Monday, March 6, 2017

How to Do Document Control to Fulfill the Requirements of ISO9001:2015

    Before starting, I want to point out that in this article I will use “document(s)”, following convention, though the ISO9001:2015 standard now calls it “documented information”.

    In the earlier versions of the ISO9001 standard (or ISO9000 for even earlier versions), much emphasis was placed on setting up documented procedures, because ISO9001 was originally established as a guide to assess suppliers, and auditors always wanted to see that suppliers had clearly documented procedures for the operators to follow to avoid misoperation. The emphasis on documents, however, resulted in a significant burden for organizations trying to fulfill the requirements of ISO9001. Piles of documents were established, and they needed to be reviewed and updated promptly and properly to ensure their suitability and adequacy. To reduce this burden, ISO has been gradually reducing the mandatory requirements for documented procedures. In ISO9001:2008, only a quality manual and 6 documented procedures were mandatorily required. In ISO9001:2015, even these documents are no longer necessary. This is one of the key changes in ISO9001:2015. It now only requires that an organization shall have a documented quality scope, quality policy and quality objectives. Organizations can choose whether or not to have any other documented procedure based on their own needs.

    Once an organization decides to establish and maintain a documented procedure, it shall follow and meet the document control requirements specified in 7.5 of ISO9001:2015. Before discussing what shall be done to fulfill these requirements, let's first ask one question: why did ISO set up the requirements for document control? They serve the following purposes:

  1. To ensure that all the documented procedures followed by the employees are suitable and adequate. Otherwise, it may cause disruption or mistakes in the company's operation.
  2. To ensure that the documented procedures are always available for their users to refer to when they are needed.
  3. To ensure that the commercial confidentiality and intellectual property of the organization and its related parties are well guarded.

    Now let's see how to meet the requirements in 7.5 of ISO9001:2015. As a short summary, one can follow the flow chart shown below for the document control procedure:

    Let's discuss the steps above one by one in more detail.

1. Identification of needs to create a new documented procedure or update an existing documented procedure

    As mentioned at the beginning of this article, it is not mandatory to have written documents other than the quality scope, quality policy and quality objectives according to ISO9001:2015. So it is really up to the organization to decide whether it needs to create a document. If a process is well understood by the relevant parties and it achieves the intended results, it is OK not to establish a document to specify how the process should be carried out. On the other hand, if there's any ambiguity, it's better to create a document to clarify the flow and the relevant responsibilities of the process. If the organization has frequent customer audits, it's also suggested to have documents describing the flow of each process. Based on personal experience, customers usually like to see the evidence in black and white.

    After documented procedures are established, the organization shall identify the needs to update them to keep them suitable and adequate. The needs can come from events such as internal changes, corrective actions, improvements, new customer requirements, new standards, new legal requirements, etc. In all these events, the coordinators (e.g. the owner responsible for reviewing customer requirements) should identify which documents should be updated, and then notify the document owners to update them. The above events should not be closed until all the relevant documents are updated properly. In real life, people often fail to identify and update all the documents related to these events. Therefore, in addition to the event-triggered mechanism, the organization shall also require the document owners to review each existing document regularly (e.g. once a year) to see whether it is still suitable and adequate, and to update it as needed.

2. Drafting of the document and application for review and approval
 
    An owner of each document must be clearly assigned. When a documented procedure needs to be created or updated, the owner should draft the document according to the following requirements:
  1. The document must have a proper identification. Generally the document must have a document number, a title and a revision number. 
  2. The document must have a clearly specified effective date.
  3. The revision history of the document must be clearly described. 
  4. The document shall contain the other necessary information for the effective implementation of a process, such as the responsibilities and the competency of relevant persons, the flow of the process, the communication within the process or with other processes, etc.

    A template of a documented procedure will be provided at the end of the article.

    The drafter of the document shall submit the document for review and approval before publishing, to ensure that the document is suitable and adequate.

3. Document review and approval
 
    The reviewer and approver must have solid knowledge and understanding of the process, so that they can spot any mistake or inadequacy in the document. Their responsibility is to ensure that all the necessary information for the effective implementation of the process is specified in the document and that there's no ambiguity or incorrect instruction in the document.

    The organization can decide, based on the document scope, who should be the reviewer and approver. For example, if the document is applicable in the whole company, it's usually reviewed by the department head of the process owner, and then approved by a member of the top management team (e.g. the management representative, if your company still keeps this position). If the document is applicable only in a department, it just needs to be reviewed by a junior supervisor and then approved by the department head.

4. Publishing & distribution of the new document and retrieval of the obsolete revision

    After the approval of the newly created/updated document, it's officially published. It should then be distributed to the users of the document. For an updated document, the original revision must be obsoleted and retrieved as well to prevent misuse.

    The above steps can be done on paper or electronically. If the users of the documents do not require hard copies, it is highly recommended to use an electronic system to go through the above steps.

    The above steps also apply to the process to obsolete an existing document. The only difference is that in the 4th step, no publishing and distribution is needed. Instead, a notice should be sent out for the obsoleting of the document.


    All the documents published and in use shall be properly stored and protected. If they’re in soft copy, they should be safeguarded from unauthorized copying, editing and deletion. If they're in hard copy, they should be protected from loss, damage and deterioration, and also from unauthorized duplication. A common way to identify unauthorized copies and prevent their use is to put a “controlled copy” stamp on the paper documents (please refer to the template of the document at the end of this article) before distributing them, so that employees know that any document without the original stamp is not authorized and should not be followed.

    If the documents are confidential, they should also be safeguarded from unauthorized access, copying and distribution. The organization may set up criteria to define the confidentiality level of documents, and define the persons with authority to access, copy and distribute these documents. Unauthorized persons should not have the opportunity to access, copy or distribute the confidential documents.

    Finally, let me give one template of a documented procedure. What shall be written in each section of this document is explained in the words highlighted in blue. The “effective date” of the document needs special attention. It is the date when the document becomes effective and should be followed. It is not the date when the document is published. The “Effective Date” should be the same as or later than the publishing date.

