ISO 9001 documentation requirements

ISO 9001 has a number of requirements relating to procedures and registrations that needs to be met:

• Keep records of certain activities such as indicated in the standard
  (e.g. complaints, contract review, etc)
• A number of procedures are required for certain activities (see below)
• A number of aspects of your activities should be defined (see below)

ISO 9001: 2008 requires that your quality management system contains a number of documents. The standard indicates that a single document may cover the requirements for one or more procedures. In practice, the procedure for corrective and preventive actions are often combined. The standard requires the following documents, such as:

Six procedures:

• Control of documents
• Control of records
• Internal audits
• control of nonconforming product
• corrective actions
• preventive actions

A quality policy, which includes:

• A commitment to meet the customer requirements
• A "framework" for the establishing and reviewing quality objectives
• Quality objectives that are relevant and measurable

 

A quality manual containing:

• the scope of the quality management system (which activities are covered by the quality management system);
• details of and justification for any exclusions;
• the for the quality management system established documented procedures, or a reference to it;
• a description of the interaction between the processes of the quality management system;

 

Records of the quality management system:

• management review (5.6.1)
• education, training, skills and experience (6.2.2. e)
• evidence that products meet the requirements (7.1 d)
• the results of the assessment of product requirements and corrective actions (7.2.2)
• input regarding product requirements (7.3.2)
• evaluation results of design and development and any necessary actions (7.3.4)
• results of the verification of design and development and any necessary actions (7.3.5)
• results of the validation of design and development and any necessary actions (7.3.6)
• evaluation results of design changes and any necessary actions (7.3.7)
• supplier evaluations and any necessary actions (7.4.1)
• validation of processes for production and the provision of services (7.5.2. d)
• unique identification when traceability is required (7.5.3)
• damage, loss or unsuitable customer property (7.5.4)
• the basis used for calibration or verification (7.6. (a))
• validity of previous measurement results when it is shown that the measuring equipment was not functioning in accordance with the requirements (7.6)
• results of calibration and verification (7.6)
• internal audits (8.2.2)
• persons authorized for release of the product (8.2.4)
• nature of deviations (of products) and any measures taken (8.3)
• results of corrective actions (8.5.2)
• results of preventive actions (8.5.3)

 

The standard also requires that a number of things must be 'defined ' which generally means that it should be documented, but this is not strictly necessary. An action can be agreed verbally. If everyone is trained properly there is no need to document it. ISO9001: 2008 requires that the following is defined:

• authorities and responsibilities
• product requirements

 

The standard requires that a number of things should be determined:

• the sequence and interaction of the processes;
• methods to ensure that implementation and control of the processes is effective;
• the customer's requirements (will be in different places);
• the resources needed for the quality management system and continuous improvement;
• the ability of employees to carry out their work;
• the working environment, to work in a correct way to run;
• product requirements;
• the need for product specific processes;
• the required product-specific verification, validation, monitoring, inspection and testing activities, and the acceptance criteria for the product;
• the different design steps and their assessment (if you are designing);
• the measuring instruments used for measuring and checking your product or service;
• the method of determining customer satisfaction;
• the data necessary to determine the suitability of the quality management system and continuous improvement;

 

In addition, there are many other actions that the standard requires, but there is no requirement for  using procedures (except if you decide to document it) nor that registrations are kept. As long as the actions are performed under controlled conditions you meet the requirements of ISO 9001: 2008.

Having said this, it can happen that the auditor (in-or external) has problems with activities for which no procedures or records are maintained. This is their problem. The auditor will need to find other ways to verify proper implementation. In practice this is pretty easy for an experienced auditor.

The standard says "... the organization shall determine and manage the work environment needed to achieve conformity to product requirements”  to deliver products that meet customer requirements. You can explain to the auditor how this happens within your organization and they can verify implementation. They can talk to employees to determine whether the work environment is indeed sufficient.

Basically the standard requires that you define how you manage your processes and have the necessary resources available to deliver the products according to customer requirements. The standard requires monitoring of your processes and products and analysis of the results to ensure continuous improvement.