these requirements that still need to be analyzed in this Sub-clause 4.4 of the ISO 9001: 2015 standard, let me present again the following slide, which although I presented it in the previous entry in relation to the process approach, is also important in this entry, as it presents all the steps that must be followed to determine a process and is related to several of the requirements that we will see now.

 


The following eight requirements of this sub-clause always create a great deal of confusion for those who have the responsibility to apply, verify, audit and also improve them.

 

If you read this part of Sub-Clause 4.4, or even when you read these requirements already broken down, it might seem that they say the same thing and that they are repeating themselves; but you have to be careful, since as I have previously mentioned, this standard does not include repeated information. It is only the way in which the sub-clauses and paragraphs of the standard are drafted. These requirements are similar in that the first four of them refer to the fact that the organization should determine either the criteria or the methods, to ensure either the effective operation or the effective control of those processes. Based on the PDCA Cycle, the activities that involve these four requirements are for planning (P).

 

Effective operation can be defined as the comprehensive and general optimization of internal processes, which results in an optimal level of quality and satisfaction in the final product or service. Effectiveness refers to the results in relation to the goals and the fulfillment of the organizational objectives. To achieve an effective operation, tasks must be prioritized and those that allow them to be achieved in the best way be carried out in an orderly manner. It is the degree to which a process can achieve the best possible result.

 

Process control is one of the stages of the quality management system and consists of analyzing and monitoring processes to locate failures and opportunities for improvement.

 

The effective process control allows us to keep within the limits of acceptance of the process at all times, as well as to control that specifications of the product or requirements of the service offered are met, and to work on the continuous improvement of the process.

 

To have a better understanding of these requirements, as well as the following four, it is important to also understand the meaning of two terms that are essential to them, which are "criteria" and "methods" for a process.

 



 

Taking this definition into consideration, the criteria define "what is expected" of a process that is evaluated, that is, that by means of those the "evaluation" of the process can be carried out and compared with a benchmark or performance standard. In this sense, they establish the required and expected level of the characteristics of the process, as well as its results, and define when a process is considered to meet a certain objective.

 

Considering this corresponding definition, we can understand by “process method”, as “an organized and systematic way in which a set of mutually related activities is carried out that use the inputs to provide an expected result”.

 

The other next four requirements are similar in that they refer to the organization should apply either those criteria or those methods to ensure either the effective operation or the effective control of the processes.

 

In order to ensure that processes are effective (ie that they deliver planned results), the organization should determine and apply process control criteria and methods; the criteria for monitoring and measurement could be process parameters, or specifications for products and services; performance indicators should relate to monitoring and measurement, or may relate to the organization's quality objectives (criteria); other methods of indicating performance include, but are not limited to, reports, charts, or audit results; If we refer to the PDCA Cycle, these four requirements involve operation, verification and control (DCA) activities.

 

As we can see, the organization should also identify the monitoring and measurement criteria for the control and performance of the process, to determine the effectiveness and efficiency of the process, taking into account factors such as:

 

• Conformity with requirements,

• Customer satisfaction,

• Supplier performance,

• On time delivery,

• Lead times,

• Failure rates,

• Waste,

• Process costs,

• Incident frequency.

 

Requirement No. 38: “The organization shall determine the criteria (including monitoring, measurements and related performance indicators) needed to ensure the effective operation of these processes.

 

If we consider the information previously presented, we can identify that, in order to comply with this requirement, the organization should indicate exactly what are the criteria or standards, such as process parametersspecifications or performance indicators, which establish the required and expected level of the characteristics of the process, as well as its results, and the corresponding monitoring, measurements, and related performance indicators, and define when a process is considered to meet a certain objective, achieving comprehensive and general optimization of the processes.

 

Requirement No. 39: “The organization shall determine the methods (including monitoring, measurement and related performance indicators) necessary to ensure the effective operation of these processes.

 

As we did with the previous requirement, considering the information presented, we can identify that, in order to comply with this requirement, the organization should indicate exactly what is the organized and systematic way in which a process should be carried out and the corresponding monitoring, measurements and related performance indicators, and that define when a process is considered to meet a specific objective, achieving the integral and general optimization of the processes.

 

Requirement No. 40: “The organization shall determine the criteria (including monitoring, measurements and related performance indicators) needed to ensure the effective control of these processes.

 

In order to comply with this requirement, we can identify that the organization should indicate exactly what are the criteria or standards, such as process parametersspecifications or performance indicators, which should establish the required and expected level of the process characteristics, as well as its results, and the corresponding monitoring, measurements and related performance indicators, which should allow it to have the process within its acceptance limits at all times, as well as control that the product specifications or requirements of the service offered are met, and work in the continuous improvement of the process.

 

Requirement No. 41: “The organization shall determine the methods (including monitoring, measurements and related performance indicators) needed to ensure the effective control of these processes.

 

In the same way, to comply with this requirement, we can identify that the organization should indicate exactly what is the organized and systematic way in which the process is carried out, as well as the monitoring, measurements and related performance indicators, which allow it to have at all times the process within its limits of acceptance, as well as control that the product  specifications or requirements of the service offered are met, and work on the continuous improvement of the process.

 

Requirement No. 42: “The organization shall apply the criteria (including monitoring, measurements and related performance indicators) necessary to ensure the effective operation of these processes.

 

With this requirement begins the group of four of them which establish the verb shall apply, either the criteria or the methods, to ensure, either the effective operation, or the effective control of the processes.

 

This means that, in order to comply with this requirement, the organization should carry out the application (action and effect of using or meeting) the criteria or standards, determined in compliance with requirement No. 38, as process parametersspecifications or performance indicators, which establish the required and expected level of the characteristics of the process, as well as its results, and the corresponding monitoring, measurements and related performance indicators, to ensure that the process meets a specific objective, achieving the integral and general optimization of the processes

 

Requirement No. 43: “The organization shall apply the methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation of these processes.

 

To meet this requirement, the organization should carry out the application (action and effect of using or meeting) in an organized and systematic manner in which a process and related monitoring, measurement and performance indicators are performed, determined in compliance with requirement No. 39, to ensure that the process meets a specific objective, achieving the integral and general optimization of the processes.

 

Requirement No. 44 “The organization shall apply the criteria (including monitoring, measurements and related performance indicators) needed to ensure the effective control of these processes.

 

To comply with this requirement, the organization should carry out the application (action and effect of using or meeting) the criteria or standards, determined in compliance with requirement No. 40, such as process parameters, specifications or performance indicators, which establish the required and expected level of the characteristics of the process, as well as its results, and the corresponding monitoring, measurements and related performance indicators, which allow the process to be within its acceptance limits at all times, as well as to control that the product specifications or requirements of the service offered are met, and work on the continuous improvement of the process.

 

Requirement No. 45: “The organization shall apply the methods (including monitoring, measurements and related performance indicators) needed to ensure the effective control of these processes;

 

To meet this requirement, the organization should carry out the application (action and effect of using or meeting) in an organized and systematic manner in which a set of mutually related activities is performed that use the inputs to deliver an intended result, as well as its results, and the corresponding monitoring, measurements and related performance indicators, determined in compliance with requirement No. 41, which allow the process to be within its acceptance limits at all times, as well as control that product  specifications or requirements of the service offered are met, and work on the continuous improvement of the process.

 

Requirement No. 46: “The organization shall determine the needed resources for these processes;

 

If an organization does not adequately identify what type of resources it requires for a process to be carried out, that operation will surely be a failure. That is why, within its planning activities, the organization should determine all the resources that are necessary for the effective operation of each of its processes, as well as the resources for monitoring and measurement (in accordance with Sub-Clause 7.1 of ISO 9001:2015).

 


 

If we refer to the PDCA Cycle, this requirement involves planning activities (P).

 

Requirement No. 47: “The organization shall ensure the availability of the resources needed for these processes.

 

Similarly, if the organization cannot have the necessary resources to carry out a process in a timely manner, it will be a failed effort. That is why the organization should define all the necessary considerations that allow it to ensure the timely availability of all the resources necessary for the implementation of each one of the processes, among which should be included the capacities and restrictions of the existing internal resources and those that can be obtained from external providers. And, in the same way as it has been done before, if we refer to the PDCA Cycle, this requirement involves planning, operation, verification and control (PDCA) activities.

 

Requirement No. 48: “The organization shall assign responsibilities for these processes.

 

If we look at the Merriam-Webster Dictionary for the term "assign", we can find the next definition:

 

 

Regarding the term "responsibility", which is a term that derives from the Latin "responsum", we find the next definition:

 


So, in relation to this requirement, the organization should signal someone's responsibility for the response and fulfillment of the duty, whether it is consequences of personal acts or obligations for its processes, by first determining the activities of the process and then determining the people who will perform each activity; Those responsibilities can be assigned on documented information such as organizational charts, documented procedures, operating policies, and job descriptions, or using a simple verbal instructions approach.

 

Top management should organize and define individual roles, responsibilities, work groups, attributions and ensure the necessary competence for the effective definition, implementation, maintenance and improvement of each process and its interactions. To manage process interactions, it may be useful to also establish a QMS "process management team" that has a system overview across all processes and may include representatives of interacting processes and functions.

 

I think it is important to mention that the responsibilities related to each process should be established at the individual level and not to a group of people. Let us remember that “what is the responsibility of many is the responsibility of no one”. However, some responsibilities may be delegated to one or more subordinates.

 

Requirement No. 49: “The organization shall assign the authorities for these processes.

 

We already saw in the previous requisite the meaning of the term “assign”. Now, let's see what the term "authority" means:

 


Likewise, authority is a quality that encourages an order to be fulfilled. In this way, having authority supposes, on the one hand, to command, and, on the other, to be obeyed.

 

The organization should also assign authorities for its processes, defining ownership, as well as accountability. The individuals who are assigned authority over a process are generally referred to as “Process Owners”.

 

These authorities can equally be established on documented information such as organizational charts, documented procedures, operating policies, and job descriptions, or by using a simple verbal instructions approach.

 

We should also consider that an authority can be shared with a subordinate, but it cannot be delegated.

 

Requirement No. 50: “The organization shall address the risks determined in accordance with the requirements of Sub-clause 6.1.

 

Risk is the effect of uncertainty, and such uncertainty can have positive or negative effects. A positive deviation arising from a risk may provide an opportunity, but not all positive effects of risk result in opportunities.

 

When planning the processes of the quality management system, the organization should determine the risks that need to be addressed in order to ensure that the QMS can achieve its intended results, increase desirable effects, prevent or reduce unwanted effects and achieve improvement.

 

To this end, the organization should plan actions to address these risks and how to integrate and implement the actions into its QMS processes, as well as assess the effectiveness of these actions.

 

It shall also determine the risks to the conformity of products, services and customer satisfaction if undesired results are delivered, and shall ensure that the quality management system as a whole takes into account all significant risks to the organization and the users.

 

The organization should ensure that all necessary actions are implemented to address the risks associated with the processes.

 

Actions taken to address risks should be proportional to the potential impact on the conformity of products and services.

 

Options to address risks may include:

  


Requirement No. 52: “The organization shall address the opportunities determined in accordance with the requirements of Sub-clause 6.1.

 

An organization needs to plan and implement actions to address the opportunities. Addressing both risks and opportunities lays a foundation for increasing the effectiveness of the quality management system, achieving better results, and preventing negative effects.

 

Opportunities may arise as a result of a situation favorable to achieving an intended result, for example, a set of circumstances that enables the organization to attract customers, develop new products and services, reduce waste, or improve productivity. Actions to address opportunities may also include consideration of associated risks.

 

The organization should ensure that all necessary actions are implemented to address opportunities associated with the processes.

 

When planning the processes of the quality management system, the organization should determine the opportunities that need to be addressed in order to ensure that the QMS can achieve its intended results, increase desirable effects, prevent or reduce unwanted effects and achieve improvement.

 

To this end, the organization should plan actions to address these opportunities and how to integrate and implement the actions into its QMS processes, as well as assess the effectiveness of these actions.

 

Opportunities can lead to:

 


Requirement No. 52: “The organization shall evaluate these processes.

 

The organization should confirm that each of the processes is effective and that the characteristics of the processes are consistent with the purpose of the organization. To do this, it should take into account the performance data obtained by reviewing the criteria established for the process, as well as those for monitoring and measurement; It should analyze and evaluate this data and implement any necessary changes to ensure that these processes consistently achieve their intended results.

 

The organization should compare the results against the objectives to verify that all requirements are met.

 

Processes are needed to collect data. Examples include measurement, monitoring, reviews, audits, and performance analysis.

 

Requirement No. 53: “The organization shall implement any changes necessary to ensure that these processes achieve the expected results.

 

The organization should take into account the performance data obtained by reviewing the established criteria for monitoring and measurement; analyze and evaluate this data; and implement any changes necessary to ensure that these processes consistently achieve their intended results;

 

Requirement No. 54: “The organization shall improve these processes.

 

The organization should use the results of the analysis and evaluation to determine the necessary improvement actions; Improvements can be made at the process level, such as by reducing variations in the way an activity is performed. The more variations, less effectiveness.

 

The organization should act on the findings to ensure that the effectiveness of the process is improved. The organization may also want to improve the efficiency of processes, although this is not a requirement of ISO 9001 standard.

 

Corrective action as a result of process failure should include identifying and eliminating root causes of problems. “Systemic thinking” recognizes that an event in a process could have a cause or effect in a dependent process. Causes and effects may not be within the same process.

 

Even when planned process results are achieved and requirements are met, the organization should still seek to improve process performance, customer satisfaction, and reputation. This may be achieved, for example, through continuous improvement in small steps ("Kaizen"), breakthrough improvements or through innovation.

 

Requirement No. 55: “The organization shall improve the quality management system.

 

The organization should use the results of the analysis and evaluation to determine the necessary improvement actions; improvements may be made at the quality management system level, such as by reducing the paperwork associated with the system, allowing people to focus more on managing processes.

 

Requirement No. 56: “The organization shall maintain, to the extent necessary, documented information to support the operation of its processes.

 

The intent of this paragraph is to ensure that the organization determines the extent of documented information that is needed. This documented information is information that requires be controlled and maintained by the organization, as well as the medium that contains it.

 

The appropriate person (for example, the process owner, the owner of the process output, the person who controls the process) should review the information that is used for the process to perform in order to consistently provide the intended outputs. For information (such as procedures, work instructions, visual aids, information and communication systems, drawings, specifications, metrics, reports, key performance indicators [KPIs], meeting minutes, representative samples, verbal conversations) that are used, it is necessary to carry out a value analysis/review to support the process. The result will be the decision of what information will be treated as documented information. For example, when top management conducts strategic planning, it might consult and review relevant information on the Internet, such as reports on the current and future state of the organization's industry sector, developed by government agencies and other relevant parties. This information should not be considered documented information, as it is available in the public domain. Instead, it would be necessary to consider as documented information a business plan that includes quality objectives, risks and opportunities and strategies among other relevant elements (for example, the mission, vision and values and an organization's process map).

 

It is up to the organization to specify the different types of documented information necessary to support the operation of its processes and its quality management system. In determining the type and degree of documented information needed, the organization should assess its own needs and apply risk-based thinking. It should also take into account its size, activities, types of products or services, complexity of its processes, resources, etc., as well as the potential consequences of nonconformities.

 

Although the ISO 9001 standard specifies the use of documented information in several of its requirements, the organization may need to have additional documented information (such as documented procedures, web pages, work instructions, manuals, regulations, standards, forms, guides, software, applications on phones, etc.) to control the operation of its processes.

 

Some of the organization's documented information will need to be periodically reviewed and modified to keep it current. The ISO 9001 standard uses the phrase "maintain documented information" in reference to this type of documented information.

 

Requirement No. 57: “The organization shall retain, to the extent necessary, documented information to have confidence that the processes are being carried out as planned.

 

In order to differentiate this requirement with the previous one, is important to mention that there are other documented information which needs to be retained unchanged (unless a correction is authorized), by the organization, to demonstrate conformance and to have confidence that processes are being carried out as planned, or to demonstrate whether or not requirements are being met (often this type of documented information is referred to as a “record”). The ISO 9001 standard uses the phrase "retain documented information" in reference to this type of documented information, which is often related to customer requirements, legal and regulatory requirements, or the organization's own requirements to retain documented information.

 

This documented information necessary for the control and improvement of the processes, both maintained and retained, should be treated in accordance with Sub-clause 7.5 of the ISO 9001:2015 standard.

 

In this way I conclude what refers to the analysis of Subclause 4.4.- Quality management system and its processes, hoping that some of the information presented is useful for you.

 

In the next entry, I will start the analysis of Clause 5.- Leadership, with the requirements of Sub-clause 5.1.- Leadership and commitment.

 

Author:

 

Ernesto Palomares Hilton

 

Comments