ISO 9001 PROCESSES and PROCEDURES
After spending the past couple months exploring the higher-level ISO 9001 requirements such as Context of the Organization and Leadership, let’s start looking at some of the core ISO 9001 processes and procedures beginning with the “Support” processes defined under section seven of the ISO 9001 standard. While your organization may have established processes which satisfy many of the ISO 9001 support requirements, it is important to review all the ISO requirements to ensure full compliance for critical functions such as People, Competence, Communication, Infrastructure, Measuring Resources, and Organizational Knowledge.
The next two articles will break down the support processes defined in Section seven of the ISO 9001 standard. While we won’t have the time and space to look at all the support processes in detail, we will provide an overview of all the ISO support processes along with a detailed look at the Documented Information and Change Management processes. Our ISO 9001 eCoach learning course provides significant detail along with implementation tools for all the ISO 9001 support processes and procedures.
The ISO 9001 support processes are those that are generally focused on supporting all aspects of the organization. These processes tend to touch, influence, and impact most if not all functions within the organization. ISO 9001 defines the following support requirements which must be satisfied:
- People / Competence: Ensure that organizational personnel have the requisite skills, experience, knowledge, and training to execute their assigned roles and responsibilities.
- Awareness: Your employees must be aware of key ISO 9001 processes and procedures along with policies and objectives.
- Communication: Effective communication is key to running any organization and integral to any effective management system.
- Infrastructure / Environment: ISO 9001 requires management to provide proper facilities, equipment, resources, and working conditions.
- Monitoring and Measuring Resources: Often referred to as calibration or metrology, this requirement calls for periodic verification or calibration of measuring devices where applicable.
- Organizational Knowledge: New to the 2015 version of the ISO 9001 standard, companies now must determine, maintain, and disseminate key knowledge and information throughout the organization.
We’ll take a closer look at these support processes in the next EBS article. Let’s use the remainder of this article to examine two key support processes, Documented Information and Change Management.
Documented information (documentation) is the lifeblood of your ISO 9001 management system and your document control process is the heart. By establishing an effective documented information process that is appropriate for your organization, you create a solid foundation for the ISO 9001 management system and your entire operation. Not getting this part right could result in inefficiencies, costly mistakes, and a constant battle to ensure your processes are correctly and adequately executed and documented. Not having appropriate and compliant records could spell disaster during an audit.
Before we go too far, let’s first clarify some definitions:
- Documented Information (Maintained) – When ISO 9001 refers to “maintained documented information” they are talking about process documentation such as procedures, policies, work instructions, forms, templates, or any other documents which define or describe how your processes are carried out or provide a method or artifact to capture process information as records.
- Documented Information (Retained) – ISO 9001 requirements that define a need for “retained documented information” are referring to records which capture the resultant outputs (data, information, decisions, actions, results, etc.) from your processes. These are the completed forms, templates, meeting minutes, reports, approvals, etc. that must be controlled and retained, and which provide objective evidence supporting your process activities.
Documented Information Requirements (7.5.1 – General)
With the release of the 2015 version of the standard, ISO 9001 no longer specifies that you create and maintain specific procedures. In other words, the standard doesn’t define certain procedures that must exist for your management system to be compliant. However, don’t misinterpret that to mean that you don’t need to have any procedures at all. Procedures and other documented information must exist where needed to operate your company and management system. It’s just that ISO 9001 no longer mandates what those are.
Open your ISO 9001 standard and review the requirements stated in clauses 4.4.2 and 7.5.1 which say that you need documentation required by the ISO 9001 standard and to effectively support the management system. From these requirements you can see that you must still maintain appropriate process documentation, but it is entirely up to you to determine what that documentation is, what it contains, and how it is structured and formatted.
While specific procedures aren’t mandated by ISO 9001, there are a significant number of records required by the standard. EBS offers a free document (ISO 9001 Documented Information Checklist) which lists all the ISO 9001 required records which must be retained. You probably already, either formally or informally, capture information and records that satisfy some of the ISO requirements and may just need to fine tune what is already established to be in compliance. Records must also be retained in a manner that protects and preserves the record and doesn’t allow anyone to make unintended changes. Also, make sure your records are organized in a manner that allows for quick and easy access. There is nothing more stressful and frustrating than not being able to locate and produce a requested document during an audit.
Are Procedures Really Needed?
So, while ISO 9001 says that appropriate documentation is required, does this mean that traditional procedures must be established and maintained? Maybe not. In the end, all ISO is really stating is that you need to ensure your processes are under control and procedures are just one option for controlling these processes. Rather than using traditional written procedures or SOPs, processes can be controlled using checklists, process maps or flow charts, detailed work instructions, diagrams, photos, etc. As long as the appropriate information is provided to those who need it, when they need it, in a manner that ensures the process is carried out in a controlled manner, then you are in good shape. Keep it simple, but make sure that it is effective and appropriate for your organization. If you elect not to document a specific process, ensure that all employees can consistently speak to and describe all aspects of the process.
According to the ISO 9001 notes associated with clause 7.5.2, documentation may differ across different organizations based on the size of the organization, what it does, process complexities, and the level of personnel and competency. You obviously need to consider these factors when determining the type and level of documentation for your organization.
We recommend that you establish some type of documented control for each process within your organization. These don’t have to be twenty-page detailed procedures, but they should be commensurate to the complexity of the process and adequately communicate all necessary information to the individuals that need it. This is just too important to leave to tribal knowledge and it removes any ambiguity and confusion about what you do, how and when it’s done, who does it, etc. Certainly, don’t over-complicate things and always strive for simplicity while ensuring documentation is appropriate and effective.
Documented Information Requirements (7.5.2 – Creating & Updating)
You need to establish some type of document control or revision control system to manage your documentation. Per the ISO 9001 standard this system needs to ensure that documents are somehow identified, appropriately formatted, and reviewed and approved prior to distribution and use. How you do this is up to you and will be largely driven by the approach and methods you select to control your management system. Whatever you decide, we highly recommend that you attempt to make your documentation “electronic” wherever possible.
No matter what type of system you pick, you will need to establish your document naming and numbering convention. To be honest, you don’t need to assign both document names (titles) and numbers to control your documents. One or the other is sufficient, but most management systems we have seen use both. Again, your call here.
Documented Information Requirements (7.5.3 – Control of Documented Information)
ISO 9001 says that your documented information needs to be suitable (content, format, etc.) for use, made available where needed, and protected. Your review and approval process should ensure suitability, and your document control and distribution system must disseminate documentation where needed and protect it from inappropriate or unauthorized access or use. All records must be protected from loss or damage and remain legible for the duration of their retention. Paper documents should be stored in an environment where they won’t deteriorate over time. Electronic records should be backed up to protect them from computer or server failures, natural disasters, or any other threats. If needed, use your risk management (risks and opportunities) process and tools to assess documentation risks and define appropriate mitigation activities.
You will need to define your requirements for retention of documentation along with disposition of obsolete or expired documents. This includes both maintained and retained documented information including older versions of procedures and other process documentation. You can define your obsolescence policies and process for all documentation in a Documented Information procedure or you can provide this information in each procedure for the documentation associated with that process. Back in the day of paper documentation, this was more critical as companies dedicated a rather large amount of physical storage space to maintain reams of paper documents in filing cabinets and banker boxes. We’ve even seen larger companies that paid for off-site storage for their older records. Assuming that the majority of your documentation is in electronic format and given the rather low cost of electronic storage space, we just recommend that you keep all documentation indefinitely, but you still need to define this as part of your retention policy.
Document Change Control
You must have a document revision control system to manage the release of new documentation and document changes. In general, you probably should capture the following information when releasing new documents or revising existing ones:
- A description of the changes,
- All affected documentation,
- Relevant document revision levels,
- Why the changes are needed,
- Who initiated or made the changes,
- Who reviewed and approved the changes,
- The release or effectivity date for the changes.
Also, be sure to define any training that needs to be completed, usually prior to release for use. Processes and requirements for training can be defined in your “competency” or “training” documentation.
You might also consider capturing links or references to other key management system processes and activities related to document revisions. This includes corrective actions, nonconformances, audits, customer complaints, etc. This information becomes very valuable when trying to trace a document change to the corresponding action that drove the change or vice versa. It definitely makes life easier during audits.
Document control or management system software applications provide automation of the document or change control process including electronic workflows for review, approval, release, and distribution of the revised document. Some now have workflows for completing training prior to release of the revised or new documents. Be sure to consider some of these software applications when determining the best solution for controlling documentation and other key aspects of your ISO management system.
In addition to your internal documentation, ISO 9001 also requires you to maintain and control documents of external origin that are necessary to operate the organization and the management system. One example of this type of document would be the ISO 9001 standard itself along with any other ISO or regulatory standards applicable to your organization. Also consider engineering standards (MIL, IEEE, UL, etc.) or similar documents used for production. Any external document that is referenced by your management system or operations should be controlled and maintained.
Change management provides an overall process for defining, evaluating, approving, and controlling changes to products, services, processes, and the management system. This is directly tied to the document control process discussed earlier in this article, as any organizational change will need to consider the need for new or revised documentation.
Change Management Requirements
Change management requires full consideration of the functions, products, and processes impacted and all associated risks that might be incurred by the organization when implementing changes. Not only does ISO 9001 require that changes be planned, but it only makes sense that any change within an organization would necessitate a commensurate level of planning effort and activities. ISO 9001 doesn’t provide a specific set of change requirements, but rather scatters change clauses and requirements throughout the standard including:
- 5.3e (Organizational Roles, Responsibilities, & Authorities),
- 6.3 (Planning of Changes),
- 7.1.6 (Organizational Knowledge),
- 8.1 (Operational Planning & Control),
- 8.2.4 (Changes to Requirements for Products & Services),
- 8.3.6 (Design & Development Changes),
- 8.5.6 (Control of Changes).
Note that clause 8.3.6 is part of the Design & Development processes. If you do not design and develop products as part of your operations and have taken an exemption from this section of the standard, then you can disregard this clause when developing your change management process. Changes to product or service designs should be executed following established Design & Development processes.
Change Management Processes
Whenever you make changes to or within the management system, ISO 9001 states that you must consider:
- The purpose and scope of the change,
- The risks and potential consequences,
- The integrity of the management system,
- The impact to and availability of resources (internal and external),
- The impact to roles, responsibilities, and authorities,
- The impact to organizational knowledge including the need for new or additional knowledge,
- The level of control needed to implement the change,
- Changes to documented information,
- Who must be informed of changes to requirements for products and/or services,
- By whom and how changes to products, services, and processes will be reviewed, approved, and controlled,
- Documented information to be retained which describes changes, change controls, and change authorizations.
In addition to processes required to manage permanent changes, many organizations establish a process for “Temporary Deviations”. These are, just as the title indicates, short-term changes to address an issue or deficiency with the intention of not implementing a long-term solution. These are usually established to overcome issues in production around equipment, materials, external providers, specifications, etc. with the expectation that normal activities will resume in a short period of time. If you feel that such a process would be beneficial from time to time in your organization, then put one in place.
A word of caution, though: these temporary deviation processes can be abused, and we have seen companies that run under temporary deviations for months or years at a time without actually addressing the issue or making the change permanent. Be sure to establish clear boundaries around your temporary deviation process and only use it within the spirit for which it was designed. Auditors will pick up on abuses which might result in a rather significant audit nonconformity.
Change Management Implementation
So what does all this mean and how is it implemented? To implement an effective change management process and satisfy all these requirements, develop a process that does the following:
- Defines and documents the change including the reasons for the change,
- Determines and evaluates the impact of the change on the organization (products, services, processes, etc.), including inherent risks and the impact on organizational knowledge,
- Develops plans to facilitate and control the change,
- Requires authorized personnel to review and approve the change and associated plans,
- Verifies change effectiveness and ensures no adverse impacts or undesired effects.
In summary, documented information and change management are two key support processes to be established for most ISO organizations. Be sure to fully consider the scope and requirements of these processes as they are developed and implemented to ensure that they are effective for your organization. While implementing a manual, paper-based system seems quicker and easier on the front end, investing in appropriate software applications will most likely return dividends later down the road as your ISO 9001 processes and procedures grow and become more complex. No matter what system you choose, focus on keeping documents and records in electronic format whenever possible.
We’ll take a closer look at the remaining ISO 9001 support processes in the next EBS blog article.