Informational Required Documents/Records in ISO 9001:2015

AlanC

Involved In Discussions
#11
Hi All,
I think the new standard gives flexibility to change the QMS to a more purpose driven one which meets business requirements. Process mapping our business rather than a series of procedures has helped to link the areas together and highlights the gaps. However, I'm not clear on the risk side of things. What will the audit requirement look like, and more importantly what will the business requirement look like, as anyone got examples from the other areas, financial etc that use this approach to point me in the right direction
thanks
 
Elsmar Forum Sponsor

01mercy

Involved In Discussions
#12
I read this discussion and I was just thinking the other way around.
Not what the stripped requirements on documentation would mean internally, but what it would mean if you would get audited.

Internally you would be challenged indeed to take the responsibility to determine what is significant to put under the flag of control.
However... if you would get audited, I think there will be some interesting discussions with the ISO auditor and customers on what is really significant for your company.
 
E

element79

#13
Hi Covers! Has there been a change to the list of required records posted by the OP based on the released DIS?

I noticed that results/records of Preventive Actions are missing. Is this really the case (PA records not needed anymore) or has it just been reworded to fit the risk management direction of the DIS? Thanks.

-A.
 
P

pldey42

#14
Risk management and risk-based thinking replace PA, and they require "documented information" as appropriate.

Just 2c
Pat
 
P

pldey42

#15
After reading through CD-ISO-9001, unless I am missing something, these are all that I see that will be required:

what we currently refer to as documents:
- [4.3] Scope & justifications for exclusions (limited to 7.1.4 and 8)
- [5.2] Quality Policy
- [6.2.a-g] Quality Objectives and information

what we currently refer to as records:
- [7.1.4] Evidence of fitness of monitoring & measurement equipment
- [7.2.d] Evidence of employee competence
- [7.5.b] Information determined by the organization as being necessary
- [8.1.c] Information that processes have been completed as planned
- [8.2.3] Basically Order intake & processing)
- [8.4.2] Provider evaluations (ability to provide)
- [8.4.3] (Basically Purchase Order)
- [8.4.3] Provider evaluations (performance)
- [8.6.2] Unique identification for traceability
- [8.6.3] Customer property lost, damaged, or unsuitable
- [8.6.6] Review of change
- [8.7] Evidence of conformity
- [8.7] Person releasing to customer
- [8.8] Nonconforming goods and actions taken
- [9.1.1] Records that monitoring and measurement have been completed
- [9.2.f] Audits were held and results
- [9.3] Results of Management Review
- [10.1.a] Nature of nonconformance's and actions taken
- [10.1.b] Results of Corrective Actions

It appears that as long as everyone knows our processes, we do not need to have anything in writing. I did not see anything that states we need to have processes in writing, although some should be.

Have I missed something? :confused:
For me this is a long-overdue breath of fresh air. The focus at last moves from documented procedures, to processes that work, supported with appropriate documented information - which can be procedures, records, either or both. Indeed, a completed record might sometimes be an example to follow, which communicates the process better than does a procedure.

To audit a non-documented procedure the auditor might interview a few people who execute it and ask them what it is. If they all say substantially the same thing, it's communicated - somehow - systematically. Then the auditor needs evidence it's systematically executed - observation perhaps, or maybe records - and evidence that it's effective - records, almost certainly.

(The auditor might also wonder how it's communicated, if not in writing. I've seen some orgs do it by osmosis: never parachute people in to senior positions and have everyone learn from the ground up by copying their seniors. The procedures can become second nature, not written because "everyone does it that way." When the culture is well led, nobody changes the process except through discussion with colleagues and change that's managed, if informally. It can work, especially when everyone is focused upon common objectives expressed in the quality policy and measurable goals. Critically, such systems can be responsive and adaptive in changing market and customer conditions, and good at responding to disruptive events.)

The only part of this that documented procedures helped with was the first, communicating - and even that wasn't guaranteed, so auditors were often wise to do all the above anyhow. For intelligent organizations and auditors, there's little change but to remove excessive focus upon 5 or 6 mandatory documented procedures.

Just my 2c
Pat
 

John Broomfield

Staff member
Super Moderator
#16
Pat,

Undocumented procedures have been recognized for 14 years now but you have to study the definition of procedure.

Grant you, the six orphan processes, that belonged to no one, probably needed their documented procedures so people could understand, use and improve these often new processes.

BTW, I could see no specified requirement in the DIS for records of risk management or of the ephemeral "risk-based thinking".

John
 
P

pldey42

#17
John,

4.4.f requires the organization to determine "the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them" and the last para of 4.4 requires "documented information to the extent necessary." In many but not all situations there will be something like a risk register and documented mitigation plans. In some cases these will reconcile with risks identified in 10k filings which the management system might address.

Some situations won't have documented plans. For example, if a new product idea risks diluting sales of existing product, the new idea might simply be dumped: no documented risk info, necessarily.

When documented info is used with regard to risk, it might address relevant details of processes that deal with risk under 6.1, as well as 4.4. But this would not be mandatory, the organization has the choice, of course.

9.3.1.d requires management to review the effectiveness of actions taken to address risks and opportunities; this is surely often going to be presented to them in written reports - although yes, there's no mandate for such. And 9.3.2 requires documented information on the results of management reviews which might, or might not, mention risk.

But you're right, John, the organization has huge latitude in what it documents with regard to risk and that could well be nil.

On undocumented procs being ok since 2000, yep, true - but I've lost count of the number of organizations I've audited that still have useless documentation they hope will please auditors, sometimes written for them by consultants who ought to know better - but who play it safe, because they're paid to get the organization certified and perceive less risk of certification failure if they document, document, document. "Do you actually do this?" I have often asked. "No," comes the response, "Our consultant wrote it for us." This is a culture that seems to take forever to change. It's born of fear, I think, fear of auditors (who rarely visit and are unknown quantities), fear of failing certification and increased costs of extra audits, an example of the kind of fear that Deming said should be driven out.

Pat
 

John Broomfield

Staff member
Super Moderator
#18
Pat,

Agreed, trying to "second guess" or please the auditor is a huge problem.

Of course, it detracts from accepting, planning, designing, operating and improving processes so they fulfill their objectives and result in services and products that fulfill customer requirements.

9001:2015's lack of specificity may make the problem of unnecessary "documented information" even worse.

John
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#20
<snip> Undocumented procedures have been recognized for 14 years now but you have to study the definition of procedure. <snip>
I remember "undocumented procedure" arguments/discussions (definition of what a "procedure" is) with ISO 9001 auditors back in 1990, and I went through the "a flow chart is not a procedure" auditor "interpretation" back in 1994 in a company I worked with where we did the "required documented procedures" (and many other procedures) in a flow chart format. That one was fun... :notme:
 
Thread starter Similar threads Forum Replies Date
H Is "Master Documents and Records list" required per ISO 9001 ? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
O What are typical records of different documents required by ISO9001? Records and Data - Quality, Legal and Other Evidence 2
L ISO 14001 4.4.4 d) - What exactly are the documents and records required by ISO 14001 ISO 14001:2015 Specific Discussions 3
I QMS documents required at each stage of Software development IEC 62304 - Medical Device Software Life Cycle Processes 5
C Defining Approvals Required for Design Control Documents ISO 13485:2016 - Medical Device Quality Management Systems 6
Marc IAF Mandatory Documents (MD Series) - Required to be used by certification bodies ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
F The depth of the required Design Documents ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
M Which documents are required for a class I medical device listing US Food and Drug Administration (FDA) 4
S Clarification in organizing required documents for ISO 27001 IEC 27001 - Information Security Management Systems (ISMS) 6
X Documents required by the quality management system shall be controlled ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
S Minimum documents required by AS9100 AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 3
N What Documents are Required for each ISO 9001 Requirement ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
G Rookie to the ISO 9001:2008 World - Required Procedures and Documents ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
M AS9100 Clause 4.2.3 requirements - Documents required by the QMS shall be Controlled AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 13
T Control of Safety Documents Required? ISO 9001:2008 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
R What Documents are required for Application of Brazilian INMETRO IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
K Documents required to display/keep during ISO 9000 Audit in EPCC firm ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 17
W Electronic Distribution of Controlled Documents: Validation required? Qualification and Validation (including 21 CFR Part 11) 5
J ISO 9001:2008 Clause 4.2.3 - What are the required documents? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 24
C ISO 3834-2 references ISO 3834-5 for the list of documents required for conformity Other ISO and International Standards and European Regulations 1
M All Internally Generated Documents ? Required to be Controlled or Not All? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19
C Control of Documents - Is a unique format required? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
S Required documents for Class III Medical Device in Yemen Other Medical Device Regulations World-Wide 3
M List of documents required for engineering service project (CAD/CAM) AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 4
V What documents are required for Education and Training in AS9100 Internal Auditing 3
A Documents required for ISO 17020 vs. ISO 9001? General Measurement Device and Calibration Topics 10
P Required Documents and Document Control in Human Resources for ISO 9001:2000 Document Control Systems, Procedures, Forms and Templates 5
P New product Design & Development for automotive requirements - Documents required Design and Development of Products and Processes 4
T Using References - Required in Quality Documents? Document Control Systems, Procedures, Forms and Templates 2
R Documents required for certification process - AS/EN/JISQ9100 AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 2
E New and revised documents - Acknowledgement of distribution required? Document Control Systems, Procedures, Forms and Templates 3
E Level 3 PPAP with only a few of the required documents? APQP and PPAP 3
R TS16949 Grandfather documents - Control Plans - Required or not based upon date FMEA and Control Plans 4
Howard Atkins TS 16949 Clause 4.2.1 - Required Documents IATF 16949 - Automotive Quality Systems Standard 15
G Control of External Documents - Which documents are required to be controlled? IATF 16949 - Automotive Quality Systems Standard 10
C How long we're required to keep supplier and our PPAP documents? Supplier Quality Assurance and other Supplier Issues 1
R Shall a new UDI-DI be required when stand-alone software device's version is updated? EU Medical Device Regulations 1
A Question on ISO 14001:2015 - Are annual audits required? ISO 14001:2015 Specific Discussions 8
M Is Validation of Plating Processes required and who is responsible? Qualification and Validation (including 21 CFR Part 11) 10
MDD_QNA Medical Device Software - Is a Help Button required? IEC 62304 - Medical Device Software Life Cycle Processes 1
O ISO 13485 - Is management review required before stage 1? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Recent changes to ISO 14971 - SOP required for managing standard revisions ISO 13485:2016 - Medical Device Quality Management Systems 1
Jane's Like-for-like critical raw material change qualification - type of testing/ number of lots required ISO 13485:2016 - Medical Device Quality Management Systems 3
V Manufacturing requirements for respiratory ventilators - clean room required? Medical Device and FDA Regulations and Standards News 6
A When there is a 2 year lapse in production, is a full FAI required? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 2
C Is it required to put"Rx only" on the home page of an app? Medical Device and FDA Regulations and Standards News 4
B IEC 60601-2-10 - Accuracy of Pulse Parameters - Required Measurement Uncertainty IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
S Is Optical Parallel Set required calibration? ISO 17025 related Discussions 1
R Is it required to have an SOP for external audits? Medical Device and FDA Regulations and Standards News 7
M MDR - Is a formal GSPR Procedure required? EU Medical Device Regulations 20
Similar threads


















































Top Bottom