Required ISO 9001:2000 Documents

Clause 4.2.1 of ISO 9001:2000 identifies the requirement for a quality policy, quality objectives, quality manual, and procedures.

Documented Statement of Quality Policy

ISO 9001:2000, clause 5.3, requires top management to ensure the quality policy is:

  • Appropriate to the purpose of the organization

  • A framework for establishing and reviewing quality objectives

  • Communicated and understood within the organization

  • Reviewed for continuing suitability

The policy must include a commitment to comply with requirements and continually improve the effectiveness of the quality management system.

Note that the quality policy must be controlled, which means paying particular attention to these 4.2.3 sub-clauses:

c. changes and current revision status are identified
d. relevant versions are available at points of use
g. obsolete versions are prevented from unintended use

Documented Statement of Quality Objectives

ISO 9001:2000, clause 5.4.1, requires top management to ensure quality objectives, including those needed to meet product requirements, are established at the relevant functions and levels within the organization.

Quality objectives must be measurable and consistent with the quality policy. Some organization may discover that their current quality objectives are really broadly stated goals instead of specific, measurable targets.

These defined quality objectives are subject to document control since they represent your current plan and will be revised in the future.

Quality Manual

ISO 9001:2000, clause 4.2.2, specifies the minimum content for a quality manual. It must be established and maintained with:

  • Scope of the quality management system

  • Details and justification for any exclusions

  • Procedures or references to the procedures

  • Description of interaction between processes

Although not specifically required in the quality manual as before, providing an outline of the structure of your documented system would be a good idea. Also, the new standard no longer says the quality manual must cover all the requirements of the standard. However, if all the requirements are not addressed, it would appear that they have been excluded from your system.

The format and structure of the quality manual is up to the organization and depends on the size and complexity of their system. Of course, ordering the sections by the clause numbers of the new standard will make it easier to ensure no requirements are overlooked.

The quality manual may be the reader’s first impression of your system. You want it to convey your management commitment to quality and represent your organization well.

Required Procedures

ISO 9001:2000 clause 4.2.1(d) explains that the quality system documentation must include the documented procedures required by the standard. Six documented procedures are identified in the standard (4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, and 8.5.3) and have to be controlled in accordance with the requirements of clause 4.2.3.

Some organizations may find it convenient to combine the procedures for several activities into a single procedure, for example, corrective action and preventive action. Others may choose to document an activity with more than one procedure, for example, internal audits.

Procedure for Control of Documents

Documents required by the quality management system must be controlled. A documented procedure must be established to define controls to:

  • Approve documents for adequacy prior to issue

  • Review and update as necessary and re-approve documents

  • Ensure that changes and current document revision status are identified

  • Ensure relevant versions of documents are available at points of use

  • Ensure the documents are legible and readily identifiable

  • Ensure external documents are identified and their distribution controlled

  • Prevent the unintended use of obsolete documents

  • (Apply suitable identification to obsolete documents if they are retained)

Note that reviewing documents and updating them as necessary implies an ongoing review process to ensure your documents are valid and current.

The 1994 version of the standard said the nature of document changes had to be identified, where practical. ISO 9001:2000 dropped the “where practical”. Changes should be identified in the document or an attachment.

The new standard has added that documents must be legible and readily identifiable. ISO 9001:2000 also clarified that control of external documents includes the control of their distribution.

Procedure for Control of Records

Records required for the quality management system must be controlled. These records must be established and maintained as evidence of conformance to requirements and to demonstrate the effective operation of the quality management system. Records must remain legible, readily identifiable, and retrievable.

A documented procedure must be established for the control of records:

  • Identification

  • Storage

  • Protection

  • Retrireview

  • Retention

  • Disposition

Although a few words have been dropped from the description of the activities addressed by the record control procedure, the basic intent is the same
Also, dropping the reference to maintaining pertinent subcontractor records, as well as, dropping the reference to making the records available for customer evaluation, does not in practice eliminate these requirements (if the records are needed to show conformity or satisfy a contract).

Procedure for Internal Audit

The organization must conduct periodic internal audits to determine if the quality management system, conforms to planned arrangements, conforms to requirements of ISO 9001, and is effectively implemented and maintained.

A documented procedure must address the responsibilities and requirements for:

  • Planning audits

  • Conducting audits

  • Reporting results

  • Maintaining records

Prior audit results must now be considered when planning the audit program, in addition to considering the status and importance of the areas to be audited.

The new standard requires the audit criteria, scope, frequency and methods to be defined. We knew to do this based on our audit training, but now it is spelled out as a requirement.

ISO 9001:1994 states the auditor must be independent of those with direct responsibility for the audited activity. The new standard says the auditor must be impartial and objective, and that the auditor cannot audit their own work. The revised text may give small organizations more latitude in assigning auditors.

Although ISO 9001:1994 requires an internal audit procedure, the new standard specifies the procedure must define responsibilities and requirements for planning and conducting audits, reporting results, and maintaining records.

Procedure for Control of Nonconforming Product

The organization must ensure any nonconforming product is identified and controlled to prevent its unintended use or delivery. These activities and related responsibilities and authorities must be defined in a documented procedure.

The ISO 9001:1994 standard identifies several actions that might be taken to deal with nonconforming product. The product could be reworked, accepted by concession, regraded, or rejected or scrapped. The new standard covers these actions in different words.

Clause 8.3 says one way of dealing with nonconforming product is by “taking action to eliminate the detected nonconformity”. This is the definition of “correction” from ISO 9000:2000, which states in a note that the correction may be to rework or regrade the product.

When the new standard refers to actions to preclude the original intended use or application of the nonconforming product, it covers rejecting or scrapping. Both of the standards refer to concessions as an option.

However, there is a new requirement that for any nonconforming product detected after delivery or use, the organization take action appropriate to the effects, or potential effects, of the nonconformity. Be sure to address this possibility in your procedure.

Procedure for Corrective Action

The organization must take corrective action to eliminate the cause of the nonconformity and prevent recurrence. Corrective action must be appropriate to effects of the problem.

The documented procedure for corrective action must define requirements for:

  • Reviewing nonconformities (including customer complaints)

  • Determining the causes of nonconformities

  • Evaluating the need for actions to prevent recurrence

  • Determining and implementing the needed action

  • Records of the results of the action taken

  • Reviewing the corrective action taken

The new standard clarifies that corrective action is to prevent the “recurrence” of a detected nonconformity. Although worded differently throughout the clause, the requirements are basically the same.

Some auditors have expressed a concern that 8.5.2 (f) only requires the “reviewing of corrective action taken”. They point out that clause 4.14.2 (d) of ISO 9001:1994 required “application of controls to ensure that corrective action is taken and that it is effective”. Based on the definition of “review”, corrective actions must still be effective. ISO 9000:2000 defines Review as the “activity  undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve established objectives.”

Procedure for Preventive Action

The organization must determine the action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions must be appropriate to the anticipated effects of the potential problem.

The documented procedure for preventive action must define requirements for:

  • Determining potential nonconformities and their causes

  • Evaluating the need for actions to prevent occurrence

  • Determining and implementing the needed action

  • Records of the results of the action taken

  • Reviewing the preventive action taken

The new standard clarifies that preventive action is to prevent the “occurrence” of potential nonconformities. Although worded differently throughout the clause, the requirements are basically the same.

Most organizations have a combined corrective and preventive action procedure. Although the new standard identifies the need for a corrective action procedure and a preventive action procedure, they can be placed together if the resulting procedure addresses the unique differences of their requirements.