Bretta Kelly  |  01/29/2009

ISO 9001 Documentation Is Like a Box of Chocolates

Don’t worry about the packaging; it’s the content you sink your teeth into.

Standards such as ISO 9001 mandate documentation requirements as part of a company’s compliance with the standard. Although the requirements are intentionally broad-based and open, many organizations tend to over-document their systems. ISO 9001:2008 requires a manual and six documented procedures. AS9100 requires seven, and ISO 14001 requires one. Yet companies continue to write additional procedures, often for the wrong reasons. Let’s end the confusion about implementing a management system vs. documenting one.

A common belief is that the standards’ requirements are satisfied if detailed procedures exist to define a system. Additionally, many managers and executives think that a documented procedure for every element in the company results in better control and accountability. Although no requirements are enumerated in these standards for procedure format, more emphasis is placed on this than on the information contained within the procedures.

For example, ISO 9001 requires a documented procedure for controlling a nonconforming product. The standard doesn’t describe what the documented procedure should look like, how it should be titled, or even how it should be controlled. ISO 9001 doesn’t state that a scope, purpose, reference documents section, or any other type of format is required. The documented procedure can be a flowchart, a one-page instruction sheet, or a 15-page detailed document. It’s always the company’s choice.

Additionally, the documented system doesn’t have to be complicated or overly specific. A company can start with a set of templates to define an ISO quality management system, so long as it’s committed to revising these documents to reflect what the company actually does as it evolves.

Stuck on formatting

It’s not just companies that tend to over-document. Misinformed consultants and auditors expect to see procedures written in the formal manner described above. This prevailing mindset began 20 years ago, when quality systems started to migrate from older U.S. military requirements to ISO 9001 requirements.

Let’s be clear: The objective for documenting a management system is content, not packaging. Unfortunately, some companies think that they can buy a ready-made, documented system and become ISO 9001-compliant, but generic templates simply can’t portray every organization’s unique system. Companies must assess and document their management systems to reflect their operating processes. It’s absurd to think that all companies operate in the same way and can therefore use the same documented management system.

Getting through a third-party audit is difficult when a company doesn’t customize or understand its templated system. When the auditor is asking questions, the company representative often struggles to respond because he or she doesn’t know where in the system the answer resides. This is never a problem when a company defines its own system.

Some companies are quite proud of their systems. They will give the auditor a 30-page quality manual along with 20 procedures averaging 10 to 15 pages each. The documents are beautifully written, with perfect formatting and spacing. The procedures are revision-controlled and impressive, but once the auditor begins comparing actual processes to the procedures, there’s usually a disconnection between the two. Many times these procedures call for specific forms, timelines for completion, and other unnecessary details. Companies often set higher standards than they can maintain. Procedures are often obsolete minutes after they’re written and approved.

Registrars estimate that the majority of nonconformances found in external audits are not due to a company’s ability to meet a standard’s requirement, but rather to the company’s inability to meet a requirement in one of its own internal documents. Again, documents must be written to define a process and not simply make it look more impressive. When processes change, procedures must change simultaneously. If a procedure isn’t required, it shouldn’t exist. There’s nothing wrong with training documents, videos, and flow diagrams to illustrate how to conduct a process. Written procedures are often overkill.

What’s really happening?

The following true story illustrates these points. A small company implemented a system for compliance to AS9100 using a set of templates that were claimed to meet the aerospace standard’s requirements. Its quality manager left the company before the stage-one audit was scheduled, but he told the owner that he went through the templates to make sure it matched the company processes.

The stage-one audit revealed that the company was in no way ready for the audit. None of the employees knew what the documents said or where to find required information. Furthermore, the system wasn’t entirely implemented. Company managers threw the templates in the trash and documented a new system from scratch, focusing on what they actually did. The new system was elementary--just the required procedures, a few flowcharts, and a seven-page quality manual. One month later, the company was registered to AS9100 with no findings of nonconformance--a 100-percent score.

This company didn’t change anything about how it managed its business. In one month, it went from a failed audit to a perfect score. The only difference was the manner in which the organization documented its processes.

The myth of process templates

The same holds true for companies that use a software program to maintain their management systems.

A set of documents alone doesn’t make a company compliant to ISO 9001, and neither does a software package by itself. There’s a significant difference between saying, “We use a quality management software system and therefore meet all the requirements of the standard,” and “We use software to execute processes more efficiently, track data more effectively, and simplify the overall compliance process.”

Another example of an over-documented or inaccurate system is having multiple documents covering the same processes or programs. There’s no difference between the continual improvement found in lean programs and in aerospace or ISO standards, for instance. There’s only confusion over the terminology, as seen in figure 1, below.

Much of the confusion lies in misunderstanding these different programs. AS9100 and ISO 9001 include internal audits, corrective and preventive action, and many other similar elements. Companies often operate a stand-alone lean program not even referenced in their ISO 9001 or AS9100 documentation. This leads to a mismatch between documented procedures and current processes. It also duplicates efforts that cost additional money for compliance and system maintenance. The same situation exists in other industries, such as having a separate food safety program in the food industry. Similarly stray programs that remain undocumented in management systems often include customs, emergency response, safety and security programs, hazardous material programs, and even separate employee policy manuals.

If a company has spent thousands of dollars and training hours for a lean program, then its ISO 9001 or AS9100 program should reference the training in all areas of continual improvement. Some of the required procedures for ISO 9001 or AS9100 that should include references to lean programs can be seen in figure 2, above.

There’s no reason for a company to have separate processes for internal audits, corrective action, or preventive action just to comply to ISO 9001.

Often, a company’s ISO 9001 continual improvement processes (e.g., objectives, data analysis, internal audit, management review, and corrective action/preventive action) are prescriptive. Typically, internal audits are scheduled by element or section of the standard and audited once a year. An audit log is maintained, and progress is recorded about the assigned corrective actions. The corrective action reports (CARs) are written up and kept in a CAR log, and preventive action reports (PARs) are documented and logged as well. Other results may be documented on similar forms. During an audit, when asked about preventive actions, the company will report that one preventive action was accomplished in the past year and recorded on the PAR form (which must be used per company procedure). Then the auditor walks down the hallway and sees that eight kaizen events have been accomplished during the past four months, and that more than 20 preventive actions are assigned and accomplished with these events. The company has no idea that these preventive actions “count” as preventive actions in its ISO 9001 system.

A documented process doesn’t have to be called an “internal audit” or a “management review.” It can be called anything, so long as the company collects and analyzes data, sets and measures objectives, assesses and audits processes and performance, and assigns and carries through with actions.

A few simple rules

The following rules should be considered when documenting your management system:

A written procedure isn’t necessary for every process and program. You must write some procedures because they’re required, such as an internal audit procedure, but the standard doesn’t require you to write a procedure for every type of internal audit or program your company has. One procedure can describe the different processes and programs.

Don’t write a procedure for the sake of writing one. Learn and understand when a procedure is required.

Don’t write a procedure around how you want to do a process or think a process should be done. The procedure should reflect what you actually do.

Create the documentation in a format that makes the most sense for the process or people using the document. (Don’t be afraid of pictures and videos, and don’t be afraid to call them “training materials.”)

Don’t forget that the majority of audit nonconformances are cited because the procedure didn’t reflect the actual process, not because the process didn’t comply to the standard.

If an instruction manual is used for training, it’s acceptable to say so. Be specific in saying that it’s not a document describing an operational process. In reality, most documented processes exist to train personnel. When personnel are trained and competent in a process, the document loses its importance until new employees are hired.

Appearance and formatting aren’t important. It’s content that matters.

For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”


About The Author

Bretta Kelly’s picture

Bretta Kelly

Bretta Kelly is the owner/operator of Business Management Systems Consulting LLC (BMSC). Kelly began consulting in 1999, implementing, managing, training, and auditing ISO 1994, ISO 9001:2000, and AS 9100 programs for semiconductor, aerospace, chemical, cosmetic, and distribution companies. Currently Kelly conducts third-party audits for several registrars; she conducts internal audits and facilitates management reviews as well. Kelly also provides seminars for internal process auditing and how to conduct management reviews and set measurable objectives. Kelly holds bachelor’s and master’s degrees in industrial engineering, and certifications for Exemplar-QMS Lead Auditor, Probitas-AS 9100 Auditor, HACCP, and SQF 1000 and 2000 auditing and expert training.



Respected ms.Bretta

This ISO documentation part you have covered in-depth.and it was easy to understand for beginers.very nice