The ISO 9001 2015 standard has a number of document requirements and specifically calls out 7.5.3 Control of Documented information. To understand what documents or a records are required (the new standard does not make a distinction) first let’s clarify what are documents and records.
What is Documented Information?
The dictionary may have similar definitions for the terms document and record, but within ISO 9001:2015 and quality, they have their own meaning. Documents and records may sound alike but there is a distinction between the two. Documents are created by planning what needs to be done and records are created when something is done. Documents can change and records don’t (must not) change.
Document: Information used to support an effective and efficient organizational operation.
A document consists of any information you use to run your company. Documents originate in the planning phase of the Plan, Do, Check, Act, cycle of the process approach.
Since documents are planning material, they are subject to change (under the Act phase) as we obtain more information (Do phase) and compare those informational or data records (Check phase) to our original plan. Common examples of (QMS) quality management system documents include:
- 5.2.2 Quality Policy (Required)
- 6.2.1 Quality Objectives (Required)
- Quality Manual (No Longer Required)
- 5.3 Organization Chart *
- 4.1 / 4.2 Business plans *
- 4.2 Scope (Required, replaces Quality Manual)
- 4.4.1 Process Maps *
- 8.2 Customer Requirements
- 8.4.3 Approved Supplier List *
- 8.4.3 Purchasing Criteria
- 8.5.1 Control Plans (i.e. Advanced product quality planning or APQP) *
- 8.5.1 Procedures and Work Instructions *
- 9.2.2 Internal Audit Schedule
* as needed, to support the operation of processes
Procedure Documents No Longer Required by ISO 9001:2015
The old ISO Standard (9001:2008) required a few documents: Quality policy, Quality objectives, Quality Manual, and a minimum of six procedures. The new ISO Standard (9001:2015) only requires a Quality policy, Quality objectives, and a Scope, plus documents needed to support the system. These support documents are up to the discretion of the company.
What were the Documented Procedures Required by ISO 9001:2008?
Clause 4 Documents (2 procedures)
1) 4.2.3 Document Control
2) 4.2.4 Record Control
Clause 8 CAPA (4 procedures)
3) 8.2.2 Internal Audit
4) 8.3 Nonconforming Product Control
5) 8.5.2 Corrective Action
6) 8.5.3 Preventive Action
Procedures and a Quality Manual are no longer required by the new ISO 9001:2015, but your company can use them if you decide you want to keep them. Your company mat not be using these documents because of an experienced workforce, a great training program, or a lean visual management discipline. If that is the case, then feel free to remove them from your Quality Management System (QMS).
Record: Evidence about a past event.
A record is generated in the “do” phase of PDCA. Records consist of any data you collect during the operation of your business QMS. Records are facts and should not change. If new facts arise that contradict the old facts (an error), then you should strike through the old fact and record the new fact.
There are 21 required records within ISO 9001:2015
The ISO Standard requires 21 records with most (14) coming from clause 8 Operation. What are these 21 records?
Note there are two new records in bold (8.5.6 and 9.1.1), while some other records have been combined.
Clause 7 Support (3 records)
- 18.104.22.168 Evidence of fitness for purpose of monitoring and measurement resources (similar to old 7.6)
- 22.214.171.124 Basis used for calibration or verification, where measurement traceability is a requirement and standards don’t exist (similar to old 7.6)
- 7.2 Evidence of competence (similar to old 6.2.2)
Clause 8 Operation (14 records)
- 8.1 confidence that the processes have been carried out as planned and to demonstrate conformity of
products and services to requirements (similar to 7.1.d)
- 126.96.36.199 Results of the review of requirements related to products and services (similar to old 7.2.2)
- 8.3.2 Confirm that design and development requirements have been met (similar to old 7.3.1)
- 8.3.3 Design and development Inputs (similar to old 7.3.2)
- 8.3.4 Design and development controls (similar to old 7.3.4, 7.3.5, 7.3.6)
- 8.3.5 Design and development process outputs (similar to old 7.3.3)
- 8.3.6 Design and development changes (same as to old 7.3.7)
- 8.4.1 Results of external provider evaluations, performance, and re-evaluations (same as old 7.4.1)
- 8.5.1 Characteristics of the products and services, Activities to be performed and the results to be achieved (similar as old 7.5.1)
- 8.5.2 Unique identification of process outputs, where traceability is a requirement (same as to old 7.5.3)
- 8.5.3 Customer property damage notice (same as to old 7.5.4)
- 8.5.6 Results of the review of production changes, the personnel authorizing the change, and any necessary actions (new)
- 8.6 person(s) authorizing release of products and services for delivery (same as to old 8.2.4)
- 8.7.2 Actions taken on nonconforming process outputs, products and services, including concessions obtained and the person or authority that made the decision dealing with the nonconformity (same as old 8.3)
Clause 9 Performance Evaluation (3 records)
- 9.1.1 Evidence of results that ensure monitoring and measurement activities are implemented in accordance with the determined requirements (new)
- 9.2.2 Evidence of the audit program and audit results (similar to old 8.2.2)
- 9.3.3 Evidence of the results of management reviews (same as old 5.6.1)
Clause 10 Improvement (1 record)
- 10.2.2 Nonconformities, subsequent actions taken, and results of corrective action (same as old 8.5.2)
Different Types of Documented Information
Now, with a better understanding of what documents and records are, we can look closer at what is required for control of documented information. The ISO clause 7.5.3 requires that documented information (documents and records) are controlled, but what does that mean?
Some documented information are not plans, but are created through the execution of plans and are considered data. Data is just that, data is not information. Plans create Data, which must be Checked before one Acts (PDCA). Data must be checked or converted into information through the use of charting or trend analysis. So the requirements for documented information data (records) are different because it needs to be identifiable (labeled), stored, protected (uncorrupted), retrievable (you need to use the data), retained (backed-up), but disposed of when obsolete.
ISO 188.8.131.52 Control of Documented Information
Some documented information is created as a part of your organizational (quality) planning. Therefore, ISO requires that these planning artifacts are approved prior to use to ensure they are adequate (appropriate). Documented information needs to be reviewed and updated to ensure the content is accurate. If changes are made to plans then it is imperative that the changes are identified and communicated to anyone that uses those planning artifacts.
Users need legible, up-to-date, and readily available documented information to do their job. The bottom line, documented information needs to be reviewed, approved, legible, up-to-date, communicated, and readily available. That is what ISO 9001:2015 means by control of your documented information, including documented information of external origin.
Documented Information Explained
Documented information is created by planning what needs to be done and data is created when something is done. Some documented information can change (plans) and some documented information doesn’t change (data).
Some documented information (plans) needs to be reviewed, approved, legible, up-to-date, communicated, and readily available. Whereas, some documented information (data) needs to be identifiable, stored, protected, retrievable, retained, but disposed of when obsolete. That is what ISO means by control of documented information.