An ongoing series of Posts: Practical advice on ISO 9001:2015 Clause 7.5, Documented Information.
NOTE: The advice given here also applies to ISO 14001, ISO 27001, ISO 45001 and other standards having the same HLS structure as ISO 9001.
Table of Contents
- ISO 9001:2015 Clause 7.5, Documented Information.
- What ISO 9001 Says About Documenting Information
- How to Comply with ISO 9001 Documentation Requirements
- DO's
- Do establish the format for all documented information.
- Do ensure that all documented information includes an identification and description.
- Do stick with the tried-and-proven model for documentation.
- Do ensure that appropriate identification, format, and media are used and that the document is reviewed and approved when creating and updating documented information.
- Do ensure that documented information is available in a suitable medium whenever needed and that it is adequately protected.
- Do consider what documented information to provide to relevant external interested parties when products and services are sourced externally.
- Do consider a soft-copy system for document control, i.e., for all documents, including records.
- Do have a formal procedure for document approval. It is not necessary for the authorization to be evidenced with a hand-written or digital signature.
- Do consider SharePoint for worry-free document control.
- Do have the necessary controls in place, as part of the system for documenting information and communication, that protect against loss, improper use, or unintended change.
- Do ensure that you have procedures for the control of documented information.
- Do ensure that when records are retained as evidence of conformity, they are protected from unintended alterations.
- DON’Ts
ISO 9001:2015 Clause 7.5, Documented Information
In general, ISO 9001 is not prescriptive in terms of the extent of documented information required.
This will vary from organization to organization depending on the size and complexity of the operations and processes, customer, statutory, and regulatory requirements, and the competence of the persons involved. It is for the organization to decide what is needed.
Unlike the ISO 9001:2008 version, there are no requirements in ISO 9001:2015 for:
- A Quality Manual,
- Mandatory procedures, or
- Management representative.
So, what documentation is required, and who’s responsible for maintaining it? Again, it is for the organization to decide what is needed.
What ISO 9001 Says About Documenting Information
Before we discuss specific DOs and DON’Ts, we need to first consider the requirements in the 2015 Standard regarding documentation. The words ‘procedure’ and ‘record’ are nowhere to be found in the Standard, and this is in sharp contrast to the 2008 version.
Instead, the Standard refers to “maintain documented information.” This means ensuring that information is kept up-to-date, e.g., the information contained in documented procedures, manuals, forms, and checklists, information that could be stored in the cloud and downloaded to a smartphone or other electronic device, and other documented information (such as the quality policy and quality objectives).
It also refers to “retain documented information.” This means ensuring that information used as evidence that a requirement has been fulfilled is protected against deterioration or unauthorized change (which should not occur unless an agreed correction has to be made). So, you can broadly interpret:
“maintain documented information” equals documents other than records.
“retain documented information” equals records.
How to Comply with ISO 9001 Documentation Requirements
Grouped as a list of DO's and DON’Ts, we’ll consider what has evolved as best practices in ISO 9001 documentation since the Standard was published in 2015. In each case, records are likely required, as is a template for them.
DO's
- Do establish the format for all documented information. A different template (standard headings and layout) for each tier of the document is best. For example, you might have different templates for:
  - Policy (e.g., quality manual)
  - Operating Procedures (e.g., purchase order processing)
  - Test Methods (e.g., analysis of metal content)
  - Work Instructions (e.g., weekly maintenance routines)
- Do ensure that all documented information includes an identification and description. There are many methods for this, such as defining a title, date, author, or reference number (or a combination of two or more of these methods) that an organization can use to determine the information and its status. External auditors prefer to see 1) reference number, 2) issue date, and 3) approver/authorizer identity – all three!
- Do stick with the tried-and-proven model for documentation. Define your documentation in terms of manuals, procedures, and records. While the Standard permits otherwise, we're not aware of a single organization that does otherwise.
- Do ensure that appropriate identification, format, and media are used, and that the document is reviewed and approved when creating and updating documented information.
- Do ensure that documented information is available in a suitable medium whenever needed and that it is adequately protected. Having decided on what documented information is needed for the quality management system, the organization should ensure it is available for all relevant areas, departments, process owners, etc.
- Do consider what documented information to provide to relevant external interested parties when products and services are sourced externally. You should consider the level of control needed to ensure documented information is suitably controlled, considering the media it is in.
Control includes availability, distribution, and protection, for example, from loss of data or confidentiality, improper use, and unintended changes. The organization should ensure the necessary controls are in place as part of the system for documented information and communication and that it is protected from such loss, improper use, or unintended change.
- Do consider a soft-copy system for document control, i.e., for all documents, including records. A simple system based on three folders works well. You might choose:
  - Development (for new documents or those under review/change. Access strictly limited),
  - Active (for all live documents. Available to all on a need-to-know basis),
  - Archive (for obsolete documents. Access is strictly limited).
- Do have a formal procedure for document approval. It is not necessary for the authorization to be evidenced with a hand-written or digital signature. Provided the action is formally documented, moving a document from a ‘Development’ folder to an ‘Active’ folder will suffice.
- Do consider SharePoint for worry-free document control. Because of the automatic version control, the endless configuration possibilities, the superior encryption and security features, and synchronization (automatically and in the background) with local copies (permitting offline working), we prefer and recommend SharePoint.
- Do have the necessary controls in place, as part of the system for documenting information and communication, that protect against loss, improper use, or unintended change. This can be done in many ways, including electronic systems with read-only access and specified permissions for access to different levels, password protection, or identification (ID) entries.
The level of control can vary depending on where the documented information is to be made available (e.g. increased restrictions for external parties). Information security issues (e.g., protection of intellectual property) and data backup (e.g., multiple encrypted copies to protect against catastrophic data loss, especially loss of records) must also be taken into consideration.
- Do ensure that you have procedures for the control of documented information that address:
  - distribution,
  - access,
  - retrieval and use,
  - storage and preservation,
  - control of changes,
  - retention and disposition.
This also applies to documented information of external origin (e.g., engineering drawings) where they are determined by the organization to be necessary for the planning and operation of the quality management system.
- Do ensure that when records are retained as evidence of conformity, they are protected from unintended alterations. You should allow only controlled access to such information, e.g., authorized access for relevant persons working on behalf of the organization or restricted electronic access such as “read-only”, as appropriate.
DON’Ts
- Don’t use a hard-copy documentation system. If this is what your organization has currently, the implementation of an ISO 9001 quality system provides an ideal opportunity to switch to a soft-copy system. Yes, we mean a paperless system where hard copies are printed only when essential, for example:
  - External party asks for a hard copy, or
  - A hard copy is needed for training purposes, or
  - A hard copy is needed at a machine to facilitate its set-up or maintenance activity.
- Don’t use a ‘blended’ documentation system. Often chosen as a ‘halfway house’ between a paper-based and a computerized system, this compromise (usually to placate some Neanderthal) is a nightmare to control.
- Don’t omit footer information to identify controlled documents when printed. A typical statement might read:
  - ‘Uncontrolled Copy – Valid only on date printed – printed XX-XXX-XX’
- Don’t waste time and effort maintaining signed master copies of controlled documents when, in fact, it is the electronic version on your server that is the true master copy. You can use digital signatures if your organization places a high priority on such status indicators, or you can use location (see above).
Conclusion
External auditors place great emphasis on documents and records during audits. This is because they know historically that this is the area where most non-compliances are evident. So, in ISO 9001 implementation, take the issue of your QMS documentation seriously and follow the advice given above. You may save yourself a lot of difficulty - even embarrassment.