Search the Elsmar Cove!
**Search ALL of Elsmar.com** with DuckDuckGo including content not in the forum - Search results with No ads.

Informational Required Documents/Records in ISO 9001:2015

#21
Very interesting discussion and great comments! I too remember a round table of CB auditors (at a TickIT event) having quite heated arguments about documented procedures and how you audit that! Needless to say, each had their own ideas...

I believe that there's a dichotomy in the industry where on one hand people follow the mantra "Say what you do, do what you say" which tends to make them over document on the "say what you do" portion - which affects everyone from the "ISO in a Can" purveyors to auditors who somehow learned (in lead auditor courses etc) that the standard (apparently) requires lots of documentation!

I don't see the lack of specificity to be too much of an issue. I believe that since "ISO" has been around for 25 years, only a few will go down an uncharted route, most preferring to do what everyone else has done - create documents. They did before even when ISO 9001:2000 didn't require it.

Those who are going to transition their QMS aren't going to throw documents in the trash and those coming new to QMS are going to take the least line of resistance and not get too creative!

I also don't see a repeat of the "interpretations" of such things as flow charts etc. That kind of thing happened 10 - 15 years ago (or more, typically) and since there's a lot of grey hair in the industry and not a lot of new(er) auditors coming into the industry, most have learned to live with the impacts on how documentation is now created, I'd suggest.
 

Marc

Captain Nice
Staff member
Admin
#22
Typically, when I do a "gap analysis", we look at what they have, what is already documented, and what isn't. Usually there is no added documentation because in most cases if documentation wasn't already present they didn't need any to begin with. Over-documentation was a Dilbert cartoon years ago, but I can't find the one I'm thinking of off hand.

There are threads here from way back on over-documentation. Example: ISO 9001: Avoiding Over Documentation
From: http://Elsmar.com/level2/accolades.html


--> Subject: Results?
--> Date: Thu, 24 Jun 1999 16:29:21 -0500
--> From: Anaren Microwave
--> To: Marc Smith
-->
--> Well, as you anticipated, we "passed" with relatively few problems.
--> We had only 7 isolated non-conformities across 5 elements. Details
--> are in the attached file. The auditor said that this was a very
--> good result when compared to other registration audits he has
--> performed. All I can say is I am glad it was successful and Marty
--> said that she was happy to finally win! Once again, thanks for the
--> help. You're advice was extremely important. Especially important,
--> at least in my opinion, was your help in determining where we did
--> not need to document every last thing (by using training, etc.). I
--> think that without this input, we would have spent a lot more time
--> writing things that we did not need and wasted a lot of peoples'
--> time.
We were able to get the audit done in a year while we are
--> achieving record sales and profits. Who can argue with that?

Over-documentation in this day and age is (or should be) well in our past with respect to ISO 9001 requirements.
 

qpled

Involved In Discussions
#23
Typically, when I do a "gap analysis", we look at what they have, what is already documented, and what isn't. Usually there is no added documentation because in most cases if documentation wasn't already present they didn't need any to begin with. Over-documentation was a Dilbert cartoon years ago, but I can't find the one I'm thinking of off hand.
Now I am trying to find that Dilbert cartoon! :)
I did find the one about the Records Retention Department throwing documents away since no one ever asked for them back...
 
E

element79

#25
:thanx: for the replies, guys. I guess the question whether or not it is required to document anything on risk management (used to be PA) based on the DIS is still open-ended and could very well depend on the auditor's interpretation.

It's just that we're STILL in the process of filling the documentation gaps. We certainly don't want to go down the path towards overdoing things, especially as most of the staff (and some of the management) have a strong aversion to anything that involves documenting/recording their work. :frust:

:topic: I wanna see that Dilbert cartoon too. :D

- Au
 

John Broomfield

Staff member
Super Moderator
#26
:thanx: for the replies, guys. I guess the question whether or not it is required to document anything on risk management (used to be PA) based on the DIS is still open-ended and could very well depend on the auditor's interpretation.

It's just that we're STILL in the process of filling the documentation gaps. We certainly don't want to go down the path towards overdoing things, especially as most of the staff (and some of the management) have a strong aversion to anything that involves documenting/recording their work. :frust:

:topic: I wanna see that Dilbert cartoon too. :D

- Au
Au,

First it depends on the auditee's determination of what is necessary. Then it depends on the auditee's willingness and ability to defend the limited extent of documented information in the audits of their management system.

We depend on auditor interpretations only when the defense is weak or the auditor should not be the auditor.

After all, to audit is to listen.

John
 
P

pldey42

#27
"to audit is to listen" - well said, John.

I think that to allow auditors to take control of documentation pertaining to risk-based thinking would be a mistake. They - we - tend to be conservative and they'll maybe want every last risk that can be imagined, significant or not, to be considered. I think it will be important to manage a relationship with the CB of mutual respect, acknowledging legitimate risks they bring to our attention (e.g. those they learn of when visiting their other clients, of which we're unaware) but firmly retaining control.

If they persist in wasting our time with daft risks, I think we'll need to be assertive in managing them with questions like,

"Show me the shall?" (The requirements for risk management are very abstract, deliberately so in my opinion, so that organizations can do what is appropriate; we should not let auditors dilute it with their own conservative interpretations (anxieties) - not that the good ones will.)

"Where does it say that 'the organization shall maintain documented information to the extent the auditor thinks necessary?" (It doesn't)

I would avoid the temptation to write down a risk and tolerate it, just to shut the auditor up, for that's the seed for over-documentation.

It's also important to understand that sometimes organizations avoid writing down certain risks, communicating about them verbally instead, to avoid liability issues should something bad happen. When things go to court, written risk assessments can be subject to disclosure and misrepresented by the opposition for the purposes of inflating damages ("You knew about it!"). We could debate whether that's right or wrong, but my understanding is that even in well-governed businesses, some of it stays off the record because of the vagaries of legal proceedings. (I imagine this is less true of regulated industries than others.)

I think essential elements of managing this will include (a) a relationship of mutual respect, (b) a risk appetite that is understood and shared by the auditor, and (c) documented information to the extent necessary to convince current and future managers (and therefore auditors) at the organization that prudent risk management is in place - especially when there's an incident and heads on platters are demanded.

Pat
 

Helmut Jilling

Auditor / Consultant
#28
Now I am trying to find that Dilbert cartoon! :)
I did find the one about the Records Retention Department throwing documents away since no one ever asked for them back...

that was my favorite of all the Dilbert ISO cartoons....the infamous, round, silver record storage cylinder....
 
Y

Yukon

#29
ISO 9001:2015 does not require that an organization have documents. The standard requires (referenced 41 times) that the organization maintain "documented information" aka records.
 
#30
Annex A (in the back of the standard) Clarification of new structure, terminology and concepts. (emphasis on terminology) A.6 Documented information. I suggest you read all of A.6 but I'm going to pull out the pertinent parts.

"documented information" is used for all document requirements.

Where ISO 9001:2008 used specific terminology such as "document" or "documented procedures", "quality manual", or "quality plan" this edition of this International Standard defines requirements to "maintain documented information". (so maintaining documented information refers to having what was known before as documents)

Where ISO 9001:2008 used the term "records" to denote documents needed to provide evidence of conformity with requirements, this is now express as a requirement to "retain documented information". (so what was known before as records are now referred to a retained documented information.

Let's look in the main body of the standard now for some examples. By my count there are nine places where it says that it is necessary to maintain documented information. Some of them require both maintain and retain. Some of them are to the extent necessary or as applicable.
  • 4.3 Maintain DI of Scope
  • 4.4.2 Maintain DI to support operation of processes
  • 5.2.2a Maintain DI of Quality Policy
  • 6.2.1 Maintain DI of Quality Objectives
  • 8.1e1) Operation planning includes determining, maintaining, and retaining DI to the extent necessary for confidence that processes have been carried out as planned
  • 8.1e2) Operation planning includes determining, maintaining, and retaining DI to the extent necessary to demonstrate conformity of products
  • 8.2.4 relevant DI is amended when product requirements are changed
  • 8.5.1 As applicable, availability of DI that defines characteristics of products or services to be provided that ensure production under controlled conditions
  • 8.5.1 As applicable, availability of DI that defines results to be achieved to ensure production under controlled conditions

By my count there are 30 places where the standard calls for retained documented information. Some of them also say to maintain. Some are also as appropriate or something similar.

Retain (Record Retention) – Some of these may contain weasel words such as “as applicable” or “as necessary”. Refer to the full text of the ISO 9001:2015 Standard.
  • 4.4.2 Retain DI to provide confidence that the processes are being carried out as planned
  • 7.1.5.1 Retain DI as evidence of calibrated equipment fitness for purpose
  • 7.5.1.2 Retain DI for how to calibrate equipment that cannot be traced to standards
  • 7.2 Retain DI as evidence of competence
  • 8.1e1) Operation planning includes determining, maintaining, and retaining DI for confidence that processes have been carried out as planned
  • 8.1e2) Operation planning includes determining, maintaining, and retaining DI to demonstrate conformity of products
  • 8.2.3.2a Retain DI to show results of contract review
  • 8.2.3.2b Retain DI on product new requirements
  • 8.3.2 Determine DI [retaining]needed to demonstrate design requirements have been met
  • 8.3.3 Retain DI of design inputs
  • 8.3.4 Retain DI of design control activities (reviews, verification, validation, actions taken)
  • 8.3.5 Retain DI of design outputs
  • 8.3.6 Retain DI of design changes
  • 8.3.6 Retain DI of results of reviews that ensure that changes has no adverse effects
  • 8.4.1 Retain DI of external providers approval activities and actions
  • 8.5.2 Retain DI necessary to enable traceability
  • 8.5.3 Retain DI of reports to customers or external suppliers when their property is lost, damaged, or otherwise found to be unsuitable for use
  • 8.5.6 Retain DI of results of reviews of production changes
  • 8.6 Retain DI of evidence of conformity of products (inspection results)
  • 8.6 Retain DI showing who authorized release of product
  • 8.7.2 Retain DI that describes product nonconformity
  • 8.7.2 Retain DI that describes action taken concerning product nonconformity
  • 8.7.2 Retain DI that describes any concessions obtained for nonconforming product
  • 8.7.2 Retain DI that identifies the authority deciding the action in respect to the nonconformity
  • 9.1.1 Retain DI that provides evidence of monitoring, measuring, analysis, and evaluation results
  • 9.2.2 Retain DI as evidence of implementation of the internal audit program
  • 9.2.2 Retain DI of internal audit results
  • 9.3.3 Retain DI as evidence of management review
  • 10.2.2 Retain DI of the nature of nonconformities and any subsequent actions taken
  • 10.2.2 Retain DI of the results of any corrective actions
 
Top Bottom