Mark Hammar
January 28, 2014
Have you ever thought that a documented procedure for records is going overboard? Do you fail to see why this is such an important requirement of any Management Standard (ISO 9001, but also ISO 14001, ISO 27001, etc.)? The standard is often interpreted as requiring that every single piece of paper or information generated by your company be kept as a record, but this is far from the truth. The standard requires that controls be maintained for records you create that prove conformance to requirements (for product, service or any other requirements identified by the company) and for records that show the effectiveness of the Quality Management System. While some are clearly identified throughout the standard, such as the output of Management Review, the company needs to identify which records it needs.
The purpose of records, apart from proof of compliance if anyone comes to question a faulty product or service, is to provide data for your company to use toward improvement of the processes. By ensuring that you have records of your relevant data, you can return to analyze the data to help you improve the processes your company uses. Remember, the main reason for implementing and maintaining a Quality Management System is to have a framework to drive improvement in your business processes.
The reason for a documented procedure is to define controls. The procedure can be a document of words, a flowchart of some sort, or any other form of documentation that the company finds useful, but it does need to be documented, and it needs to define the controls for the following list of six attributes of the process. I have identified some questions to ask on each topic to help make your controls better suited to your needs, but an overall question you need to answer is what customer requirements are there for these aspects of the process.
1) Identification. What is needed to ensure you can find the right record when you need to? Should similar records of a product or service be filed together for easy retrieval, or do you have a way to identify all records that would need to be compiled when assessing a given product or service? How will you know a record is missing when gathering a collection of records?
2) Storage. How will you keep your records: electronically, or in paper format? Will they be kept onsite, or offsite? If offsite, how long do you keep a record onsite before moving it?
3) Protection. How do you ensure the records are protected from loss or damage? If the records are paper, is the area where they are stored properly controlled? (I have heard stories of boxes of records found in basements that were wet and unusable.) If the records are electronic, what backup requirements do you need? Do your backups need to be stored separately in case of fire or other emergency at your location?
4) Retrieval. How often will you need to retrieve a record for use? (This may affect the decision above on where the records are located.) If a record is needed, how quickly do you need to get it? I know in the aircraft industry there are requirements by the United States FAA in an airplane crash that all suppliers for that aircraft will provide records for their components within 24 hours to assist the investigation.
5) Retention. How long do you need to keep the records? Does it vary by record, or is there one retention period across all record types? Is the record retention for a product or service related to the time of creation, or the end of life for the product or service?
6) Disposition. At the end of the retention period, what happens to the records? Are they disposed of outright, or does someone need to review the records before they are destroyed? If there is a review, who needs to do this?
Along with the above controls there are three other things that need to be ensured for all records. These seem to be obvious, but there are a couple of things that can happen if they are not protected against.
1) Legibility. When creating a record, do you need to have it typed to avoid unreadable handwriting either in paper records or later scans? Is it written in a language that is understood by those who need to read it? Do you ensure that any scanned versions of a record are readable before destroying any original paper copy, or is it too light or blurry to read?
2) Able to Readily Identify. How hard is it to identify the record as the one you want? Is the identification hard to read or hard to find in the record? Is it hard to identify what the record is for, such as a large list of measurements with no way to identify what was measured or how the measurements relate to the product or service?
3) Able to Retrieve. When you try to retrieve the record, will you be able to? If a record is stored on an older electronic format (such as a floppy disk), will you have the ability to read it? Will your computer be unable to read it, or will it have faded and be unreadable even by the correct hardware? Do you think about this when you change your company software packages?
Remember, the main reason for records is for you to be able to use the data to help improve your processes. If you make your record controls so difficult to use that getting the data you need is nearly impossible, then it will become easier to make decisions based on instinct rather than to ensure good decisions based on facts. It is important to remember that the ISO 9001 standard may tell you the points of the process that require control, but it does not tell you what those controls need to be or how to implement them. Making the process easy or hard to work with is up to you.