Why Does ISO 9000 Emphasis On Document Control?

Think of the Document Control Procedure as ‘evidence’ that an established process or procedure was adhered to in order to satisfy customer requirements. Both Registrars and Internal Auditors will always focus on the quality, continuity and flow of documentation; inconsistencies in this flow of information will indicate a problem and generate a non-conformance.

It is vital that your organization implements and maintains a robust document and record management system pursuant to Clause 4.2. of ISO 9001:2008.

Terms and definitions

To better understand the difference between a document and a record, the following terms and definitions are taken from ISO 9000:2005:

Term, Clause and Definition

Document, 3.7.2, Information and its supporting medium

Record, 3.7.6, A document stating results achieved or providing evidence of activities performed Control of Documents (4.2.3)

Implementing a quality management system might mean that you will be generating new documents and keeping some records that you might not be already keeping. Some of this documentation may seem burdensome until you become more familiar with the quality standard. In general though, the organization must:

- Approve documents before your distribute them
- Provide the correct version of documents at points of use
- Review and re-approve documents whenever you update them
- Specify the current revision status of your documents
- Monitor documents that come from external sources
- Prevent the accidental use of obsolete documents
- Preserve the usability of your quality documents

In order for any organization to demonstrate the effective implementation of its quality management system, it may be necessary to develop documents other than documented procedures. However, the only documents specifically required by ISO 9001:2008 are:

- Quality policy (4.2.1.a)
- Quality objectives (4.2.1.a)
- Quality manual (4.2.1.b)
- Control of Records (4.2.4)

A record is a document that provides traceability; it declares results or presents evidence that the activities undertaken met customer requirements. It is important to identify relevant quality records as you progress your documentation and ensure that records are defined within a procedure or by a system and that it exists and is controlled.

Types of Records required by ISO 9001:2008 Document Control Procedure

5.6.1 Management reviews
6.2.2 e) Education, training, skills and experience
7.1 d) Evidence that the realization processes and resulting product fulfil requirements
7.2.2 Results of the review of requirements related to the product and actions arising from the review
7.3.2 Design and development inputs relating to product requirements
7.3.4 Results of design and development reviews and any necessary actions
7.3.5 Results of design and development verification and any necessary actions
7.3.6 Results of design and development validation and any necessary actions
7.3.7 Results of the review of design and development changes and any actions
7.4.1 Results of supplier evaluations and any actions arising from the evaluations
7.5.2 d) As required by the organization to demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement
7.5.3 The unique identification of the product, where traceability is a requirement
7.5.4 Customer property that is lost, damaged or otherwise unsuitable for use
7.6 a) Basis used for calibration or verification of measuring equipment where no international or national measurement standards exist
7.6 Validity of the previous measuring results when the measuring equipment is found not to conform to requirements
7.6 Results of calibration and verification of measuring equipment
8.2.2 Internal audit results and follow-up actions
8.2.4 Indication of the person(s) authorizing release of product.
8.3 Nature of the product nonconformities and any subsequent actions taken, including concessions obtained
8.5.2 e) Results of corrective action
8.5.3 d) Results of preventive action

Document Control Procedure Summary

Remember that you are in control of the documents and records and not vice versa. Only document and record what is necessary – the fewer documents and records you keep, the fewer things that will be audited, and the more time you will have to actually run your business.

ISO 9000 Standards Certification and Registration

The International Standards Organization is responsible for two major sets of requirements that relate to an overall quality management system to be used by businesses. The ISO 9000 family of standards is the primary set of requirements for most businesses.

Quality management by definition address that the organization does certain things to “fulfill the customer’s quality requirements and applicable regulatory requirements while aiming to enhance customer satisfaction, and achieve continual improvement of its performance in pursuit of these objectives”.
ISO 14000 address the environmental management to minimize harmful effects to the environment. Again, it is a quality management system designed to “achieve continual improvement of its environmental performance.

ISO certification 9000 is the most common. So, let’s take a look at what ISO certification entails and what it means. To become certified, a quality management system must be in place that meets the requirements of the ISO standard. This begins with the business recognizes the requirements and developing a quality system to meet their needs at the same time they meet the requirements.

ISO 9000 certification and ISO 9000 registration are two different entities, though they are often used interchangeably. To achieve ISO certification 9001 , an independent registrar is hired to audit the quality system for thoroughness and compliance to all the standards. When this is accomplished, the business is offered a certificate stating that the quality system conforms to standards within the particular standard.

ISO registration means that the certification has been recorded in its client register. Because most companies have been certified and in turn registered, the terms are offed interchanged in general use. While the term “certification” is the most widely used, “registration” used in North America. Both are completely acceptable, because the business has fulfilled the requirements set forth by ISO.

Risk Management In ISO 9000 Standard

In each human endeavour there is an element of risk; personal, project or financial, or a combination of them all. The job of the responsible individual is to identify the risk and act accordingly. We all do these ‘risky’ things, almost daily, aware that we are taking a risk. Rather than staying away from the risk we become adept at identifying it and having a strategy for dealing with it if the risk materialises. This is what risk management is about, and is an ability that is important in virtually every endeavour.

The popular misconception that risk management is difficult or complicated stems from the bureaucratic methodology of some system-oriented organisations and managers. It is neither complicated or bureaucratic, and need not be. Risk management is basically a simple proposition with a complexity dictated by the nature of the situation to which it applies – usually a project, and the parties involved. In its basic form risk management involves:

1. Identifying risk – Looking for anything that threatens the successful completion of the project against the original requirement. Risks can be environmental, organisational, technical, legal, economic or commercial.

2. Counteracting risk – Taking action to remove or reduce the probability of a risk being realised. The response depends on the nature or seriousness of the risk.

3. Acting when the risk event occurs – Invoking whatever contingency measures were devised for the risk that has materialised.

And for this to happen needs:

4. Monitoring at all stages – This typically means documenting a risk assessment in a profile that identifies the risk, the probability of its occurrence, and the impact if it does materialise. Factors that score paramount are those that require the greatest attention and monitoring. A good risk manager will devise contingency plans that reduce either the probability or the impact of these occurrences, and so remove them from the scene.

Working within a formal structured management system similar to that defined by ISO 9000 requires the application of risk assessment practices to satisfy the requirements of the Standard. Auditors of such systems may not find specific references to risk management in these areas even though the identification of potential failure (8.5.3) is wholly concerned with a topic that is nothing less than risk management.

Well managed risk taking is an essential feature of any forward thinking enterprise, since risk is an element of any progression or advancement. It is the adoption of effective risk management in conjunction with the continuing need to drive forward from a comfortable position that leads to progress and advancement. Doing what we always do purely because the risks appear to be negligible or are well known is to be ‘risk averse’, and for progressive organisations cannot be acceptable. Neither is it acceptable to pursue new ideas without an understanding of their potential benefit, proper planning, a clear idea of the threats to these benefits being achieved , and a strategy for dealing with them should they materialise. We need to manage in a manner that is neither predictable or reckless. Risk assessment is an essential tool to support this strategy.