ISO Show

#249 How To Meet Documentation Requirements Within ISO  

     

Most ISO Standards are designed with implementation flexibility in mind. They set the framework without specifying an exact method to meet requirements, giving businesses the freedom to implement them how they see fit.

One of the key requirements you can’t escape, however, is documentation. This is more than a list of key documents you must have in place; it encompasses how you develop, control and store documented information.

In this episode, Ian Battersby dispels common myths around documentation in ISO, explains what the requirements actually mean in practice, and shows how to address each requirement relating to documented information.

You’ll learn

  • Common misunderstandings about documentation within ISO
  • What do current ISO Standards require for Documented Information?
  • How do you determine what should be documented information?
  • How do modern Standards embed a flexible approach?
  • What is considered ‘documented information?’
  • Breaking down clause 7.5 Documented information
  • How to address clause 7.5.2 Creating and Updating documentation
  • How to address 7.5.3 Control of documentation
  • A cautionary tale for modern approaches to Documentation

In this episode, we talk about:

[02:05] Episode Summary – Ian dives into the topic of documentation within ISO, dispelling the myths and breaking down the requirements you need to meet relevant to documented information.

[02:40] Common misunderstandings about documentation within ISO: Taking ISO 9001 as the prime example, the most common misunderstanding is that you need a policy manual. This is not true.

This may have stemmed from previous versions of ISO 9001 where certain mandatory procedures were required, such as:

  • Control of Documents (Clause 4.2.3)
  • Control of Records (Clause 4.2.4)
  • Internal Audit (Clause 8.2.2)
  • Control of Nonconforming Product (Clause 8.3)
  • Corrective Action (Clause 8.5.2)
  • Preventive Action (Clause 8.5.3)

There were also mandatory records such as Management Review, calibration, supplier evaluation, design/development reviews etc.

With the introduction of the 2015 version of ISO 9001, the old terms ‘Procedure’ and ‘Record’ have changed into a single term now known as ‘Documented Information’, which breaks down those previous terms into the following:

  • Documented information to be maintained — Previously what would have been a procedure (i.e., describing how something should be done)
  • Documented information to be retained — Previously what would have been a record (i.e., evidence that something was done)

[05:10] What do current ISO Standards require for Documented Information? The 2015 version of ISO 9001 received the following updates:

  • Removed the prescriptive language associated with the old terms
  • Gave organisations the flexibility to develop, control and store documented information
  • No longer dictates the form that documentation must take

In practice, many people still use the terms procedure and record informally, because they are well understood and conveniently descriptive. But beware of using language that reinforces old-fashioned ideas about how we create management systems.

This newer language aligns with modern risk-based thinking, which the Standard references directly. While that may sound prescriptive, adopting risk-based thinking has allowed a less prescriptive approach to the standards. It allows you to consider what’s significant to you so that you can plan your system accordingly.

[07:20] How do you determine what should be documented information? The effort you put into documenting something must be consistent with the risk.

If, for example, a process is important, if its outcome could be in doubt, if it’s complex to control, if it could lead to damage/harm, if there’s a regulatory requirement, then you should put some effort into documenting how it’s performed.

But if you maintain that documentation in response to the risk to your organisation, and not in response to a prescriptive demand in the standard, and if a process attracts less risk, then you can deliver it with less formality and less documentation to be maintained.

The same goes for retaining documentation to evidence that you’ve done what you should. In short: more risk, more documentation retained to demonstrate that you’ve controlled it.

[08:30] How do modern Standards embed a flexible approach? ISO Standards are deliberately flexible. The extent of documented information required depends on the size of your organisation, the complexity of your processes, your customers’ needs, your regulatory environment and the competence of your people.

An organisation of only 10 people will have very different needs compared to one of 10,000, and both can fully conform to the standard. It’s about proportionality, not volume.

[09:20] What is considered ‘documented information’? ISO standards don’t care what you call the documents you maintain in order to govern how you deliver your daily work.

Other than using the term process (and the process approach) to underpin how systems should interrelate, ISO 9001 doesn’t specify anything else.

Would you like to use the term procedure? Or management procedure? Or SOP? Work instruction? Process map, guide, playbook, manual?

Or is your activity embedded in an online system? A workflow? A board?

It doesn’t matter; you can call it what you want, as long as it’s controlled to the extent that it needs to be.

[11:05] Breaking down clause 7.5 Documented information: ISO 9001 states:

“7.5.1 General:

The organization’s quality management system shall include:

a) documented information required by this International Standard;

b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.

NOTE The extent of documented information can differ from one organization to another due to:

  • the size of organization and its type of activities, processes, products and services;
  • the complexity of processes and their interactions;
  • the competence of persons.”

This reinforces the fact that there is no ‘one size fits all’ approach.

[12:15] How to address clause 7.5.2 Creating and Updating documentation: The Standard states:

“When creating and updating documented information, the organization shall ensure appropriate:”

Note that word, ‘appropriate’. It doesn’t indicate specifics; it indicates that you should choose certain things according to your own circumstances.

So the appropriate things which you should ensure are:

Identification and description: (e.g. a title, date, author, or reference number) One trap many fall into is the use of reference numbers. In most cases they are unnecessary. Only use them if they mean something or make life easier.

Having reference numbers with department numbering can reinforce the silo mentality (‘that’s their procedure, not ours’), so it’s best to avoid creating that situation by forgoing reference numbers if possible.

What matters is that any users are able to easily verify that they have the right document. This can be done with a descriptive title, version numbers and a date for the version.

Online documents may have details embedded in metadata or an information box that can make this process easier to implement.

Format and media:

You’ll need to consider the language required for certain documentation, as international systems where multiple languages are used by the workforce may require additional versions.

You’ll also need to establish which templates or layouts to use. Look and feel will likely be important in the organisation, so you’ll want to keep documents on brand.

Other considerations include:

  • The use of process maps, flowcharts, diagrams, tables, or written text.
  • The software or application it is created in (e.g. Word, PDF, SharePoint)
  • Whether the document is paper-based or electronic

Review and approval for suitability and adequacy:

Documented information requires appropriate review of content. This is to make sure it does what it should and that all of the above is covered.

You will also need sign-off by someone with the appropriate authority, and that authority is determined based on risk related to that document.

[18:00] How to address 7.5.3 Control of documentation: Let’s break down each part of this clause:

“To ensure that

a) it is available and suitable for use, where and when it is needed;” – It must be circulated, hosted, displayed or whatever, so that those people who are required to see it, use it or know of its content can act on it.

“b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).” – It must be protected so that only the right people see it, so that any confidential information is not inappropriately shared, and no one can use or amend it without the appropriate authority. This is to ensure it remains in the manner it was intended and that its content can’t be altered, corrupted or destroyed.

“7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:

a) distribution, access, retrieval and use;

b) storage and preservation, including preservation of legibility;

c) control of changes (e.g. version control);

d) retention and disposition.”

This clause adds some meat to the ideas discussed already.

“a) distribution, access, retrieval and use;” – This refers to who receives a document and by what means, whether the right people can access it and know what to do with it at the time they need it, while also considering the sensitivity.

“b) storage and preservation, including preservation of legibility;” – The physical or electronic location of storage and its usefulness over time. You’ll need to ensure that physical things are safe from damage (fire, flood etc) and that electronic formats are protected from obsolescence.

“c) control of changes (e.g. version control)” – Who is allowed to edit, authorise, publish, issue and host a document. Establish a method of ensuring only relevant, current information is accessible by the right people, and record the history of changes where necessary.

“d) retention and disposition.” – Ask yourself: how long should documented information be kept? What’s useful? What’s regulatory? What does the customer want? What do you do when you don’t need it any more? What do you do to prevent access to obsolete information?

[22:30] A cautionary tale for modern approaches to Documentation: These days, we’re seeing more and more systems relying solely on electronic documentation. This brings big advantages, but also risks.

While there are excellent methods for document control in all sorts of hosting, sharing, collaboration platforms, they still need to be managed.

Too often we see systems with multiple versions of similar documents, naming disasters, obsolete versions, poor formatting, lack of authority, breaches of confidentiality, and the simple inability to find what you want!

Modern systems can help with documented information, but they don’t remove the need for managing documentation.
