ISO 9001:2015 and Documented Information
The first thing we heard about ISO 9001:2015 version was no more need for procedures, quality manuals or records. Hurray, hold a bonfire in the parking lot!
Hold the matches. We now have documented information in place of procedures, manuals and records. So is this an “I gotcha” on the part of ISO?
Not necessarily. Jump into the standard at section 7.4 Communication which says “The organization [your company] shall determine the internal and external communications relevant to the quality management system, including:
- a) on what it will communicate;
- b) when to communicate;
- c) with whom to communicate;
- d) how to communicate;
- e) who communicates.
This gives the company the leeway to communicate in manners other than written procedures. For example instead of having a Work Instruction on how to assemble a product or complete a form, the company could have a video employees could reference instead.
Where is Documented Information required?
In the ISO 9001:2008 there are 6 documented procedures. That is all you needed. So what about the 2015 revision?
Thumbing through the standard I found a requirement for documented information as follows:
- 4.3 Determining the scope of the quality management system – “The scope of the organization’s quality management system shall be available and be maintained as documented information”
- 4.4.2 To the extent necessary, the organization shall:
o maintain documented information to support the operation of its process
o retain documented information to have confidence that the processes are being carried out as planned
- 5.2.2 Communicating the quality policy – “The quality policy shall be available and maintained as documented information
- 6.2.1 Quality objectives and planning to achieve them – The organization shall maintain documented information on the quality objectives.
- 220.127.116.11 General [Monitoring and measuring resources] -The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.
- 7.2 Competence d) – Retain appropriate documented information as evidence of competence
- 7.5.1 General [Documented Information] –The organization’s quality management system shall include documented information required by this International Standard and documented information determined by the organization as being necessary for the effectiveness of the quality management system
- 18.104.22.168 [Control of documented information] – Documented information required by the quality management system and by this International Standard shall be controlled…..
- 22.214.171.124 [Control of documented information] – Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.
- 8.1 Operational planning and control e)1) and 2) -The organization shall plan, implement and control the processes needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6 by: determining, maintaining and retaining documented information to the extent necessary to have confidence the processes have been carried out as planned and to demonstrate the conformity of products and services to their requirements
- 126.96.36.199 [Review of the requirements for products and services] – The organization shall retain documented information as applicable on the results of the review and on any new requirements for the products and services.
- 8.3.2 Design and development planning j) – the documented information needed to demonstrate that the design and development requirements have been met.
- 8.3.3 Design and development inputs – The organization shall retain documented information on design and development inputs
- 8.3.4 Design and development controls f) – The organization shall apply controls to the design and development process to ensure that documented information of these activities [a-e] is retained
- 8.3.5 Design and development outputs – The organization shall retain documented information on design and development outputs
- 8.3.6 Design and development changes – The organization shall retain documented information on design and development changes and the results of reviews and the authorization of the changes and the actions taken to prevent adverse impacts
- 8.4.1 General [Control of externally provided processes, products and services] – The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers based on their ability to provide processes or products and services in accordance with the requirement. The organization shall retain documented information of these activities and any necessary actions arising from their evaluations.
- 8.5.1 Control of production and service provision a) – Controlled conditions shall include, as applicable the availability of documented information that defines the characteristics of the products to be produced, the services to be provided, or the activities to be performed and the results to be achieved;
- 8.5.2 Identification and traceability – The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.
- 8.5.3 Property belonging to customers or external providers – When the property of a customer or external provider is lost, damaged, or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.
- 8.5.6 Control of changes – The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.
- 8.6 Release of products and services -The organization shall retain documented information on the release of products and services. The documented information shall include evidence of conformity with the acceptance criteria and traceability to the person (s) authorizing the release.
- 8.7.2 [Control of non-conforming outputs] – The organization shall retain documented information that describes the nonconformity, describes the actions taken, describes and concessions obtained, and identifies the authority deciding the action in respect of the non-conformity.
- 9.1.1 General [Monitoring, measurement, analysis and evaluation] – The organization shall retain appropriate documented information as evidence of the results.
- 9.2.2 [Internal audits] – The organization shall retain documented information as evidence for the implementation of the audit program and the audit results.
- 9.3.3 Management review outputs – The organization shall retain documented information as evidence of the results of management reviews.
- 10.2.2 [Nonconformity and corrective action] – The organization shall retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken and the results of corrective action.
Whew! That was a lot of documented information, about 30 by my count. So what does this mean, do we need 30 procedures now instead of six or zero as some consultants are claiming?
The Clues as to What to do for Documented Information
Retain Documented Information
First look for the word “retain” before documented information. In most cases this was a “record” in the 2008 version and about 2/3 of the referenced documented information requires information be retained.
If you have an ERP system or a design program or a project program or a database program which automatically retains information such as product test results and release authority there is no need for a procedure or manual directing you to save the data, your system does this for you. If there is not an automated system than there must be some way to communicate, “save this stuff this way”. Does it need to be a procedure? No, but a procedure may be the simplest and easiest method of communication.
The Other 1/3
So let’s look at the other 10 or so requirements of documented information.
- Scope of the quality management system (QMS). Hopefully your QMS is part of the company’s strategic planning, if not there are some more basic issues going on which need to be addressed first. So the scope could be part of the strategic plan. It could also be addressed in a risk/opportunity matrix. Or it could simply be part of the company quality manual. Many companies will need to continue to provide a quality manual because it is a customer requirement. Do they need to regurgitate the standard? No. Put in them the information the standard and your customers require. Organize it to make sense to you, your customers, employees, regulators and any other interested party your company has identified.
- The quality policy is documented information. It can be posted throughout the company via electronic message boards or bulletin boards. Ta da! You’ve got it. Of course the company will want to note which bulletin boards have it in case of an update, not all companies have electronic message boards.
- Quality objectives and planning to achieve them should already be in place. An easy way to maintain them is with a project program like Basecamp. However, such a program isn’t necessary. It can simply be part of the management review minutes.
- Information required by the standard and the organization must be controlled. This includes documents of external origin. So if there is data or communications which is vital to your QMS or that the standard tells the company it must have, it needs to exist and be protected against unauthorized changes. What this information is and how it is to be handled must be communicated. So if a video works, great. If a procedure is the answer, great. If the information is a regulation or a statute than a link to the source of the information may be effective.
- Documented information that the design requirements have been met will include specifications and drawings and records of design reviews. Again, this may be done with a specific program or communicated with a procedure.
- Control of externally supplied products and services requires retained documented information about how suppliers are managed, evaluated and controlled. It is important to suppliers to have this information as well as retaining documented information so a system must be in place to control suppliers. A video might do a good job of explaining this or an e-mail or a procedure.
While procedures are no longer required, they may be the easiest and clearest form of communication for the who, what, where, when, why, and how of an activity. It is acceptable to have new and innovative ideas to communicate and retain documented information. So let’s hear your input. If you didn’t have to have a procedure how would you handle documented information?