Quality Management Systems Explained and How They Work
Quality Management in Brief
- Consistent delivery of products and services that meet customer needs
- Process approach with risk-based thinking
- Continual improvement through Plan-Do-Check-Act
What is a Quality Management System?
A quality management system, usually shortened to QMS, is how an organisation makes sure that the products and services it delivers consistently meet what customers and regulators require. It is not a specific piece of software or a single document - it is the whole pattern of how the organisation is run, from the way orders are taken to the way complaints are handled, viewed through the lens of quality.
A well-run organisation usually already has most of a QMS in place before anyone calls it that. There are ways of doing things, responsibilities, checks, records and review. ISO 9001 is the international standard that takes that common structure, formalises it and adds the elements that experience has shown are needed to keep quality consistent over time - particularly internal audit, management review, and the discipline of identifying and addressing risks and opportunities.
Organisations pursue a formal QMS for two reasons. The external reason is commercial: customers, tenders and regulators increasingly expect ISO 9001 certification as a baseline for any supplier of significance. The internal reason is operational: a QMS gives management a reliable way to spot when the business is drifting off course and to act before small issues become large ones.
The Seven Quality Management Principles
ISO 9001 is built on seven underlying principles, set out in the related standard ISO 9000. These are not a checklist to tick off but the values the standard expects to see reflected in how the organisation operates.
Customer focus. The primary purpose of the QMS is to meet customer requirements and to aim to exceed them. Every process in the system should ultimately be traceable to delivering something a customer needs. Losing sight of this is the most common way a QMS drifts into being a paperwork exercise rather than a business tool.
Leadership. Top management establish unity of purpose and direction, and create the conditions in which staff can contribute to the organisation's quality objectives. A QMS run from the middle of the organisation without visible leadership commitment rarely delivers consistent quality, because when competing priorities arise the QMS gets dropped.
Engagement of people. Competent and engaged people at all levels are essential to a QMS that works. People who understand what the organisation is trying to achieve and their contribution to it will raise issues, suggest improvements and flag when something is going wrong. A QMS that relies only on procedures and forms, without engaged people behind them, is fragile.
Process approach. Consistent results come from understanding and managing activities as interconnected processes. Rather than managing the organisation as a collection of departments, the QMS looks at the flow of work end to end - order fulfilment, customer service, product development - and defines inputs, outputs, owners and measures for each. This is covered in more detail in a separate article on the process approach.
Improvement. Successful organisations have an ongoing focus on improvement. The QMS includes mechanisms for identifying opportunities, tracking them to closure and verifying they have delivered the expected benefit. Continual improvement is not the same as constant upheaval - most improvements are small, incremental and steady.
Evidence-based decision making. Decisions based on the analysis of data and information are more likely to produce the intended results. The QMS generates data - audit findings, customer feedback, process measures, non-conformity trends - and builds this into the rhythm of management review and operational decisions.
Relationship management. An organisation manages its relationships with relevant interested parties - suppliers, customers, regulators, employees - to sustain good performance. In practice this means understanding the expectations of those parties and the risks and opportunities those relationships create, captured in the interested parties register and the risks register.
What ISO 9001 Requires of a QMS
At a headline level, ISO 9001 sets out seven main areas of requirement. Each is covered in more detail in its own article elsewhere in this knowledge base.
Clause 4 - Context of the organisation. The organisation understands its internal and external issues, identifies interested parties, determines the scope of the QMS and describes how the system and its processes fit together.
Clause 5 - Leadership. Top management demonstrate commitment, establish and communicate a quality policy, and assign responsibilities and authorities throughout the organisation.
Clause 6 - Planning. The organisation identifies risks and opportunities, sets measurable quality objectives and plans changes to the QMS in a controlled way.
Clause 7 - Support. Resources, competence, awareness, internal and external communication, and documented information are all managed so that the QMS can function.
Clause 8 - Operation. The day-to-day delivery of products and services is planned and controlled - requirements are captured, design and development is controlled, externally provided processes are controlled, production and service provision are controlled, and non-conforming outputs are managed.
Clause 9 - Performance evaluation. The organisation monitors, measures, analyses and evaluates - including customer satisfaction, internal audit, and management review.
Clause 10 - Improvement. Non-conformities are identified, corrected and followed by corrective action. Continual improvement is pursued as an ongoing activity.
All of these sit on top of the process approach, risk-based thinking and the Plan-Do-Check-Act cycle, which run through every part of the standard.
The QMS as Part of the Business
The most common misconception about a QMS is that it is a separate thing from how the business operates - a parallel layer of ISO paperwork sitting alongside the real work. This almost always produces a QMS that is both expensive to maintain and useless to management.
A QMS that works is the way the business runs, with a few additional disciplines layered in - formal internal audit, structured management review, systematic handling of non-conformities and a documented risks register. The procedures describe what staff actually do. The records are the records the business already generates, slightly reshaped. The manual describes the real organisation, not an idealised version.
The practical implication is that a QMS should reduce friction, not add to it. If staff are completing forms that nobody reads, writing records that nobody uses, or following procedures that do not reflect how work actually happens, the QMS has been bolted on rather than built in. The repair is usually to prune - strip out the bits that do not earn their keep and tighten the bits that do.
QMS in an Integrated Management System
Many organisations that hold ISO 9001 eventually add other standards - ISO 14001 for environmental management, ISO 45001 for health and safety, ISO 27001 for information security. At that point the question becomes whether to run each standard as a separate management system or integrate them into one.
The integrated approach is almost always the better choice. A single management system manual, one set of policies, one document register, one risks register, one management review and one internal audit programme covers the requirements of every standard the organisation holds. The QMS stops being a thing on its own and becomes the quality dimension of a single integrated management system.
The IMS1 manual is structured this way - built around how the business actually operates, with ISO 9001 correlation documents handling the mapping between the standard's clauses and the operational sections of the manual. An organisation using IMS1 for its QMS can extend to other standards without restructuring the system. A clause-based QMS manual cannot, which is why many organisations end up rebuilding their QMS when they add a second standard.
Common QMS Mistakes
A handful of mistakes come up often enough to be worth flagging.
Writing the QMS around the clauses of ISO 9001 rather than around how the business operates. This produces a manual that reads like a response to an exam paper, trains badly, and has to be rewritten every time the standard is revised. An operationally-organised manual with correlation documents is more durable.
Treating the quality policy as a framed statement rather than a working document. The policy should set direction that the objectives, internal audit and management review can all be traced back to. A policy that says nothing specific is not useful.
Running the internal audit programme as a tick-box exercise. Internal audits that are designed to generate clean reports rather than find genuine issues provide no early warning when things start to go wrong. Good internal audit is uncomfortable for the auditee in a useful way.
Separating the QMS from operational management. When the Quality Manager has no standing in operational decisions, the QMS becomes an overhead rather than a management tool. The QMS role is most effective when integrated with operational leadership, not isolated from it.
Letting the QMS drift after certification. Certification auditors sample every few months; most of the time, the QMS is running unobserved. Without a rhythm of internal audit, management review and continual improvement, even a well-designed system drifts, and the drift is only discovered at recertification when it is expensive to fix.
When I start with a new QMS client, the first thing I ask is how they run the business. Not what they think ISO 9001 wants to hear - just how orders come in, how work gets done, how problems get handled. That conversation usually tells me ninety percent of what the QMS should cover. The gap between that and what ISO 9001 formally requires is smaller than most people expect.
Our QMS has been running for about fifteen years now. In the early days it felt like a separate thing we had to maintain alongside the real business, and honestly it was - because that is how we had set it up. It took us three or four years to properly merge it into how we operated.
The turning point was when we stopped having a Quality Manual that described a theoretical company and started having one that described us. Procedures shortened. Forms got used. The internal audit findings became useful because they were about real work rather than paper compliance. And the whole thing became cheaper to maintain because we were maintaining one system, not two.
Adding ISO 14001 and ISO 45001 later was an extension rather than a rebuild, because the QMS was already operationally organised.
When I audit a QMS I look first for whether the system matches the organisation. If the manual describes one reality and the staff describe another, the QMS has not been embedded. When that happens, every non-conformity I raise is a symptom of the same problem.
The second thing I look for is whether improvement is happening. A QMS that never changes over three years is not really a QMS - it is a filing cabinet. I expect to see evidence in the issues and actions register, in the objectives tracking and in the management review minutes that the organisation is using the system to get better over time.
Practical Compliance Guidance
A working QMS needs a core set of documents in place: a manual describing how the system fits together, a quality policy and objectives, core procedures (document control, internal audit, management review, non-conformity handling) and the registers that support day-to-day operation. The alphaZ toolkits provide these as an editable starting point.
The documents in the table below are the ones most closely tied to the QMS specifically. A full QMS also draws on the common elements shared with any ISO management system, covered elsewhere in this knowledge base.
| alphaZ document | How to use it |
|---|---|
| ISO 9001 Management System Toolkit | Starting point for a QMS. Includes the IMS1 manual, quality policy, core procedures and registers, plus the ISO 9001 correlation document for certification. |
| ISO 9001, 14001, 45001 IMS Toolkit | For organisations whose QMS will sit within a wider integrated system. Covers the common management system core once, rather than separately for each standard. |
| F-Q11 Company Objectives | Sets and tracks the quality objectives that give the QMS direction through the year. Reviewed at management review and used to close the Plan-Do-Check-Act loop. |
| F-Q3 Management Review | The central review point for the QMS. Inputs from across the organisation feed into decisions on objectives, resources and improvement actions. |
| F-IMS23 Opportunities and Risks Register | Captures the quality-related risks and opportunities the QMS addresses - a requirement of Clause 6.1. Reviewed at each management review cycle. |
| F-IMS22 Interested Parties Register | Records customers, regulators, suppliers and other parties relevant to the QMS and their requirements - Clause 4.2 evidence. |
| ER1 Issues and Actions Register | Running log of QMS issues, non-conformities and improvement actions with owners and dates. Anchors the improvement loop the QMS needs to demonstrate. |
| F-Q16 Improvement Request | Staff-facing form for raising improvement ideas. Feeds the QMS with bottom-up observations that might not otherwise reach management. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation
No UK legislation specifically requires organisations to operate a formal QMS or to hold ISO 9001 certification. However, general consumer protection and product safety legislation assumes organisations have reasonable systems in place to control the quality and safety of what they sell. A well-designed QMS supports compliance with these obligations, though certification is neither required nor a substitute for them.
