Retained Documented Information for Management Reviews

[Perspicuity]

[FONT=&quot]I’m seeking input to the following…….[/FONT]

[FONT=&quot]ISO9001:2008[/FONT]
[FONT=&quot]5.6.1 General[/FONT]
[FONT=&quot]Records from management reviews shall be maintained[/FONT]
[FONT=&quot]5.6.2 Review input[/FONT]
[FONT=&quot]5.6.3 Review output[/FONT]

[FONT=&quot]In the 2008 version of ISO9001 it was clearly understood that records would be maintained, and those records would include the inputs, the outputs and other “general) information that would attest to the effectiveness of the activity (e.g. dates, attendees, etc.). This is understood by the position of the requirement subordinate to 5.6.1 which implies “general” applicability to the management review process.[/FONT]

[FONT=&quot]ISO9001:2015[/FONT]
[FONT=&quot]9.3 Management review[/FONT]
[FONT=&quot]9.3.1 General[/FONT]
[FONT=&quot]9.3.2 Management review inputs[/FONT]
[FONT=&quot]9.3.3 Management review outputs[/FONT]
[FONT=&quot]The organization shall retain documented information as evidence of the results of management reviews.[/FONT]

[FONT=&quot]With the advent of the 2015 version, it is clearly relayed that records will be retained as evidence of the management review “results”. The retention requirement, being noted under 9.3.3, implies its applicability to “outputs”. Additionally, the use of the word "results" (defined as: a consequence, effect, or outcome of something) further implies applicability to outputs and not to either 9.3.1 (General) or 9.3.2 (…..inputs).[/FONT]

[FONT=&quot]This all said, ISO9001:2015 merely states that documented information retained as evidence of management reviews will include:[/FONT]

[FONT=&quot]“Decisions and actions related to opportunities for improvement, any need for changes to the QMS and resource needs.”[/FONT]

[FONT=&quot]My conundrum is a lack of evidence related to inputs and review participation that may be allowed by this new (2015) standard structure and wording. With this, the ability to determine effectiveness of the management review activities is compromised. [/FONT]

[FONT=&quot]IAF literature on documented information and management reviews does not address this topic other than confirming that required records shall be retained.[/FONT]

[FONT=&quot]I am wondering if anyone has explored this anomaly or encountered organizations that would attempt to exploit this gap?[/FONT]

[FONT=&quot]Any and all input is greatly appreciated!
[/FONT][FONT=&quot]
[/FONT]

 

[Sidney Vianna]

IAF literature on documented information and management reviews does not address this topic other than confirming that required records shall be retained....snip...Any and all input is greatly appreciated!

The following is from the ISO APG Paper on the subject:

ISO 9001 requires top management to review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The review could be carried out at a separate meeting but this is not a requirement of the standard. There are many ways in which Top Management can review the quality management system, such as receiving and reviewing a report generated by the management representative or other personnel, electronic communication, or as part of regular management meetings where issues such as budgets and targets are also
discussed.

The management review is a process that should be conducted and audited utilizing the process approach. Organizations need to be able to demonstrate that they have evaluated the effectiveness of actions taken to address risks and opportunities during management review; consequently auditors will be able to obtain objective evidence on the use of this approach. ISO 9001 specifies a number of inputs to the management review process and these topics need to be addressed; however, these are not the only subjects that can be included in a review. It is also acceptable not to address them individually or simultaneously but as part of an overall review of the business. Auditors should be aware that the inputs could be in many forms such as reports, trend charts and so on.

As outputs from the management review process, there should be evidence of decisions regarding:

• changes to the quality policy and objectives,
• plans and possible actions for improvements,
• change of resources,
• revised business plans,
• budgets.​

The outputs may not be only related to improvements or changes, but could also include decisions on other important issues, such as plans to introduce new products. Documented information on management reviews is required, but the format of this is not specified; minutes of meetings are the most common type, but electronic records, statistical charts, presentations etc. could be acceptable types.

The management review process might also include elements of quality management system planning, where changes to processes and systems are being considered. Where this is the case, the auditors should review whether or not the following points have been considered:

• Will changes to the management system, or the business as a whole, have an impact on other parts of the system or business?
• Are proposed changes evaluated before implementation?
• In preparing strategic plans, are issues such as those in clause 4 “Context of the organization” of the standard considered?
• Are the controls needed identified before the outsourcing of a process is begun?​

The management review process should not be an exercise carried out solely to satisfy the requirements of the standard and the auditors; it should be an integral part of the organization’s business management process. An overall management review is a complex process carried out at various levels in the organization. It will always be a two-way process, generated by top management with inputs from all levels in the organization. These activities could vary from daily, weekly, monthly, organizational unit meetings to simple discussions or reports.

Auditors should look for evidence that the inputs and outputs of the management review process are relevant to the organization’s size and complexity and that they are used to improve the business. Auditors should also consider how the organization’s management is structured and how the management review process is used within this structure.

 

[Perspicuity]

Thank you sir!

However, I had previously reviewed the attached IAF/APG document and concluded the following"

1) The document addresses the organization's need to create evidence of "outputs".
2) The document addresses the auditor's need to review evidence of "inputs and outputs".

Unless the auditor is bringing his own management review inputs to the audit, he could be "up a creek w/o a paddle".

The APG document also fails to address records of management review participation or other potentially relevant general data (dates, distribution, etc.).

Thank you again for the input and, as before, I am "all ears" to for feedback!

 

[Golfman25]

Sounds like your over complicating it. Inputs are what they are, showing the state of the system at that time. Things like kpis, audit reports, etc. Most is documented per other procedures. The outputs are plans to address any changes or improvements.

 

[Perspicuity]

Thank you sir!

I was fearful that starting with the simple question would not be correctly received.

I do understand inputs and outputs.

What I do not understand is:

Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?

Thank you again!

 

[AndyN]

Thank you sir!

I was fearful that starting with the simple question would not be correctly received.

I do understand inputs and outputs.

What I do not understand is:

Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?

Thank you again!

Did it? I don't see these listed as records. I believe you're reading too much into the requirements. In essence, the thing hasn't really changed...

 

[Jen Kirley]

What I do not understand is:

Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?

I cannot state clearly why only outputs are required as retained documented information. I can, however offer that some of the inputs may be "living documents" such as that which gets reviewed regarding effectiveness of actions to address risks. I can also offer it is rather difficult to present things like that without documentation, so we should not treat the requirements so differently that we only keep documents from management review because of that one line in the standard.

 

[Sidney Vianna]

Why did ISO9001:2008 require inputs, outputs, participants and dates to be kept as quality records while ISO9001:2015 only requires the outputs to be retained?

I agree with Andy's question. ISO 9001:2008 did not require such things to be maintained as records.

There is a difference between (objective) evidence and records, as, I am sure, you are aware.

Nevertheless, even if we were to go down the path of debating that ISO 9001:2015 is "less prescriptive" than the previous versions, e.g., no mandatory documented procedure, we have to realize that we will never be able to ascribe the underlying reasons for the TC 176 SC WG 24 to have done what they did. In my professional judgement, the committee revising the standard had both good and questionable intentions at the same time.

The questionable intention had to do with the apparent desire to reduce prescriptiveness in the document, as an attempt to make it deployable in a broader scale, which means commercial interests trampled the basic tenets of what a standard should be.

Despite the fact that a management system standard will always have to be more adaptable than a product standard for obvious reasons, if you make a management system standard so loose, so malleable/pliable, so "unprescriptive" (if there is such a word), then, is it still a STANDARD?

If the performance range of "standard-compliant" systems is too broad, do we really have a standard? Especially for a standard with the intent so critical as to provide confidence to stakeholders in the global supply chain.

 

[Perspicuity]

ISO9001:2008
5.6.1 "Top management shall review" (these are participants)
5.6.1 "at planned intervals" (these are dates)
5.6.2 "Review Input" (these are inputs)
5.6.3 "Review Output" (these are outputs)
5.6.1 "Records from management reviews shall be maintained (see 4.2.4)" (this means everything above)
4.2.4 "Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled."

In the case of ISO9001:2008 Section 5.6, records are evidence.

Please tell, which of the above are not really in ISO9001:2008?

Top management must do the review. If it were performed by the CEO's chauffeur, that probably would not be effective. Records are needed of the participants to validate effectiveness.

Planned intervals are needed to prevent reviews from drifting and ensuring commitment for QMS review by leadership. Without dates, there would be no way to tell when the review was done last and when it is due again.

Inputs are needed to achieve outputs. Outputs can only be assessed as suitable if one understands the inputs. If I were to output the number 6, all would be good until one day we realize the input was 15 + 9 and not 15 minus 9.

Outputs are certainly required by 2008 and, in my literal estimation, the only thing required by 2015. Outputs are nice, but only as good as they reflect the accurate crunching of the inputs.

Management reviews have been pencil whipped for years. ISO9001:2015, in my estimation, has paved the way for a whipping like not before seen. It was my intent to spur intelligible discussion on this topic and to see if any awareness was abound to address what I see as a real travesty to the standard's intent. Please accept my apologies for prompting what appears to be spontaneous debate.

Literally humble,
Perspicuity
expect less, get less

 

[Jen Kirley]

Since 2008 said (5.6.1) "Records from management reviews shall be maintained (see 4.2.4)" and 2015 says (9.3.3) "The organization shall retain documented information as evidence of the results of management reviews" we could argue that 2015 is more prescriptive, not less. They at least told us what sort of records were required: the results of management reviews. 2008 left itself open for interpretation, encouraging a range of what amounts to cocktail napkins to complex packages. The records clause would have been more clear if it followed 5.6.3, but it followed only the blurb about including assessment opportunities to improve, and the need for changes to the QMS including policy and objectives.

The question is, are you doing this for the certificate or are you doing this because looking at process performance, changes in issues and effectiveness of actions to address risk is a good practice for the business?

People who pencil whip management reviews are either choosing to "fly blind" or don't like the structure. Some people prefer hallway discussions. The problem with hallway discussions is the communication tends to get lost or leave some important people out; dysfunction can result.

We can call it a travesty if we want, but I'm just not seeing that when actually doing the certification audits. Once people lose their discomfort with the changed language and recognize they are operating to their customers' wants first, their internal needs second and the standard's language following, my customers have been largely fine.