ISO 9000 Standards – Document control procedures

ISO 9000 Standards – Document control procedures

The ISO 9000 Standards requires that a documented procedure be established to define the controls needed.

This requirement means that the methods for performing the various activities required to control different types of documents should be defined and documented.

Although the ISO 9000 standards implies that a single procedure is required, should you choose to produce several different procedures for handling the different types of documents it is doubtful that any auditor would deem this noncompliant. Where this might be questionable is in cases where there is no logical reason for such differences and where merging the procedures and settling on a best practice would improve efficiency and effectiveness.

Documents are recorded information and the purpose of the document
control process is to firstly ensure the appropriate information is available
where needed and secondly to prevent the inadvertent use of invalid
information. At each stage of the process are activities to be performed that
may require documented procedures in order to ensure consistency and
predictability. Procedures may not be necessary for each stage in the process.

Every process is likely to require the use of documents or generate documents and it is in the process descriptions that you define the documents that need to be controlled. Any document not referred to in your process descriptions is therefore, by definition, not essential to the achievement of quality and not required to be under control. It is not necessary to identify uncontrolled documents in such cases. If you had no way of tracing documents to a governing process, a means of separating controlled from uncontrolled may well be necessary.

The procedures that require the use or preparation of documents should also specify or invoke the procedures for their control. If the controls are unique to the document, they should be specified in the procedure that requires the document. You can produce one or more common procedures that deal with the controls that apply to all documents. The stages in the process may differ depending on the type of document and organizations involved in its preparation, approval, publication and use. One procedure may cater for all the processes but several may be needed.
The aspects you should cover in your document control procedures, (some
of which are addressed further in this chapter) are as follows
Planning new documents, funding, prior authorization, establishing need
etc.

- Preparation of documents, who prepares them, how they are drafted,
conventions for text, diagrams, forms etc.
- Standards for the format and content of documents, forms and diagrams.
- Document identification conventions.
- Issue notation, draft issues, post approval issues.
- Dating conventions, date of issue, date of approval or date of distribution.
- Document review, who reviews them and what evidence is retained.
- Document approval, who approves them and how approval is denoted.
- Document proving prior to use.
- Printing and publication, who does it and who checks it.
- Distribution of documents, who decides, who does it, who checks it.
- Use of documents, limitations, unauthorized copying and marking.
- Revision of issued documents, requests for revision, who approves the
request, who implements the change.
- Denoting changes, revision marks, reissues, sidelining, underlining.
Amending copies of issued documents, amendment instructions, and
amendment status.
- Indexing documents, listing documents by issue status.
- Document maintenance, keeping them current, periodic review.
- Document accessibility inside and outside normal working hours.
- Document security, unauthorized changes, copying, disposal, computer
viruses, fire and theft.
- Document filing, masters, copies, drafts, and custom binders.
- Document storage, libraries and archive, who controls location, loan
arrangements.
- Document retention and obsolescence.

With electronically stored documentation, the document database may provide many of the above features and may not need to be separately prescribed in your procedures. Only the tasks carried out by personnel need to be defined in your procedures. A help file associated with a document database is as much a documented procedure as a conventional paper based procedure.

Transition from ISO 9001:2000 to ISO 9001:2008

Transition from ISO 9001:2000 to ISO 9001:2008

This reference guide was developed to help you understand the nature of the changes to theISO 9001 standard.

Clause Change/Emphasis Not Auditable

0.1 General – Added language emphasizing statutory and regulatory requirements are a concern as it relates to products for this international standard.

0.4 Compatibility with Other Management Systems Standards - Emphasis was added on the consideration given to ISO 14001:2004 to ensure that the standards are compatible.

1.1 General

1.2 Application – “Statutory” was added in certain paragraphs to ensure the user is aware that these requirements must be taken into consideration. Additional notes were added to explain that where the word “product” appears, it refers to every stage of its existence, from raw material received to the final product being shipped to the customer.

2. Normative Reference – Reference to ISO 9000 (vocabulary and concepts) was updated to refer to the current revision (i.e. ISO 9000:2005).

3. Terms and Definitions – The supplier/organization/customer model was removed. These relationships, in reality, are not always linears.

The Auditable Requirements
Clause Change/Emphasis
4.1
In 4.1 a, “identify” was replaced with “determine” to emphasize that an organization must give careful consideration to what processes are needed in order to fulfill requirements.
A link is drawn to 7.4 in the additional note. This was done to show that the supplier approval, evaluation, and re-evaluation process is where evidence of controlled outsourced processes should be demonstrated.
4.2.1
References to records and documents were consolidated.
Also, the organization can require records not specified in this international standard that are created and maintained.
4.2.3
Clarification is given to the requirement for outsourced documents. Only those needed for the planning and operation of the QMS need to be controlled. This could exclude documents related to occupational health and safety since ISO 9001 contains requirements only concerned with product (see 0.1).
4.2.4
Rephrased, but no additional clarifications or emphasis added. Editorial change only.
5.5.2
The management representative must be from the organization’s management. This would exclude consultants and other individuals external to the organization (e.g. a management representative from the corporate entity). The purpose of this is to ensure that this individual, entrusted with the responsibilities of championing the quality management system, is not “out of touch” with the organization.
6.2.1
The boundaries of competence only extend to individuals who impact product conformity. However, this does not just include those who are directly involved in production. The decisions made by management affect product conformity; therefore, they must be competent as well.

6.2.2
If said personnel have not yet attained the competence needed to perform the assigned job, then the organization must provide training or some other remedy to ensure that competence is achieved. The organization must also have a mechanism to ensure that personnel have been evaluated based on how well they demonstrate their knowledge and skill (i.e. competence). It is not enough to merely provide training or consider an individual’s experience. The organization must prove to itself that this person can, in fact, perform.
6.3
Infrastructure also includes databases and information technology.
6.4
Emphasis is added in a note to highlight that the concept of “work environment” only extends to product quality.
7.1 c
“Measurement” is added.
7.2.1
“Post-delivery activity” is clarified in a note with examples.
7.3.1
A note emphasizes that design verification, validation, and review are different from one another and serve different purposes. Design review is where the organization evaluates if the design can meet requirements and if any changes need to be made. Design verification is where the organization has ensured that requirements have been met (e.g. is the widget blue and is it hexagonal?). Design validation is where the organization proves that the design can perform as required.
However, the records of design verification, validation, and review do not have to be separate.
7.3.3
Production and service provisions also extend to how product is preserved, handled, etc., to ensure product conformity. See 7.5.1
Design outputs must include requirements related to preservation. See 7.5.5.

7.5.2
Notes were added to give examples of the types of processes where this requirement would apply along with a statement that service organizations should have additional considerations in the planning stages when deficiencies and conformity are not likely to be identified prior to delivery.
7.5.3
Product status must be identified throughout product realization, not just the final product. See 1.2.
7.5.4
Wording was modified to add clarity, but the intent of the requirement has not changed.
7.5.5
Again, emphasis is added that care must be given to preserving the product regardless of where it falls in the realization process.
7.6
An obsolete reference to another ISO document was replaced.
The definition of “monitoring and measuring devices” has been clarified to include equipment and devices that are purposed for monitoring and measuring, regardless of their original or intended purpose.
An additional note regarding software was added.
8.2.2
Document and record requirements were reworded and their placement modified to improve clarity.
The reference to the auditing guidance document was updated (i.e. ISO 19011).

8.2.3
Wording was modified to emphasize that correction and corrective actions are not only to be taken to preserve the conformity of the product, but also to preserve the quality management system. For example, internal rejection/scrap rates could show evidence that the organization is preserving product conformity and is taking intermediate action to prevent bad product from being shipped to their customers; however, it could also be a sign that the organization is not efficient since the higher rejection/scrap rates are undesirable.
A note was added to clarify the meaning of “suitable methods” related to planning, monitoring and measurement processes. Suitability should be determined based on risk and the impact that nonconformity would have on the product or process.
8.2.4
Product can be released to other internal processes despite planned arrangements not being satisfactorily completed as long as it conforms prior to release to the customer. This relaxes requirements on intermediate inspection results and records.
8.3
Actions taken against nonconforming product must be proportional to its impact or potential impact. See 8.2.3 related to impact considerations for monitoring and measurement.
This would mean that in the planning stages of a product, the organization needs to customize responses to nonconforming products based on the risk or potential risk to the organization.
This requirement existed in ISO 9001:2000; however, its location has changed.

8.5.2
Nonconformity can have multiple causes (“cause”; i.e. a singular reason, was used in the 2000 version); therefore, the organization must consider this when conducting root cause analysis.
Also, it is not enough to simply review corrective action and ensure that procedures were changed, personnel have been re-trained, and that processes were amended. The organization must review whether or not the action(s) taken were effective; i.e. did they successfully eliminate the nonconforming condition?
8.5.3
Similar to the new emphasis on the effectiveness of corrective action, the organization must also document whether or not the preventive action(s) taken were effective in eliminating the risk of nonconformity.