cgaro62
Starting to get Involved
********************************Good day @cgaro62 ;
As mentioned by @Cari Spears , there is no such requirement for a "periodic review". I have seen this erroneous "requirement" burden other organizations. I even had one client who had annual "due dates" established in a data base and they were holding themselves accountable (their own internal documented requirements), to annually review EVERY document in their QMS as part of some misguided belief that it was a requirement.
I have found that this misguided belief usually comes from 7.5.2 c) of ISO 9001, which requires "review and approval for suitability and adequacy". You will notice two important things, however...
1- There is no stipulated frequency or periodic requirement. In fact....
2- This requirement is within the scope of "Creating and Updating" . In other words, when an organization decides to create a controlled document (i.e. critical to quality, ...i.e. if that document is "wrong or gone" it can lead to a nonconformance), then the organization should review to make sure it is suitable and adequate before releasing that document (or updating it).
Here are the requirements from ISO 9001:
ISO 9001:2015
7.5.2 Creating and updating
c) review and approval for suitability and adequacy.
In regards to ISO 13485, the requirement is specific to ...
1- Prior to use (again, as with 9001, don't implement a document without the necessary review/approvals to ensure adequacy.)
2- The requirement is for a governing process of "Control of documents" which identifies your organization's governing requirements ("controls needed")...necessary to "review, update as necessary, and re-approve documents".
Here are the requirements from ISO 13485:
ISO 13485:2016
4.2.4 Control of documents
a) review and approve documents for adequacy prior to issue;
b) review, update as necessary and re-approve documents;
In regards to your consultants council. Hmmmm. The only way what you are doing is a problem is if REVIEW is not being done at the creation, revision (update) and approval of controlled documents.
Question your consultant's advice in this situation.
Hope this helps
Be well.
Hi John C. Abnet,
Thank you for your reply.
13485:2016, 4.2.4 begins the description of requirements for a documented procedure with "shall define the controls needed to..." prior to listing the requirements. As you show above, bullet b) is the second "review" along with "update as necessary and re-approve.." I have always taken this to mean that not only newly created documents but also any changes to existing documents are also reviewed and approved prior to release.
At my company, we also conduct a periodic review to ensure continued suitability & applicability (9001:2015), are you saying a review of this nature isn't required?
Here, every document that makes up our QMS is reviewed for content prior to approval - which is a good thing. Revised documents are also reviewed to ensure that the changed, or added, content is applicable and has also not altered the intent or purpose of the document. We also use internal audits as a second set of eyes (so to speak) - since the auditor is reviewing the internal document, first against the standard's requirements and then against the respective process to ensure compliancy, in preparation for their audit. This is the consultant's issue - that we use internal audits for this at all. To be sure, that is not the intent of the internal audit, but, if a discrepancy or issue is found during audit preparation, it is brought to the attention of the document owner and myself, as well as noted on the audit report.
Are you saying as long as an internal audit is not the only means for review - at the creation or revision of an internal document, this is okay. is that correct?
To answer John B's question: Yes, we do audit all of our processes which includes document review and approval as part of the document control procedure/process. And I agree John B, I want my auditors to focus on the audit at hand, however if during their audit preparation they discover an issue with the procedure, document or forms then that "second set of eyes" is working.
Responding to Tagin's statement: ISO 19011:2018 4e) also states in the last paragraph, "for small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited ...."
While a small company may get away with an auditor having to possibly audit in their own area, that is not the case here. We do not have employees who conduct the process and audit of that process at the the same time. Our auditors are not permitted to audit their own work or in areas where they are assigned. That being said, our operator's are trained to check their documentation and process; to stop and question it if something appears to be incorrect or amiss. Does that make sense?
Thank you all! Great input as it has all been very helpful.