If benefits of a document management quality are obvious, the new version of ISO 9001 has somewhat overturned old habits. What changed? How to prepare for this? Here are some tips to help you figure things out before the auditor comes.
What is a document system?
A document system is a structured and organized set of documents of different natures. It can thus consist of procedures, documents, even operating procedures, instructions or technical data sheets. These documents are usually associated with a management system, whether quality, production, security, etc. It’s called a document system as soon as these documents are referenced as belonging to these systems in particular.
ISO 9001:2015: what changed?
Quality Manual will be off the table, as well as the notion of mandatory procedures. So, you will have more freedom regarding this part. However, you can keep them, subject to updating to comply with the standard.
These old mandatory documents are replaced with the appearance of the notion of documented information.
Again, this is not really compulsory. The important thing is to have documented information where the standard requires it; that is, in most chapters, and where you believe that documented information is necessary to ensure the effectiveness of your company's Quality Management System.
Since the notion of mandatory procedure is off the table, you are no longer required to have a procedure for every process. If the process allows it, the documented information attached to it may be other types of documents, such as operating procedures and instructions, and may not include procedures.
At first, you can consider keeping all the existing documents in the company by updating them if necessary.
With this method you will have a minimum of documented information for your processes without having to give your document system an overhaul. In this way, you would limit the risk of receiving remarks or nonconformities on this subject during the audit. You will have the time to reform the documented information that is no longer needed once the certification is achieved.
In this way, you will free up time to make progress with other topics such as process risk approach or definition of SWOT (strengths, weaknesses, opportunities and threats) for example, which require a lot of work and on which it is better to focus more for the audit.
Just make sure to review all the documented information that needs to be reviewed.
Unfortunately, this method may of course not be to your auditor’s liking. Let's not forget that their requirements and control points are dictated by the standard but that each auditor can be more or less sensitive to one strategy or another, one method or another...
Creation and update of Documented Information: no big revolutions.
The standard does not impose any format! It simply asks for some information to appear, such as title, date, author, etc. It is therefore necessary to keep all the information or references previously gathered in the cartridges and more generally on the documents’ cover page of the document system.
The absence of obligations as to the format used gives you freedom to choose how you want to make these references appear. Many companies choose to keep this cover page in order to avoid any inaccuracies.
What I find more interesting is to replace all the textual parts with flowcharts or diagrams, for example.
When it comes to documents for which employees’ feedback often comes down to content that is too heavy or not very encouraging, flowcharts or diagrams may allow you to bring more lightness to your document system and to encourage them to go to it.
When using these formats, you will synthesize your information allowing them to get right to the point. In addition, you will have to dissociate the different steps, elements or interlocutors and make your documents clearer and simpler for a less experienced audience.
Set up a controlled diffusion
Where the 2008 version mainly focused on the notion of "the right document in the right place" the 2015 version goes further. It is no longer just a question of defining who can write, check, update and modify and when / how for every type of document or even for every document.
The 2015 version requires that the Documented Information be available, distributed, accessible, usable, stored, protected and legible; in addition, it also requires the control of the modifications, the preservation and the eliminations of the so-called documented information.
Quality Manager has to make sure that each employee is aware of the existence of all documented information related to their process, and knows how to access it.
It is also important to check that each employee for whom a documented information is relevant knows about it and knows how to access it.
We can call it a controlled diffusion of documented information since they must be distributed and only received by the relevant people in the company.
For this to happen, it is important to start with defining for whom is one or several documented information relevant. This step allows you to determine distribution groups.
Then you need to have system that lets the auditor know that all the people involved have been made aware of the existence of the Documented Information AND have read it. For that purpose, some companies consider reading reports with registration, for example. This method is not required by the standard, but it will allow you to prove to an auditor that you made sure documented information have properly been and received. Any other method may be considered, as long as it allows you to certify that both actions are performed.
There must be a way to make Documented Information accessible and usable by every employee for who they are relevant, and in all their workplaces.
This requirement is sensitive, especially for companies whose premises have little computer infrastructure. They can consider equipping them or they can opt for a paper-based workaround (beware of the risk of forgetting to update) or a digital solution on mobile devices for example (if site constraints make this possible).
Finally, it’s necessary to make sure that everyone involved always use the latest updated version of the Documented Information. Knowing that it must be accessible to all, at any time and in any place, the challenge could be to ensure that it will not be recorded or printed improperly for example.
What can we do about this?
As far as I am concerned, paper forms must be avoided and should be implemented only if no other solution can be found. Indeed, paper documents are often forgotten in drawers or in a binder on a shelf. It is often difficult to remember their number and where they all are, not to mention the unnecessary copies. So, the paper solution leads me to believe it’s too much of a risk of non-compliance during an audit.
Shared directories have some advantages. Unfortunately, confidentiality issues between departments are common. It is not uncommon to meet companies where Quality department members do not have access to all the servers within the company. The only solution is then to create servers allowing exchanges between the Quality department and the other departments, at the risk of multiplying file copies. Most of the time, these servers cannot block data printing and copying. But above all, these servers are only effective if every employee systematically uses them. So, shared servers also present a significant risk of non-compliance during an audit.
Old Intranet can be used but they have the same disadvantages as shared servers in many cases. They are limited in functionality when it comes to modifying documents, changing them, or distributing them, etc.
The choice of a document management system becomes obvious. Whether it is to formalize the documented information, to make it accessible in a secure way, to avoid a large number of documents or to ease the validation steps (workflow). Whatever solution is chosen, it is necessary to make sure that it has all the necessary features to meet the requirements of the standard.