An ongoing series of Posts: Practical advice on Clause 7.5, Documented Information, of ISO 9001:2015
In general, ISO 9001 is not prescriptive in terms of the extent of documented information required.
This will vary from organization to organization depending on the size and complexity of the operations and processes; customer, statutory and regulatory requirements; and the competence of the persons involved. It is for the organization to decide what is needed.
Unlike the 2008 version, there are no requirements for:
- A Quality Manual,
- Mandatory procedures, or
- Management representative.
So, what documentation is required and who’s responsible for maintaining it? Again, it is for the organization to decide what is needed.
Before we discuss specific DOs and DON’Ts, we need to first consider the requirements in the 2015 Standard regarding documentation. The words ‘procedure’ and ‘record’ are nowhere to be found in the Standard, and this is in sharp contrast to the 2008 version.
Instead, the Standard refers to “maintain documented information”. This means ensuring that information is kept up-to-date, e.g. the information contained in documented procedures, manuals, forms and checklists, information that could be stored in the cloud and downloaded to a smartphone or other electronic device, and other documented information (such as the quality policy and quality objectives).
It also refers to “retain documented information”. This means ensuring that information that is used to provide evidence about whether a requirement has been fulfilled is protected against any deterioration or unauthorized change (that should not occur, unless an agreed correction has to be made). So, you can broadly interpret:
“maintain documented information” equals documents other than records.
“retain documented information” equals records.
Under DOs and DON’Ts, we’ll consider what has evolved as best practice since the Standard was published in 2015.
- And in each case records are likely required, as is a template for them.
- Do establish the format for all documented information. A different template (standard headings and layout) for each tier of the document is best. For example, you might have different templates for:
  - Policy (e.g. quality manual)
  - Operating Procedures (e.g. purchase order processing)
  - Test Methods (e.g. analysis of metal content)
  - Work Instructions (e.g. weekly maintenance routines)
- Do ensure that all documented information includes an identification and description. There are many methods for this, such as defining a title, date, author, or reference number (or a combination of two or more of these methods) that an organization can use to determine the information and its status. External auditors prefer to see 1) reference number, 2) issue date, and 3) approver/authoriser identity – all three!
- Do stick with the tried-and-proven model for documentation. Define your documentation in terms of manuals, procedures and records. While the Standard permits otherwise, we’re not aware of a single organization that does otherwise.
- When creating and updating documented information, do ensure that appropriate identification, format and media are used, and that the document is reviewed and approved.
- Do ensure that documented information is available in a suitable medium whenever needed, and that it is adequately protected. Having decided on what documented information is needed for the quality management system, the organization should ensure it is available for all relevant areas, departments, process owners etc.
- Do consider what documented information to provide to relevant external interested parties when products and services are sourced externally. You should consider the level of control needed to ensure documented information is suitably controlled, considering the media it is in.
- Do consider a soft-copy system for document control, i.e. for all documents including records. A simple system based on three folders works well. You might choose:
  - Development (for new documents or those under review/change. Access strictly limited),
  - Active (for all live documents. Available to all on a need-to-know basis),
  - Archive (for obsolete documents. Access strictly limited).
- Do have a formal procedure for document approval. It is not necessary for the authorisation to be evidenced with a hand-written or digital signature. Provided the action is formally documented, the removal of a document from a ‘Development’ folder to an ‘Active’ folder will suffice.
- Do consider SharePoint for worry-free document control. Because of the automatic version control, the endless configuration possibilities, the superior encryption and security features, synchronisation (automatically and in the background) with local copies (permitting off-line working), we prefer and recommend SharePoint.
- Do have the necessary controls in place, as part of the system for documented information and communication, that protect against loss, improper use or unintended change. This can be done in many ways, including electronic systems with read-only access and specified permissions in order to access different levels, password protection or identification (ID) entry.
- The level of control can vary depending on where the documented information is to be made available (e.g. increased restrictions for external parties). Information security issues (e.g. protection of intellectual property) and data backup (e.g. multiple encrypted copies to protect against catastrophic data loss, especially loss of records) must also be taken into consideration.
- Do ensure that you have procedures for the control of documented information that address:
  - retrieval and use,
  - storage and preservation,
  - control of changes,
  - retention and disposition.
- This also applies to documented information of external origin (e.g. engineering drawings) where they are determined by the organization to be necessary for the planning and operation of the quality management system.
- Do ensure that when records are retained as evidence of conformity, they are protected from unintended alterations. You should allow only controlled access to such information, e.g. authorized access for relevant persons working on behalf of the organization or restricted electronic access such as “read-only”, as appropriate.
- Don’t use a hard-copy documentation system. If this is what your organization has currently, the implementation of an ISO 9001 quality system provides an ideal opportunity to switch to a soft-copy system. Yes, we mean a paperless system where hard copies are printed only when essential, for example:
  - External party asks for a hard copy, or
  - A hard copy is needed for training purposes, or
  - A hard copy is needed at a machine to facilitate its set-up or maintenance activity.
- Don’t use a ‘blended’ documentation system. Often chosen as a ‘halfway house’ between a paper-based and a computerised system, this compromise (usually to placate some Neanderthal) is a nightmare to control.
- Don’t omit footer information to identify controlled documents when printed. A typical statement might read:
‘Uncontrolled Copy – Valid only on date printed – printed XX-XXX-XX’
- Don’t waste time and effort maintaining signed master-copies of controlled documents when, in fact, it is the electronic version on your server that is the true master-copy. You can use digital signatures if your organization places a high priority on such status indicators or you can use location (see above).
External auditors place great emphasis on documents and records during audits. This is because they know historically that this is the area where most non-compliances are evident. So, in ISO 9001 implementation take the issue of your QMS documentation seriously and follow the advice given above. You may save yourself a lot of difficulty - even embarrassment.
Note: First published June 2018; revised and updated September 2021.