The ISO 9001:2008 Clause 4.2. Documentation Requirements defines all documentation as a tool for information transmission and communication. The type and extent of the documentation will depend on the nature of the organization’s products and processes, the degree of formality of communication systems, and the level of communication skills within the organization, and the organizational culture. This includes any validation documentation that proves what was intended has been achieved.
The documentation facilitates knowledge sharing within the organization to disseminate and preserve the organization’s experiences. A typical example would be a technical specification, which can be used as a base for design and development of a new product. These documents can exist in many forms:
• Paper
• Magnetic
• Electronic or optical computer disc
• Photograph
• Master sample
It is important to note that as a medical device packaging organization, all documentation must also be compliant to the FDA Code of Federal Regulations – Quality Systems Regulation, 21CFR Part 820.40 Document Controls and any electronic records must also be complaint to the FDA Code of Federal Regulations – Electronic Records; Electronic Signatures, 21 CFR Part 11.10, Controls for closed systems, 11.30, Controls for open systems, 11.50, Signature manifestations and 11.70, Signature/record linking.
21CFR Part 11 covers compliance requirements for medical devices as well as pharmaceutical, healthcare, food, and other FDA-regulated industries. This standard requires companies to implement controls such as system validation, protection of electronic records and signatures, audit trails, and documentation for software and systems that are involved in processing the required quality documents and records to be compliant with ISO 9001:2008 and 21 CFR Part 820.
Clause 4.2.1 General states that the quality management system documentation shall include:
a) documented statements of a quality policy and quality objectives
b) a quality manual
c) documented procedures required by this International Standard
d) documents needed by the organization to ensure the effective planning, operation, and control of its processes, and
e) records required by this International Standard
The notes after Clause 4.2 make it clear that where the standard specifically requires a “documented procedure,” the procedure has to be established, documented, implemented, and maintained. It also emphasizes that the extent of the QMS documentation may differ between organizations due to the size of organization and type of activities, the complexity of processes and their interactions, and the competence of personnel. All the documents that form part of the QMS have to be controlled in accordance with clause 4.2.3 of ISO 9001:2008, or, for the particular case of records, according to clause 4.2.4.
ISO 9001:2008 specifically requires the organization to have “documented procedures” for the following six activities:
1) 4.2.3 Control of documents
2) 4.2.4 Control of records
3) 8.2.2 Internal audit
4) 8.3 Control of nonconforming product
5) 8.5.2 Corrective action
6) 8.5.3 Preventive action
There are several requirements of ISO 9001:2008 where an organization could add value to its QMS and demonstrate conformity by the preparation of other documents, even though the standard does not specifically require them. Examples may include:
• Process maps, process flow charts, and/or process descriptions
• Organization charts
• Specifications
• Work and/or test instructions
• Documents containing internal communications
• Production schedules
• Approved supplier lists
• Test and inspection plans
• Quality plans
All such documents have to be controlled in accordance with the requirements of clause 4.2.3 and/or 4.2.4, as applicable.
Organizations are free to develop other records that may be needed to demonstrate conformity of their processes, products, and quality management system. Requirements for the control of records are different from those for other documents, and all records have to be controlled according to those of clause 4.2.4 of ISO 9001:2008.
The medical device industry is not unique in the requirements for document control and management of records. Standards that regulate the food, pharmaceutical, biopharmaceutical, semiconductor, microelectronics, aerospace, and automotive industries also require similar document control and management of records.
To be compliant with the requirements of the standards listed above for the effective management of the specified documents and associated records can be a daunting task. Management of all documentation within an organization may be performed in-house controlled by one department or may be contracted with an outside supplier. Outside suppliers can provide document destruction services and storage and retrieval services for an organization’s quality records as well as financial and personnel records. It is important to select a service provider that is NAID (National Association for Information Destruction) certified and can provide the required services for your organization.
There are also commercial software systems that can be adapted to your quality management system requirements. It is important to select a service provider that offers a software system that is both 21 CFR Part 11 and EU-GMP compliant.
Jan Eudy is a technical resource for ESD, cleanroom, food, and healthcare garments and products. At Cintas, she directs the quality system and ISO registration for cleanrooms and supports validation and sterile services. She is President Emeritus and Fellow, Institute of Environmental Sciences and Technology.
This article appeared in the March 2014 issue of Controlled Environments.