Informational Required Documents/Records in ISO 9001:2015

#21
Very interesting discussion and great comments! I too remember a round table of CB auditors (at a TickIT event) having quite heated arguments about documented procedures and how you audit that! Needless to say, each had their own ideas...

I believe that there's a dichotomy in the industry where on one hand people follow the mantra "Say what you do, do what you say" which tends to make them over document on the "say what you do" portion - which affects everyone from the "ISO in a Can" purveyors to auditors who somehow learned (in lead auditor courses etc) that the standard (apparently) requires lots of documentation!

I don't see the lack of specificity to be too much of an issue. I believe that since "ISO" has been around for 25 years, only a few will go down an uncharted route, most preferring to do what everyone else has done - create documents. They did before even when ISO 9001:2000 didn't require it.

Those who are going to transition their QMS aren't going to throw documents in the trash and those coming new to QMS are going to take the least line of resistance and not get too creative!

I also don't see a repeat of the "interpretations" of such things as flow charts etc. That kind of thing happened 10 - 15 years ago (or more, typically) and since there's a lot of grey hair in the industry and not a lot of new(er) auditors coming into the industry, most have learned to live with the impacts on how documentation is now created, I'd suggest.
 
Elsmar Forum Sponsor

Marc

Hunkered Down for the Duration
Staff member
Admin
#22
Typically, when I do a "gap analysis", we look at what they have, what is already documented, and what isn't. Usually there is no added documentation because in most cases if documentation wasn't already present they didn't need any to begin with. Over-documentation was a Dilbert cartoon years ago, but I can't find the one I'm thinking of off hand.

There are threads here from way back on over-documentation. Example: ISO 9001: Avoiding Over Documentation
From: http://Elsmar.com/level2/accolades.html


--> Subject: Results?
--> Date: Thu, 24 Jun 1999 16:29:21 -0500
--> From: Anaren Microwave
--> To: Marc Smith
-->
--> Well, as you anticipated, we "passed" with relatively few problems.
--> We had only 7 isolated non-conformities across 5 elements. Details
--> are in the attached file. The auditor said that this was a very
--> good result when compared to other registration audits he has
--> performed. All I can say is I am glad it was successful and Marty
--> said that she was happy to finally win! Once again, thanks for the
--> help. You're advice was extremely important. Especially important,
--> at least in my opinion, was your help in determining where we did
--> not need to document every last thing (by using training, etc.). I
--> think that without this input, we would have spent a lot more time
--> writing things that we did not need and wasted a lot of peoples'
--> time.
We were able to get the audit done in a year while we are
--> achieving record sales and profits. Who can argue with that?

Over-documentation in this day and age is (or should be) well in our past with respect to ISO 9001 requirements.
 

qpled

Involved In Discussions
#23
Typically, when I do a "gap analysis", we look at what they have, what is already documented, and what isn't. Usually there is no added documentation because in most cases if documentation wasn't already present they didn't need any to begin with. Over-documentation was a Dilbert cartoon years ago, but I can't find the one I'm thinking of off hand.
Now I am trying to find that Dilbert cartoon! :)
I did find the one about the Records Retention Department throwing documents away since no one ever asked for them back...
 
E

element79

#25
:thanx: for the replies, guys. I guess the question whether or not it is required to document anything on risk management (used to be PA) based on the DIS is still open-ended and could very well depend on the auditor's interpretation.

It's just that we're STILL in the process of filling the documentation gaps. We certainly don't want to go down the path towards overdoing things, especially as most of the staff (and some of the management) have a strong aversion to anything that involves documenting/recording their work. :frust:

:topic: I wanna see that Dilbert cartoon too. :D

- Au
 

John Broomfield

Staff member
Super Moderator
#26
:thanx: for the replies, guys. I guess the question whether or not it is required to document anything on risk management (used to be PA) based on the DIS is still open-ended and could very well depend on the auditor's interpretation.

It's just that we're STILL in the process of filling the documentation gaps. We certainly don't want to go down the path towards overdoing things, especially as most of the staff (and some of the management) have a strong aversion to anything that involves documenting/recording their work. :frust:

:topic: I wanna see that Dilbert cartoon too. :D

- Au
Au,

First it depends on the auditee's determination of what is necessary. Then it depends on the auditee's willingness and ability to defend the limited extent of documented information in the audits of their management system.

We depend on auditor interpretations only when the defense is weak or the auditor should not be the auditor.

After all, to audit is to listen.

John
 
P

pldey42

#27
"to audit is to listen" - well said, John.

I think that to allow auditors to take control of documentation pertaining to risk-based thinking would be a mistake. They - we - tend to be conservative and they'll maybe want every last risk that can be imagined, significant or not, to be considered. I think it will be important to manage a relationship with the CB of mutual respect, acknowledging legitimate risks they bring to our attention (e.g. those they learn of when visiting their other clients, of which we're unaware) but firmly retaining control.

If they persist in wasting our time with daft risks, I think we'll need to be assertive in managing them with questions like,

"Show me the shall?" (The requirements for risk management are very abstract, deliberately so in my opinion, so that organizations can do what is appropriate; we should not let auditors dilute it with their own conservative interpretations (anxieties) - not that the good ones will.)

"Where does it say that 'the organization shall maintain documented information to the extent the auditor thinks necessary?" (It doesn't)

I would avoid the temptation to write down a risk and tolerate it, just to shut the auditor up, for that's the seed for over-documentation.

It's also important to understand that sometimes organizations avoid writing down certain risks, communicating about them verbally instead, to avoid liability issues should something bad happen. When things go to court, written risk assessments can be subject to disclosure and misrepresented by the opposition for the purposes of inflating damages ("You knew about it!"). We could debate whether that's right or wrong, but my understanding is that even in well-governed businesses, some of it stays off the record because of the vagaries of legal proceedings. (I imagine this is less true of regulated industries than others.)

I think essential elements of managing this will include (a) a relationship of mutual respect, (b) a risk appetite that is understood and shared by the auditor, and (c) documented information to the extent necessary to convince current and future managers (and therefore auditors) at the organization that prudent risk management is in place - especially when there's an incident and heads on platters are demanded.

Pat
 

Helmut Jilling

Auditor / Consultant
#28
Now I am trying to find that Dilbert cartoon! :)
I did find the one about the Records Retention Department throwing documents away since no one ever asked for them back...

that was my favorite of all the Dilbert ISO cartoons....the infamous, round, silver record storage cylinder....
 
Y

Yukon

#29
ISO 9001:2015 does not require that an organization have documents. The standard requires (referenced 41 times) that the organization maintain "documented information" aka records.
 

Big Jim

Trusted Information Resource
#30
Annex A (in the back of the standard) Clarification of new structure, terminology and concepts. (emphasis on terminology) A.6 Documented information. I suggest you read all of A.6 but I'm going to pull out the pertinent parts.

"documented information" is used for all document requirements.

Where ISO 9001:2008 used specific terminology such as "document" or "documented procedures", "quality manual", or "quality plan" this edition of this International Standard defines requirements to "maintain documented information". (so maintaining documented information refers to having what was known before as documents)

Where ISO 9001:2008 used the term "records" to denote documents needed to provide evidence of conformity with requirements, this is now express as a requirement to "retain documented information". (so what was known before as records are now referred to a retained documented information.

Let's look in the main body of the standard now for some examples. By my count there are nine places where it says that it is necessary to maintain documented information. Some of them require both maintain and retain. Some of them are to the extent necessary or as applicable.
  • 4.3 Maintain DI of Scope
  • 4.4.2 Maintain DI to support operation of processes
  • 5.2.2a Maintain DI of Quality Policy
  • 6.2.1 Maintain DI of Quality Objectives
  • 8.1e1) Operation planning includes determining, maintaining, and retaining DI to the extent necessary for confidence that processes have been carried out as planned
  • 8.1e2) Operation planning includes determining, maintaining, and retaining DI to the extent necessary to demonstrate conformity of products
  • 8.2.4 relevant DI is amended when product requirements are changed
  • 8.5.1 As applicable, availability of DI that defines characteristics of products or services to be provided that ensure production under controlled conditions
  • 8.5.1 As applicable, availability of DI that defines results to be achieved to ensure production under controlled conditions

By my count there are 30 places where the standard calls for retained documented information. Some of them also say to maintain. Some are also as appropriate or something similar.

Retain (Record Retention) – Some of these may contain weasel words such as “as applicable” or “as necessary”. Refer to the full text of the ISO 9001:2015 Standard.
  • 4.4.2 Retain DI to provide confidence that the processes are being carried out as planned
  • 7.1.5.1 Retain DI as evidence of calibrated equipment fitness for purpose
  • 7.5.1.2 Retain DI for how to calibrate equipment that cannot be traced to standards
  • 7.2 Retain DI as evidence of competence
  • 8.1e1) Operation planning includes determining, maintaining, and retaining DI for confidence that processes have been carried out as planned
  • 8.1e2) Operation planning includes determining, maintaining, and retaining DI to demonstrate conformity of products
  • 8.2.3.2a Retain DI to show results of contract review
  • 8.2.3.2b Retain DI on product new requirements
  • 8.3.2 Determine DI [retaining]needed to demonstrate design requirements have been met
  • 8.3.3 Retain DI of design inputs
  • 8.3.4 Retain DI of design control activities (reviews, verification, validation, actions taken)
  • 8.3.5 Retain DI of design outputs
  • 8.3.6 Retain DI of design changes
  • 8.3.6 Retain DI of results of reviews that ensure that changes has no adverse effects
  • 8.4.1 Retain DI of external providers approval activities and actions
  • 8.5.2 Retain DI necessary to enable traceability
  • 8.5.3 Retain DI of reports to customers or external suppliers when their property is lost, damaged, or otherwise found to be unsuitable for use
  • 8.5.6 Retain DI of results of reviews of production changes
  • 8.6 Retain DI of evidence of conformity of products (inspection results)
  • 8.6 Retain DI showing who authorized release of product
  • 8.7.2 Retain DI that describes product nonconformity
  • 8.7.2 Retain DI that describes action taken concerning product nonconformity
  • 8.7.2 Retain DI that describes any concessions obtained for nonconforming product
  • 8.7.2 Retain DI that identifies the authority deciding the action in respect to the nonconformity
  • 9.1.1 Retain DI that provides evidence of monitoring, measuring, analysis, and evaluation results
  • 9.2.2 Retain DI as evidence of implementation of the internal audit program
  • 9.2.2 Retain DI of internal audit results
  • 9.3.3 Retain DI as evidence of management review
  • 10.2.2 Retain DI of the nature of nonconformities and any subsequent actions taken
  • 10.2.2 Retain DI of the results of any corrective actions
 
Thread starter Similar threads Forum Replies Date
H Is "Master Documents and Records list" required per ISO 9001 ? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
O What are typical records of different documents required by ISO9001? Records and Data - Quality, Legal and Other Evidence 2
L ISO 14001 4.4.4 d) - What exactly are the documents and records required by ISO 14001 ISO 14001:2015 Specific Discussions 3
I QMS documents required at each stage of Software development IEC 62304 - Medical Device Software Life Cycle Processes 5
C Defining Approvals Required for Design Control Documents ISO 13485:2016 - Medical Device Quality Management Systems 6
Marc IAF Mandatory Documents (MD Series) - Required to be used by certification bodies ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
F The depth of the required Design Documents ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
M Which documents are required for a class I medical device listing US Food and Drug Administration (FDA) 4
S Clarification in organizing required documents for ISO 27001 IEC 27001 - Information Security Management Systems (ISMS) 6
X Documents required by the quality management system shall be controlled ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
S Minimum documents required by AS9100 AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 3
N What Documents are Required for each ISO 9001 Requirement ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
G Rookie to the ISO 9001:2008 World - Required Procedures and Documents ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
M AS9100 Clause 4.2.3 requirements - Documents required by the QMS shall be Controlled AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 13
T Control of Safety Documents Required? ISO 9001:2008 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
R What Documents are required for Application of Brazilian INMETRO IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
K Documents required to display/keep during ISO 9000 Audit in EPCC firm ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 17
W Electronic Distribution of Controlled Documents: Validation required? Qualification and Validation (including 21 CFR Part 11) 5
J ISO 9001:2008 Clause 4.2.3 - What are the required documents? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 24
C ISO 3834-2 references ISO 3834-5 for the list of documents required for conformity Other ISO and International Standards and European Regulations 1
M All Internally Generated Documents ? Required to be Controlled or Not All? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19
C Control of Documents - Is a unique format required? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
S Required documents for Class III Medical Device in Yemen Other Medical Device Regulations World-Wide 3
M List of documents required for engineering service project (CAD/CAM) AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 4
V What documents are required for Education and Training in AS9100 Internal Auditing 3
A Documents required for ISO 17020 vs. ISO 9001? General Measurement Device and Calibration Topics 10
P Required Documents and Document Control in Human Resources for ISO 9001:2000 Document Control Systems, Procedures, Forms and Templates 5
P New product Design & Development for automotive requirements - Documents required Design and Development of Products and Processes 4
T Using References - Required in Quality Documents? Document Control Systems, Procedures, Forms and Templates 2
R Documents required for certification process - AS/EN/JISQ9100 AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 2
E New and revised documents - Acknowledgement of distribution required? Document Control Systems, Procedures, Forms and Templates 3
E Level 3 PPAP with only a few of the required documents? APQP and PPAP 3
R TS16949 Grandfather documents - Control Plans - Required or not based upon date FMEA and Control Plans 4
Howard Atkins TS 16949 Clause 4.2.1 - Required Documents IATF 16949 - Automotive Quality Systems Standard 15
G Control of External Documents - Which documents are required to be controlled? IATF 16949 - Automotive Quality Systems Standard 10
C How long we're required to keep supplier and our PPAP documents? Supplier Quality Assurance and other Supplier Issues 1
M Case study solution help required as per ISO 9001 : 2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 0
R Shall a new UDI-DI be required when stand-alone software device's version is updated? EU Medical Device Regulations 1
A Question on ISO 14001:2015 - Are annual audits required? ISO 14001:2015 Specific Discussions 8
M Is Validation of Plating Processes required and who is responsible? Qualification and Validation (including 21 CFR Part 11) 10
MDD_QNA Medical Device Software - Is a Help Button required? IEC 62304 - Medical Device Software Life Cycle Processes 1
O ISO 13485 - Is management review required before stage 1? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Recent changes to ISO 14971 - SOP required for managing standard revisions ISO 13485:2016 - Medical Device Quality Management Systems 1
Jane's Like-for-like critical raw material change qualification - type of testing/ number of lots required ISO 13485:2016 - Medical Device Quality Management Systems 4
V Manufacturing requirements for respiratory ventilators - clean room required? Medical Device and FDA Regulations and Standards News 6
A When there is a 2 year lapse in production, is a full FAI required? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 2
C Is it required to put"Rx only" on the home page of an app? Medical Device and FDA Regulations and Standards News 4
B IEC 60601-2-10 - Accuracy of Pulse Parameters - Required Measurement Uncertainty IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
S Is Optical Parallel Set required calibration? ISO 17025 related Discussions 1
R Is it required to have an SOP for external audits? Medical Device and FDA Regulations and Standards News 7
Similar threads


















































Top Bottom