The ISO 9001 quality standard has a number of documentation requirements and specifically calls out 4.2.3 Control of Documents and 4.2.4 Control of Records. The dictionary may have similar definitions for the terms document and record, but within ISO 9001:2008 and quality, they have their own meaning. To understand the difference, first let’s clarify the difference between documents and records.
Documents and records may sound alike but there is a big difference between the two. Documents are created by planning what needs to be done and records are created when something is done. Documents can change and records don’t (must not) change.
Document: Information used to support an effective and efficient organizational operation.
A document consists of any information you use to run your company. Documents originate in the planning phase of the Plan, Do, Check, Act, cycle of the process approach.
Since documents are planning material, they are subject to change (under the Act phase) as we obtain more information (Do phase) and compare those informational or data records (Check phase) to our original plan. Common examples of (QMS) quality management system documents include:
The ISO Standard requires a few documents: Quality policy, Quality objectives, Quality Manual, and a minimum of six procedures. The required ISO procedures are:
1) 4.2.3 Document Control
2) 4.2.4 Record Control
3) 8.2.2 Internal Audit
4) 8.3 Nonconforming Product Control
5) 8.5.2 Corrective Action
6) 8.5.3 Preventive Action
Record: Evidence about a past event.
A record is generated in the “do” phase of PDCA. Records consist of any data you collect during the operation of your business QMS. Records are facts and should not change. If new facts arise that contradict the old facts (an error), then you should strike through the old fact and record the new fact.
The ISO Standard requires 21 records with most (14) coming from clause 7 product realization. What are these 21 records?
1) 5.6.1 Records from management reviews (minutes, results, actions).
2) 6.2.2 (e) Education, training, skills and experience records/files.
3) 7.1 (d) Evidence that the realization processes and resulting product fulfill requirements.
4) 7.2.2 Results of the review of requirements relating to the product and actions arising from the review.
5) 7.3.2 Design and development inputs.
6) 7.3.4 Results of design and development reviews and any necessary actions.
7) 7.3.5 Results of design and development verification and any necessary actions.
8) 7.3.6 Results of design and development validation and any necessary actions.
9) 7.3.7 Results of the review of design and development changes and any necessary actions.
10) 7.4.1 Results of supplier evaluations and actions arising from evaluations.
11) 7.5.2 (d) As required by the company to demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement.
12) 7.5.3 The unique identification of the product, where traceability is a requirement.
13) 7.5.4 Customer property that is lost, damaged or otherwise found to be unsuitable for use.
14) 7.6 (a) Standards used for calibration or verification of measuring equipment where no international or national measurement standards exist.
15) 7.6 Validity of previous results when measuring equipment is found not to conform with its requirements.
16) 7.6 Results of calibration and verification of measuring equipment.
17) 8.2.2 Internal audit results.
18) 8.2.4 Evidence of product conformity with the acceptance criteria and indication of the authority responsible for the release of the product.
19) 8.3 Nature of the product nonconformities and any subsequent actions taken, including concessions obtained.
20) 8.5.2 Results of corrective actions.
21) 8.5.3 Results of preventive actions.
Now, with a better understanding of what documents and records are, we can look closer at what is required for control of documents (4.2.3) and records (4.2.4). Both ISO clauses require that documents and records are controlled, but what does that mean?
Documents are created as a part of your organizations planning. Therefore, ISO requires that these planning documents are approved prior to use to ensure they are adequate (appropriate). Documents need to be reviewed and updated to ensure the content is accurate. If changes are made to plans then it is imperative that the changes are identified and communicated to anyone that uses those planning documents.
Users need legible, up-to-date, and readily available documents to do their job. The bottom line, documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. That is what ISO wants from the control of your documents.
Records are not the plan. Records are created by plans. Records are data, but data is not information. Data must be converted into information through the use of charting or trend analysis. So the requirements for records are different. Records need to be identifiable (labeled), stored, protected (uncorrupted), retrievable (you need to use the data), retained (backed-up), but disposed of when obsolete.
Documents are created by planning what needs to be done and records are created when something is done. Documents can change and records don’t change. Documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. Records need to be identifiable, stored, protected, retrievable, retained, but disposed of when obsolete. That is what ISO means by control of documents and control of records.
Download a free sample policy and procedure example from the ISO 9001 Manual now.