
Common practices in ISO 9001 deployment

#1
Dear experts,
I'm planning to switch my focus from sustaining an existing ISO 9001 compliant QMS to developing and deploying QMS from scratch. Current experience does not provide me all the answers on how to develop and deploy a QMS in a new company and I hope you (and ISO9002 which I'm already reading) could bring some light here.
  1. Am I correct that the word "determine" does not imply the word "document"? When something should be determined, it could just exist in someone's head or for example be built in the process. On one of ISO 9001 trainings from NB auditor mentioned that "determine" should be supported by something "on paper". So just need to double check.
  2. Since ISO9001 does not require to document a CAPA process, is there a practice of decentralized CAPA process? Every department follows their own process and just documents what is needed (problem, action, result) in their own way.
  3. Similar question about Document control process.
  4. Is it mandatory to create a record named "Quality policy" or I may use an existing Policy that fits ISO 9001 requirements?
  5. People in the company (from business) are trained as internal auditors (as much as it could be for a secondary role). Where should I send them for audits - upstream or downstream from their process? Probably the answer is "it depends" and "both may work"
  6. Will NB auditor expect a specific internal order or something related to the QMS deployment launch?

Thank you in advance,
Alex
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
Welcome to The Cove Alex!

My central issue with your position is equating a QMS with ISO 9001. While ISO 9001 is meant to provide a useful structure, doing things only because ISO 9001 says "The organization shall" risks making a system that does not represent the organization's processes, vision or culture.

1) People determine things and then make some kind of decision. This often happens in Management Review, which does need its outputs documented. It can, and does also happen at the departmental level when decisions are made involving processes. The determination gets incorporated in that activity (or the decision to take no action). If people can describe to me what they "determined" and how they applied that to a given decision, excellent.

0.1 of the standard puts some context into the term. We determine things when engaging in risk-based thinking. Documenting it, even if not specifically required by the standard, makes sense for business management to help avoid drift or loss of "memory" when someone inevitably leaves.

2) If we are going to have CAPA but not document it, how will we know how it turned out? How will we know if a problem repeats or if the symptom repeats but it was caused by a different problem?

I was once an internal auditor for QMS, EMS and OHSAS. We had a centralized CAPA system within the QMS management, but the Environmental Engineer insisted on keeping his own CAPA database. I questioned that until I got a good look at it. He was finding things internally and recording actions to address them before I, the site Internal Auditor (or someone else externally, or some incident occurred due to inaction) found it. Who could argue with that? We ended up working together to define his process, tidy up his tool and make it graph what had been found. The NC Tracking Log - risk based resulted. I would hope such a CAPA tool is kept in a backed-up network, safe from loss.

3) How will we manage the documented information changes and approvals without some type of documented information? The key is to make a system that people are comfortable using or can be easily trained to use. I have seen organizations manage their changes and approvals using the Voting Button feature in MS Outlook. (I am not affiliated with Microsoft.) The resulting report can be saved to the backed-up network as a file to record the change and who approved it. Approvals can be gathered even out of the office because it is done via email - no more paper ECNs sitting on someone's desk, waiting for them to return and hopefully not lose them... Please review the Annex in the back of the standard. Section A.6 of the standard attempts to add perspective to documented information.

4) The Quality Policy is considered important enough to document, but it is not a record. A record is some means to capture something that happened or was done. That said, if its review is made part of Management Review (seems sensible to me) and a determination to change it or keep as-is results, that can be part of the outputs which do become a record. How and where the Quality Policy is documented is up to the organization.

5) Send internal auditors to processes they can understand or learn enough to grasp what is successful or not, and yet are not placed at some kind of risk if they bring forward a problem; that is objectivity/impartiality.

6) No.

The Technical Committee who originated ISO 9001 has tried to "keep up with the times" by avoiding what looks like a requirement to keep paperwork for everything. We do so much electronically now that many legacy types of documentation and records now look antique, especially among the young people. They will feel impatient with onerous requirements that make no clear sense. They will hold up their phones and say "It's all right here!" And they may be right. I have seen software such as iAuditor (I am not affiliated with SafetyCulture) that allows auditing to be done using one's smart phone, using the organization's checklist or one of their templates. I am very excited to try it and move away from the horrifying Excel-based checklist.

My long winded point is that we have more choices now and should feel free to use them. Just please, please don't use ISO 9001's lack of a "shall" as a reason to not do something that would add value.

I hope this helps!
 

Tagin

Trusted Information Resource
#3
  1. 'Determine' is problematic, because it's something that an auditor can/should audit, but the lack of a requirement for documentation sets up a situation where it can be hard for the auditee to defend their QMS, and hard for the auditor to be satisfied that the 'determine' requirement was met. Ask yourself: for each 'determine' in the standard, what can you point to in your QMS to defend it? Once you have that...well, why not just write it down, and add those comments to the QMS, to make it easier for yourself, the auditor, and anyone else contributing to your QMS? :)
  2. It's so straightforward to write a general and flexible CAPA process, that I think you are making everyone's life more difficult by not writing a one or two-page process.
  3. You need to identify where documents are, retention times, etc. Document it.
  4. See 5.2.2a: "The quality policy shall a) be available and be maintained as documented information". The content of the policy has to meet all the bullet points in 5.2.1.
  5. Auditing one's process 'neighbors' might open the door for over-critical "revenge" auditing due to prior inter-process conflicts, or retaliatory behaviors via the process stream later on. It probably depends a lot on the company culture.
 

Big Jim

Super Moderator
#4
Many people forget that objective evidence is not just documents and / or records. It also includes what auditors can learn from interview and observation. If the standard has a requirement without including a requirement for documented information you don't have to have documented information unless your organization determines that they need to. What is critical is that you be able to demonstrate that you know the requirement and can explain your approach to it.

1. If the standard says "determine" it doesn't mean document unless you have decided it is needed.

2. You could decentralize it, but in my opinion it would be very difficult to control. By the way CAPA is old school thinking as preventive action is no longer in the standard. Although you don't need a written procedure for it I strongly recommend one, but keep it as simple as possible.

3. Similar answer.

4. You can call your quality policy whatever you want but be prepared to show it when asked and also make sure that it meets all the requirements. In my experience most existing vision statements and the like are way overcomplicated and difficult for most employees to explain.

5 & 6. Read and learn what the requirements in the standard are and don't try to read more into it than is there. Determine if they are already meeting the requirement or not, and if not, what would be needed to get there. Often it only needs small changes and you usually want to make as few changes as possible. It's less disruptive and what is already being done usually works for them. Try to tweak things instead of overhauling things.
 

Mike S.

Happy to be Alive
Trusted Information Resource
#5
2. You could decentralize it, but in my opinion it would be very difficult to control. By the way CAPA is old school thinking as preventive action is no longer in the standard.
ISO may have removed "preventive action" as a stand-alone requirement in favor of "risk-based thinking" but the root word "prevent" and its various children are all still throughout the text of the standard. A preventive action by any other name still serves the same purpose.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#6
Am I correct that the word "determine" does not imply the word "document"? When something should be determined, it could just exist in someone's head or for example be built in the process. On one of ISO 9001 trainings from NB auditor mentioned that "determine" should be supported by something "on paper". So just need to double check.
Determine means "find out".
Screenshot 2021-04-19 162702.jpg
See? It couldn't be clearer....:LOL: The TC 176 always comes through in times of uncertainty.
 

Big Jim

Super Moderator
#7
ISO may have removed "preventive action" as a stand-alone requirement in favor of "risk-based thinking" but the root word "prevent" and its various children are all still throughout the text of the standard. A preventive action by any other name still serves the same purpose.
The reason for changing from preventive action to risk based thinking was that preventive action didn't live up to its mission. It was misunderstood and misapplied. Corrective action and preventive action should have never been presented next to each other in a parallel fashion as it led to widespread misunderstanding that preventive action was part of corrective action, that is that preventive action was what you did to prevent a nonconformance from reoccurring, but it was not. What you did to prevent reoccurrence of a nonconformance was part of the corrective action. Preventive action was focused around what you did to prevent a POTENTIAL problem from occurring.

If you want to perpetuate that misunderstanding instead of accepting risk based thinking as something else, be my guest, but I choose not to.
 

Mike S.

Happy to be Alive
Trusted Information Resource
#8
Sure CA and PA caused some confusion as you say. Lots of things in the standard cause confusion.

But it's not like the introduction of risk based thinking instead of PA cleared up everything. I understood the definitions of corrective action and preventive action more than gibberish like this: "Risk is the effect of uncertainty and any such uncertainty can have positive or negative effects. A positive deviation arising from a risk can provide an opportunity, but not all positive effects of risk result in opportunities."
 
#9
Welcome to The Cove Alex!
I hope this helps!
Thank you for your vision. Indeed, the purpose of an established QMS is supposed to be broader than just complying with ISO 9001 requirements.
1. Agree, that it's easier to document something in order to have a proof. Was just thinking if it is possible to optimize documentation. What I understood from your comment, there's no need to have a specific documented information for each and every "determined" entity. Combining and mentioning this in already existing records/documents may help.
2-3. The idea was to let people manage their documents and problems the way they want. If R&D dept got used to a full 8D process with lots of paper - let them do it this way. If Marketing is satisfied with a brainstorm or color hats - let it be. I would just expect that they need to document things required by 9001: problem, actions and result. Again, in a way they prefer.
Same for document control - choose and apply process complexity that fits your department/process better.
The bottleneck here is actually allowing people to control, let's roughly call it "ISO 9001"-related process on their own. I still dream that people could be able to handle their processes from the beginning to the end.
4. It is considered to be important, right. Just don't want to call it "Quality Policy" when I already have a regular business policy that fits 9001 requirements.

The rest is clear. Actually, my questions were triggered by the need of conscious 9001-compliant QMS deployment. Avoiding things that do not add value and implementing things that do.
 

Ed Panek

QA RA Small Med Dev Company
Staff member
Super Moderator
#10
When in doubt I always write a memo. It's quick, it's a signed and dated document and shows you at least thought about something.
 