Showing posts with label ISO 9001. Show all posts
Showing posts with label ISO 9001. Show all posts

Wednesday, July 31, 2013

ISO 9001 and Documentation

ISO 9001 compliance becomes increasingly important in regulated industries. How does it affect documentation? Here is how...

What is Document Control?

Document control means that the right persons have the current version of the documents they need, while unauthorized persons are prevented from use.

We all handle many documents every day. These documents include forms that we fill out, instructions that we follow, invoices that we enter into the computer system, holiday schedules that we check for the next day off, rate sheets that we use to bill our customers, and many more.

An error on any of these documents could lead to problems. Using an outdated version could lead to problems. Not knowing if we have the latest version or not could lead to problems. Just imagine us setting up a production line to outdated specifications or making strategic decisions based on a wrong financial statement.

ISO 9001 gives us tools (also referred to as "requirements") that show us how to control our documents.

ISO 9001 Documents

There are no "ISO 9001 documents" that need to be controlled, and "non ISO 9001 documents" that don't need control. The ISO 9001 system affects an entire company, and all business-related documents must be controlled. Only documents that don't have an impact on products, services or company don't need to be controlled - all others need control. This means, basically, that any business-related document must be controlled.

However, how much control you apply really depends on the document.

The extent of your approval record, for example, may vary with the importance of the document (remember, documents are approved before they are published for use).

The Quality Policy, an important corporate policy document, shows the signatures of all executives.

Work instructions often just show a note in the footer indicating approval by the department manager.

Some documents don't even need any approval record: if the person who prepared a document is also responsible for its content (e.g., the Quality Manager prepares instructions for his auditors), a separate approval is superfluous.

On the other hand, identifying a document with a revision date, source and title is basic. It really should be done as a good habit for any document we create.

Please note that documents could be in any format: hard copy or electronic. This means that, for example, the pages on the corporate internet need to be controlled.

Responsibility for Document Control

Document control is the responsibility of all employees. It is important that all employees understand the purpose of document control and how to control documents in accordance with ISO 9001.

Please be aware that if you copy a document or print one out from the Intranet and then distribute it, you are responsible for controlling its distribution! The original author will not know that you distributed copies of this documents, so the original author can't control your distribution.

Dating Documents

ISO 9001 requires to show on every document when it was created or last updated. Many of us may have thought to use our word processor's automatic date function for this, but... should we use the automatic date field on documents?

Generally not. If you enter the automatic date field into a document, the field will automatically be updated to always show the current date, no matter when you actually created or updated the document.

Example: For example, if you use the automatic date field in a fax and you save the fax on your computer for future reference, you won't be able to tell when you wrote the fax: when you open the fax on your computer, it will always show today's date.

The automatic date field is not suitable for document control. Therefore, as a general rule, don't use the automatic date field to identify revision status.

ISO 9001 Documentation

ISO 9001 documentation includes:
  • the Quality Procedures Manual, which also includes corporate policies and procedures affecting the entire company;
  • work instructions, which explain in detail how to perform a work process;
  • records, which serve as evidence of how you meet ISO 9001 requirements.
Policies and Procedures

Our ISO 9001 Quality Manual includes the corporate Quality Policy and all required ISO 9001 Procedures. While most procedures affect only managers, every employee must be familiar with the Quality Policy and with the Document Control procedures. The Quality Policy contains the corporate strategy related to quality and customer satisfaction; all other ISO 9001 documents must follow this policy. The Document Control procedures shows how to issue documents, as well as how to use and control documents.

Continuous Improvement

Implementing ISO 9001 is not a one-time benefit to a company. While you are utilizing the quality manual, quality procedures and work instructions in daily business activities, you are not only benefiting from better quality and increased efficiency but you are also continually improving. In fact, the ISO 9001 requirements are designed to make you continually improve. This is a very important aspect because companies that don't continue to improve are soon overtaken by the competition.

Wednesday, February 15, 2012

Change Control in the Regulated Industries

In my last post, I described change control process in general and I mentioned that in the regulated industries, manufactures are required to use a change control procedures I am going to describe this change control procedure in this post.

A change control procedure is usually one of standard operating procedures (SOP's). It usually includes a change control form. Some companies also use change request forms for suggested changes. This procedure usually includes the following components:

Identification

The identification of the changed device, assembly, component, labeling, packaging, software, process, procedure, manufacturing material, and any other related item or document. The change control form has blank spaces for recording this data.

Effective Date

The effective date of the change which is usually a completion date, or an action to be performed when a specific event occurs, such as "implement the change when the new part is installed, validated, and operational." The blank on the change control form for recording the effective date should not be left empty.

Responsibility

The change procedure should state which department or designee is responsible for each function to be performed.

Revision Number

The change procedure should describe the way the revision level is to be incremented. It is common practice to use sequential numbers for revisions.

Communication

The change procedure should describe the communication of changes to all affected parties such as production, purchasing, contractors, suppliers, etc. As appropriate, the document might include activities that apply to internal operations. Examples are employee training, rework, or disposition of in-process assemblies, use of revised drawings and/or procedures, and disposition of old documents.

Updating Documentation

The change procedure should cover updating of primary and secondary documentation such as instruction manuals. Usually there are no problems with updating or revising primary documentation -- in fact, that is a major reason the given change order is being processed. In contrast, it is rather easy to forget that related secondary documents such as component drawings, instruction manuals or packaging require revision if affected by a given change. The use of a good change control form can alleviate this problem.

Documentation Distribution

Revised documentation should be distributed to persons responsible for the operations affected by the change and old documents removed and filed or discarded, as appropriate. After updated documents have been approved, these documents have to be made available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents have to be promptly removed from all points of use or otherwise prevented from unintended use.

Remedial Actions

Certain changes may require remedial action. Changes of this nature should be addressed in the change control procedure.

Regulatory Submissions

There may be changes may that require a regulatory submission. The change control procedure should specify if regulatory submissions should be considered when making a change.

Business Factors

The change procedure should also cover other factors such as financial impact, modification of sales literature, update of products in commercial distribution, etc.

Quality Assurance Review

The change procedure should cover if the quality assurance review is required for the change.

This change control procedure is also used for document control.

Changes to documents have to be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval of these documents unless there is a specific designation that states otherwise. These approved changes have to be communicated to the appropriate personnel in a timely manner. A company has to maintain records of changes to documents.

Change control for documents should include:
  • identification of the affected documents;
  • a description of the change;
  • revision number
  • the signature of the approving individual(s);
  • the approval date;
  • the date when the change becomes effective.
In a case of the regulatory agencies inspection, the change control procedure is usually audited.

Tuesday, February 14, 2012

Change Control

Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without analysis, introducing faults into the system or undoing changes made by other users of software.

The goals of a change control procedure include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing a change.

Change control is used in a wide variety of products and systems. For Information Technology (IT), it is a major aspect of the broader discipline of change management. Typical examples from the computer and network environments are patches to software products, installation of new operating systems, upgrades to network routing tables, or changes to the electrical power systems supporting such infrastructure.

Change control process can be described as the sequence of of six steps: record/classify, assess, plan, build/test, implement, close/gain acceptance.

Record/classify

A user initiates a change by making a formal request for something to be changed. The change control team then records and categorizes that request. This categorization would include estimates of importance, impact, and complexity.

Assess

Change control team makes an assessment typically by answering a set of questions concerning risk, both to the business and to the process, and follow this by making a judgment on who should carry out the change. If the change requires more than one type of assessment, the head of the change control team will consolidate them. Everyone with a stake in the change then meet to determine whether there is a business or technical justification for the change. The change is then sent to the delivery team for planning.

Plan

Management will assign the change to a specific delivery team, usually one with the specific role of carrying out this particular type of change. The team's first job is to plan the change in detail as well as construct a regression plan in case the change needs to be backed out.

Build/test

If all stakeholders agree with the plan, the delivery team will build the solution, which will then be tested. They will then seek approval and request a time and date to carry out the implementation phase.

Implement

All stakeholders must agree to a time, date and cost of the implementation of the change. Following the implementation, it is usual to carry out a post-implementation review which would take place at another stakeholders meeting.

Close/gain acceptance

When the user agrees that the change was implemented correctly, the change can be closed.

Change Control in a Regulatory Environment

In a Good Manufacturing Practice (GMP) or ISO 9001 regulated environment, change control activities and procedures apply to software, labeling and packaging, device manufacturing processes, production equipment, manufacturing materials, and all associated documentation such as quality system procedures, standard operating procedures, quality acceptance procedures, data forms, and product-specific documentation. Change control is also applied to any production aids such as photographs and models or samples of assemblies and finished devices.

Any regulated industry has a compilation of documents containing the procedures and specifications for a finished product. It includes specifications and all other documentation required to procure components and produce, label, test, package, install, and service a finished product. Manufacturers are to prepare, control changes to, and maintain these documents using change control procedure which is in fact the document control procedure.

In my next post, I will describe the change control procedure as it applies to documentation in a regulated industry.

Thursday, January 5, 2012

ISO 9001 and Document Control

ISO 9001 specifies requirements for a Quality Management System (QMS) where an organization needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements.

An organization is required to establish, document, implement, and maintain a quality management system and continually improve its effectiveness.

A cornerstone of the QMS is document control. Therefore, in order for an organization to meet ISO 9001 requirements, it must have a document control system in place. Auditors pay particular attention to document control.

Document control is an essential preventive measure ensuring that only approved, current documents are used throughout the organization. Inadvertent use of out-of-date documents or not approved documents can have significant negative consequences on quality, costs, and customer satisfaction.

What is Controlled Document?

Let's define controlled documents. Controlled document is any document that is used to perform work and not for reference. Furthermore, ISO 9001 states that documents required by the QMS should be controlled.

The QMS includes the following documents: statements of quality policy and quality objectives, quality manual, procedures, and records determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes.

The format and structure of the quality policy, quality objectives, and quality manual is a decision for each organization, and will depend on the organization’s size, culture and complexity.

A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard. Large, multi-national organizations may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.

ISO 9001 specifically requires the organization to have documented procedures for the following six activities:

1. Control of documents

2. Control of records

3. Internal audit

4. Control of nonconforming product

5. Corrective action

6. Preventive action

Some organizations may find it convenient to combine the procedure for several activities into a single documented procedure (for example, corrective action and preventive action). Others may choose to document a given activity by using more than one documented procedure (for example, internal audits). Both are acceptable.

Some organizations (particularly larger organizations, or those with more complex processes) may require additional documented procedures (particularly those relating to product realization processes) to implement an effective QMS.

Other organizations may require additional procedures, but the size and/or culture of the organization could enable them to be effectively implemented without necessarily being documented. However, in order to demonstrate compliance with ISO 9001, the organization has to be able to provide objective evidence that its QMS has been effectively implemented.

The typical controlled document types include:
  • policies - the company’s position or intention for its operation;
  • procedures - responsibilities and processes for how the company operates to comply with its policies;
  • work and/or test instructions - step-by-step instructions for a specific job or task;
  • forms and records - recorded information demonstrating compliance with documented requirements;
  • drawings - those that are issued for work;
  • process maps, process flow charts, and/or process descriptions;
  • specifications;
  • internal communication;
  • production schedules;
  • approved supplier lists;
  • test and inspection plans;
  • quality plans.
The type and extent of the documentation will depend on the nature of the organization’s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.

Document Control Procedure

ISO 9001 states that the procedure for document control should be established which should include the following:

1. To approve documents for adequacy prior to issue.

Document approvals are mandatory and must be kept as a record as well. When determining who should approve a particular document, limit approvals to those with direct knowledge or responsibility for the document.

Approval signatures must be recorded prior to the release and use of the document. Approvals may be in the form of a written signature or a password-protected electronic approval record. The date of all approvals must precede the document's release date.

While not explicitly stated, this requirement also applies to temporary memos or postings that are used to communicate QMS or product-related requirements. Any temporary documents must be clearly identified, signed and dated. It is advisable to include an expiration date on temporary documents to ensure they are removed from use when intended.

2. To review and update as necessary and re-approve documents.

All documents must be reviewed periodically and updated and re-approved if needed. This review can be tied to a company's internal audit process, management review or scheduled on some periodic (annual) basis. A record of such reviews must be kept.

3. To ensure that changes and the current revision status of documents are identified.

When a document is updated, a record must be kept of the change, including the reasons for and nature of the change. In addition, current revision status must be maintained. This includes the current development stage (draft, review, approval, etc.) and the date or revision level (number or letter) identifying the current version of the document.

4. To ensure that relevant versions of applicable documents are available at points of use.

The storage and access of documents must easily allow individuals to find the appropriate version of a document to use where needed. Older versions of a document that are still needed (e.g. specifications for an older product) may remain active if necessary, but the revision level must be made clear.

You should consider where designated controlled locations of your documents will be established and whether short-term reference copies of controlled documents will be permitted. Typically, the easier it is for employees to access controlled copies when needed, the fewer times they will feel the need to use an uncontrolled copy of a document. Ensuring timely and convenient access to documents is frequently the source of high costs and repeated discrepancies.

5. To ensure that documents remain legible and readily identifiable.

The format and storage of documents must protect a document from being rendered unreadable due to wear or damage and that every document can be clearly identified through a title, document number or other suitable identification.

6. To ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled.

Documents that do not originate within the organization, but are necessary for ensuring quality and meeting customer requirements must also be controlled. These can include customer, supplier or industry documents. However, the extent of control is limited to clear identification and controlled distribution. A log or other record would suffice to track external documents.

7. To prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Out-of-date documents or older versions of revised documents must be protected from unintentional use. This usually requires segregation or disposal of obsolete documents. Any obsolete documents that are kept for reference or other purposes must be clearly identified through markings, separate storage areas, or other means.

Controlled documents need to be clearly identified. Hard copy documents need to be stamped. Electronic documents need to be watermarked so that when they are printed, they could be identified that they are controlled documents and a user needs to verify an electronic version prior to use of this document.

Main Objectives

These are some of the main objectives of an organization’s documentation system:

1. Communication of Information

Documentation is viewed as a tool for information transmission and communication.

2. Evidence of conformity

Documentation is viewed as provision of evidence that what was planned, has actually been done.

3. Knowledge sharing

Documentation is used to disseminate and preserve the organization’s experiences. A typical example would be a technical specification, which can be used as a base for design and development of a new product.

Measuring Success

How can you measure the performance of your document control process? Here are some suggested metrics:

User satisfaction – Periodically survey your employees regarding the usability of your documentation. Use the results to improve the format of your documents and training of your authors.

Document errors – Track the number of document revisions due to information mistakes in your documentation. Results will often reveal weaknesses in your review and proofreading processes.

Up-to-date – Count the number of document revisions or audit discrepancies stemming from a document that is out-of-date. This will tell you whether your periodic document reviews or obsolete document provisions are effective.

Cycle time – Measure the time it takes a document to be developed or revised from initial draft to release. Work to improve the efficiency of your document control process as you would any other business process.

Cost – Consider tracking the costs associated with your documentation including developing, revising, storing, retrieving, distributing, filing, auditing, reviewing, approving, etc. Of these potential costs, document retrieval is often an expensive hidden cost generated when individuals must search endlessly for a document because of inadequate indexing, organization, storage or training.

Results of the performance measures of your document control process can help you determine how to drive continual improvements into your entire QMS.

In my next posts I will describe electronic systems that are used for document control.