One of the first things that many people mention when discussing ISO9001 is documents – as in “you’re going to need a lot of documents”. Whilst this may be true in many cases, it’s by no means the main purpose of creating a quality management system, or QMS. However, it is somewhat inevitable that your QMS will contain documents and that they will need to be controlled.
In this article we’re going to look at the what, why and how of achieving this fundamental building block of ISO9001.
What is ISO9001 documented information?
Previous versions of the ISO9001 standard used to talk about “documents and records” but in recent years this has been replaced with the more general term of “documented information”. This is defined in ISO9000 (the fundamentals and vocabulary companion to ISO9001) as:
“information required to be controlled and maintained by an organisation and the medium on which it is contained.” (term 3.8.6)
So it’s important to be clear from the start that we’re not necessarily talking about paper here. Many a Quality Management System does include paper documents and records, and that’s fine where appropriate, but there’s no requirement in ISO9001 to use paper. What we’re really interested in is the information, and that could be held in a wide variety of different forms, including Microsoft Word documents, spreadsheets, presentations, smartphone apps, cloud applications, microfiche and paper forms.
Which documented information do we need to have for ISO9001?
The 2015 version of the ISO9001 standard is less prescriptive than the previous one, so the list of documented information that you must be able to demonstrate has grown shorter. However, there are still many points in the standard that insist on having something to show an auditor, and these include:
The scope of the QMS
How the processes of the QMS operate and how you can tell that they are working
The quality policy
Your quality objectives
Monitoring and measurement tool calibration and verification
Evidence of competence of people involved in the QMS
Customer requirements, and changes to them
Design and development inputs, outputs and changes
Production information about what is to be produced and how it is released
Traceability information where applicable
Damage to customer property
Management reviews and internal audits reports, including around nonconformities found
So the standard tells you the kind of information that needs to be documented, without laying down any strict rules about document structure, titles or medium.
What are the requirements around the control of documented information?
Having clarified what information needs to be documented for the effective operation of your QMS, the ISO9001 standard sets out the areas that must be considered to ensure that information is available appropriately, commonly referred to as ISO9001 document control.
This means you need to think about questions such as:
How do we identify and label it when it is initially created?
What format and medium should it be held on?
Who will check that the information is correct (and how often)?
How do we make it available to the right people at the right time?
How will people know that they are using the latest version of the information?
How do we protect the information so that it is not lost, damaged or stolen?
How will we handle changes to the information?
The answers to the above questions are going to depend on relevant factors such as the industry you’re in, the size and culture of the organisation, the competence of the people involved, the technology available, the criticality of the processes and even unpredictable factors such as the weather.
For example, the approach taken for a pharmaceutical company making life-saving drugs to very tight tolerances will differ from that of a company making bespoke garden chairs. Both require an emphasis on quality, but the consequences of using inaccurate or out of date information during the manufacturing process will differ in seriousness.
How do organisations control their documented information?
Unsurprisingly, most of the documented information for ISO9001 purposes is nowadays held electronically. As previously stated, this will be in a mixture of formats, including office applications and online systems. A process approach for ISO9001 document control is often used that addresses the full lifecycle of a particular type of documented information.
For more traditional “documents” this will include defining who can create them, who must approve them, how version numbering will work, where they should be stored and how people will access the latest version. This is best achieved using a workflow or document management system such as Microsoft SharePoint, Confluence or Huddle. Such tools can often inform users when a new version of a document has been approved and can usually help with automated version numbering too.
For some environments good old fashioned paper works well and provides a level of simplicity and visibility that some electronic tools can lack. This may be especially true in an environment where computer usage is difficult, for example where heavy gloves need to be worn or online access is patchy.
Final thoughts
ISO9001 document control needs to be fully thought through and adapted according to the specific need. The standard allows for a wide degree of variability in how the basic principles are applied, but remember it’s really about the information rather than the medium on which it is held.
