Retained Documented Information for Management Reviews

Perspicuity

Starting to get Involved
#1
[FONT=&quot]I’m seeking input to the following…….[/FONT]

[FONT=&quot]ISO9001:2008[/FONT]
[FONT=&quot]5.6.1 General[/FONT]
[FONT=&quot]Records from management reviews shall be maintained[/FONT]
[FONT=&quot]5.6.2 Review input[/FONT]
[FONT=&quot]5.6.3 Review output[/FONT]

[FONT=&quot]In the 2008 version of ISO9001 it was clearly understood that records would be maintained, and those records would include the inputs, the outputs and other “general) information that would attest to the effectiveness of the activity (e.g. dates, attendees, etc.). This is understood by the position of the requirement subordinate to 5.6.1 which implies “general” applicability to the management review process.[/FONT]

[FONT=&quot]ISO9001:2015[/FONT]
[FONT=&quot]9.3 Management review[/FONT]
[FONT=&quot]9.3.1 General[/FONT]
[FONT=&quot]9.3.2 Management review inputs[/FONT]
[FONT=&quot]9.3.3 Management review outputs[/FONT]
[FONT=&quot]The organization shall retain documented information as evidence of the results of management reviews.[/FONT]

[FONT=&quot]With the advent of the 2015 version, it is clearly relayed that records will be retained as evidence of the management review “results”. The retention requirement, being noted under 9.3.3, implies its applicability to “outputs”. Additionally, the use of the word "results" (defined as: a consequence, effect, or outcome of something) further implies applicability to outputs and not to either 9.3.1 (General) or 9.3.2 (…..inputs).[/FONT]

[FONT=&quot]This all said, ISO9001:2015 merely states that documented information retained as evidence of management reviews will include:[/FONT]

[FONT=&quot]“Decisions and actions related to opportunities for improvement, any need for changes to the QMS and resource needs.”[/FONT]

[FONT=&quot]My conundrum is a lack of evidence related to inputs and review participation that may be allowed by this new (2015) standard structure and wording. With this, the ability to determine effectiveness of the management review activities is compromised. [/FONT]

[FONT=&quot]IAF literature on documented information and management reviews does not address this topic other than confirming that required records shall be retained.[/FONT]

[FONT=&quot]I am wondering if anyone has explored this anomaly or encountered organizations that would attempt to exploit this gap?[/FONT]

[FONT=&quot]Any and all input is greatly appreciated!
[/FONT][FONT=&quot]
[/FONT]
 
Elsmar Forum Sponsor

Sidney Vianna

Post Responsibly
Staff member
Admin
#2
IAF literature on documented information and management reviews does not address this topic other than confirming that required records shall be retained....snip...Any and all input is greatly appreciated!
The following is from the ISO APG Paper on the subject:

ISO 9001 requires top management to review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The review could be carried out at a separate meeting but this is not a requirement of the standard. There are many ways in which Top Management can review the quality management system, such as receiving and reviewing a report generated by the management representative or other personnel, electronic communication, or as part of regular management meetings where issues such as budgets and targets are also
discussed.

The management review is a process that should be conducted and audited utilizing the process approach. Organizations need to be able to demonstrate that they have evaluated the effectiveness of actions taken to address risks and opportunities during management review; consequently auditors will be able to obtain objective evidence on the use of this approach. ISO 9001 specifies a number of inputs to the management review process and these topics need to be addressed; however, these are not the only subjects that can be included in a review. It is also acceptable not to address them individually or simultaneously but as part of an overall review of the business. Auditors should be aware that the inputs could be in many forms such as reports, trend charts and so on.

As outputs from the management review process, there should be evidence of decisions regarding:

• changes to the quality policy and objectives,
• plans and possible actions for improvements,
• change of resources,
• revised business plans,
• budgets.​

The outputs may not be only related to improvements or changes, but could also include decisions on other important issues, such as plans to introduce new products. Documented information on management reviews is required, but the format of this is not specified; minutes of meetings are the most common type, but electronic records, statistical charts, presentations etc. could be acceptable types.

The management review process might also include elements of quality management system planning, where changes to processes and systems are being considered. Where this is the case, the auditors should review whether or not the following points have been considered:

• Will changes to the management system, or the business as a whole, have an impact on other parts of the system or business?
• Are proposed changes evaluated before implementation?
• In preparing strategic plans, are issues such as those in clause 4 “Context of the organization” of the standard considered?
• Are the controls needed identified before the outsourcing of a process is begun?​

The management review process should not be an exercise carried out solely to satisfy the requirements of the standard and the auditors; it should be an integral part of the organization’s business management process. An overall management review is a complex process carried out at various levels in the organization. It will always be a two-way process, generated by top management with inputs from all levels in the organization. These activities could vary from daily, weekly, monthly, organizational unit meetings to simple discussions or reports.

Auditors should look for evidence that the inputs and outputs of the management review process are relevant to the organization’s size and complexity and that they are used to improve the business. Auditors should also consider how the organization’s management is structured and how the management review process is used within this structure.
 
Last edited:

Perspicuity

Starting to get Involved
#3
Thank you sir!

However, I had previously reviewed the attached IAF/APG document and concluded the following"

1) The document addresses the organization's need to create evidence of "outputs".
2) The document addresses the auditor's need to review evidence of "inputs and outputs".

Unless the auditor is bringing his own management review inputs to the audit, he could be "up a creek w/o a paddle".

The APG document also fails to address records of management review participation or other potentially relevant general data (dates, distribution, etc.).

Thank you again for the input and, as before, I am "all ears" to for feedback!
 

Golfman25

Trusted Information Resource
#4
Sounds like your over complicating it. Inputs are what they are, showing the state of the system at that time. Things like kpis, audit reports, etc. Most is documented per other procedures. The outputs are plans to address any changes or improvements.
 

Perspicuity

Starting to get Involved
#5
Thank you sir!

I was fearful that starting with the simple question would not be correctly received.

I do understand inputs and outputs.

What I do not understand is:

Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?

Thank you again!
 
#6
Thank you sir!

I was fearful that starting with the simple question would not be correctly received.

I do understand inputs and outputs.

What I do not understand is:

Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?

Thank you again!
Did it? I don't see these listed as records. I believe you're reading too much into the requirements. In essence, the thing hasn't really changed...
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#7
What I do not understand is:

Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?
I cannot state clearly why only outputs are required as retained documented information. I can, however offer that some of the inputs may be "living documents" such as that which gets reviewed regarding effectiveness of actions to address risks. I can also offer it is rather difficult to present things like that without documentation, so we should not treat the requirements so differently that we only keep documents from management review because of that one line in the standard.
:2cents:
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#8
Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?
I agree with Andy's question. ISO 9001:2008 did not require such things to be maintained as records.

There is a difference between (objective) evidence and records, as, I am sure, you are aware.

Nevertheless, even if we were to go down the path of debating that ISO 9001:2015 is "less prescriptive" than the previous versions, e.g., no mandatory documented procedure, we have to realize that we will never be able to ascribe the underlying reasons for the TC 176 SC WG 24 to have done what they did. In my professional judgement, the committee revising the standard had both good and questionable intentions at the same time.

The questionable intention had to do with the apparent desire to reduce prescriptiveness in the document, as an attempt to make it deployable in a broader scale, which means commercial interests trampled the basic tenets of what a standard should be.

Despite the fact that a management system standard will always have to be more adaptable than a product standard for obvious reasons, if you make a management system standard so loose, so malleable/pliable, so "unprescriptive" (if there is such a word), then, is it still a STANDARD?

If the performance range of "standard-compliant" systems is too broad, do we really have a standard? Especially for a standard with the intent so critical as to provide confidence to stakeholders in the global supply chain.
 

Perspicuity

Starting to get Involved
#9
ISO9001:2008
5.6.1 "Top management shall review" (these are participants)
5.6.1 "at planned intervals" (these are dates)
5.6.2 "Review Input" (these are inputs)
5.6.3 "Review Output" (these are outputs)
5.6.1 "Records from management reviews shall be maintained (see 4.2.4)" (this means everything above)
4.2.4 "Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled."

In the case of ISO9001:2008 Section 5.6, records are evidence.

Please tell, which of the above are not really in ISO9001:2008?

Top management must do the review. If it were performed by the CEO's chauffeur, that probably would not be effective. Records are needed of the participants to validate effectiveness.

Planned intervals are needed to prevent reviews from drifting and ensuring commitment for QMS review by leadership. Without dates, there would be no way to tell when the review was done last and when it is due again.

Inputs are needed to achieve outputs. Outputs can only be assessed as suitable if one understands the inputs. If I were to output the number 6, all would be good until one day we realize the input was 15 + 9 and not 15 minus 9.

Outputs are certainly required by 2008 and, in my literal estimation, the only thing required by 2015. Outputs are nice, but only as good as they reflect the accurate crunching of the inputs.

Management reviews have been pencil whipped for years. ISO9001:2015, in my estimation, has paved the way for a whipping like not before seen. It was my intent to spur intelligible discussion on this topic and to see if any awareness was abound to address what I see as a real travesty to the standard's intent. Please accept my apologies for prompting what appears to be spontaneous debate.

Literally humble,
Perspicuity :)
expect less, get less
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#10
Since 2008 said (5.6.1) "Records from management reviews shall be maintained (see 4.2.4)" and 2015 says (9.3.3) "The organization shall retain documented information as evidence of the results of management reviews" we could argue that 2015 is more prescriptive, not less. They at least told us what sort of records were required: the results of management reviews. 2008 left itself open for interpretation, encouraging a range of what amounts to cocktail napkins to complex packages. The records clause would have been more clear if it followed 5.6.3, but it followed only the blurb about including assessment opportunities to improve, and the need for changes to the QMS including policy and objectives.

The question is, are you doing this for the certificate or are you doing this because looking at process performance, changes in issues and effectiveness of actions to address risk is a good practice for the business?

People who pencil whip management reviews are either choosing to "fly blind" or don't like the structure. Some people prefer hallway discussions. The problem with hallway discussions is the communication tends to get lost or leave some important people out; dysfunction can result.

We can call it a travesty if we want, but I'm just not seeing that when actually doing the certification audits. Once people lose their discomfort with the changed language and recognize they are operating to their customers' wants first, their internal needs second and the standard's language following, my customers have been largely fine.
 
Thread starter Similar threads Forum Replies Date
S Retained samples from each batch of spinal implant medical screws that we make ISO 13485:2016 - Medical Device Quality Management Systems 7
Q Do hard copies of quality records have to be retained? ISO 13485:2016 - Medical Device Quality Management Systems 2
J Should Documents and Records Retention pertaining to Implants retained for 15 years? Document Control Systems, Procedures, Forms and Templates 7
S Supplier Retained Records Requirements - AS9100 4.2.4 Control of Records AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 6
C Control of Records retained outside ISO 9001 Scope Records and Data - Quality, Legal and Other Evidence 5
T What is the basis for retained documents? Medical device manufacturer - FDA/GMP Document Control Systems, Procedures, Forms and Templates 9
Q 'Retained Quality Samples' from each manufacturing batch - Thoughts on this please ISO 13485:2016 - Medical Device Quality Management Systems 8
P Customer Furnished Drawings Retained? Control of Documents of External Origin Records and Data - Quality, Legal and Other Evidence 4
S Specific records to be retained for Class II devices per 820.184 DHR ISO 13485:2016 - Medical Device Quality Management Systems 8
D Obsolete and current PPAP retained for the life plus one year of the product APQP and PPAP 4
J Document control - ISO 13485:2003 - Obsolete controlled documents shall be retained? Document Control Systems, Procedures, Forms and Templates 7
S AIAG PPAP Manual pg 16 - PPAP requirements shall be retained at appropriate locations APQP and PPAP 2
T Controlled Forms or documented requirements for records? ISO 13485:2016 - Medical Device Quality Management Systems 2
qualprod Documented actions and changes in the QMS by COVID 19 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
C Missing routers/documented information Nonconformance and Corrective Action 5
K AS9100D Clause 7.5.2.a) - What is considered to be "documented information"? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
Q AS9120 7.5.3.2 Control of Documented Information - Audit Nonconformance AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 20
J ISO 17025 Documented Procedure for 6.2.5 - Determining competency ISO 17025 related Discussions 4
L VDA 1 Documented Information and Retention (new revision 4, August 2018) VDA Standards - Germany's Automotive Standards 0
M Quality System Processes without Documented Procedures Document Control Systems, Procedures, Forms and Templates 39
C Significant Organizational Changes - Documented Responsibilities Document Control Systems, Procedures, Forms and Templates 4
B Documented process for type and extent of control IATF 16949 - Automotive Quality Systems Standard 6
K Documented problem solving and documented error-proofing - IATF 16949 10.2.3 & 10.2.4 Internal Auditing 7
Q Stage 1 audit observations - documented report? General Auditing Discussions 5
H Documented processes required by IATF 16949 section 4.4.1 IATF 16949 - Automotive Quality Systems Standard 1
H New IATF 16949 required Documented Processes IATF 16949 - Automotive Quality Systems Standard 5
S ISO 13485 Cl. 5.4.2 - Is Documented Quality Planning required? ISO 13485:2016 - Medical Device Quality Management Systems 2
A How to Handle Documented Information in an online database for ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
E IATF 16949 Cl. 7.1.5.1 - Documented information as evidence of fitness for purpose IATF 16949 - Automotive Quality Systems Standard 3
B IATF 16949 Cl. 7.3.2 - Documented Process (Effectiveness & Efficiency) IATF 16949 - Automotive Quality Systems Standard 7
R IATF requirement of Documented QMM incorporation of CSR's into the processes? IATF 16949 - Automotive Quality Systems Standard 2
Q Risk Based Thinking - Is a Documented Procedure required? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 15
S ISO9001:2015 Cl. 4.4.1 - What Processes Do I Need Documented ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
S ISO 9001:2015 - Required Processes and required Documented Processes ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
K Documented Information Turtle Diagram IATF 16949 - Automotive Quality Systems Standard 2
M [Student] Documented Process vs Documented Procedure IATF 16949 - Automotive Quality Systems Standard 5
A Documented Processes as per IATF16949 - Requirements for Turtle Diagrams IATF 16949 - Automotive Quality Systems Standard 3
R How to Control Videos as part of the QMS Documented Procedures and Instructions Document Control Systems, Procedures, Forms and Templates 2
A ISO 9001:2015 Clause 9.3.2 - Management Review Inputs must be Documented? Management Review Meetings and related Processes 15
N Must Bioburden Sampling Procedures be Documented? Other Medical Device Related Standards 5
W Documented Problem-Solving for Automotive IATF 16949 - Automotive Quality Systems Standard 4
Ninja What is the most useless {real} documented procedure you've seen? Coffee Break and Water Cooler Discussions 4
Q "Documented Procedure" Health Canada Canada Medical Device Regulations 8
T Notification of affected parties of Updated Documented Procedures ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
T AS9100C Processes which need to be documented AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 7
C AS9100 Requirement Definition - Defined vs. Documented AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 14
J Can the mandatory procedures of ISO 9001-2008 be documented within one procedure? Document Control Systems, Procedures, Forms and Templates 5
J Recycling Procedure (ISO9001) - Do I need a documented process ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
C ISO 13485 - Documented Requirements for Risk Management ISO 13485:2016 - Medical Device Quality Management Systems 6
M HACCP vs. ISO 22000 Documented Procedure requirements Food Safety - ISO 22000, HACCP (21 CFR 120) 1

Similar threads

Top Bottom