The ISO 9001:2015 quality standard has a number of documentation requirements and specifically calls out 7.5 Documented information, which replaces 4.2.3 Control of Documents and 4.2.4 Control of Records in the previous ISO 9001:2008. To understand the difference, first let’s clarify the difference between documents and records.
Difference Between a Document and a Record
Documents and records may sound alike but there is a big difference between the two. Documents are created by planning what needs to be done, and records are created when something is done and record the event. Documents can be revised and change, whereas records don’t (must not) change.
Document: Information used to support an effective and efficient organizational operation.
A document consists of any information you use to run your company. Documents originate in the planning phase of the Plan, Do, Check, Act cycle of the process approach.
Since documents are planning material, they are subject to change (under the Act phase) as we obtain more information (Do phase) and compare those informational or data records (Check phase) to our original plan. Common examples of quality management system (QMS) documents include:
- Quality Policy (Required)
- Quality Objectives (Required)
- Quality Manual (Required)
- Organization Chart
- Process Maps
- Business plans
- Control Plans (i.e. Advanced product quality planning or APQP)
- Internal Audit Schedule
- Procedures and Work Instructions (Six Required)
- Approved Supplier List
- Purchasing Criteria
- Customer Requirements
Required ISO 9001:2015 Documents
The ISO Standard requires a few documents: Quality policy, Scope, Process support, and Quality objectives. The latest standard no longer requires a Quality Manual or the minimum of six procedures; these are now optional.
The required (now optional) ISO procedures were:
Clause 4 Documents (2 old procedures)
1) 4.2.3 Document Control (now part of 7.5)
2) 4.2.4 Record Control (now part of 7.5)
Clause 8 CAPA (4 old procedures)
3) 8.2.2 Internal Audit (required activity under 9.2)
4) 8.3 Nonconforming Product Control (required activity under 8.7)
5) 8.5.2 Corrective Action (required activity under 10.2)
6) 8.5.3 Preventive Action (required activity under 6.1 renamed “risk”)
Record: Evidence about a past event.
A record is generated in the “do” phase of PDCA. Records consist of any data you collect during the operation of your business QMS. Records are facts and should not change. If new facts arise that contradict the old facts (an error), then you should strike through the old fact and record the new fact.
There are 21 required records within ISO 9001:2015
The ISO Standard requires 21 records, with most (14) coming from clause 8 product realization. Two records have been merged into other clauses: 7.6 Validity of results investigation is now a part of 8.3.4 design controls, and 8.5.3 Results of preventive actions is now part of 6.1.
What are the 21 records now?
Clause 7 Resources (3 records)
1) 7.1.5.1 Evidence of fitness for purpose of monitoring and measurement resources. (similar to old 7.6)
2) 7.1.5.2 Basis used for calibration or verification, where measurement traceability is a requirement and standards don’t exist. (similar to old 7.6)
3) 7.2 Evidence of competence (similar to old 6.2.2)
Clause 8 Product Realization (14 records)
1) 8.1 Confidence that the processes have been carried out as planned and to demonstrate conformity of products and services to requirements. (similar to old 7.1d)
2) 8.2.3.2 Results of the review of requirements related to products and services. (similar to old 7.2.2)
3) 8.3.2 Confirm that design and development requirements have been met. (similar to old 7.3.1)
4) 8.3.3 Design and development Inputs (similar to old 7.3.2)
5) 8.3.4 Design and development controls (similar to old 7.3.5, 7.3.6)
6) 8.3.5 Design and development process outputs. (similar to old 7.3.3)
7) 8.3.6 Design and development changes. (same as old 7.3.7)
8) 8.4.1 Results of external provider evaluations, performance, and re-evaluations. (same as old 7.4.1)
9) 8.5.1 Characteristics of the products and services, activities to be performed and the results to be achieved. (similar to old 7.5.1)
10) 8.5.2 Unique identification of process outputs, where traceability is a requirement. (same as old 7.5.3)
11) 8.5.3 Customer property damage notice. (same as old 7.5.4)
12) 8.5.6 Results of the review of production changes, the personnel authorizing the change, and any necessary actions. (NEW)
13) 8.6 Person(s) authorizing release of products and services for delivery. (same as old 8.2.4)
14) 8.7.2 Actions taken on nonconforming process outputs, products and services, including concessions obtained and the person or authority that made the decision dealing with the nonconformity. (same as old 8.3)
Clause 9 Management Responsibility (3 records)
1) 9.1.1 Evidence of results that ensure monitoring and measurement activities are implemented in accordance with the determined requirements. (NEW)
2) 9.2.2 Evidence of the audit program and audit results. (same as old 8.2.2)
3) 9.3.3 Evidence of the results of management reviews. (same as old 5.6.3)
Clause 10 Management Responsibility (1 record)
1) 10.2.2 Nonconformities, subsequent actions taken, and results of corrective action. (similar to old 8.5.2)
Difference Between Document Control and Record Control
Now, with a better understanding of what documents and records are, we can look closer at what is required for documented information. The ISO clause requires that documented information be controlled, but what does that mean?
ISO 7.5.2 Creating and Updating
Documents are created as a part of your organization’s planning. Therefore, ISO requires that these planning documents are approved prior to use to ensure they are adequate (appropriate). Documents need to be reviewed and updated to ensure the content is accurate. If changes are made to plans, then it is imperative that the changes are identified and communicated to anyone who uses those planning documents.
Users need legible, up-to-date, and readily available documents to do their job. The bottom line: documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. That is what ISO wants from the control of your documents.
ISO 7.5.3 Control of Information
Records are not the plan, records are created by plans. Records are data collected by operating the quality management system, but data is not information. Data must be converted into information through the use of charting or trend analysis. So the requirements for records are different. Records need to be identifiable (labeled), stored, protected (uncorrupted), retrievable (you need to use the data), retained (backed-up), but disposed of when obsolete.
Documents are created by planning what needs to be done and records are created when something is done. Documents can change and records don’t change. Documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. Records need to be identifiable, stored, protected, retrievable, retained, but disposed of when obsolete. That is what ISO means by documented information; it is the same as the old control of documents and control of records. It is now referred to as documented information control, and technically we do not refer to them as documents and records, although I still think that it makes a lot more sense to use the old terminology when describing the difference between document control and record control.