The ISO 9001 2015 standard has a number of document requirements and specifically calls out 7.5.3 Control of Documented information. To understand what documents or a records are required (the new standard does not make a distinction) first let’s clarify what are documents and records.
The dictionary may have similar definitions for the terms document and record, but within ISO 9001:2015 and quality, they have their own meaning. Documents and records may sound alike but there is a distinction between the two. Documents are created by planning what needs to be done and records are created when something is done. Documents can change and records don’t (must not) change.
Document: Information used to support an effective and efficient organizational operation.
A document consists of any information you use to run your company. Documents originate in the planning phase of the Plan, Do, Check, Act, cycle of the process approach.
Since documents are planning material, they are subject to change (under the Act phase) as we obtain more information (Do phase) and compare those informational or data records (Check phase) to our original plan. Common examples of (QMS) quality management system documents include:
* as needed, to support the operation of processes
The old ISO Standard (9001:2008) required a few documents: Quality policy, Quality objectives, Quality Manual, and a minimum of six procedures. The new ISO Standard (9001:2015) only requires a Quality policy, Quality objectives, and a Scope, plus documents needed to support the system. These support documents are up to the discretion of the company.
1) 4.2.3 Document Control
2) 4.2.4 Record Control
3) 8.2.2 Internal Audit
4) 8.3 Nonconforming Product Control
5) 8.5.2 Corrective Action
6) 8.5.3 Preventive Action
Procedures and a Quality Manual are no longer required by the new ISO 9001:2015, but your company can use them if you decide you want to keep them. Your company mat not be using these documents because of an experienced workforce, a great training program, or a lean visual management discipline. If that is the case, then feel free to remove them from your Quality Management System (QMS).
Record: Evidence about a past event.
A record is generated in the “do” phase of PDCA. Records consist of any data you collect during the operation of your business QMS. Records are facts and should not change. If new facts arise that contradict the old facts (an error), then you should strike through the old fact and record the new fact.
The ISO Standard requires 21 records with most (14) coming from clause 8 Operation. What are these 21 records?
Note there are two new records in bold (8.5.6 and 9.1.1), while some other records have been combined.
Now, with a better understanding of what documents and records are, we can look closer at what is required for control of documented information. The ISO clause 7.5.3 requires that documented information (documents and records) are controlled, but what does that mean?
Some documented information are not plans, but are created through the execution of plans and are considered data. Data is just that, data is not information. Plans create Data, which must be Checked before one Acts (PDCA). Data must be checked or converted into information through the use of charting or trend analysis. So the requirements for documented information data (records) are different because it needs to be identifiable (labeled), stored, protected (uncorrupted), retrievable (you need to use the data), retained (backed-up), but disposed of when obsolete.
Some documented information is created as a part of your organizational (quality) planning. Therefore, ISO requires that these planning artifacts are approved prior to use to ensure they are adequate (appropriate). Documented information needs to be reviewed and updated to ensure the content is accurate. If changes are made to plans then it is imperative that the changes are identified and communicated to anyone that uses those planning artifacts.
Users need legible, up-to-date, and readily available documented information to do their job. The bottom line, documented information needs to be reviewed, approved, legible, up-to-date, communicated, and readily available. That is what ISO 9001:2015 means by control of your documented information, including documented information of external origin.
Documented information is created by planning what needs to be done and data is created when something is done. Some documented information can change (plans) and some documented information doesn’t change (data).
Some documented information (plans) needs to be reviewed, approved, legible, up-to-date, communicated, and readily available. Whereas, some documented information (data) needs to be identifiable, stored, protected, retrievable, retained, but disposed of when obsolete. That is what ISO means by control of documented information.