1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

ISO 9001: 2008 auditing issues

Discussion in 'ISO 9001:2008 - Quality Management Systems' started by Sysysy, Jun 8, 2016.

  1. Sysysy

    Sysysy New Member

    Joined:
    Jun 8, 2016
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    I conducted ISO 9001: 2008 internal audit for my company previously and there is a finding on retention period issue for a quality record. The document owner (from IT dept) refused to include the retention period of the record as the task is done annually once. When the task is carried out, a record will be added in the form. There are 15+ lines in the form which means that it can last for the next 10 over years (1 year 1 record). In this matter, it is quite difficult for the owner to indicate a figure for the retention period, can I have your advice on this matter? Thanks!
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Of what relevance has the record to product quality or the QMS? You might want to revisit why you need this record...
     
  3. Sysysy

    Sysysy New Member

    Joined:
    Jun 8, 2016
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    It is for one of our system validation procedure. This system is an important system used to store all our production data. Once IT guys done the yearly validation, they need to sign off the validation form (one year one record).
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Just to clarify, is the retention period intended for the form that is designed to last for more than 10 years or the records that are logged into the form?

    Although ISO 9001:2008 mentioned retention, this doesn't necessarily mean that there must be a definite time limit that must be set for all records. Retention of records will depend on the need of the process owner or the organization concerning their records. They may opt to declare a retention period of "n/a", "as long as the company exists", "as long as the worker is employed", etc.
     
    Andy Nichols likes this.
  5. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    My organization was actually given a finding for indicating a record retention of "n/a". We decided to flip the idea of retention around and rather than always indicate a maximum amount of time, we recognized that some records (such as those from I.T.) were best handled by indicating a minimum amount of time. For Sysysy, we would have said "minimum one year (or whatever is appropriate) from last validation date". So, with 15 lines, you could be looking at a record being maintained for 16 years (if the validation is done annually).

    If this is a hard-copy form, consider developing an electronic form or method to indicate that the validation was completed by the authorized/appropriate personnel and the results of the validation.
     
    Ganesh Sundaresan likes this.
  6. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    This may no longer valid, eventually, since the 2015 version in clause 7.5.3.2 specifies:
    "For the control of documented information, the organization shall address the following activities, as applicable:
    a) distribution, access, retrieval and use;
    b) storage and preservation, including preservation of legibility;
    c) control of changes (e.g. version control);
    d) retention and disposition."
     
  7. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    The Auditor might find it "applicable" for a certain information though.
     
  8. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Since the ISO 9001 standard is littered with subjective phrases such as "where applicable", "as applicable", "as necessary", and "as appropriate", it's left to the organization to determine and decide "applicability", "necessity" and "appropriateness" and NOT by the auditor.

    Before clause 7.5.3.2 it is clearly stated in 7.5.1 that:
    The organization’s quality management system shall include:
    a) documented information required by this International Standard;
    b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.

    An auditor would find him/herself "out of line" if he/she determines for the organization what is applicable or not.
     
    Emzeeem, MCW8888 and Andy Nichols like this.
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Well said, Tony!
     
  10. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    An Auditor is duty-bound to verify the Client Organization's ability to judge the "applicability" factor, I thought. That's what he's paid for at least.
     
  11. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Since auditors need to evaluate objectively, they cannot just impose to any organization what the auditor's consider "applicable or not applicable" to the organization. If an auditor find him/herself in a situation where an organization's claim of "non-applicability" is difficult to accept based on his/her knowledge and experience, the auditor should ask first him/herself: “Would the absence of the “as necessary, as applicable or as appropriate” put the organization at risk of not meeting the organization's customer or applicable statutory and regulatory requirements?”
    [​IMG]A “YES” answer supported with objective evidence will establish the “applicability”, “necessity” and “appropriateness”.
     
  12. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    Am in complete agreement there. That's perhaps one reason why I used "might" in my earlier statement. Just a possibility.