Implementing the ISO 9001:2015 “Process Approach”

The “process approach” to QMS management has been around since the 2000 edition of ISO 9001, but it’s confused everyone to no end. Making matters worse, the new ISO 9001:2015 standard rewrote the language surrounding the requirements, making it less clear, rather than clarifying it. As I’ve argued elsewhere, this is because the authors of the new version were comprised of mostly private consultants who have since tried to make a fortune on deciphering the garbled text they created.

So it behooves us to revisit the process approach or, for new users, take a look at how it can be implemented for the first time.

Inconsistent Usage of Terms

First, understand that the ISO 9001 authors did not include actual process engineers. Again, they were mostly private consultants and registrar representatives, with no background in actual process design or process management. Then, ISO fails to employ a “final edit authority” in its standards development, to ensure that language and terms are used consistently throughout a given document. This is why through the first half of clause 8.5 the authors used the words “product or services” and in the second half, they used the word “output”; different authors wrote the two halves, and ISO didn’t enforce a final editor to clean up the disparity.

This is also why the word “process” is used willy-nilly in the standard, without concern for the confusion or impact. For example, in clause 9.2.2 bullet point (a) the standard calls internal auditing a “program,” and just two sentences later, bullet point (c) it refers to it as a “process.” Then, in bullet point (f), it’s back to a “program” again. An editor would have caught this, but ISO can’t be bothered with things like editing when it has money to make by rushing things to print.

Next, some of the usages of the word “process” within the text contradict other areas of the very same standard.  For example, clause 8.3 demands you implement “design processes,” apparently demanding there be more than one process related to design. This violates clause 4.4.1 which says, “the organization shall determine the processes needed for the quality management system” — so the organization (you) decide what processes exist for your QMS, not anyone else. The ISO 9001 standard cannot dictate your QMS processes, and yet the text of some sections appears to do just that. Neither can ISO 9001 tell you to split a process into multiple processes (plural) if you don’t want to, but that’s exactly what 8.3 is doing.

So you have to ignore any instance of the word “process” except in clause 4.4, where the “process approach” requirements reside. Don’t let the other text confuse you.

Identifying Your QMS Processes

Ignoring ISO’s ever-changing definition of the word “process” (trust me, ignore it), understand that a process is an activity that converts inputs into outputs. Every human activity is a process: eating, breathing, walking, etc. This also means that everything — everything! — your company does is a process: from answering phones to sorting files to manufacturing airplane parts to serving lunch to the employees. Which makes things insanely difficult to manage, obviously.

Knowing that the process approach is defined in clause 4.4, you thus only want to use the word “process” when defining an activity you intend to manage under the requirements defined in bullet points 4.4.1 (a) through (h). Anything you don’t want to manage under those rules, well, call them something else: “activity,” “workstep,” “operation,” “sub-process” — make up a word if you have to. Just ensure that even if ISO 9001 is confused about how to use the word, in your QMS (including the documentation) you only use the word to describe activities you intend to manage per 4.4. And remember, the second sentence of 4.4.1 gives you this right:  “the organization shall determine the processes needed for the quality management system.”

So what are those requirements? They’re not particularly complicated to understand, but ISO jumbled them up sequentially, making it confusing. So we can better understand them if we look at them logically, rather than in exact sequence:

• “b) Determine the sequence and interaction of these processes.” Here you have to develop an overall process flow, typically presented as a diagram or flow chart, of the sequence of the processes. For example, “Order Intake” usually precedes “Shipping.” The typical approach here is to make a single “overall process flow chart” that shows this flow, and shove it in the quality manual somewhere. An example of such a flow diagram appears below, or can be found here. If you have a small to medium company, this might seem blindingly simple, and that’s normal.

• “a) Determine the inputs required and the outputs expected from these processes.” Next, start to define each individual process you’ve selected by identifying what its inputs are (required information, personnel, equipment, materials, etc.) and then what their final output should be (finished product, completed service, etc.) People use Turtle Diagrams for this, which I have written are entirely stupid, but if you like them, go for it. I use a “Process Definition” approach which eschews dumb graphics for a more thoughtful text-based description, and you can find a sample here. This also captures some of the information required for the other bullet points herein.
• “d) Determine the resources needed for these processes and ensure their availability.” Now define — perhaps in that Process Definition — what personnel, equipment and facilities are needed for the process.
• “e) Assign the responsibilities and authorities for these processes.” Now define — perhaps (again) in the Process Definition — who is responsible for not only “owning” the process, but carrying out its related activities.
• “c) Determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes.” Here is where things get tricky. You must develop process measurements — some call these KPIs (key performance indicators) — for each of your identified processes. I discuss this further in this article, below.
• “g) Evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results.” Now that you’ve established the measurements, start actually measuring them, and report the data to management; typically this is done in real time, daily, and then re-examined more formally during your regular management review per clause 9.3.
• “f) Address the risks and opportunities as determined in accordance with the requirements of 6.1.” The analysis of the measurement data will likely highlight problems, which can be converted into risks which you then analyze per 6.1. Likewise, the data may identify opportunities. But you should also conduct a per-process review of possible risks and opportunities prior to, or outside of, any process measurement data collection. See my series of articles on “Practical Implementation of Risk-Based Thinking” available here.
• “h) Improve the processes and the quality management system.” Finally, use the data and your corrective action system to improve the processes when they don’t meet process objectives, or any other time you want to improve them.

So as we can see, that’s a lot to do, and you wouldn’t want to do all that for an activity as mundane as “shredding files” — unless, of course, your company offers professional file shredding services, in which case that might be your primary process! So every company will be different. My experience tells me most small to medium sized companies (1000 employees or less) have under a dozen activities they label as core QMS processes. For example, a typical small manufacturing shop usually has the following processes:

• Quoting & order entry
• Purchasing & receiving
• Manufacturing (including QA)
• Packaging
• Shipping

Depending on your company’s size and complexity, you may separate these further. For example, some companies separate Purchasing and Receiving into two processes, while other smaller companies keep them together as one. Others putting Shipping and Receiving together. Often, companies won’t have a single “Manufacturing” process, but instead a handful of individual manufacturing processes, such as “cleaning,” “milling,” “sawing,” etc. Again, that depends on their size and complexity, and what they want to measure. If measuring “manufacturing” as a process isn’t useful, because it’s too vague, then you would label the individual activities as processes, and measure those.

Often, the processes will align to some degree to company departments, but you shouldn’t use departments as the sole guide when dividing your company into processes.

You’re also going to add a few administrative processes, which I will discuss shortly.

Assign ISO 9001 Clauses

It’s not in the ISO 9001 standard itself, but to properly implement a process-based QMS which, itself, must comply with ISO 9001, you should ensure that your set of processes also encompasses all the ISO 9001 clauses. This will make sense in a minute, but for now trust me; make a table of each of your processes and assign the ISO 9001 clauses that are applicable to that process, until all the clauses are assigned somewhere. For example, a “Purchasing” process would be assigned clause 8.4, and your “Design” process would be assigned clause 8.3.

What you will find is that a lot of the ISO 9001 clauses other than those in 8 don’t fit anywhere. This is why you have to develop a few additional QMS oversight processes. These will then cover clauses 4, 5, 6, 7, 9 and 10 which are typically not covered by your product or service related processes.

I usually suggest a single “QMS Administration” process which covers all of management activities for clauses 4, 5 and 6. Then a “Resources” process to cover clause 7, and an “Improvement” process to cover 9 & 10. Some companies keep Internal Auditing as a separate process, which makes auditing easier (more on that coming up), and others with huge documentation libraries and complex configuration management activities may break out “Document Control” into a standalone process. It’s entirely up to you, but I urge companies to keep their top-level processes to a minimum, because it can get out of hand quickly. Again, even with a few QMS management related processes added, most companies have a set of about a dozen processes when done.

Again, each of these QMS management processes would need be measured, too. To measure the “Resources” process, for example, you might measure employee turnaround, or equipment downtime, etc. To measure the “QMS Administration” process, you might measure overall compliance to ISO 9001, or how effective all the other processes are; after all, if the other processes are ineffective, then it’s likely a management issue.

In such a case, the process list from the example I made above might grow a bit, to look like this when done:

• QMS Administration
• Improvement
• Internal Auditing
• Quoting & order entry
• Purchasing & receiving
• Manufacturing (including QA)
• Packaging
• Shipping

Here is an example of what your process listing vs. ISO 9001 clauses might look like for a company that conducts both design and field service, alongside manufacturing (click here for a PDF version.)

Process Objectives

Recall that clause 4.4.1 bullet point (c) requires you to “determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes.”  This means each process should have at least one measurement.

The clause on quality objectives (now residing in 6.2 of the latest standard) is just an update of original language that has existed since the 1987 initial release, and has never been properly aligned with the process approach; this was a pretty significant error made in the 2000 version, which was never corrected in any version since; again, this is because there are no actual process engineers in the ranks of the ISO 9001 authors. But process engineers understand that each process has objectives, and these are almost always redundant — or much better — than simple “quality objectives.”

“Quality objectives” in the oldest sense meant simple things like scrap rates, yield, on-time delivery, etc. (AS9100 still adheres to this thinking, in fact.) But under a true process-based QMS, such objectives are meaningless because they don’t tell you where problems with scrap rates, yields or OTD come from; by this I mean which process caused the problem. Without knowing that, the data is meaningless since it makes it difficult to know where (which process) to apply corrective action.

So I recommend combining the concept of “quality objectives” from clause 6.2 with the “process performance indicators” required by 4.4.1. To do this, you assign at least one objective/metric pairing to each process, and ensure these include metrics suitable for measuring product or service conformity. I take an unconventional interpretation here, as follows:

• “Objective” should be a prose (text) description of what the process intends to achieve. Each process must have at least one such objective, but may have more than one. For example, the objectives of a “Purchasing” process may be “to ensure high quality raw materials are used” and “to ensure excellent performance by our selected suppliers.” These are simple statements of the obvious.
• “Metric” is the means of measuring each objective statement; some objectives may have multiple metrics. For example, the Purchasing objective of “to ensure excellent performance by our selected suppliers” (from above) may have two metrics: measurement of supplier on-time delivery, and measurement of quality acceptance of received raw materials.
• “Goal” or “target” is then the actual measurement you want to achieve for each metric. For example, your goal for supplier on-time delivery may be “95% on time delivery for all items received in the last 6 months.” Always make sure you have a time period included in the goal, unless it’s a running total. Goals are set by top management.

Again, each process must have at least one objective; each objective must have at least one metric (sometimes more) and each metric must have a goal, set by management. You will find that your traditional quality objectives, such as yield, scrap rate, etc., “fit” somewhere into the process objectives, probably for your manufacturing-related processes. Now, when you have a poor yield, you know which process is likely responsible, and thus where to apply corrective action.

I suggest making a table of the entire thing, that looks like this:

Obviously, you will fill this in accordingly, leaving the columns “current standing” and “goal met?” blank — those are used later, during management review.

Process Auditing

Finally, if you like (it’s optional) you can audit by processes. Despite common belief, there’s no such thing as process-based auditing, and anyone telling you otherwise just made it up. It’s not defined in the auditing standard, ISO 19011, not mentioned anywhere in the registrar accreditation rules, and there’s no consensus on what it actually means. That hasn’t stopped a host of consultants and auditors from telling you it’s mandatory, and then giving their ideas (or selling their books and seminars) on how to conduct process-based audits anyway. They also invent a false dichotomy, saying that process auditing is the opposite of clause-based auditing, which is also utterly untrue. In fact, ISO 9001 clause 9.2 requires you to audit the clauses, (“the requirements of this international standard“) and not the QMS processes, so when someone tells you otherwise, you know they have no idea what they’re talking about.

Having said that, conducting internal audits by processes is a good idea, as it makes audits more manageable, and then results in audits that can highlight process inefficiencies or problems. But, as I said, you still have to audit the clauses in some fashion. If you make audit checklists based on the processes, and include only questions related to the ISO 9001 clauses you identified for that specific process (as above), then you’re on your way. There are additional things you should do beyond just checklist auditing, but that’s out of scope for this article.

But this is also why you want to have some processes dedicated to the QMS administrative clauses, like 4 and 5, to ensure they get audited, and that they are measured as part of your processes. It is also why some companies elect to have “Internal Auditing” as a standalone process, since you have to audit your internal audits (yes, really), and having them separate makes that activity easier, since you can assign the “process audit of the Internal Audit process” to someone objective, who wasn’t involved in all the other process audits. Makes sense!

Risk & Opportunity

I’ve indicated you should read my article series on Practical Implementation of Risk-Based Thinking, so I won’t reiterate it here, only to say that as part of your day-to-day work, you should be identifying risks and opportunities not only related to products or contracts or customers, etc., but also related to your top-level processes. If you use my COTO Log, then that covers you here, too.

Management Review of Process Effectiveness

Finally, you will assess the performance of each process, based on its objectives and measurements, in real time as needed. But you must then report this to management during your periodic management review; ISO 9001 clause 9.3.2 bullet (c)(3) says that the review must include “process performance,” and this satisfies that.

Prior to any management review activity, I recommend alerting the process owners to submit their most recent process objectives data, so that the table I presented above can be filled in with the “current standing.” For example, if your Purchasing objective’s goal is “95% on time delivery for all items received in the last 6 months,” then you indicate what is the actual data showing right now, which may be “98% OTD by suppliers in the last six months” or it might be something terrible like “25% OTD by suppliers in the last 6 months.”

Then, during management review, have the process owners present their data to top management, and if the goals are not met, then management may elect to either change the goal or request corrective action. Whatever happens, if a goal is not met, something must be done, and this should be captured in the records of management review.

Likewise, you will report on the internal audit results, by processes. In fact, the entire management review should be structured around an analysis of each process (its objectives/performance, internal audit results, resource needs, staffing levels, etc.) When done, your top management will know which processes are operating effectively, which are not, and thus be able to make informed decisions aimed at correcting or improving some processes, while leaving the high-performing processes alone to carry on.

Conclusion

Remember that a quality management system is just that: a system; and a “system” is a set of processes. The system cannot operate well if one or more of the major processes is stumbling. By adopting a truly robust process approach to the QMS, this enables management to manage by processes, which simultaneously captures the performance against ISO 9001 clauses and other requirements.

Last tip: our totally free ISO 9001 QMS Documentation template kit is still available, constantly updated, and includes sample documentation based on the process approach methods defined herein. Like I said, it’s totally free, so click here to download it (or click here for the AS91900 version.)

I also urge you to consider buying my, umm… “controversial” book on this whole thing, called Surviving ISO 9001: What Went So Wrong With The World’s Foremost Quality Management Standard, and How to Implement It Anyway. This is the only book on ISO 9001 that goes behind the scenes to detail the politics, backstabbing and skulduggery that caused the latest version of ISO 9001 to be so terrible, but then provides proven, real world guidance on how to implement each clause. You can grab it by visiting www.survivingiso9001.com. (Adult language is used, so fair warning; as I said, the new standard is pretty terrible, and it deserves a few f-bombs.)