I have written a few times about this topic and I just love revisiting one of the fundamentals, so let’s go. The standard wants…
The company's Quality Management System includes: documented information required by the standard; documented information determined by the company as being necessary for the effectiveness of the Quality Management System. When creating and updating documented information the company ensures appropriate: identification and description (e.g. a title, date, author or reference number); format (e.g. language, software version, graphics) and media (e.g. paper, electronic); review and approval for suitability and adequacy. Documented information required by the Quality Management System and by the Standard is controlled to ensure: it is available and suitable for use where and when it is needed; it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). For the control of documented information the company addresses the following activities as applicable: distribution, access, retrieval and use; storage and preservation, including preservation of legibility; control of changes (e.g. version control); retention and disposition.
Documented information of external origin determined by the company to be necessary for the planning and operation of the Quality Management System is identified as appropriate and is controlled. Documented information retained as evidence of conformity is protected from unintended alterations. Access implies decisions regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
Deep breath. That is quite a lot to digest. The first thing we need to establish is what is the mandatory maintained documented information. These are; scope, operational process support, quality policy and quality objectives.
So, you need to ‘write’ this stuff down in a controlled manner and here is where to do so. The scope in a quality manual (my recommendation), strategic plan, web site, marketing material. Operational process support documentation in a set of procedures, images, videos, etc. for such things as Sales, Inventory, Product or Service Delivery and any others you may find useful. A quality policy. Yep a good old one-page policy addressing nothing but quality. And lastly a process or framework for quality objectives. Start with a register, reference it from your manual or management review procedure (if you have one, my recommendation) and fully develop to meet the company’s aspirations.
Next is a very long list or the required retained documented information (yes, records). 24 records are required in ISO 9001:2015. This is compared to 21 records required in ISO 9001:2008. Some of the 24 records required by ISO 9001:2015 are repeat requirements, listed twice. So here goes. You get to decide what format, what media. So long as they are legible and retrievable, you are on the right track; 4.4.2 QMS and processes. Retain information on processes carried out effectively (a blanket requirement) to the extent necessary. 220.127.116.11 Calibration retain information on fitness of purpose for measuring instruments. 18.104.22.168 Calibration retain information on basis for calibration where no standards exist. 7.2. d Competence Retain information as evidence of competence. 8.1 e 1 Operations retain evidence of processes being carried out as planned, to the extent necessary. 8.1.e 2 Operations retain information to demonstrate conformity of products and services, to the extent necessary. 22.214.171.124 a Sales, Retain information on the results of review of customer requirements, as applicable. 126.96.36.199 b Sales Retain information on any new requirements for products and services, as applicable. 8.3.3 Design Retain information on design inputs. 8.3.4 b Design Retain information on design reviews. 8.3.4 c Design Retain information on design verifications. 8.3.4 d Design Retain information on design validations. 8.3.5. Design Retain information on design outputs. 8.3.6 Design retain information on design changes (e.g., reviews, authorization, and actions to prevent adverse impacts). 8.4.1 Purchasing retain information on the evaluation, selection, monitoring of performance, and reevaluation of external providers. 8.5.2 Traceability retain information to necessary to enable traceability. 8.5.3 External property retain information on customer or external provider property that is lost, damaged, or unsuitable. 8.5.6 Change management retain information on changes, i.e., review of changes, persons authorizing, and necessary actions arising. 8.6 Product release, retain documented information on the release of products and services, including evidence of conformity and traceability to person authorizing release. 8.7.2 Nonconforming products, retain information on nonconforming products, including description, actions taken, any concessions, and authority deciding on action. 9.1.1 Monitor and measure retain evidence of results of monitoring and measuring (a blanket requirement). 9.2.2 f Internal audit Retain evidence of implementation of audit program and audit results. 9.3.3 Management review Retain evidence of the results of management review. 10.2.2 Corrective action, retain evidence of nature of nonconformity, any actions taken, and results.
My head really hurts. Most company generate most of these records. Use a cross reference table if needed but make sure you can prove what you need to prove during an audit. Otherwise, be aware and be prepared.