Tuesday, June 24, 2008

ISO 9001:2000 - Control of Records

In order to comply with the ISO 9001:2000 standard, an organization is required to establish a minimum of six documented “system” procedures. The second of these procedures, by order of appearance, covers the Control of Records, and is identified in clause 4.2.4 of the standard as follows:

"Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the quality management system. Records shall remain legible, readily identifiable and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records".*

* ISO 9001:2000, Quality management systems – Requirements, Clause 4.2.4, p. 11

What’s a Record?

In order to understand what a record is, we must begin with another standard in the family, ISO 9000:2000, Quality management systems – Fundamentals and vocabulary. In this standard, we find the definition of a record. Simply put, a record is a document, and can be used as an input from one process to another, but in contrast to documents that are purely informative, a record is generated to state results achieved or to provide evidence of activities performed.

It is because of this difference that different rules apply to the control of records than to the control of documents (clause 4.2.3). Records are not issued, revised or tracked by revision. While a record could be amended to reflect new or updated information, the original record would not be affected.

Types of Records

There are a total of 19 different types of records that are specifically addressed within the ISO 9001 standard. Needless to say, these aren’t all of the records that could be generated during the operation of a quality management system; however, these particular records are considered essential to its effective operation.

The records that are identified within the ISO 9001 standard are listed below, along with their corresponding clause number (shown in parentheses):

- Management review records (5.6.1)
- Records of Education, training, skills and experience (6.2.2)
- Records needed to provide evidence that the realization process and resulting product meet requirements (7.1)
- Records related to the review of customer requirements (7.2.2)
- Design and development inputs (7.3.2)
- Design and development review records (7.3.4)
- Design verification records (7.3.5)
- Design validation records (7.3.6)
- Design and development change review records (7.3.7)
- Supplier evaluation records (7.4.1)
- Validation arrangements for processes (7.5.2)
- Product identification records (7.5.3)
- Records related to customer property (7.5.4)
- Calibration and verification records (7.6)
- Internal audit records (8.2.2)
- Product conformity records (8.2.4)
- Records of the nature of nonconformities and any subsequent action taken (8.3)
- Results of Corrective Actions taken (8.5.2)
- Results of Preventative actions taken (8.5.3)

Controls Required

Creating a procedure to meet the requirements established in clause 4.2.4 is a fairly straightforward task. In clause 4.2.4, the ISO 9001 standard provides us with a clear purpose statement, by requiring that the organization ensure that records remain legible, readily identifiable and retrievable. In addition, clause 4.2.4 also identifies what types of controls should be addressed, giving us a basic outline of what needs to be covered in our procedure - record identification, storage, protection, retrieval, retention time and disposition (disposal).

With a purpose statement and an outline in hand, the only information we’re missing is the specific controls used by the organization. In this case, the ISO 9001 standard is neither prescriptive nor specific; it leaves the specific controls up to the implementing organization, to define methods that are consistent with its business needs, quality objectives and customer and/or regulatory requirements.

