ISO 9001-Clause 4.2 Documentation requirements

ISO 9001-Clause 4.2 Documentation requirements

4.2.1 General

ISO 9001 requirement:
The quality management system documentation shall include

a) documented statements of a quality policy and quality objectives,

b) a quality manual,

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.

NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.

NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to

a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.

NOTE 3 The documentation can be in any form or type of medium.

Explanation:

Clause 4.2.1 specifies all the different types of documentation needed for your QMS. The need to have additional documentation beyond those specified in this standard may depend upon – customer; regulatory and your own organizational requirements. Other factors to consider may include complexity of products and processes, effect on quality,risk of customer dissatisfaction, economic risk, effectiveness and efficiency, competence of personnel. Clause 4.2.1d requires you to have documents needed to ensure the effective planning, operation and control for QMS processes. Each organization must determine what documentation is needed to achieve this based upon complexity of products and processes, effect on quality,risk of customer dissatisfaction, economic risk, effectiveness and efficiency, competence of personnel.You must have documented statements of your quality policy and objectives. A procedure is a specific way to perform an activity or process, and it may or may not be written. If it is established, documented, implemented and maintained, it is called a documented procedure. A document is information that is written or recorded on some medium such as paper or computer. A document may specify requirements for e.g. a drawing or technical specification, may provide direction for e.g. quality plan, or show results or evidence of activities performed for e.g. records.

4.2.2 Quality manual

ISO 9001 requirement:
The organization shall establish and maintain a quality manual that includes

a) the scope of the quality management system, including details of and justification for any exclusions (see 1.2),

b) the documented procedures established for the quality management system, or reference to them, and

c) a description of the interaction between the processes of the quality management system.

Explanation:

The quality manual is a special type of document that describes your QMS. Besides describing your QMS, your quality manual could provide information on organizational background and capabilities. It may be used by customers, regulatory bodies, suppliers and company personnel for a variety of purposes. There are many acceptable ways to document your quality manual.  You must define the scope of your QMS in your quality manual. Your QMS scope should include facilities (manufacturing and support locations), products, processes, Quality Management and other standards, etc. Customers will want to know the extent of your capabilities and the Registrar will want to determine the time and effort needed to audit your organization.Provide details of any clause exclusions from your scope, and justification for it. You must justify all exclusions and remember, exclusions can only be made from clause 7.Your quality manual must include a description of the interaction of your QMS processes.You have flexibility in whether or not to include your procedures and lower level documentation with your quality manual or organize them in some other fashion. You may include all or some of your procedures in your Quality Manual or reference them to your Quality Manual. Keep a listing or index at the front or back of your Manual showing the complete list of your procedures whether included or referenced.As a controlled document, the quality manual is subject to all of the controls in clause 4.2.3.

4.2.3 Control of documents

ISO 9001 requirement:

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure shall be established to define the controls needed

a) to approve documents for adequacy prior to issue,

b) to review and update as necessary and re-approve documents,

c) to ensure that changes and the current revision status of documents are identified,

d) to ensure that relevant versions of applicable documents are available at points of use,

e) to ensure that documents remain legible and readily identifiable,

f) to ensure that documents of external origin determined by the org to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Explanation:

A document is information that is written or recorded on some medium such as paper or computer. Clause 4.2.1 tells you what documents you must include in your QMS. All documents that you determine under clause 4.2.1 to be needed for your QMS processes must be controlled. This clause 4.2.3 provides requirements on how these documents must be controlled. Documents  outside the QMS need not be subject to these controls. This clause requires you to have a documented procedure. Ensure that your procedure specifically addresses each of the control requirements, in terms of who, what when, where and how as applicable. Your procedure must address new and old as well as internal and external documents used by the QMS. You must approve all new QMS documentation prior to issue. Some degree of checking, examination or assessment is inherent in ‘approval for adequacy’. You must periodically determine if any updating or revisions of any QMS documentation is needed, and if they are changed, they must be re-approved for adequacy.

The frequency of this review, responsibility and method must be defined in your procedure. This will be determined by events within your organization and how mature or recent your QMS is. Auditors will explore this if they find that your documents have not changed in years, while the nature of your business has changed significantly. Identify changes made to documents so users know exactly what has changed. There are many ways of doing this on printed as well as computerized documents.  Have a method for revision control such as a revision log and master-list of documents which identifies the current revision status. Again, there are other ways of doing this as well.

Not all documents need to be available everywhere within your organization. You must determine what document is applicable (i.e. needed to assure product or process quality) to a specific process or activity and make the relevant version of that document available to that activity, e.g. providing current packaging and shipping work instructions to the shipping department.Once you determine that certain documents need to be made available at various locations, implement some form of distribution control. There are many ways to do this. One way would be to keep a distribution log.

Documents can take a beating in very harsh environments (covered in oil, dust, acid eaten, weather-beaten, etc.) to the point of being illegible. You must regularly review the condition of frequently used hard copy documents to determine whether they need to be replaced. Documents must also be readily identifiable as to its purpose and scope. A simple heading may suffice, (e.g. In-process Inspection Sheet). Computerized documents are sometimes given file names that don’t identify its contents and this might require numerous files to be opened before you find the right one. Identification also implies effective filing for timely retrieval, whether manual or computerized. A frequent nonconformity is not being able to retrieve a document or record because of poor filing procedures. External documents (such as customer drawings or supplier material/part specifications) must be identified. There are many ways to do this. One way would be to keep a manual or computer list of these documents. Determine who needs these documents and have some form of distribution control. Don’t overlook supplier, regulatory or industry documents. Apply applicable controls to these as well.

Obsolete documents can cause many problems if not controlled. There are many ways to do this. One way would be to provide computerized documents in read-only mode and make only the current version accessible at workstation computer screens. Obsolete hard copy documents can be removed through distribution control. Ensure your procedure a covers methods to disallow unauthorized and unapproved or incorrect documents from being created, used or distributed.If documents are archived, make sure that all such documents are properly identified, indexed and filed, and preferably have controlled or restricted access to them. Nonconformities against the document control process are one of the most frequent audit findings. Develop appropriate performance indicators to demonstrate effective implementation of your document control process. Examples include – number of obsolete or unauthorized documents found being used; number of unauthorized changes found; number of instances documents were not available at points of use; etc. Track trends in these indicators and use this information to tighten your controls and continually improve your document control process.  Use the PDCA to plan, implement, measure and improve your document control process.

4.2.4 Control of records

ISO 9001 requirement:

Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.

The organization shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records.

Records shall remain legible, readily identifiable and retrievable.

Explanation:

A record is a special type of document that provides written evidence of results achieved or activity performed (e.g. an inspection record). Records provide one of the strongest forms of evidence of maintaining and demonstrating the effectiveness of your QMS.  Ensure that your documented procedure for control of QMS records addresses each of the control requirements specified in this clause, in terms of who, what when, where and how. These controls apply to all QMS records whether they are hard copy or computerized.ISO 9001 calls for many records. Some records are specified, while others are implied. The onus is on you to demonstrate or provide evidence (records) of conformity to requirements, whether the specific clauses ask for records or not. Requirements for records may originate from the customer, regulatory, industry, or within your organization. Ensure you maintain records to conform to all of these as applicable. Records may also come from suppliers and vendors. All these records are subject to the above controls. The comments under document control regarding legibility, being identifiable and retrievable apply equally to QMS records.

Readily identifiable – relates to easily determining the purpose and scope of the record, e.g. an inspection record for a product at final inspection. The design of QMS records must prevent confusion or ambiguity in the completion and use of records. Records must be written legibly to be useful. Also make sure that they are not exposed to unauthorized change or alteration. For the duration that they are kept, store records in locations and mediums that will protect against unauthorized access and environmental damage – (covered in oil, dust, acid eaten, weather-beaten, etc.). Regularly review the condition of records. The indexing and filing of records (hardcopy or computer) must ensure easy retrieval. Keep a listing of all the different categories of records and define the retention times associated with each category (inspection and test; sales and purchasing; management review; calibration; training; etc). Retention times are typically determined by customer, regulatory, industry or organizational requirements and policies.

Records must eventually be disposed off once past their defined retention times. Disposition could range from permanent destruction of records to permanent storage in a secure onsite or off-site archive. The intent here is to remove the risk of inadvertent use and availability for current activities and unauthorized access. Depending upon the industry, specific records may be kept indefinitely.

Nonconformities against the process for control of records arise frequently. Develop appropriate performance indicators to demonstrate effective implementation of your record control process. Examples of indicators could include – number of instances of inability to retrieve records; amount of time spent looking for records; number of instances of incomplete records; number of instances of damaged records found; etc. Track trends in these indicators and use this information to tighten your controls and continually improve your record control process. Use the PDCA to plan, implement, measure and improve your process for record control.

Audit Checklist

An audit checklist should cover these areas:

• Does the documented Quality Management System (QMS) include a Quality Policy, Quality Objectives, Quality Manual, Procedures, Work Instructions and Records?
• How does the Quality Manual address the ISO requirements? Does it show the the exclusions which are not applicable? Does it have the all the procedures or reference of  Procedures?
• Does it covers the mandatory 6 Procedures and 19 Records, as required by ISO 9001 std?
• How are QMS controlled documents identified? (Master List?)
• Are personnel using up-to-date “instructional” QMS documents?
• How are these QMS documents kept current? What triggers a review?
• How was the last new QMS document issued? How was the last change or revision handled? Who approved these changes?
• How are new/ changed QMS documents communicated? Was any training done?
• Is there a list of QMS records that are controlled? Verify through sampling that they exist, are legible, are retained, and kept in a secure/safe location. Look at both electronic and paper records.

Mandatory Procedure:
Clause 4.2.1: Not applicable
Clause 4.2.2: Quality Manual
Clause 4.2.3: Procedure for control of Document