Missing in Action
New standards beg question, ‘Where have all the documents gone?’
by Thea Dunmire
There was a hit song in the 1960s titled "Where Have All the Flowers Gone?"1 Originally written in 1955 by Pete Seeger and Joe Hickerson, the song was a catchy tune sung around campfires at summer camp and also became a political ballad.
Many of those reviewing the current draft of the revisions to ISO 9001—Quality management systems—Requirements, and ISO 14001—Environmental management systems—Requirements, are asking, "Where have all the documents gone?"
This question has been prompted by the fact that the words "document," "procedure" and "record" have all but disappeared from the draft international standard (DIS) for ISO 9001 and ISO 14001.
Does this mean documented procedures and records are no longer required?
What has replaced those words is a new term—"documented information." The use of this new term is one of many changes to International Organization for Standardization (ISO) management system standards (MSS) imposed by Annex SL, an addition to the ISO directives that mandates the use of a common high-level structure and terminology.
This new term is defined as "information required to be controlled and maintained by an organization and the medium on which it is contained."2 It should be noted that the draft of the revised version of ISO 9000—Quality management systems—Fundamentals and vocabulary further defines the word "information" as "meaningful data" and "data" as "facts about an object," with an "object" being further defined as anything "perceivable or conceivable."
It is interesting to compare the definition of document that was included in the prior versions of ISO 14001 and ISO 9001 as "information and its supporting medium" to the definition of the new term being used in the DIS of both standards—"documented information."
A new concept has been added. "Documented information" is now, by definition, limited to just the information that is "required to be controlled and maintained by an organization." As a result, other information, even if important, arguably is not documented information and, therefore, does not need to be controlled.
This raises the question of who determines what information is required to be maintained. Is it the organization? Is it the certifying body? Is it a regulator or other interested party?
Examples of the impact of this change in terminology in the draft standards include:
- Instead of requiring the organization to "ensure that its environmental policy is documented" in clause 4.2 of ISO 14001:2004, clause 5.2 of the ISO/DIS 14001:2015 states "the environmental policy shall be available as documented information."
- Currently, clause 4.2.1 of ISO 9001:2008 contains an explicit documentation requirement that includes the documents needed by the organization "to ensure the effective planning, operation and control of its processes." This has been replaced with, "The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned," as stated in clause 4.4.
In both of these examples, the documentation requirements have become more ambiguous.
Similar changes have been made throughout ISO/DIS 9001:2015 and ISO/DIS 14001:2015. Requirements for procedures and records are gone, and requirements to maintain and retain documented information have been added.
To help organizations understand the new concepts and to make the transition to the new standards, an explanation is provided in an annex to ISO/DIS 14001:2015 that the phrase "maintain documented information" is intended to refer to documents, which include procedures, and the phrase "retain documented information" is intended to refer to records.
This means requirements for documented procedures and records are not truly gone. They are now stated as follows:
- Maintain documented information means having documented procedures.
- Retain documented information means keeping records.
In developing new documentation for their management systems and revising their existing documentation, organizations must be mindful of the impact of these changes.
Implementing the changes
So what does this mean for users of these standards?
First, rather than simply relying on the ISO standards to clearly and explicitly state what must be documented, organizations must make their own determination concerning what documented information is required. This may provide new flexibility to some organizations. They may be able to rely on other types of process controls in place of documentation, such as automated control systems.
Because the documentation requirements set out in the standards are more ambiguous, however, documentation determinations may need to be justified. Because different organizations may have different interpretations of what constitutes documented information, accreditation and certification bodies may find it more difficult to maintain consistency in their interpretation of the ISO 9001 and ISO 14001 requirements. Certification bodies may end up developing their own policies regarding the need for management system documentation.
Second, organizations will still be required to determine whether information needs to be maintained or retained; that is, whether it must be controlled as a document or record. Although explicit provisions for document control and record control have been eliminated from ISO/DIS 9001:2015 and ISO/DIS 14001:2015, the requirements previously associated with these clauses simply have been lumped together in a new Clause 7.5.3—Control of documented information.
It will now be up to organizations to determine which of the subclauses in clause 7.5.3 apply to what documented information and which do not.
Finally, to the extent organizations increasingly rely on computerized data rather than paper documentation, additional requirements for process validation, data integrity, confidentiality and information availability must be addressed. Satisfying these requirements will present new and often complex challenges for many organizations.
So, the documentation requirements of the ISO standards have not gone away—they have become more difficult to assess.
Long time passing
Those familiar with the lyrics of the song "Where Have All the Flowers Gone?" are aware that the answer to this question in the song is, "Long time passing."
There are those who view the elimination of explicit documentation requirements from ISO standards as a good thing—a move to update the ISO standards to make them modern. In their view, leaving the determination of which information must be maintained as documented information undefined is an improvement.
They envision a world in which information is primarily electronic data, and process control is increasingly dominated by automated computer systems; a world where the line between a process and a procedure is blurred, and the distinction between data and records is nonexistent. No more procedures in three-ring notebooks. No more paper records in filing cabinets.
Others are not so sure. They mourn the loss of clarity and certainty associated with explicit requirements in the ISO standards for documented procedures and records. They are uncertain that leaving it to organizations to determine what must be documented and recorded, and what does not, is an improvement.
They are concerned about a world in which information has no physicality and computers are in control of processes. They are concerned that just as computers can retain vast amounts of data, the same data can be deleted with a few keystrokes. They value the permanence of paper.
Only time will tell which view is right.
- Peter Seeger and Joe Hickerson, "Where Have All the Flowers Gone?" 1955.
- International Organization for Standardization and International Electrotechnical Commission, ISO/IEC Directives, Part 1, Annex SL.
Thea Dunmire is the president of ENLAR Compliance Services, where she specializes in helping organizations implement management systems. She has participated internationally in the development of multiple International Organization for Standardization (ISO) standards. She is currently the chair of the ANSI Z1 auditing subcommittee, which focuses on alignment of auditing requirements across the ISO management system standards. Dunmire has a law degree from Syracuse University in New York.