ISO 9001:2008 - Mandatory Procedures and Other Procedures
By Koos Gouws
It is always fascinating to hear the responses of auditors when they audit quality management systems and ask for procedures. There seems to be a lot of controversy surrounding procedures, and the proof that a procedure does in fact exist.
The standard itself is actually very clear on the issue. The problem arises due to the inexperience and sometimes lack of knowledge on the part of the auditors themselves.
In the standard the following phrase (or similar) is found on a number of occasions:
" A documented procedure shall be established to define...."
"This is a clear indication that we need to have a document that contains the details of such a procedure. The standard goes on to explain what is meant by the term 'documented procedure'.
"Documented procedure .... means that the procedure is established, documented, implemented and maintained"
There are only 6 clauses in the standard that specifically mentions the need for a documented procedure. These are:
· 4.2.3 Control of documents
· 4.2.4 Control of records
· 8.2.2 Internal audit
· 8.3 Control of nonconforming product
· 8.5.2 Corrective action
· 8.5.3 Preventive action
These documents must exist within the quality management system, and are not negotiable. Noncompliance in this regard is a non-conformance, without any argument. In fact, without these procedures the organization will not be recommended for certification.
What then about all the other procedures that we create within the quality management system, and why do we do it?
Let us look at an example: Under clause 5.6 we find that organizations often present a procedure for conducting management reviews to auditors. Is this really required? The answer is a definite "NO". The standard requires that the quality management system shall be reviewed by top management at planned intervals. It explains what needs to be discussed in these reviews. (5.6.2 is not an agenda, it merely tells us what areas should be covered during the reviews, together with the policy and objectives).What is required are records of the reviews that were conducted. If the auditee provides the auditor with proof of management reviews conducted, and that these are done at regular intervals, the auditor has no grounds to issue a non-conformance.
This brings us to another point. The standard does not ask for a management review schedule or plan. It merely states:
"...at planned intervals..."
If the auditor enquires about when the reviews are taking place, and there is consensus between the different participants, and it can be deemed as "regular", it is perfectly acceptable.
In other places in the standard similar requirements exist, e.g.:
· 7.1 "Output from this planning shall be in a form suitable for the organization's method of operation"
· 7.2.3 "Determine and implement effective arrangements for communicating with customers ..."
· 7.4.1 "... ensure that purchased product conforms to specified purchase requirements."
In none of these examples does it state that there must be a documented procedure, or what the format must be.
There are many more such examples in the standard, none of which requires a "documented procedure". Why then do organizations document more than just the 6 mandatory required procedures? It is partly because of the requirement under clause 4.2.1d that states the following:
"Documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its procedures."
Typically the 'other' documented procedures include these or at least some of these procedures:
· Planning (5.4, 7.1, 8.1)
· Internal communication (5.5.3)
· Management review (5.6)
· Resource management (6)
· Competency and training (6.2.2)
· Customer processes (7.2)
· Design and development (7.3)
· Purchasing (7.4
· Operational control (7.5.1)
· Validation of special processes (7.5.2)
· Product identification and traceability (7.5.3)
· Customer property (7.5.4)
· Preservation of product (7.5.5)
· Control of monitoring and measuring devices (7.6)
· Customer satisfaction monitoring (8.2.1)
· Process monitoring (8.2.3)
· Product monitoring (8.2.4
· Analysis and improvement (8.4, 8.5.1)
None of these procedures are mandatory, and if the organization can demonstrate that a process does exist, even if it is in the heads of those persons to whom they are relevant, it must be accepted by the auditor.
There is, however, another very important issue. If a documented procedure does not exist, the onus of proof that a procedure is in place rests on the auditee. Therefore, it is often easier to show a written procedure to the auditor, than to try to prove that a procedure which has not been document in fact does exist. If it will be relatively easy to demonstrate that a procedure is in fact followed, there is no reason to document it.
There is a catch. If a procedure has been documented, and the organization does not comply with the requirements of the procedure, it is a non-conformance. One of the criteria for auditors when conducting and audit is that of the audit criteria (those things against which the audit is carried out). Clause 8.2.2a states:
"... conforms to planned arrangements, ...to the requirements of this international standard, and to the quality management system requirements established by the organization ..."
The lesson to be learnt is to be careful what we document. Read the requirements of the standard. If a documented procedure is not required by ISO 9001:2008, ask yourself: "What will the consequences be if I do not document?"
An afterthought, records are an entirely different issue. About 19 mandatory records are required by the standard, and must be complied with.
Want to ask a question or wish to make a comment. Please Contact us for any services that are not listed here.
"Trying the Impossible, Using the Remarkable to Obtain the Unobtainable"