We hear this question all the time. The official definition from the ISO High Level Structure is “a set of interrelated or interacting activities which transforms inputs into outputs”. So what does that mean? It means you can basically define anything you do as a process. Based on the requirements in ISO 9001 you simply have to establish, implement, maintain and continually improve your processes and interactions in accordance with the standard. Maintain infers that you must document them. The rest of the shall’s say they have to be determined (inputs and outputs, sequence and interaction, methods to ensure effective operation, resources needed), Assign (responsibilities and authorities), Address risks and opportunities and evaluate.
So, as long as you meet all of those requirements you are OK. My personal opinion is that you should limit the number of processes because it causes your certification auditors to document more in a report, especially for AS 9100. At times it is not a bad idea to make your auditor happy.
The format of the documentation is also up to you, flowcharts, word documents, charts, even a video could work.
The ISO 9001 standard does not call out any other type of documentation, it only refers to documented information. This means it doesn’t matter if you call it a procedure, work instruction, manual, policy, SOP or whatever. Although, if you want to you can.
So this document that used to be in everyone company’s quality manual is no longer needed.
Risk is the newest term used in management systems for this decade. In terms of functioning quality systems, all should have addressed risk prior to the term being use. Most do not consider that the purpose of the requirement in the previous standards for preventive action was to address risk.
Each process should address risk during planning and evaluation. When you think about it, most companies are addressing risk on a constant basis. When you receive a request for quote, or review a purchase order from a customer, what is the purpose of the review? To determine and act on risk. Why do you take time to determine whether a supplier is acceptable? Why do you plan your processes? What do you consider when doing this? Risks!!
In addition to the normal course of doing business, you also have the review of metric and performance which leads to risk analysis. An organization may implement a risk action or opportunity based on company performance or an objective or target which has not been achieved.
The new requirements have brought about a state of panic from many companies which is unfounded. The point is to use common sense when planning your system. Do not create documents which are non value added just to meet a requirement that you do not understand. Quality Innovations can help you understand and document these processes in order to prevent unnecessary work.
Documented Information is a new terms used in the High Level Structure of the ISO management system standards directed by ISO/IEC. This means that the terms is transferred into each of the management standards, ISO 9001, AS 9100, IATF 16949, ISO 14001 and ISO 45001. Effectively, this new term has replaced the previous requirement for document control in 4.2.3 and and record control in 4.2.4. Section 7.5 of the latest standards highlights the requirements for documented information.
In summary, the same rules apply as before with less specificity. You still need to identify each document uniquely. You still need to ensure that the current version of a document is used (control of changes and protection). They still need to be reviewed and approved for suitability and adequacy. There is still no mention of requiring a master list or a specific numbering scheme as many think. There is still no requirement to stamp every hard copy uncontrolled or invalid after 24 hours. Yes, these are methods to control documents, however they are not required.
There are many acceptable simplified ways to control documents which do not require document change forms or logs or wet signatures or stamps or watermarks or PDF conversions. We can help you understand what the standard requires.
Whatever methods you derive to control documents, they must be suitable for your organization and stand the test of an audit. Often the more complicated, the more risk of failure.
Also, the only mention of record control is in retention and disposition of documented information. The most important thing to remember when reading the standard, is that if the standard refers to maintaining documented information it is referring to document control, if it refers to retaining documented information it means record control. It does not say specifically that you have to document a record retention period, however most customers require this and you need to demonstrate that you address the retention and disposition of records in your system.