ISO 9001:2008 Documentation Requirements
ISO 9001:2008 clause 4.1 General requirements requires an organization to “establish, document, implement, and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard”
ISO 9001:2008 Clause 4.2.1 General explains that the quality management system documentation shall include:
documented statements of a quality policy and quality objectives;
a quality manual
documented procedures required by this International Standard
documents needed by the organization to ensure the effective planning, operation and control of its processes, and
records required by this International Standard;
The notes after Clause 4.2 make it clear that where the standard specifically requires a “documented procedure”, the procedure has to be established, documented, implemented and maintained. It also emphasizes that the extent of the QMS documentation may differ from one organization to another due to:
the size of organization and type of activities;
the complexity of processes and their interactions, and
the competence of personnel.
All the documents that form part of the QMS have to be controlled in accordance with clause 4.2.3 of ISO 9001:2008, or, for the particular case of records, according to clause 4.2.4.
Guidance on Clause 4.2 of ISO 9001:2008
The following comments are intended to assist users of ISO 9001:2008 in understanding the intent of the general documentation requirements of the International Standard.
a) Documented statements of a quality policy and objectives:
Requirements for the quality policy are defined in clause 5.3 of ISO 9001:2008. The documented quality policy has to be controlled according to the requirements of clause 4.2.3.Note: Organizations that are revising their quality policy for the first time, or in order to meet the amended requirements in ISO 9001:2008, should pay particular attention to clause 4.2.3 (c), (d) and (g).
Requirements for quality objectives are defined in clause 5.4.1 of ISO 9001:2008. These documented quality objectives are also subject to the document control requirements of clause 4.2.3.
b) Quality Manual:
Clause 4.2.2 of ISO 9001:2008 specifies the minimum content for a quality manual. The format and structure of the manual is a decision for each organization, and will depend on the organization’s size, culture and complexity. Some organizations may choose to use the quality manual for other purposes besides that of simply documenting the QMS
A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard.
Large, multi-national organizations may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.
The quality manual is a document that has to be controlled in accordance with the requirements of clause 4.2.3.
c) Documented procedures:
ISO 9001:2008 specifically requires the organization to have “documented procedures” for the following six activities:4.2.3 Control of documents4.2.4 Control of records8.2.2 Internal audit8.3 Control of nonconforming product8.5.2 Corrective action8.5.3 Preventive action
These documented procedures have to be controlled in accordance with the requirements of clause 4.2.3
Some organizations may find it convenient to combine the procedure for several activities into a single documented procedure (for example, corrective action and preventive action). Others may choose to document a given activity by using more than one documented procedure (for example, internal audits). Both are acceptable.
Some organizations (particularly larger organizations, or those with more complex processes) may require additional documented procedures (particularly those relating to product realization processes) to implement an effective QMS.
Other organizations may require additional procedures, but the size and/or culture of the organization could enable these to be effectively implemented without necessarily being documented. However, in order to demonstrate compliance with ISO 9001:2008, the organization has to be able to provide objective evidence (not necessarily documented) that its QMS has been effectively implemented.
d) Documents needed by the organization to ensure the effective planning, operation and control of its processes:
In order for an organization to demonstrate the effective implementation of its QMS, it may be necessary to develop documents other than documented procedures. However, the only documents specifically mentioned in ISO 9001:2008 are:- Quality policy (clause 4.2.1.a)- Quality objectives (clause 4.2.1.a)- Quality manual (clause 4.2.1.b)
There are several requirements of ISO 9001:2008 where an organization could add value to its QMS and demonstrate conformity by the preparation of other documents, even though the standard does not specifically require them. Examples may include:- Process maps, process flow charts and/or process descriptions- Organization charts- Specifications- Work and/or test instructions- Documents containing internal communications- Production schedules- Approved supplier lists- Test and inspection plans- Quality plans
All such documents have to be controlled in accordance with the requirements of clause 4.2.3 and/or 4.2.4, as applicable
e) Records:
Examples of records specifically required by ISO 9001:2008 are presented in Annex B.
Organizations are free to develop other records that may be needed to demonstrate conformity of their processes, products and quality management system.
Requirements for the control of records are different from those for other documents, and all records have to be controlled according to those of clause 4.2.4 of ISO 9001:2008.
Friday, October 9, 2009
Subscribe to:
Post Comments (Atom)
Implementing ISO 27001 into your organisation will provide structure and control that will improve the security of your information. Some of the organisations you work with will want to know that they can rely on your information security systems before trusting you with their information. Through regular ISO 27001 audits you will give them confidence in the knowledge that security risks have been assessed and minimised and, if an incident does occur, you have systems in place to protect and recover information quickly to minimise any disruption to your business.
ReplyDelete