ISO 9001: It’s About the Records, Not the Documents

Let’s end the confusion about implementing a management system vs. documenting one

Published: Thursday, December 20, 2018 - 13:03

Back in January 2009, I wrote an article for Quality Digest titled “ISO 9001 Documentation Is Like a Box of Chocolates.” Here we are, almost 10 years later, all of the ISO 9001 and related standards have been updated, yet companies still misunderstand what to document, how to document, or why to document procedures for their quality management systems (QMS).

This article offers examples and explanations of where QMS are over-documented and describes ways in which they can be simplified. The purpose is to illustrate how far off many companies are from understanding the difference between implementing and documenting a QMS. When you are getting registered to ISO 9001:2015 (and this includes any standard that is based on ISO 9001:2015), the emphasis should be entirely on the records (i.e., outputs of your processes) showing compliance to the requirements of the standard, not how the system in question is documented. The length of your quality manual and the number of procedures a company has are irrelevant; the primary focuses when getting registered to the standard should be whether the records meet the requirements of the standard, and what the measurable objectives defined by your company may be.

Let’s end the confusion about implementing a management system vs. documenting one.

The latest standard, ISO 9001:2015, does not mandate any required procedures or manual; AS9100D and ISO 9001:2015 mandate only one procedure for control of nonconforming outputs and a quality manual. Despite this, companies continue to write additional procedures, often for the wrong reasons.

ISO standards’ emphasis on control of documents and records

Since I have been auditing and implementing ISO 9001 systems and aerospace systems, the standards have changed significantly. It is amazing how many companies that documented their original QMS 15 or 20 years ago still try to maintain over-documented systems. These systems hold the company captive to requirements that no longer exist. In the past, ISO 9001 required procedures for every element of the standard. It specifically required a master document list for the procedures, and a records matrix of lists of records and procedures specifying where they were located, how they were indexed, and who the owner was. When these requirements were in place, most records and procedures were hard-copy records and were filed in different departments, so having files indexed made sense.

In that early era of the standards, the world was documented solely on paper. Every department, and thus every area of the company, required controlled document books so that procedures could be easily accessible. Documents of the past had a relatively specific format: purpose of document, scope of document, reference to specific forms (with form numbers), reference to related procedures (with the procedure numbers), and the occasional revision of the reference procedure, among other things. Every time an update was made to a procedure the master lists and controlled document books had to be amended with the new procedure. The latest revision of a procedure not being in the controlled document book, an old revision being at someone’s workstation or in their office, or the master document list not being updated with the latest revision were all common nonconformities at that time.

Over time companies began going paperless. Controlling documents was one of the first things that was automated; companies began sharing documents on a server, sites were set up for the documents, and software was developed for the sole purpose of controlling documents. Now there are complete QMS software packages available and related applications to share documents electronically. Not only does this remove the need for controlled document books, master lists, and matrices of records, but the standards themselves have been updated to the point where none of these controls are required, either.

Despite all of the things that have changed over the years, companies are still holding themselves captive to these obsolete requirements. I believe there are two reasons why companies are still over-documented. The first is relatively straightforward: Companies wrote their original system years ago, and each time a standard was upgraded, rather than simplifying or redocumenting their system, they altered the existing system, and over time the system grew. The second reason is that many auditors still have an expectation when they audit that the company should have master lists as well as records matrices and procedures for every section of the standard. If the company is not familiar enough with the updated standards that do not require these procedures, they may have a hard time defending their simplified system to a registrar or customers and resort to keeping the over-documented system to satisfy them.

During the past 20 years, I have audited many different QMS in different industries. I have found myself in situations where a company’s processes are excellent, it has clear records that show compliance to all the requirements in the standard, customer satisfaction is excellent, and it has perfect performance to objectives. Until I have to ask if the company has any procedures or documents that define their processes, the audit often goes smoothly. It is important to note that in the latest ISO 9001:2015 standard, there are no required documents, not even a requirement for a quality manual. In the latest AS9100D/ISO 9001:2015 standard, only a quality manual and a procedure for how to control nonconforming outputs is required. If the company has procedures outside of these requirements, they become part of the audit. Hypothetically, a company could meet all of the requirements of the standard, have a very high level of performance to objectives, and very clear records, but if it doesn’t meet the requirements of its own internal documents, I am forced to write a nonconformity. Sometimes the error is something minor; it is not uncommon for the company to claim it keeps a records matrix but hasn’t added the record in question to the matrix; or it might claim the record is kept in a purple folder for 24 hours, but along the way it was changed to a blue folder for 48 hours, among other things. It is nonconformities like these that have become extremely saddening to me.

When I am consulting with a company, we are either implementing an ISO or AS system, or simplifying an existing system that is over-documented. The first thing we do is review what is required and what is not, so the company understands the latest requirements of the standard. Then we agree that every document should have a purpose. Depending on the company’s history, this can be a difficult topic to agree on. On occasion I have the company retrieve its entire documented system and do what I call “spring cleaning.” Regardless of the season, I have companies do the following with their documents:

Three piles are made (or categories if we are doing it electronically). One pile is for required procedures (e.g., required per the standard the company is compliant with, required by a customer, required by the company, and it wants that included in the audit).

The next pile is for any documents that are not required and do not have to be followed exactly as written but could be useful for reference, or if the company was training a new person. You can identify these documents by asking the question, “When is this document used?” If the answer is, “Only when we are being audited” or, “Only if we are training a new person,” then it goes in this second pile.

The final pile is for documents that are no longer valid, have no value, or have become unused. You can identify these documents by asking the question, “Does anyone ever use or look at this document?” The documents in pile three are obsolete. The documents in pile two can be identified as training/reference/guideline documents, and by definition do not have to followed exactly as written and therefore do not require any updates. The first pile, the required documents (required by your company, the standard, or a customer), are now considered your quality and/or business management system. Further simplification of only the documents in this pile should be done to take out any information or requirements that should not be in there.

For example, I have audited systems or simplified them for companies that have very specific, 10-page procedures for how they do purchasing. When I interview the purchasing personnel, many times the person doing purchasing has been doing it for more than 15 years. Not only do veteran purchasers commonly fail to reference the purchasing procedure when they are doing the purchasing process, they are most likely the people who wrote the procedure in the first place. If the company wants to have a procedure or instruction for purchasing in the required pile, my suggestion would be a one-page work instruction or flowchart that describes the basics for purchasing. Otherwise, it should go in the pile containing the training documents.

Just as every document should have a purpose, every training, audit, and data collection initiative should have a purpose. A company should never write a document, conduct an audit or training, or collect data unless there is a clear objective. Audits should be done only on processes that are not performing, have new people, or are high risk. Don’t audit for the sake of auditing. Never write a document for the sake of writing a document, either; write only what is required and what makes processes simpler. Remember to identify the process and its purpose. There is no reason why any company can’t choose to work smarter rather than harder.

Documented information (documents and records in the ISO 9001:2015 standard)

This note comes straight from Section 7.5 of ISO 9001:2015:

Note: The extent of documented information for a quality management system can differ from one organization to another due to:
• The size of organization and its type of activities, processes, products and services;
• The complexity of processes and their interactions;
• The competence of persons.

The most recent standard, ISO 9001:2015, is divided into 10 sections. The first three sections are introductions and definitions. Section 4 of the standard is titled “Context of the Organization” and includes requirements for defining the scope of your business management system (BMS); understanding your company and the needs and expectations of interested parties (interested parties are internal and external, for example, your employees, suppliers, and customers). Section 5 is titled “Leaders” and is about management commitment and responsibilities. This section also includes requirements for customer focus and defining your quality policy. Section 6 is titled “Planning” and includes requirements for taking actions to address risk and opportunities, setting measurable objectives and planning to achieve them, or to make changes to your BMS. Section 7 is titled “Support” and includes requirements for resources (e.g., people, infrastructure, environment, calibration, tribal knowledge), competence and awareness, and documented information (the new terminology for documents and records). Section 8 is titled “Operation” and includes requirements for planning, producing, and controlling whatever product or service the company provides.

Finally, sections 9 and 10 are titled “Performance Evaluation” and “Improvement.” Section 9 includes requirements for how to measure customer satisfaction, conduct internal audits, and perform management reviews. Section 10 defines what to do when processes do not meet the desired result; these are control of nonconformance and corrective action.

In the prior standards, there was a section for preventive action; this small section at the very end of the standard has been removed and has now been replaced with “Actions Taken to Address Risk and Opportunities” and is now sprinkled throughout the entire standard. This is very important. Instead of just looking at preventive action as a project or something separate you do to prevent something bad from happening (e.g., late delivery, customer dissatisfaction), ISO 9001:2015  encourages you to evaluate risk in every action you take, and always be aware of taking actions that prevent risk or create an opportunity for improvement. If a company is spending a lot of time conducting processes that generate data, but does not analyze those data, set objectives and goals, and take actions to address risk or act on opportunities to improve, then it is a waste of time to collect the data in the first place.

Are QMS templates good or bad?

Using templates to implement or simplify a company’s QMS is dependent on the type of templates and level of experience in the company with the given standard. If the templates basically plug in the company name and merge it in a generic QMS that is “compliant” with the standard, this would make for a difficult audit process and probably not be very value added, unless there is a high level of experience within the company about the standard. If the templated system forces you to customize it so it specifically describes how your company’s processes work, and the template complies to the given standard, your chances of success in an audit are much more probable. The same holds true for companies that use a software program to maintain their management systems.

A set of documents alone doesn’t make a company compliant to ISO 9001 or AS9100, and neither does a software package by itself. There’s a significant difference between saying, “We use a quality management software system and therefore meet all the requirements of the standard,” and, “We use software to execute processes more efficiently, track data more effectively, and simplify the overall compliance process.”

Misconceptions of implementing a QMS

There are many different interpretations of the ISO 9001 standard. In an effort to highlight some common misunderstandings, some of the myths, urban legends, or misperceptions about requirements will be examined.

Perception: Implementing and maintaining ISO 9001 is expensive.
False: It does not have to be expensive. A company simply needs to document its management system based on what it already does and put in place the programs required to improve on its processes.

Perception: The ISO 9001 system is a quality system (i.e., it belongs in the quality department or is the responsibility of the quality manager). Many organizations feel they need to hire somebody full-time to manage the ISO 9001 system (for example, internal audit coordinator, corrective action coordinator, ISO coordinator).
False: The ISO 9001 system covers an entire business, starting with customer requirements, review and acceptance of those requirements, executing those requirements, measuring and monitoring processes to ensure requirements are being met, and ultimately, delivering a product or service that meets those requirements to ensure customer satisfaction.

Because ISO 9001 is based on the process approach of plan, do, check, and act, it is important that the company learn and understand the standard before implementing or documenting a management system. One way to accomplish this is to send key employees to an ISO 9001 course or hire a trainer or consultant.

A consultant’s role is to teach employees the requirements of the standard and help them define their management system. The foundation of the management system needs to be based on the company’s culture, products, and services, and how it will meet and continually improve on these requirements.

The common-sense approach to documenting a management system

There are many requirements in the standard that say one must “define” a process. Defining a process is not the same as documenting a process; it can be defined verbally, with pictures, in a video, or in a document. If a company has a process and it is deciding if it needs a procedure, flowchart, or work instruction to “define” it, the following questions should be asked, and the management systems should be documented according to the answers:
• In order to perform this process consistently and correctly, does the company need step-by-step instructions to be used by the operator while performing the process? If the answer is yes, then document the steps of the process to be used by the operator.
• In order to train employees on this process, are step-by-step instructions needed? If the answer is yes, the process can be documented as an instruction or as a training or guideline document that is used only for training new employees and not for conducting the process. Consider training videos in this instance.
• Did the last auditor say a process needed to be documented? This is not a valid reason to document a process.

A management system should not be documented for the sake of documenting a management system. If a document is written that nobody ever looks at or uses, and it is collecting dust on a shelf or taking up space on a computer, then it should be eliminated. The reason to document a process of any kind is so there is a clear understanding of the roles, responsibilities, tasks, inputs, outputs and—most important—measurable criteria of the process.

For example, if a company says that all forms will have a form number and revision on them, then all forms must have this. The standard does require forms to be controlled or to have a number or revision. This would be an example of a company adding a requirement beyond the requirements of the ISO 9001 standard. Requirements should only be added when it will benefit the company by ensuring better processes. Do not add this type of requirement based on a perception of the standard or advice given by an outside party—including an auditor.

How to decide if you need a documented procedure

The number and comprehensiveness of the documents written for a company should be directly related to the company’s size, complexity of its processes, and maturity of its workforce. ISO 9001:2015 refers to documents and records as “documented information.” Although the required procedures are no longer mandated by the standard, retaining documented information (records) is still in place and the most important part of implementing a QMS. A new requirement in the standard requests specific care related to documents managed electronically using a software system because most documented information is in digital form. This has a direct relationship on the level of documentation required in modern QMSs. Many processes are automated, and the records are maintained electronically, which in turn removes the need to write a document for it.

The internal audit process is an excellent program to use to determine if a process requires a documented procedure or not. For example:
• As an auditor, you must evaluate if the process is being performed consistently, with consistent and acceptable results.
• An auditor can do this by asking questions of several people performing the process.
• Ask the people the questions individually.
• If the answers are consistent, a documented procedure is not necessary
• Some sample questions: Can you explain the steps to this process? What records do you need to complete for this process?
• The need for a procedure will generally depend on the complexity of the process and the training of the people responsible for the process.
• Often, companies using a complete QMS software will have less need for procedures due to the clarity and simplicity of managing their processes within the software.
• In many organizations, an excellent training program eliminates the need for procedures.
• If, by contrast, there is not consistency among the people observed or interviewed, or there is not consistency in the records resulting from the process between the people being observed or interviewed, then a documented procedure may be appropriate.

Implementations gone bad

Some of the horror stories about ISO 9001 implementations include companies that have binders of procedures, work instruction, and forms and have been trying to implement ISO 9001 unsuccessfully for years. Some have spent $50,000 and others more than $200,000 on internal resources or consultants. Some have had a prior quality manager who wrote a management system and then left the company, and no other employee knew how to continue the management system requirements. Some have gone through three quality managers, each defining, adding to the last management system, or adding confusion by changing requirements.

In many instances, companies that have invested considerable time and money in the process of certification have a hard time letting go of it even when it has proven ineffective or useless. A company must decide if it wants to chase bad money with good money when faced with this problem. It must consider letting the existing management system go and documenting a new and effective management system from scratch. An important part of the ISO 9001 standard is taking action to address risk and opportunities. Therefore, it is simple common sense to change or improve a management system and the associated philosophy when that management system is found ineffective.

Why do companies over-document their management systems?

Some companies have over-documented their management systems to the point where they are useless, based on misperceptions or an inadequate understanding of ISO 9001. Nowhere in the standard does it say how a company is required to do a process; it simply says that a company needs to meet a requirement—generally the customer requirements.

It is the company’s prerogative to decide how it defines processes and how it meets requirements. This is important and the main reason why companies often struggle and fail to create a cost-reducing, effective ISO 9001 program. Many companies, when trying to implement an ISO 9001 program, define it based on what they think the standard implies or what an auditor may expect to see. If not for ISO 9001 requirements, most companies would never implement something they did not need to succeed in business. However, when it comes to implementing an ISO 9001 system, companies define many of the programs based on perception and not on the company’s actual processes or culture.

Perception: It is mandatory to have a document—for example, work instruction, flow chart, procedure—for every process in the company.
False: ISO 9001 states, “NOTE the extent of the quality management system documentation can differ from one organization to another due to the size of organization and type of activities, the complexity of processes and their interactions, and the competence of personnel.”

Perception: It is mandatory to have form numbers and revision or date control on all forms.
False: Nowhere in the standard does it even talk about forms or controlling forms.

Perception: It is mandatory to have a master list of documents or a master list of records that states information such as where they are stored and how long they are kept.
False: Nowhere in the standard does it talk about master lists.

So many companies write 30- to 60-page manuals that have so much detail and often refer to outdated processes or requirements. When written correctly, the manual could be a perfect marketing tool to send to customers that simply tells them the scope of the management system and provides a picture of the interrelation of processes. The interrelation of processes can be as simple as an overall picture of how a company’s processes flow.

The standard does not dictate how to do any of the company’s processes; it simply provides guidelines and states that a company must define how it performs its processes and measures the effectiveness of them. A company should not document processes or procedures based on perceptions of the standard or what an auditor looks for. A company must document its management system based on how it conducts business.

Any other work instructions—flowcharts or procedures that a company feels it needs to effectively produce the given product or service—should be done in a format that best suits the purpose controlling these processes. The most important part of documenting any type of process—management process or product process—is to define the inputs, outputs, and measurements of the process. The better a company defines how to measure each process, the easier it will be to monitor the outputs (data) and pinpoint the areas that require improvement.

The level of complexity or volume of a documented management system has nothing to do with the size or complexity of the processes of a company. The only direct relationship that would be found regarding the level of documents a company requires would be the effectiveness of training programs. The more effective the training programs are, the fewer documents one would expect to see. For example, a work instruction may be needed to teach an employee how to do something (training guideline/reference document), but after training, there is no more requirement for that document.

A few simple rules

The following rules should be considered when documenting your management system:
• A written procedure isn’t necessary for every process and program. You may write some procedures if they are required by a customer or the given standard.
• Don’t write a procedure for the sake of writing one. Learn and understand when a procedure is required or needed.
• Don’t write a procedure around how you want to do a process or think a process should be done. The procedure should reflect what you actually do. Often it can be as simple as referencing the software that you use to manage that process.
• Create the documentation in a format that makes the most sense for the process or people using the document. (Don’t be afraid of pictures and videos, and don’t be afraid to call them “training materials.”)
• Don’t forget that the majority of audit nonconformances are cited because the procedure didn’t reflect the actual process, not because the process didn’t comply to the standard.
• If an instruction manual is used for training, it’s acceptable to say so. Be specific in saying that it’s not a document describing an operational process. Most documented processes exist to train personnel. When personnel are trained and competent in a process, the document loses its importance until new employees are hired.
• Appearance and formatting aren’t important. It’s content that matters!

About The Author

Bretta Kelly

Bretta Kelly is the owner/operator of Business Management Systems Consulting LLC (BMSC). Kelly began consulting in 1999, implementing, managing, training, and auditing ISO 1994, ISO 9001:2000, and AS 9100 programs for semiconductor, aerospace, chemical, cosmetic, and distribution companies. Currently Kelly conducts third-party audits for several registrars; she conducts internal audits and facilitates management reviews as well. Kelly also provides seminars for internal process auditing and how to conduct management reviews and set measurable objectives. Kelly holds bachelor’s and master’s degrees in industrial engineering, and certifications for Exemplar-QMS Lead Auditor, Probitas-AS 9100 Auditor, HACCP, and SQF 1000 and 2000 auditing and expert training.