Procedures and ISO 9001:2015
Previous versions of ISO 9001 used terminology such as “document” or “documented procedures”, “quality manual” or “quality plan”. As part of the alignment of the latest standard with other management standards, ISO 9001:2015 has brought these together under a common clause of “documented information”. This term also includes what was previously referred to as records i.e. documents needed to provide evidence of conformity with requirements.
In relation to procedures the latest standard is now less prescriptive e.g. there is no longer a requirement for the six mandatory procedures that was in the 2008 standard.
Does this mean there is no longer a requirement in ISO 9001:2015 for any procedures? No, the requirement is still there however it is now less prescriptive and it is linked to another new element in the standard – risk.
The majority of references to “documented information” in the 2015 standard are phrased in a way that:
a) Requires something to be in writing e.g. Quality Policy or
b) Requires a record of the evidence that something has been done to be documented.
However there is one section of one specific clause that would be interpreted as a requirement for procedures. This is clause 7.5.1 (b) which states - the organization’s quality management system shall include documented information determined by the organization as being necessary for the effectiveness of the quality management system.
The important parts of this clause are:
a) “necessary for the effectiveness of the quality management system” – a way of ensuring system works e.g. through procedures
b) “determined by the organization” – this is stating that it is the organization’s decision on whether or not there is a procedure established for a specific process
As with any situation that requires a decision there should be clear criteria for making that decision.
One criteria used by an organization regarding whether or not to have a procedure could be that if a process goes out of control the consequence could be serious e.g. defective product going into the market place.
This requires the organization to apply risk based thinking to the planning and implementation of its quality management system processes to determine the extent of documented information, in the form of procedures that it will generate to ensure control.
So the conclusion is that procedures are still a requirement of ISO 9001 however the extent of these should be determined by the organisation based on the level of risk.