potential audit finding?
Yes. If you’ve made a commitment to perform certain communication activities, then it’s a requirement of the QMS. This is especially the case if the commitment is documented.
7.5 DOCUMENTED INFORMATION
Equivalent to subclauses 4.2.3 and 4.2.4 of ISO 9001:2008.
The distinction between documents and records is gone in ISO 9001:2015. All we have now is “documented information.” Why did they take such a clear-cut concept and mess around with it? After all, most quality practitioners have a pretty clear understanding of the differences. Just to make sure we’re all on the same page, let’s do a quick review:
Document. Living information that is used for decision making or performing tasks. Subject to revision. Think of such things as procedures, policies, instructions, and blank checklists. We usually think about “following” documents because they tend to guide us.
Records. Historical information about things that have already happened. What did we do last week, last month, last year? Not subject to change because you can’t change what already happened.
Previous versions of ISO 9001 had separate sections of requirements for documents and records. They are different from a theoretical standpoint, but things have begun to merge somewhat with the widespread use of digital information. Both documents and records are likely to be digital files that employees access in much the same way. So the writers of ISO 9001:2015 decided to address them together.
Despite the universal use of the term “documented information,” there are clues to let you know whether the standard is asking for a document or a record. If ISO 9001:2015 requires you to “retain documented information,” it means a record. If ISO 9001:2015 requires you to “maintain documented information,” it means a document. Everything hinges on the terms “retain” vs. “maintain.” There are plenty of places in the standard that require you neither to retain nor to maintain documented information. In those places, ISO 9001:2015 seems to require nothing other than an understanding among the people working within the process. Keep in mind that another way of describing this situation is “tribal knowledge,” which doesn’t make for a very effective QMS. Use your own good sense when deciding what to document or record. Just because ISO 9001:2015 doesn’t explicitly require you to retain or maintain documented information doesn’t mean you shouldn’t do it.
You’re also not required to use the clunky phrases “retain documented information” and “maintain documented information.” If your organization uses the terms records and documents—and everybody understands what these words mean—then you certainly don’t have to change your language. Always strive for simplicity and clarity in your QMS. Few people would argue that the new terms used by ISO 9001:2015 are simpler and clearer. Along those same lines, if you presently have a separate document control procedure and a control of records procedure, you’re under no obligation to combine them. Do what makes sense to you and your organization.
Before we go any further, it’s important to say this: If you already have document control and records control procedures that meet ISO 9001:2008’s requirements, then you already meet ISO 9001:2015’s requirements.
ISO 9001:2015 begins this section by saying that your QMS should include documented information required by the standard and documented information needed by your organization. These requirements are obvious and clear, and probably didn’t even need to be stated. More helpful are the notes at the end of clause 7.5. They basically say that the type and quantity of documented information (documents and records) will differ from company to company, because everybody is different. Don’t blindly adopt documented information just because somebody recommends it. Examine the benefit and make an informed decision. The more voluminous your documentation becomes, the less likely employees are to use or understand it.
Your system for managing documented information doesn’t itself have to be documented. That’s a big change from ISO 9001:2008, which required documented procedures for both document control and control of records. Now you just have to ensure the following practices are in place when you create and update documented information:
Identification. Documents and records must have titles, document numbers, or something that indicates their identity. As long as you can differentiate between different documented information, knowing which ones address which topics, then you’ve met this requirement.
Format. The documents must be usable for their purpose. The format must be appropriate to the purpose and users, and the media must be accessible and understandable. For example, if the medium is electronic, then users would need to have access to a computer or other interface that can display the electronic media. Another example might relate to a company that has a high percentage of employees who don’t speak English; their documentation would need to be graphically formatted (to make language irrelevant) or translated into the language predominantly spoken by the employees.
Review and approval. Somebody must review and approve the documented information before it’s used. Who performs this function is completely up to you. There are many different ways to signify review and approval: signatures, initials, email approval, electronic signatures, meeting minutes, or click-box approval within a document control program. Review and approval does have to be traceable, meaning it must be clear who performed it. It should also be secure, which means the organization has prevented imposters from making reviews/approvals under somebody else’s name.
Once the documented information exists, the next logical step is control. Here are the control requirements from ISO 9001:2015:
Availability. The documented information exists where it’s supposed to exist. The organization has dedicated the resources to create the documented information and the information is suitable for the need it was intended to fill.
Protection. The documented information is protected from tampering, unauthorized changes, and damage. People who shouldn’t see the documented information are prevented from seeing it. Appropriate safeguards are put in place by the organization to ensure information isn’t misused in any way. System passwords and employee training are two ways to accomplish this.
Distribution. You can access the documented information. Employees don’t struggle to find it, and they understand how to interpret its meaning. If a computer or program is necessary to access the documented information intended for employees, then employees can operate it. In the case of retained information (e.g., records), they can be retrieved within a reasonable amount of time.
Storage. The organization specifies where the documented information is located. This applies to retained documented information (records) and maintained documented information (documents). The location is accurate and verifiable, and there are controls to preserve the information. Preservation could include periodic backups of computer files and periodic monitoring to ensure continued legibility. The controls for “preservation” are very similar to the controls for “protection,” described above.
Change control. The organization is able to ensure that the correct versions of documented information are available. When documented information is revised, the revisions are incorporated into the information in use (after review and approval). There are safeguards in place to prevent employees from incorrectly accessing and using obsolete information.
Retention. We say how long we retain documented information. Remember, the term “retain” refers to records, so this is the requirement for establishing a retention time. Every record in your system could conceivably have a different retention time, and ISO 9001:2015 provides no guidance on the appropriate retention times of records. This is completely up to the organization and its needs. Disposition refers to what happens to the record after the retention time has elapsed. Typical dispositions include archive, shred, or recycle.
Finally, ISO 9001:2015 addresses external documents and preventing unintended alterations of retained information.
An external document is published outside the organization and used within the scope of the management system. Examples of external documents possibly requiring control include:
Troubleshooting and/or calibration manuals published by equipment manufacturers
Test procedures, specifications, and/or engineering drawings published by customers or other bodies
Instructions, specifications, and/or procedures published by suppliers
Standards published by industrial organizations applicable to the organization
International standards such as ISO 9001
Once external documents have been determined, they must be identified, and they must be controlled. Like internal documents, there must be a title, document number, or other unique identifier. Such identification typically comes from the source that publishes the document, and the organization simply adopts it. Make sure that all the other aspects of “control” are applied to external documents.
The last requirement provided by ISO 9001:2015 concerns retained documented information that provides evidence of conformity. In other words, records that prove you met requirements. I would say that this statement applies to all records. The organization must ensure that people can’t make unauthorized changes to records. This is a restatement of the protection and preservation requirements already discussed.