1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Processes, procedures and requirements

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Andrew Murray, Nov 22, 2022.

  1. Andrew Murray

    Andrew Murray Member

    Joined:
    Nov 22, 2022
    Messages:
    10
    Likes Received:
    6
    Trophy Points:
    2
    Hello,

    I run a small software development company and working to implement an ISO 9001:2015 QMS system, we're small (just 8 or so people), but as we grow and develop ways of doing things, I thought it would be a great time to integrate a QMS. I have made some progress, but have some confusion around processes.

    I understand that (as per 4.4.1) I must identify the processes of our business (e.g. sales, software development, etc) - things we already do. And once identified the standard places requirements for each process, e.g. to define inputs, determine a way of monitoring and improving them, documented information etc. As I understand, a process is what we we do (e.g. turn requirements into quotes, quotes into software) and not how we do that. The steps of how a process is done, if documented is in the form of a procedure or work instructions. Is it reasonable to assume that most people include the procedures as part of the documented process, or at least reference the procedures from the documented process? I.e. to develop software we take these inputs, follow these procedures and use those resources to result in the expected output?

    I've seen many guides on ISO9001:2015 suggesting that you should map the requirements of the ISO standard into your defined processes. E.g. I may create an Outsourcing process and map the requirements of 8.4 (Control of externally provided processes, products and services) to it. In following this approach, I wonder how best to demonstrate I've implemented the requirements. For example, requirement 8.5.3 talks about how look after property of customers, we already have instructions for how to handle this on our wiki - therefore, to satisfy this requirement and tie it in with a process - should I simply treat this wiki page as a procedure and reference it from a 'software development process'? As part of our work customer's may send us hardware that we write software for - I feel that a 'goods inward' process may not be necessary, however receiving goods is part of the software development process and in my view could be referenced form the a Software development process. Is that reasonable?

    This is my interpretation of the standard, however when I look at examples or other company's QMS - I find their process documentation is often very detailed - as if they are combining the procedures in with the process. However as I understand this is not required. Perhaps its too easy to use these terms interchangeably.

    Am I heading in the right direction here?

    Thanks,

    Andrew Murray
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Welcome, Andrew!
    A great description and good points for us to discuss your approach.

    Firstly, I'd like to point out that there's two schools of advice which are commonly found in book and on the web. The first one is what ISO 9001 requires and how to do it and the second is what people "think" ISO 9001 requires and how to pass a Certification audit. Both are covered in my recently published book on ISO 9001 (shameless plug)

    Let's deal with some of your points:

    This is somewhat "old school", from the days when ISO referenced types/categories of documents. The 2015 doesn't specify such things, so you are free to develop whatever is effective in getting the work done. When I was in sales, we used quote checklists to step through the process from inquiry to quote delivery. The checklist was also a form for the data we gathered about the clients' needs.

    Yes, that's the classic definition. However, per the above, ISO 9001 doesn't make reference to such types of documents and you aren't constrained to use them. BTW, certification auditors cannot expect your organization to have such documents either. Use whatever you wish to use to accomplish effective control of the process(es).

    Demonstration comes from 2 sources - actually seeing someone perform the process (competency) and also records which result from the process (from which you also derive performance to goals/objectives.)

    If that's your preference, yes.

    Yes, indeed.

    I believe so.

    I'm guessing you are somewhere in the UK, Andrew. The UK did have a "guide" to software development using ISO 9001, called the "TickIT" scheme. It was a practical implementation of what was - in the "good old days" of certification - a no-nonsense interpretation of a standard which was very hardware oriented. It's been a while and both the standards and software engineering etc has moved on. I'm unsure of the status of TickIT, but there may be information available. (ISO standards such as 27,001, 20,000 have somewhat taken over that space). Of course, there's also the CMMI maturity model which you could also use to guide you. https://en.wikipedia.org/wiki/Capability_Maturity_Model
     
    John C. Abnet likes this.
  3. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good day @Andrew Murray and welcome to the site;
    So, no customer or other outside source is REQUIRING your organization to obtain certification? You're simply wanting to develop a management system while your organization is still "small" and manageable to ensure your intent/"corporate" intent is manifested in the day-to- day operation and sustained as result of accountability to internal and 3rd party audits ?? WOW!...what a novel idea.

    In regard to ISO 9001, ...don't overthink it. There are plenty of snake oil salesmen out there who will try to sell you on the idea of 'needing" so much, when in reality, 9001 does not prescribe how your organization is managed. 9001 only establishes a frame work and is intended to focus on successful "outputs".

    In regard to identifying your processes per 4.4,...yes. This should be extremely intuitive and it sounds as if you already have a handle on this. Consider a pizza company....
    - Purchase ingredients
    - Assemble
    - Bake
    - Cut
    - Package
    - Deliver

    Here we've just identified the processes, their sequence, and (arguably) their interaction. You MAY map this, or not. Up to you.

    Inputs and outputs are also implied (i.e. ingredients are an INPUt to assemble...bake is an OUTPUT of assemble. If your organization NEEDS additional detail, then some or each of these may have a controlled documented process (i.e."procedure', or "work instruction", or "recipe"...). Again, it's up to you.

    In regard to mapping the requirements of 8.4. Is this needed? Is there a gap currently where some type of decision map/flow diagram is necessary? If not...don't do it. ONLY do what is needed for your organization (in a manner that meets the requirements of ISO 9001). You CAN treat the wiki page as a procedure, but is it not by definition open source? If that is the case, how would you manage "revisions", etc... And remember, there are ZERO requirements in ISO 9001:2015 for any procedures/instructions.

    Organize what your company already does in a manner that makes the knowledge transferable to future associates....keep the required records as evidence of what is taking place...set goals that you NEED and then monitor performance towards your goals....audit to ensure what you think is happening is indeed....ensure that the leadership is aware and involved in the oversight and control of the company.

    Hope this helps.

    Be well.

    In regard to 8.5.3 (customer/provider property). Does this pertain to your organization? An example of this is often tooling and/or measuring fixtures in a manufacturing operation. Please help me understand what customer/provider property your type of organization maintains. Thank you.
     
    Andy Nichols likes this.
  4. Andrew Murray

    Andrew Murray Member

    Joined:
    Nov 22, 2022
    Messages:
    10
    Likes Received:
    6
    Trophy Points:
    2
    Hi, thanks for the really helpful reply, see responses inline...

    I'll take a look!

    Ah - I hadn't noticed that, thanks - this helps.


    OK

    This helps a lot, I think I've been too focused on documentation - I think I need to focus on ensuring we do the things that are required of us, document things are are required to be documented (or useful to us) and ensure we can demonstrate it in some way. I guess the standard doesn't have many requirements with regards to documenting how we do our processes - and that flexibility threw me, but I think it's starting to click now.

    Yes we're in the UK! I wasn't aware of any of that, it looks like it's now TickIT Plus.

    Thanks for the help
     
    Andy Nichols likes this.
  5. Andrew Murray

    Andrew Murray Member

    Joined:
    Nov 22, 2022
    Messages:
    10
    Likes Received:
    6
    Trophy Points:
    2
    Hi John,

    Thanks for the quick response.

    Yes that's correct - I seem to be choosing to take on this challenge! I'm really using this as an opportunity to better structure how we do things and improve - and that's really quite aligned to ISO9001.

    Indeed, there is a lot of information online and it's hard to cut through it all. I'm trying to do this myself without consultants or templates - I think that may lead to a better long term outcome - but we'll see how well that goes :).

    Thanks - and I assume the support functions such as finance etc tends to be left out of this?

    I've seen that some people like to map requirements or sections of the standard to their processes - I guess so they can say, yes we've implemented these requirements in this process. However as I'm learning this isn't necessary.

    For us, the wiki page is useful, it ensures everyone knows how to handle customer hardware. It's something we need. However it feels like there are implications or extra requirements in me referencing it from a process, i.e. you say "you CAN treat the wiki page as a procedure" - i.e. if I treat it as a procedure (which I'm not really sure what it means), then I guess I need to manage revisions etc (requirements of 7.5 Documented information?) - at what point does a procedure or wiki page become Documented information - do I decide that?

    Indeed, the wiki page is currently open to edit by all, however there are ways I can limit/restrict that. (I find information more accessible in a wiki page than other forms).

    It helps a lot thanks!

    It does, we write software for embedded devices (e.g. CCTV devices, set-top boxes, medical equipment, etc) - in order for us to write software we need customer hardware to develop and test it against. So customers ship us hardware, we work with it, and ship it back. And for us to look after it properly there are various considerations including safety to consider.

    Thanks!
     
    Andy Nichols likes this.
  6. pkfraser

    pkfraser Active Member

    Joined:
    Aug 1, 2015
    Messages:
    93
    Likes Received:
    61
    Trophy Points:
    17
    Location:
    Aberdeen Scotland
    Andrew
    How about looking at it slightly differently? As you grow, how can you be sure that a new start will know what to do from Day1, and how can you ensure consistency of operation? If you define that clearly and accessibly, then the chances are that you will (more than) comply with 9001. I would suggest that you can define a process in enought detail that you don't need much in the way of "procedures" or work instructions. I have attached an example of the sort of format that we use, and http://www.deethebusiness.co.uk/PP_Files/MgtSystemDesignModel/HowtoComplyWithISO9001_2015.pdf may give you some more ideas.
     

    Attached File(s): 1. Scan for viruses before using. 2. Report any 'bad' files by reporting this post. 3. Use at your own Risk.:

  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    You are very welcome! As an expat, I'm always delighted to help a fellow Brit. Where in the UK?

    In collaboration with your people, no doubt? Their participation is critical. Some may not see - or be convinced of - the need.

    Since ISO 9001 is in regards to product and the ability to meet customer needs and expectations, yes.

    Somewhat. Any "maintained documented information" used in the performance of a process requires control. That control doesn't have to be complex, however.
    Indeed and, knowing customers, it may not even be what they said they'd ship - most important to get a clear and concise definition of what it is, how to handle it, including reporting on condition when received etc, during the agreement phase(s).

    Come back when there's more questions...
     
    Last edited: Nov 22, 2022
    John C. Abnet likes this.
  8. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    What @Andy Nichols said ;)
     
    Andy Nichols likes this.
  9. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Just to add on this.

    Even the statements within the ISO 9001:2015 standard dissuade organizations to use the requirements of the standard as a model to document their QMS. Refer to the statements below:
    • It is not the intent of this International Standard to imply the need for: alignment of documentation to the clause structure of this International Standard (0.1 Introduction - General);
    • The structure of clauses is intended to provide a coherent presentation of requirements, rather than a model for documenting an organization’s policies, objectives and processes (Annex A.1 Structure and terminology).
    Documented information is defined by ISO 9000:2015 as "information required to be controlled and maintained by an organization and the medium on which it is contained". Under this definition there are supplementary Notes stating "Documented information can be in any format and media and from any source" and "Documented information can refer to information created in order for the organization to operate".

    Procedure is defined as "specified way to carry out an activity or a process". If the wiki page functions like the definition provided by ISO 9000, then you can treat it as a procedure and should be managed as a documented information. But, as @Andy Nichols said, control doesn't need to be complicated.
     
    Last edited: Nov 23, 2022
    John C. Abnet and Andy Nichols like this.
  10. Andrew Murray

    Andrew Murray Member

    Joined:
    Nov 22, 2022
    Messages:
    10
    Likes Received:
    6
    Trophy Points:
    2
    Thanks everyone for your replies.

    I'm based in South Wales, though we're a fully remote company with employees dotted around the UK.

    Being so small, I'm the sole owner/manager with everyone else being engineers - but this will be in collaboration with everyone.

    I'm sure I'll have more questions, but I'll start new threads.
     
    Andy Nichols and John C. Abnet like this.
  11. PatriciaC.Ravanello

    PatriciaC.Ravanello New Member

    Joined:
    Jan 17, 2023
    Messages:
    1
    Likes Received:
    1
    Trophy Points:
    2
    To whom it may interest:

    It's not easy to visualize (map out) the mandate that is verbalized in the entirety of the ISO and other standards. Thousands have tried...some, more successfully than others...all seem to be "adequate" to pass auditor scrutiny, with few exceptions. This is troubling on many levels (...but, I digress).

    It would have been much easier if the Standards organization had at least provided a visual template to represent the components and mechanics of the mandatory upper level procedural expectations, their sequence and interface, since, after all, it is a mechanism for "standardization", so everyone's models should be fairly comparable at the "procedural" level...Isn't that what standardization attempts to do???

    Indisputably, there are countless iterations of interpretations of the ISO mandate to define the "sequence and interaction" of key processes. The attached is another such model, with a few additional bells and whistles.

    It basically embodies the "key" processes (those visible from the 30,000 ft level), their sequence and interaction. The subordinate processes are not visible at this altitude (some have been added for discussion purposes only. Example: Product Realization).

    Don't be intimidated by the amount of information provided in the attached. Just take your time, and try to digest it, and you will find that it probably fairly accurately describes the mechanics of your organization, regardless of what your "product" is. If your "system" doesn't work like this, it should. It doesn't matter how many "standards" and/or "customer-specific requirements" and/or "legal and regulatory" system inputs are thrown into the mix of creating your system, all company "machines" should work the same.

    (Please note that the processes identified in the "arrow" shapes, represent input and/or output from one process to another process and establish sequence and interface, something that few models actually do. Also, the phases of Product Realization included herein are for a complex product...yours may not be as complex, but that won't affect your model at this level). Keep in mind that "Product Realization" is a key process, and the phases defined herein are the subordinate, sequential steps of the process.

    D - Universal Management System  Model - Rev 8 - May 6, 2009.jpg

    If you'd like a personal walk-through it, I'd be pleased to narrate an animated version of this model to assist in your understanding.

    Best regards,
    Patricia Ravanello
     

    Attached File(s): 1. Scan for viruses before using. 2. Report any 'bad' files by reporting this post. 3. Use at your own Risk.:

    BradM likes this.
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hi Patricia:

    Does this need updating in the light of the 2015 version of ISO 9001?
     
    WattsJA and John C. Abnet like this.
  13. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Depends on where you want to apply "standardization". Since the ISO 9001 standard is applicable to any organization (regardless of type, size, product, resources, context), prescribing a template for documenting the QMS may not be beneficial to all organizations. It may also suppress creativity. I remember the time when a CB auditor raised a nonconformity against our quality manual because it wasn't structured against the ISO 9001 clauses. Fortunately, the 2015 version clarified that this is not the intent of the standard (see post #9). Further, the Introduction section of the standard mentioned: "It is not the intent of this International Standard to imply the need for: uniformity in the structure of different quality management systems."

    The use of terms like: Control of Documents, Control of Records, Management Review, Product Realization seem "ISOist". Organizations should view the standards as references that are useful for their QMS and their intended outcomes and not as templates that they should trouble themselves to demonstrate congruity.
     
    Last edited: Jan 18, 2023
    WattsJA, Andy Nichols and pkfraser like this.
  14. PatriciaCRavanello

    PatriciaCRavanello Member

    Joined:
    Nov 5, 2015
    Messages:
    16
    Likes Received:
    11
    Trophy Points:
    2
    I disagree with your comment that it "Depends on where you want to apply standardization". There is no room for discussion here. The standard defines its scope quite clearly. The standardization applies ONLY to the methodology of Business Management and its associated components, regardless of the product or service provided. It's unfortunate that your auditor was too myopic to recognize that his job was to confirm that all the "required ingredients" were present and deployed as intended, not how they were organized. I believe that is why the standard changed to the "process approach" of auditing, to prevent auditors from inadvertently forcing "uniformity" in format. Uniformity made their jobs easier...and some auditors still don't use the "process approach"...instead they audit by the "standard approach".

    Of course, it doesn't matter the size, product, resources, etc of each company...The idea of standardization creates a common language that should be transportable from one ISO-compliant organization to another.
    Consider "Guidelines for Baking" as an analogy for the standard ..every organization can bake a cake...any size or shape or flavor and utilizing whatever resources and secret processes they might choose. The standard doesn't stifle creativity, its just a "standard" (to ensure you have controls in place to bake the cake your customers have come to expect and/or have specified, i.e. controls for purchasing ingredients, training staff, keeping records, dealing with failures, etc.)...and wouldn't it be nice if, in addition, everyone used standardized nomenclature so that your basic knowledge and skills would be transportable from one kitchen to another kitchen....and possibly even preclude the likelihood of error or costly orientation period, due to "unfamiliar nomenclature".

    Be creative in your cake decorating, ingredient combinations and assembly and baking processes...The standard attempts to establish a discipline/template for business management...and yes, all ISO-compliant companies should operate the same way, regardless of what they produce or provide.

    The utilization of a Universal template (such as the one attached above) is not in any way forcing "uniformity" on companies. They already are "uniform" by virtue of the fact that they have chosen to adopt the ISO Standard as a model for their operations. That is where the uniformity ends. If thousands of companies are trying to achieve the same objective, and a common template fits, why not use it, especially if it works...again, why reinvent the wheel? The wheel is not your product, its a methodology for business management driven by standardization.


    As for your apparent disdain for "standardized" process naming, my question would be not "why should they trouble themselves to demonstrate congruity", but, "Why should they trouble themselves to come up with another name for "Management Review", etc. ??? They should save their creativity for more profitable endeavors.

    I appreciate your feedback to my post.

    Best regards,
    Patricia
     
    tony s likes this.
  15. PatriciaCRavanello

    PatriciaCRavanello Member

    Joined:
    Nov 5, 2015
    Messages:
    16
    Likes Received:
    11
    Trophy Points:
    2
    Hi Andy,
    From my perspective, there is nothing in the 2015 version that impacts the structure and dynamics of the Management System as interpreted in the model attached above. The changes would be visible within some of the individual "procedures", but that has no impact on the "sequence and interface" of the key processes, as illustrated in my model.

    Of course, there may be those who don't agree that perspective, but I'm open to discussion...

    Thanks for your inquiry.

    Patricia
     
  16. PatriciaCRavanello

    PatriciaCRavanello Member

    Joined:
    Nov 5, 2015
    Messages:
    16
    Likes Received:
    11
    Trophy Points:
    2
    "9001 does not prescribe how your organization is managed"????? OMG!!!! Nothing could be further from the truth! ISO is a quality MANAGEMENT system (with the emphasis on "management". It is a system for the standardization of management processes to ensure desired "outputs".

    Patricia
     
  17. PatriciaCRavanello

    PatriciaCRavanello Member

    Joined:
    Nov 5, 2015
    Messages:
    16
    Likes Received:
    11
    Trophy Points:
    2
    Hi Andy,
    Yes, the standard leaves out functions like accounting, finance, marketing, sales, information technology, to name a few.

    I think that possibly functions like accounting and finance are already somewhat controlled and monitored by professional standards and audits, and so it might be redundant to include them in the ISO standard, however, that doesn't prevent a company from including them in the documented "Management System".

    Most companies have not included those functions because they do not want to subject them to audit by "ISO auditors". In reality, the scope of an ISO Audit should only include the components that demonstrate compliance to the standard, so Auditors shouldn't be going down that rabbit hole. Even if you choose not to include it in your "Management System", it would be prudent for Senior Management to have a defined methodology to ensure that functions like marketing, sales, IT, etc., are monitored and that they too, are effective and efficient. After all, why exclude them? (Marketing and Sales could be integrated as steps one and two in your "Product Realization" process).

    Including them would constitute compliance to the standard both in letter and in spirit.

    Hope your efforts are fruitful!

    Patricia
     
  18. Miner

    Miner Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    576
    Likes Received:
    492
    Trophy Points:
    62
    Location:
    Greater Milwaukee USA
    I think you have misunderstood John's comment. ISO 9001 establishes the WHAT that a QMS must contain, but does NOT specify HOW your QMS achieves the WHAT. That was John's point.

    To further clarify, ISO requires that you have a process for dealing with nonconforming product (WHAT), but does NOT require that you use an MRB to do this (HOW).
     
  19. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    What @Miner said....

    Be well.
     
  20. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm not sure that's entirely true. The premise of the reduction of documentation is that it was seen as a burden to small businesses. The depiction of documentation as a pyramid was incorrect/inaccurate and is now outmoded. There's also the removal of "preventive action" as a distinct process/procedure, since it's embedded in planning actions, which the standard makes a much bigger deal. I see a way to "fit" ISO 9001:2008 (and similar) requirements into a picture, but not a clear description of how a Management System Operates.
     
    pkfraser and WattsJA like this.