Fundamental To Success
How adopting the process approach adds value to your QMS
by L.L. “Buddy” Cressionnie
ISO 9001:2000—Quality management systems (QMS) was transformational with its introduction of the process approach. Now, almost 20 years later, some organizations still have not embraced the process approach, and some auditors aren’t auditing according to the process approach.
Before ISO 9001:2000, ISO 9001 primarily was a requirements standard in which organizations generated numerous procedures to document the QMS. These procedures frequently were not used or fully integrated into how the organization operated. Organizations complained about expending significant resources to document their QMSs so auditors could review these documents and audit the system. Unfortunately, organizations often would not operate according to these procedures.
ISO 9001:2000 reduced the requirement for documented procedures and introduced the importance of an organization understanding activities that transform inputs into outputs using established resources.
The plan-do-check-act (PDCA) method was included in the ISO 9001:2000 process approach. PDCA is effective for understanding the process approach, and organizations are encouraged to leverage this model in process development, understanding and auditing. PDCA means:
- Plan: Establish the objectives and processes of the system, and the resources needed to deliver results according to customers’ requirements and the organization’s policies; identify and address risks and opportunities.
- Do: Implement what was planned.
- Check: Monitor and (where applicable) measure processes and the resulting products and services against policies, objectives, requirements and planned activities; report the results.
- Act: Take actions to improve performance, as necessary.1
The ISO 9001:2008 revision was a minor amendment to the standard, so the process approach stayed basically the same. However, all eyes were on the 2015 revision to see what would happen—would there be reduced or enhanced emphasis on the process approach, or would it maintain the status quo?
ISO 9001:2015 not only placed additional emphasis on the process approach, but it also embellished it with additional verbiage in Clause 4.4—Quality management system and its processes. It added a schematic representation of a single process (see Figure 1) and leadership promotion of the process approach. It also introduced risk-based thinking within the process approach.
What is the process approach?
The process approach is about achieving consistent and predictable results more effectively and efficiently when activities are understood and managed by the organization as integrated processes that function as a coherent system. The process approach is not only a fundamental tenet of the standard, but it is also one of the management system principles. Clause 4.4 provides a roadmap for the organization to determine its processes:
- What processes are needed to deliver the intended outcomes, provide products and services that comply with customer, regulatory and statutory requirements, and aim to enhance customer satisfaction?
- What organizational processes are needed to comply with ISO 9001 requirements? These processes should make sense to the organization based on their context to build the organization’s QMS, including documented information, and monitoring and measuring activities.
- What are the sequence and interaction of these processes? Understand the inputs and outputs of each process and how it links to other processes.
- What resources are required to have effective processes, including human, capital, facilities, maintenance and infrastructure resources?
- Who has responsibility and authority for these processes to ensure they are effective, resourced, risk-mitigated and achieving planned results?
- How are risks and opportunities identified and integrated? How are implemented actions taken?
- How are changes implemented and controlled so intended results and continual improvement are achieved?
- What will be the monitoring, measurement and performance indicators to determine whether these processes are effectively meeting their planned results? Are actions required so these processes achieve their planned results? How will these processes be evaluated for effectiveness?
Risk-based thinking applied with the process approach
Risk-based thinking ensures risk is considered when establishing, implementing and maintaining each process and activity. QMS risk-based thinking starts with understanding the organization and its context, interested parties’ relevant requirements, and the QMS scope and processes. Actions to address risks and opportunities are included in ISO 9001:2015, clause 6.1.
Risk-based thinking ensures risk is considered throughout the QMS, and it is peppered throughout every section of the standard. Risk-based thinking effectiveness is included in analysis and evaluation requirements, and management review. A risk feedback loop is included in the corrective action requirements to determine what additional risks and opportunities may have been missed during planning.
The goal of ISO 9001 is to be proactive by predicting risk and taking preventive actions to eliminate potential nonconformities or negative effects. Risk-based thinking establishes a proactive culture of improvement to assist with compliance and ensure consistency of product and service quality.
Process approach auditing
Like the standard, ISO 9001 auditing should use the process approach and thereby conduct process audits. Process audits start with an understanding of the processes defined by the organization in the interaction of processes. If processes are not defined, the auditor must document a nonconformity against clause 4.4.1b.
The auditor should plan and conduct the audit based on the process flow, handoffs and documented information, as defined by the organization. The auditor also should strive to understand the organization based on its process definition and language used. The auditor verifies the process measurements used are indicative of process performance, enabling the assessment of process effectiveness and compliance.
The International Aerospace Quality Group developed an auditing tool in 2009 called a process effectiveness assessment report (PEAR).2 The PEAR ensures that all aviation, space and defense organizations use the process approach, and auditors conduct third-party audits to those processes. The PEAR consists of four sections that are completed for every operational (clause 8) process defined by the organization:
- Section one: Process details. This section includes information to define the processes established by the organization to include process name, responsibility and authority (such as process owner), applicable QMS requirements, inputs, activities, outputs, and interactions and interfaces.
- Section two: Process results. This step includes key performance indicators (KPI) for the process to determine whether planned results are being achieved. What is the KPI target and value measured for the audited period? If the target was not met, were actions taken to start achieving planned results? If no actions were taken when KPIs weren’t achieved, a nonconformity is issued. A management principle of the standard is evidence-based decision making. Clause 4.4g requires the organization to evaluate these processes and implement any changes needed to ensure the processes achieve their intended results.
- Section three: Process realization. This is where the auditor documents the audit objective evidence from the process audit.
- Section four: Process effectiveness. This is a table that assigns an operational process score based on process realization versus process results. The process effectiveness matrix is a 3 x 3 table with a one through five rating (see Table 1).
Process realization is scored across the rows based on whether planned activities were:
- Fully realized. Planned activities are fully realized when no nonconformities are identified for that operational process.
- Not fully realized. Planned activities are not fully realized when minor issues have been identified.
- Not realized. Planned activities are not realized when there are major issues identified for the operational process.
Process results are scored down the columns based on whether planned results were achieved, not achieved but appropriate actions were taken, or not achieved and appropriate action was not taken.
If an operational process received no nonconformities during the audit and achieved all planned results, the process would be rated a five. If operational processes had major issues such that planned activities were not realized, planned results were not achieved, and appropriate action was not taken, the process would be rated a one.
Fundamental to success
The process approach is fundamental to organizational success. The benefit of well understood and implemented processes is the ability to consistently deliver conforming products and services to the customer on time, achieving customer satisfaction. When this is achieved, the organization’s interested parties will gain confidence in the organization’s effective use of resources and sustainability.
- International Organization for Standardization (ISO), ISO 9001:2015—Quality management systems—Requirements.
- Society of Automotive Engineers, AS9101F—Quality management systems—Audit requirements for aviation, space and defense organizations, Form 3: Process effectiveness assessment report.
ISO, ISO 9000:2015—Quality management systems—Fundamentals and vocabulary.
ISO, “ISO 9001 Auditing Practices Group,” https://committee.iso.org/tc176sc2.
ISO, “Who Are We?” https://committee.iso.org/tc176sc2.
L.L. “Buddy” Cressionnie is the president of ASD Expertise LLC, with industry leadership positions of Americas Aerospace Quality System Committee (AAQSC) chair and AAQSC leader of requirements, projects and AS9100. He is active in standards development as a liaison member to the International Organization for Standardization (ISO) Technical Committee (TC) 176, including writing ISO 9001:2015 and ISO 9004:2018, and participating in the ISO 9001 Interpretations Committee.