ISO Requirements or Good Documentation Practices?

 

Calibration

Question

Are these standard for ISO or just good documentation practices?

1. All entries, except IPQA, should be made with blue ball pen in clear and legible handwriting.
2. IPQA entries shall be done in black ball pen.
Answer

I can sense what it is happening at the place where this question originated. In the past, I saw a company where the person in charge of the Quality System was saying “this is a ISO requirement” to enforce what in this person’s opinion was a best practice. Nobody questioned those statements because “it is an ISO requirement”. So, the answer to the question is, those are best practices, not ISO requirements. Please see below the ISO 9001:2015’s clause pertaining to this question.

7.5.3 Control of documented information

7.5.3.1 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

  1. a)       it is available and suitable for use, where and when it is needed;
  2. b)       it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:

  1. a)       distribution, access, retrieval and use;
  2. b)       storage and preservation, including preservation of legibility;
  3. c)       control of changes (e.g. version control);
  4. d)       retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.

Documented information retained as evidence of conformity shall be protected from unintended alterations.

NOTE  Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

As you can see, no reference to any ink color whatsoever. Legal documentation tends to be completed by using blue ink to differentiate originals from Xerox copies. However, today’s technology allows us to have color copies.

Regards,

Aura Stewart

Document Revision Criteria

ISO documentation practices, requirements

Question

Is there any criteria available for the frequency of document revision in ISO 9001 or ISO 13485?  Some organization don’t revise the documents for a period of more than 2-3 years.  The reason provided by the organization is that there were no changes during this period. Do ISO standards mandate the revision of documents within a certain time frame? Can we treat this as non-compliance, if the documents are not revised over a period of 2-3 years ?
Answer

There are no criteria nor a requirement for document revision in ISO 9001:2015, 7.5.

ISO 13485:2016, 4.2.4, states, “review, update as necessary and re-approve documents.” This leave the review to the discretion of the organization.

Thus, there is no mandatory review frequency and no non-conformance if documents are not revised within a determined time frame.  ISO 13485 does require a review, however. But, the frequency of the review is not mandated.

George Hummel

ISO 9001:2015 Documented Information Requirements

ISO documentation practices, requirements

Question

I am trying to ascertain if I need to write a Quality Manual to comply with ISO 9001:2015. I see some clauses require ‘documented information’. Do I just address those or the entire document?

Answer

Thank you for the question.

To begin with, the new ISO 9001:2015 Standard does not present a requirement for a Quality Manual. Those requirements are now part of Clause 4.3 and 4.4 of the new standard. That information “shall” be maintained as documented information.

You would be wise to 1] Acquire a copy of the 9001:2015 standard if you haven’t already done so. 2] Check in ASQ.org for information explaining the new terminology related to the standard. 3] Consider pursuing the services of a quality consultant for thorough guidance.

Respectfully,

Bud Salsbury
ASQ Senior Member, CQT, CQI

ISO 9001 Electronic Records

Reviewing confidential files, training records, human resources filesQ: I have a few questions about employee training records.  My company is certified to ISO 9001:2008 Quality management systems–Requirements, and we are considering transitioning to electronic records. However, we don’t know what the requirements are from an ISO perspective. Specifically, we want to know:

1. Do we need to retain hardcopy originals, or can we just keep the scanned electronic copies?

2. Does a record need to be in each individual’s file, or can there be a spreadsheet, cross reference-type matrix?

3. How long do they need to be retained?

4. Are there different requirements for environmental and safety type training records?

A: Thank you for contacting the ASQ Ask the Experts Program. Responses to your specific inquiries follow:

  1.  You may retain records in any format or media you desire.  You do not need both hardcopy and electronic.

2. You may use a spreadsheet matrix.

3. Retention times are your determination. Consult with the corporate attorney as to any requirements from the U.S. Equal Employment Opportunity Commission to protect yourself if there is a lawsuit (assuming your organization is located in the United States).

4. Check with the U.S. Occupational Safety and Health Administration (OSHA) and the U.S. Environmental Protection Agency (EPA) regarding requirements for these records.  These are outside the scope of ISO 9001.

George Hummel
Voting member of the U.S. TAG to ISO/TC 176 – Quality Management and Quality Assurance
Managing Partner
Global Certification-USA
www.globalcert-usa.com/
Dayton, OH

Related Content:

Browse the articles below, or find more open access articles and resources about documentation practices in ASQ Knowledge Center search results.

Geometrica Builds ISO 9001 QMS on Wiki, ASQ Knowledge Center

Geometrica, a manufacturer of domes and free-style structures, used a wiki to document its ISO 9001:2008 quality management system. The company attributes its fast track to certification—nine months from beginning to certification—to the ease and efficiency of wikis. Read the case study.

Consultants’ Style: Sometimes Less Is More, Quality Progress

Many small to medium sized organizations hire consultants to help them attain ISO 9001 and ISO 14001 registration. Consultants who base their advice on the organization’s existing practices and do less documentation are usually more effective. Ten companies share their experiences. Read the article.

Explore the ASQ Knowledge Center for more case studies, articles, benchmarking reports, and more.

Browse ASQ magazines and journals here.

ISO 9001 Certification to Meet Customer Requirements

Training, completed training, competance

Q: My company is a small manufacturer that makes one product that I designed and engineered. We have a contract to produce the part for a much larger company. The larger company wants us to become certified to ISO 9001:2008 Quality management systems — Requirements. The company has sent its auditor/Six Sigma black belt to our plant for the third time and stated that our operators (three employees, myself included) are not trained because the training matrix is not filled out.

The auditor also stated that our work instructions are not adequate, that our process flow charts are not good enough, and that our forms (all five forms we use in-house) are not compliant because they lack a form number printed on them. Is there a clear definition of what is required by ISO on any of these items?

We currently have a 2.5 percent nonconformance rate on our parts. These are identified at our 100 percent inspection points – at three, four, or five. Out of the 2.5 percent nonconformance, the 2 percent are able to be reworked and the 0.5 percent is scrapped.

A: Your question has several layers so I will try to offer what answers I think will help.

To begin with, I have to assume that you have a copy of the ISO 9001 standard. If you do not have a copy, you must get one.

At the same time, it would benefit you to acquire the services of a consultant or you can purchase one of the many books that are available which would help you along the way.

(Editor’s note: Browse a list of popular ISO 9001 titles below this Q&A)

Now, in ISO 9001:2008, clause 6.2.2 states that you “shall” do five things with regard to competence, training and awareness.

In ISO documentation, the word “shall” indicates a requirement.  Basically, you are required to identify (document) the training requirements of those whose work can affect conformity to product requirements. There is nothing in the standard that says you must have a “matrix.”

You must have a record showing the training has been completed and of its effectiveness. You must also verify each employee’s competence in doing his/her job on their own. Competence is important. Keep that in mind.

You mentioned in your inquiry that your customer states your work instructions are not adequate, that the process flow charts are not good enough, and that your forms are not compliant because they lack a form number printed on them.

To begin, the standard requires just six documented procedures.

  • Clause 4.2.3 Control of documents
  • Clause 4.2.4 Control of records
  • Clause 8.2.2 Internal quality audits
  • Clause 8.3 Control of nonconforming product
  • Clause 8.5.2 Corrective action
  • Clause 8.5.3 Preventive action

Your written procedures need to be compliant with the standard they are for. (By the way, Most companies have more than just six documented procedures, as it helps their Quality Management System to operate more efficiently)

As for process flow charts I am thinking you are referring to work instructions. The 9001:2008 standard says that work instructions should be available “as necessary.” If you have work instructions written and they are readily available, the auditor should have no cause for concern there.

In addressing your mention of “flow charts,” in all fairness, I cannot respond completely without actually seeing the flow charts in question.  If you mean the process flow charts which often accompany a documented procedure to show a “map” of the process, then you should read clause 4.1 of the standard. You would find that you are required to show “interactions” of the processes. There are no actual ISO requirements for flow charts, but many companies use that format to show the interactions, often in their quality manual. You would need to determine if flow charts are needed to ensure consistent quality.

Finally, let’s talk about forms. How you control your forms or the format should be mentioned in your document control procedure (4.2.3).

Each type of form would need a title, a revision number or letter, and a revision date.  Having a record of these makes it easy to identify which version of a document you are using and if it is the correct revision.

I know that approaching ISO compliance can seem like a bigger than life challenge at first. However, for every step you take, you will realize that standards are beneficial and not nearly as complicated as they might first appear to be.  As noted above, you might want to consider a consultant and/or acquire some reference material. Your customer’s auditor can become a friendly associate.

As a senior member of ASQ, I salute you for running a business dedicated to quality.

Bud Salsbury
ASQ Senior Member, CQT, CQI

ASQ Quality Press books to help you implement ISO 9001:

ISO 9001:2008 for Small and Medium-Sized Businesses, Second Edition

This handbook was developed to help small and medium-sized organizations better understand ISO 9001:2008. It is intended to facilitate implementation and improvement. The establishment, implementation, and maintenance of an ISO 9001–compliant quality management system (QMS) should allow the organization to experience multiple benefits beyond the achievement of certification. Organizations should also see improvements in the quality of products, customer satisfaction, and process effectiveness—all of which ultimately have a positive impact on the bottom line.

Learn more.

A Practical Field Guide for ISO 9001:2008

The purpose of this field guide is to assist organizations, step by step, in implementing a quality management system (QMS) in conformance with ISO 9001:2008, whether from scratch or by transitioning from ISO 9001:2000. It examines each sub-clause of Sections 4–8 of ISO 9001:2008, which contain the requirements, and gives a list of the documentation/documents required, internal audit questions, a summary of management’s responsibilities, and a flowchart of the steps that need to be undertaken to satisfy the requirements. It also includes a sectional cross-evaluation that shows where the requirements in each sub-clause within ISO 9001:2000 appear in ISO 9001:2008.

Learn more.

ISO 9001:2008 Explained, Third Edition

This book explains the meaning and intent of the requirements of ISO 9001:2008 and discusses the requirements as they relate to each product category. Where appropriate, it elaborates on why the requirements are important. It includes a list of typical audit-type questions that an organization may use to appraise compliance with the requirements.

Learn more.

ISO 9001 & Time to Retrieve Records

Q: I am looking for an interpretation for ISO 9001:2008 Quality management systems–Requirements, clause 4.2.4 Control of records: “Records shall remain legible, readily identifiable and retrievable.”

What is considered readily retrievable (i.e., 24 hrs, 48 hrs, 8 hrs, 1 hr)? I have a customer who thinks traceability records should be available within an hour of a request. I interpret readily as 24 hrs. The current ISO and TS specifications do not indicate a time, so a reasonable time to me is 24 hrs to pull the information together.

In addition, the customer’s supplier requirements also do not have any specified time for document retrieval. I did contact our third party registrar auditor and he indicated that 24 hrs would be considered readily retrievable as long as there were no customer specific requirements.

A: There appears to be some confusion between records being “readily retrievable” vs. a customer’s request for the delivery of copies of records.  These are two separate issues.

The first issue:  What is meant by “readily retrievable?”  ISO 9001 does not prescribe any specific timeline or define the term “readily retrievable.”  However, the intent of this requirement is to ensure that objective evidence is available to provide proof of conformance or evidence that requirements have been met.  If the organization is unable to provide records upon request during an audit, the auditor will very likely document this as a nonconforming condition. Records must be available upon demand.

The second issue is response time to customer requests for records.  Although records or evidence of conformance may be “readily retrievable” within the organization,  the response time needed for an organization to provide copies of records to a customer may vary based upon the organization’s work load and availability of resources.   So, it may take an organization an hour, a day or a week to deliver copies of records to a customer.  In the event that the timely delivery of records is critical, requirements for the delivery of records should be stated in a contract or in a PO to provide a timeline or a delivery schedule.  The delivery of copies of records or documents to customers is not addressed in ISO 9001, clause 4.2.4.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

AS9100 production rough card

Q: According to our customer requirement, our quality inspectors are signing each step in production rough card in the following way: they apply their personal stamp (which includes their first and last name and personal number), add add a manual signature and date. I tried to convince our customer to give us permission to eliminate the manual signature (as the personal stamp and date are enough), but he doesn’t agree with me.

Is there any official standard for this procedure? I was not able to find any special requirement for this in AS9100 Rev. C  – Requirements for Aviation, Space and Defense Organizations.

A: The AS9100 standard does not dictate any specific method of recording that a production step (clause 7.5.1) or verification step (clause 8.2.4) is complete. AS9100 does require the organization to comply with customer requirements. So this is a requirement which you need to discuss with your customer.

Buddy Cressionnie
International Aerospace Quality Group Americas AS9100 Lead
Voting member of the U.S. TAG to ISO/TC 176
Southlake, TX

Standard Vs. Specification and Guidance Documents

Standards, specifications, guidance, and research

Q: What is the difference between a standard and a specification?

A: There is no single or simple answer to your question. The answer depends upon the context of the question. Relative to the ANSI/ISO/ASQ Q9000 Series: Quality management standards, I direct you to ANSI/ISO/ASQ Q9000:2005 Quality management systems – Fundamentals and vocabulary.

ISO 9000:2005 defines specification as a document that states requirements. A specification can be related to activities (e.g. procedure document, process specification and test specification), or products (e.g. product specification, performance specification and drawing).

ISO 9000:2005 does not define “standard”. The first part of the ISO 9000:2005 introduction reads:

“The ISO 9000 family of standards listed below has been developed to assist organizations, of all types and sizes, to implement and operate effective quality management systems.

ISO 9000 describes fundamentals of quality management systems and specifies the terminology for quality management systems.

ISO 9001 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide products that fulfill customer and applicable regulatory requirements and aims to enhance customer satisfaction.

ISO 9004 provides guidelines that consider both the effectiveness and efficiency of the quality management system. The aim of this standard is improvement of the performance of the organization and satisfaction of customers and other interested parties.

ISO 19011 provides guidance on auditing quality and environmental management systems.

Together they form a coherent set of quality management system standards facilitating mutual understanding in national and international trade.”

In other words…

ISO 9000 is a standard that describes fundamentals and specifies the terminology.

ISO 9001 is a standard that specifies requirements.

ISO 9004 is a standard that provides guidelines.

ISO 19011 is a standard that provides guidance.

This implies that a standard is a formal document that establishes uniform criteria, methods, processes and practices — which may or may not be requirements.

ISO 9000:2005 also makes a distinction between quality management system requirements and requirements for products using the terms “specifications” and “standards.” It states:

“The ISO 9000 family distinguishes between requirements for quality management systems and requirements for products.

Requirements for quality management systems are specified in ISO 9001. Requirements for quality management systems are generic and applicable to organizations in any industry or economic sector regardless of the offered product category. ISO 9001 itself does not establish requirements for products.

Requirements for products can be specified by customers or by the organization in anticipation of customer requirements, or by regulation. The requirements for products and in some cases associated processes can be contained in, for example, technical specifications, product standards, process standards, contractual agreements and regulatory requirements.”

Joe Tsiakals
Voting member of the U.S. TAG to ISO/TC 176 (ASQ)
Voting member of the U.S. TAG to ISO/TC 210 (AAMI)

ISO 9001 SOPs for HR and IT Departments

Mr. Pareto Head and IT

Q: My company wants to become certified to ISO 9001:2008 Quality management systems–Requirements by the end of this year. We have nearly all of our common standard operating procedures (SOPs) identified and written. But some of our departments—HR and IT in particular—are proving to be a little more difficult as far as identifying activities we might need to document.

Could you provide a few examples of procedures that might be available for  an IT and HR department? More specifically, I’m looking for examples of what others may have done with ISO 9001:2008 in conjunction with corresponding SOPs.

A: ISO 9001:2008 specifically requires the organization to have documented procedures for the following six activities:

4.2.3 Control of documents.
4.2.4 Control of records.
8.2.2 Internal audit.
8.3 Control of nonconforming product.
8.5.2 Corrective action.
8.5.3 Preventive action.

From an ISO 9001:2008 perspective, there are no mandatory procedures required for HR or IT departments as supporting functions for an organization. It is recommended, however, that you have your processes documented to ensure accountability for actions, consistency and standardization.

When there are many employees involved in various organizational functions, the hand-offs between the functions and employees can blur, with little to no accountability for the final outcome. In addition, having processes undocumented is not scalable, repeatable and reproducible as the organization grows larger.

The ISO 9001 website guideline further clarifies that the extent of the quality management system’s documentation can differ from one organization to another based on:

The size of organization and type of activities.
The complexity of processes and their interactions.
The competence of personnel.

While this may not be the right forum to share examples of SOPs, I can provide a typical list of ISO 9001:2008 procedures that may be applicable to HR and IT functions.

A better way to develop procedures for the listed processes is to bring the stakeholders and experts together, map the process in its current state, brainstorm, identify and remove nonvalue-added activities, and then reissue a new value-added procedure.

Typical SOPs in HR

  •     HR planning process.
  •     New employee orientation process, including mandatory training and certifications.
  •     Training needs analysis.
  •     Employee training and development process, which also includes training, skill competency assessments, periodic evaluations and certifications.

Typical SOPs in IT

  •     IT resource planning process.
  •     Data archival, retention, backup and disaster recovery process.
  •     IT hardware and software maintenance and information security management process.
  •     Quality information systems, including infrastructure planning, implementation and improvement.

Govind Ramu
Senior manager, quality systems
SunPower Corp.
San Jose, CA

Ask A Librarian

ISO 9001 Clause 7.5.1 Work Instructions

Mr. Pareto Head and standard work

Q: Within my organization there has been much debate on what a work instruction is. The term work instruction is not defined in the ISO 9001-2008 Quality management systems—Requirements standard (appears in clause 7.5.1).

Our question is that if the organization is providing services such as maintenance and repair of the customer’s equipment, and the customer provides maintenance and repair manuals and publications for this equipment to the organization, would this literature satisfy the requirements of ISO 9001:2008 as work instructions? Any assistance provided would be greatly appreciated.

A: You are correct when you state that “work instructions” is not defined in ISO 9001:2008, nor is it in ISO 9000:2005 Quality management systems–Fundamentals and vocabulary.

Terms are not defined by the Technical Advisory Group (the standard developers)  when it is felt that the general accepted usage is clear and unambiguous. Such is the case with this term. A work instruction is simply what the name implies, instructions to do work. Written instructions might not be necessary and so the phrase “as necessary” is in the text of the standard. It depends on your specific situation.

The challenge to comply with the requirements of clause 7.5.1 is not in the definition (or lack of definition) of work instructions. It is planning and carrying out production and service work under controlled conditions.

Are your work processes controlled? This clause identifies six elements that need to be considered. Work instructions are one of the six elements. Do your operators know what to do? Are they trained? Do they need written instructions? In general, you must make this call, not an auditor. If you are challenged by an auditor, you need to be able to defend you position. But there is no hard and fast rule here.

Let me note that telltale signs of lack of control are frequent errors, defects and rejects. This indicates to an auditor that you don’t have a controlled process. You need to tighten things down including addressing those of the six elements that are at the root cause of your process failures. You might need work instructions or improved work instructions based on process performance.

You mention that your organization maintains customer equipment and that the customer provides manuals. These manuals might be adequate. They might not. Let’s say that part of your maintenance is changing the oil on a gasoline engine. The manual, hopefully, states when this needs to occur. It might not. You probably need to establish a maintenance schedule for changing the oil and lubricating the machine, recording when this is done. Do you need a detailed work instruction on how to change the oil? Probably not. However, the machine might be complicated and have many lubrication points, a number of them not at all obvious. In such a case, a simple work instruction might be useful.

The key is to control your process and use whatever is needed to do so.

Joe Tsiakals
Voting member of the U.S. TAG to ISO/TC 176 (ASQ)
Voting member of the U.S. TAG to ISO/TC 210 (AAMI)

Ask A Librarian