Control of Records - Is a List of Records Required by ISO 9001?

[Pat McGhie]

We just had a surveillance audit and had a discussion (and non-conformance written) written regarding Control of Records against our actual procedure.

The clause cited from the standard:
"A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records."

The write up was as follows:
"Description of Nonconformity:
Control of records procedure is not effectively implemented

Supporting Audit Evidence:
Some records are not clearly identified on the records procedure, QPR 4.2.4, Rev 2
--Maintenance
--Validation"

This was written against our Scope Paragraph, claiming that we did not have these 2 sets of records listed. (which is true). It was NOT witten against the procedure itself. Here is our Scope.... I dd not write this as it was in place well before me.

"4.2.4.2 Scope
This procedure applies to all quality system records required by ISO 9001:2008 and ISO 13485:2003 Standards, and any other data that may be useful for the traceability of product and or history. Technh, Inc. regards the following as Quality Records:
• Audit Reports
• Sub-contractor records
• Corrective and preventive action records
• Management Review Minutes
• Calibration reports
• Incoming materials and product inspection records
• Inspection and Test Records
• Product nonconformance records
• Customer Purchase Orders
• Design approvals, specifications, and drawings
• Contract documentation
• Customer complaints
• Shipping and delivery documents and invoices"

My contention was that Validation (which is required) falls under Inspection & Test and Contract Documentaion (as we only do them when contracted). Regarding maintenance, I argued that it was not listed as it was not a quality record and thats what the list was. I also indicated that many records are saved that are not required and to list all of them would be cumbersome and non-productive. As you can see, I lost that argument/discussion!

Now we are preparing the response to the audit report. I am reading the standard and asking myself now, if a list is required??? It says "procedure shall be established to define the controls needed for the identification, storage, protection, retrieval etc...."

We have a procedure and it DOES define those and the Procedure specified the ID of records in the body as to how each record is Identified and Filed! I am not seeing where it actually says we must have a "List". If anything, maybe our partial list made it worse...

1. Is a list required by the standard?
2. If not we could change the wording to "The following are examples of some of the Quality Records we control"... Keeping in mind we also stated the procedure applies to all REQUIRED by Standard...
3. If a list is NOT required, how is everyone else identifying (if they are) what they consider a Record in their company (beyond what the standard mandates.

Sorry for being so long winded... I would like to be able to tell the auditor that:
A List is Not required
B Back that up with some "source" if possible...

Pat McGhie

[AndyN]

Pat, I believe that part of your problem is that your identification of records is a fairly 'global' description, instead of calling out exactly what constitutes a record. As a result - and you have 'listed' them in your procedure, whether the standard requires it or not - you haven't identified EXACTLY what are records. If you are using forms, then they should be called out.

It's true to say the auditor didn't do much digging, but it would be pretty easy, IMHO, to have shown why your procedure isn't sufficient the way it's currently written.

[Randy]

Here's where you started to go south....Making a list of applicable records....That's a self inflicted wound

A different method could have been --- "Examples of records will be those required by the standard or those needed to demostrate conformity to our requirments such as......."

I've seen the above more than once....Here's the catch, it isn't foolproof nor is any other method. Why? Because some fool will always come along.

[Jason PCSwitches]

Regardless, it's a petty write-up. You don't need a list & the justification given is bogus based on what you have provided as an example of your procedure.

[AndyN]

Quote:

In Reply to Parent Post by Jason PCSwitches

Regardless, it's a petty write-up. You don't need a list & the justification given is bogus based on what you have provided as an example of your procedure.

I'm thinking it's more of an incomplete finding...

It should have been easy for the auditor to visit the maintenance department ask about what records they keep, where, how long etc to see if they had a consistent story...rather than simply issuing an arbitrary findings for a coupe of categories of records, which is now controversial...

[somashekar]

Quote:

In Reply to Parent Post by Pat McGhie

We just had a surveillance audit and had a discussion (and non-conformance written) written regarding Control of Records against our actual procedure.

The clause cited from the standard:
"A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records."

The write up was as follows:
"Description of Nonconformity:
Control of records procedure is not effectively implemented

Supporting Audit Evidence:
Some records are not clearly identified on the records procedure, QPR 4.2.4, Rev 2
--Maintenance
--Validation"

This was written against our Scope Paragraph, claiming that we did not have these 2 sets of records listed. (which is true). It was NOT witten against the procedure itself. Here is our Scope.... I dd not write this as it was in place well before me.

"4.2.4.2 Scope
This procedure applies to all quality system records required by ISO 9001:2008 and ISO 13485:2003 Standards, and any other data that may be useful for the traceability of product and or history. Technh, Inc. regards the following as Quality Records:
• Audit Reports
• Sub-contractor records
• Corrective and preventive action records
• Management Review Minutes
• Calibration reports
• Incoming materials and product inspection records
• Inspection and Test Records
• Product nonconformance records
• Customer Purchase Orders
• Design approvals, specifications, and drawings
• Contract documentation
• Customer complaints
• Shipping and delivery documents and invoices"

My contention was that Validation (which is required) falls under Inspection & Test and Contract Documentaion (as we only do them when contracted). Regarding maintenance, I argued that it was not listed as it was not a quality record and thats what the list was. I also indicated that many records are saved that are not required and to list all of them would be cumbersome and non-productive. As you can see, I lost that argument/discussion!

Now we are preparing the response to the audit report. I am reading the standard and asking myself now, if a list is required??? It says "procedure shall be established to define the controls needed for the identification, storage, protection, retrieval etc...."

We have a procedure and it DOES define those and the Procedure specified the ID of records in the body as to how each record is Identified and Filed! I am not seeing where it actually says we must have a "List". If anything, maybe our partial list made it worse...

1. Is a list required by the standard?
2. If not we could change the wording to "The following are examples of some of the Quality Records we control"... Keeping in mind we also stated the procedure applies to all REQUIRED by Standard...
3. If a list is NOT required, how is everyone else identifying (if they are) what they consider a Record in their company (beyond what the standard mandates.

Sorry for being so long winded... I would like to be able to tell the auditor that:
A List is Not required
B Back that up with some "source" if possible...

Pat McGhie

Hii Pat McGhie ...
Keep it simple and for your subject line, I will say yes, but it is not required by ISO9001, rather it is required for your quality system operations.
ISO9001 does not know your business, so when you write a procedure for your business keeping the mapping to ISO9001 requirement, give a simple thought....
"A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records.".... so says the standard,
When you map your system to this statement within your quality system procedure., must you not mention WHAT are the records that are identified ?
Does it not make it so simple ... and further the standard also keeps mentioning at various places that records are to be maintained (per 4.2.4) helping you more.

[JaneB]

Suitable control over records is required. A list is not.

The specific requirements for management of records are in 4.2.4, which you've already quoted.

I don't like the finding for a number of reasons, already pretty well commented upon by others. Pinging you for not specifically listing maintenance records is a bit petty, I think. But I'm also thinking you've made a rod for your own back with the list of records, which gives that kind of auditor always scope to say 'but you've left out X'.

By the same token, you do want to know what kinds of records you have and how you manage them.

Consider listing records by category, with some examples, rather than being quite so specific. Lord save me from those 'masterlists'. I'd put in an icon for 'keep them away from me' but it doesn't exist.

[somashekar]

I would suggest you have a 8 column documented procedure for control of records. These columns may have the following titles.
The process
The type of record or record name (Ex: process validation records, purchase orders, etc)
How identified
How stored
How protected
Who retrieves
How long retained
How disposed
...so that across the organization there is a clear understanding and no contentions.
The processes listed can be the processes in your process and interaction mapping as in your quality manual.