Chapter 5: Documentation & Procedures

The four-tier hierarchy is the backbone of every successful integrated management system we've seen implemented in Canadian manufacturing plants. Think of it as a pyramid: broad commitments at the top, system-level procedures in the second layer, detailed operational work below that, and evidence at the foundation.

Tier 1: The Integrated Management System Policy Statement

This is the single document that replaces separate quality, environmental, and safety policies. It is signed by your Chief Executive Officer or Plant Director and posted prominently at your facility entrance and break rooms.

It covers:

Your organization's commitment to consistent, safe, and environmentally responsible manufacturing
Commitment to comply with applicable ISO 9001, ISO 14001, and ISO 45001 requirements
Commitment to quality objectives, environmental protection, and zero-harm safety culture
Commitment to worker participation and consultation on safety and environmental decisions
Statement of top management's accountability for the integrated system

Unlike separate policies that often contradict one another or compete for employee attention, a single policy creates organizational coherence. Your workforce sees one voice, one set of priorities, one measurement system.

The IMS Policy is short—typically 1.5 to 2 pages—but it is legally and operationally binding. Every procedure below it flows from this policy. Your registrar will expect to see this document, and your workers should be able to articulate what it means.

Tier 2: Integrated System-Level Procedures

These are the backbone procedures that serve all three standards simultaneously. They define *how* your organization meets the policy statement.

Tier 2 includes:

Integrated document control procedure
Integrated records management procedure
Integrated internal audit procedure
Integrated corrective action and nonconformance management procedure
Integrated management review procedure
Integrated competence and training procedure
Integrated communication and stakeholder engagement procedure

These procedures are written in a single document with reference to all applicable clauses across ISO 9001, ISO 14001, and ISO 45001. For example, your corrective action procedure will have fields for quality nonconformances, environmental incidents, and safety near-misses, but a single workflow and timeline governs all three. This eliminates the nightmare scenario where a quality NCR takes 7 days to close, an environmental incident takes 30 days, and a safety event sits in limbo.

Tier 2 procedures are typically 8–15 pages each and are written in language that a shop floor supervisor can understand and implement.

Tier 3: Standard-Specific Operational Procedures and Work Instructions

Not everything integrates. ISO 9001 requires specific procedures for design and development control, customer-related processes, and product release criteria. ISO 14001 requires specific procedures for environmental aspects assessment and emergency preparedness. ISO 45001 requires specific procedures for hazard identification, risk assessment (HIRARC), and worker consultation on safety decisions.

Tier 3 is where these standard-specific operational procedures live. These are written for a single standard, address clauses that have no parallel in the other standards, and are as detailed as your operation requires.

Work instructions—the step-by-step guides for operators, machinists, and technicians—also live at Tier 3. Tier 3 is the largest layer of the pyramid, containing dozens of procedures, from "Injection Molding Setup and Changeover" to "Environmental Spill Response" to "Lockout-Tagout (LOTO) Procedures."

Tier 4: Records and Evidence

This is where compliance comes to life. Tier 4 includes all evidence that you have actually followed your procedures: audit reports, corrective action logs, training records, calibration certificates, environmental monitoring data, safety incident reports, and customer feedback.

In a modern integrated system, Tier 4 records are searchable and tagged by applicable standard(s), making it easy to pull evidence during an audit. If your registrar asks to see all corrective actions related to ISO 14001 in the past 12 months, a well-structured Tier 4 system retrieves them in minutes, not days.

Not every organization integrates at the same depth, but the procedures listed below are candidates for full integration in every Canadian manufacturing IMS. These are the high-ROI consolidation targets that reduce administrative burden without compromising compliance.

1. Document Control Procedure

A unified document control procedure manages all procedures, work instructions, and forms across all three standards. Instead of three separate document numbering systems, you have one. Instead of separate master lists for quality, environment, and safety procedures, you have one master list with metadata tags.

The procedure includes rules for document creation, review, approval (defining who signs off on what type of document), distribution, version control, and archiving. Modern document management platforms like Qualtrax or ISO Tracker can enforce these rules automatically.

2. Records Management Procedure

This single procedure defines retention times for all records: quality audits, environmental monitoring, safety incident reports, training records, and calibration certificates. It specifies where records are stored (physical and digital), who can access them, and how long they are kept.

For Canadian manufacturers subject to provincial occupational health and safety legislation, some records (e.g., injury reports) may have legal retention requirements that exceed ISO requirements. Your integrated records procedure accommodates both.

3. Internal Audit Procedure

A single internal audit program covers all three standards. Instead of conducting separate quality audits, environmental audits, and safety audits, you conduct integrated audits with one checklist, one schedule, and one team. This is more efficient and surfaces systemic risks that might be invisible if audits are siloed.

The procedure specifies audit frequency (risk-based), auditor qualifications, audit scope, and the reporting format. Your internal audit plan is one document covering all standards and all departments.

4. Corrective Action and Nonconformance Management Procedure

This is arguably the single highest-value consolidation target. Instead of three separate nonconformance systems (Quality NCRs, Environmental Incidents, Safety Events), you have one integrated procedure with a single workflow.

Here's how it works: Any nonconformance—whether a customer complaint, a missed environmental control, or a near-miss accident—enters the same system. The procedure includes standard-specific fields (e.g., customer name for quality issues, environmental media affected for environmental issues, injury details for safety incidents), but the workflow is identical:

Describe the nonconformance
Classify by applicable standard(s)
Assign investigation within 48 hours
Investigate root cause
Define corrective action
Implement and verify effectiveness
Close (typically within 30 days for environmental and safety, 14 days for quality)

Important

A unified system prevents the common scenario where a quality NCR is closed while the underlying environmental or safety risk is ignored, or vice versa. This integration is your best defense against siloed issue management that creates registrar findings.

5. Management Review Procedure

Your top management conducts one integrated management review meeting per year (or more frequently, depending on your risk profile) covering all three standards.

The meeting reviews:

Performance against all objectives (quality, environmental, safety)
Audit findings and trends across all standards
Nonconformance trends and systemic issues
Changes in applicable regulations (environmental law, occupational health and safety regulations, customer requirements)
Resource adequacy and risk assessment
Stakeholder feedback (customers, employees, regulatory agencies)

The meeting output is one management review report documenting decisions, assigned actions, and accountability.

6. Competence, Training, and Awareness Procedure

One procedure governs training records for all standards. Your training matrix identifies roles (e.g., Machine Operator, Quality Inspector, Environmental Technician, Safety Coordinator) and the required training for each role across all standards.

Instead of separate training files for quality, environmental, and safety, you maintain one training record per employee showing all competence assessments and training completion dates. This also makes onboarding faster: new hires receive one integrated orientation covering quality, environmental, and safety expectations.

7. Communication and Consultation Procedure

A single procedure defines how you communicate IMS information internally (to employees) and externally (to regulators, customers, and the public).

It specifies:

How workers are informed of policy changes and system updates
How workers can raise concerns or suggestions related to quality, environment, or safety
How you communicate with regulators (environmental agencies, labour boards)
How you communicate with customers about product quality and environmental commitments

This ensures your organization speaks with one voice on all three fronts.

Even in a fully integrated system, certain procedures must remain standard-specific because they address requirements that exist in only one standard or have fundamentally different objectives.

ISO 9001-Specific Procedures

Customer-Related Processes: How you capture customer requirements, manage contracts, and communicate with customers. ISO 14001 and ISO 45001 have no parallel requirement.
Design and Development Control: How you develop new products or modify existing ones. ISO 14001 requires you to consider environmental aspects in the design process, but the actual design control procedure is quality-specific.
Product and Service Release Criteria: How you ensure products meet customer specifications before shipment. This is purely quality-focused.

ISO 14001-Specific Procedures

Environmental Aspects and Impacts Assessment: How you identify which manufacturing activities have environmental significance (e.g., water use, emissions, waste generation) and assess their impact on the natural environment. This is complex, technical, and unique to environmental management.
Life Cycle Perspective Analysis: ISO 14001 requires you to consider the environmental impact of your product across its entire life cycle—from raw material extraction through end-of-life disposal. This is an environmental-specific analysis with no quality or safety parallel.
Emergency Preparedness and Response: While ISO 45001 requires incident reporting and investigation, ISO 14001 requires pre-planned response procedures for environmental emergencies (e.g., chemical spill, unplanned release to water). These are detailed, site-specific, and require technical expertise.

ISO 45001-Specific Procedures

Talk to an Expert

Need guidance on your certification journey?

Our consultants have prepared more than 250 manufacturers globally — from growing businesses to large enterprises — for successful certification. Get a free, no-obligation consultation tailored to your industry.

Hazard Identification, Risk Assessment, and Risk Control (HIRARC): This is the systematic process of identifying workplace hazards, assessing the risk they pose, and implementing controls. While ISO 9001 touches on operational risk and ISO 14001 requires environmental risk assessment, neither has the depth or worker-participation requirement that ISO 45001 mandates.
Worker Participation and Consultation: ISO 45001 requires formal mechanisms for workers to participate in decisions affecting their safety. While ISO 9001 and ISO 14001 mention employee involvement, ISO 45001 is prescriptive and mandatory. A single procedure for "employee engagement" across all standards would likely underdeliver on this critical requirement.
Return-to-Work and Rehabilitation: ISO 45001 requires procedures for supporting injured workers and facilitating their safe return to work. This is occupational health and safety-specific and may involve collaboration with occupational health physicians, physiotherapists, and labour boards.

Key Consideration: Attempting to force these standard-specific procedures into integrated procedures creates confusion during audits. When your registrar asks to see your HIRARC procedure, they expect to see a robust, detailed document addressing ISO 45001 Clause 8.1. If that procedure is buried in a generic "Risk Assessment" document that also covers product design risks and environmental impacts, the auditor wastes time searching for relevant clauses and may ask follow-up questions that reveal gaps.

Below is a reference table we've developed from working with Canadian manufacturers. Use this as a starting point for your own document structure. Your specific business may warrant adjustments—for example, if you have a very small environmental footprint, you might fully integrate your environmental procedure into operations. Conversely, if you operate in a highly regulated industry like food processing or pharmaceuticals, you might keep more procedures standard-specific.

Procedure	Integration Level	Rationale
1. Integrated Management System Policy	Fully Integrated	Single document covering all commitments; signed by CEO and foundational to entire system
2. Document Control	Fully Integrated	Single numbering system, one master list, universal metadata tagging; efficiency and auditability are maximized
3. Records Management and Archiving	Fully Integrated	One retention schedule, one storage system, universal access rules; reduces redundancy
4. Internal Audit Program	Fully Integrated	One schedule, one checklist framework, one team conducts audits across all standards simultaneously
5. Nonconformance and Corrective Action	Fully Integrated	Single workflow from identification through closure; prevents siloed issue management
6. Management Review	Fully Integrated	One annual/quarterly meeting covering all KPIs, audit findings, and strategic decisions across standards
7. Competence, Training, and Awareness	Fully Integrated	One training matrix, one training record system, one onboarding process; addresses quality, environmental, and safety competence
8. Communication and Stakeholder Engagement	Fully Integrated	One procedure for internal and external communication; ensures consistent messaging
9. Operational Planning and Control	Partially Integrated	Core planning (scheduling, resource allocation, change management) is integrated; standard-specific operational controls remain separate (see items 10, 11, 12)
10. Customer-Related Processes (Quality)	Standard-Specific (ISO 9001)	Requirements for identifying customer needs, contract review, and customer communication are unique to ISO 9001
11. Design and Development Control (Quality)	Standard-Specific (ISO 9001)	While IMS considers environmental and safety aspects, design control is fundamentally a quality process; keep separate from operations
12. Product Release and Delivery	Standard-Specific (ISO 9001)	Criteria for product acceptance and release are quality-focused; integrate the verification step but keep release decision separate
13. Supplier Management and Procurement	Partially Integrated	Supplier selection criteria integrate quality, environmental, and safety expectations; procurement and monitoring procedures may remain quality-focused unless suppliers manage environmental or safety risks for your operations
14. Environmental Aspects and Impacts Assessment	Standard-Specific (ISO 14001)	Complex environmental analysis; no parallel in quality or safety management; unique technical and regulatory requirements
15. Life Cycle Perspective (Environmental)	Standard-Specific (ISO 14001)	ISO 14001-specific requirement to assess product environmental impact from raw material to disposal; no parallel in other standards
16. Emergency Preparedness and Response (Environmental)	Standard-Specific (ISO 14001)	Pre-planned response to environmental emergencies (chemical spill, water contamination); while ISO 45001 requires incident response, environmental emergency procedures require specialized technical controls
17. Hazard Identification, Risk Assessment, and Control (HIRARC)	Standard-Specific (ISO 45001)	Systematic identification of workplace hazards and control measures; depth and worker participation requirements are specific to ISO 45001; do not combine with environmental or product risk assessment
18. Worker Participation and Consultation	Standard-Specific (ISO 45001)	ISO 45001 mandates formal worker participation in safety decisions; while other standards mention employee involvement, this procedure must be robust and transparent to workers
19. Incident Reporting, Investigation, and Follow-Up (Safety)	Partially Integrated	Initial reporting and investigation steps can be integrated; however, injury-specific follow-up (workers' compensation, return-to-work accommodation, occupational health involvement) must address ISO 45001 and provincial OHS legislation specifically
20. Return-to-Work and Rehabilitation	Standard-Specific (ISO 45001)	ISO 45001-specific procedure addressing safe return of injured workers; may involve external occupational health professionals and provincial labour board coordination

Pro Tip: Many Canadian manufacturers apply 80% integration across these 20 procedures, resulting in 12–14 fully or partially integrated procedures and 6–8 standard-specific procedures. The 20% reduction in total document volume translates to roughly 100 hours per year in documentation maintenance alone—time your team can redirect toward process improvement and risk management.

Now that you know which procedures to integrate and which to keep separate, the next question is: *How do I actually organize all these documents so that internal auditors and registrars can find what they need?*

A well-designed document numbering convention and a modern document control platform are your answers.

Document Numbering Conventions

A standard numbering scheme might look like this:

IMS-P-QES-001: IMS Procedure, Quality/Environmental/Safety (fully integrated), document 001
IMS-P-Q-003: IMS Procedure, Quality only (ISO 9001-specific), document 003
IMS-P-E-005: IMS Procedure, Environmental only (ISO 14001-specific), document 005
IMS-P-S-007: IMS Procedure, Safety only (ISO 45001-specific), document 007
IMS-WI-Q-042: IMS Work Instruction, Quality, document 042
IMS-FRM-QES-015: IMS Form (fully integrated), document 015

This convention immediately tells anyone viewing the document which standards it applies to and whether it is a policy, procedure, work instruction, or form.

Document Control Platforms

While you *could* manage an IMS using SharePoint and Excel, modern platforms like Qualtrax, ISO Tracker, or ETQ Reliance offer significant advantages:

Metadata Tagging: Tag each document by applicable standard(s), department, revision status, and owner. Your internal auditor can instantly generate a list of all ISO 14001 procedures or all procedures affecting the Production Department.
Automated Workflows: When a procedure is revised, the system automatically notifies affected departments, tracks review and approval, and archives the old version with a timestamp.
Audit-Ready Reporting: Generate evidence reports by standard, department, or date range in seconds. When your registrar requests "all quality audit reports from Q1 2026," you export a filtered list directly from your system.
Access Control: Restrict access to sensitive procedures (e.g., environmental incident response, safety incident investigation) to authorized personnel while maintaining transparency for the workforce.
Mobile Accessibility: Operators and technicians access current work instructions from phones or tablets on the shop floor, reducing the risk of following outdated printed versions.

Simpler platforms like ISO Tracker, which integrates with Google Workspace, or ETQ Reliance work well for small to mid-sized manufacturers. Larger facilities with multiple sites may justify enterprise solutions.

The cost of implementing a document control platform ($5,000–$50,000 depending on scale and customization) is recovered within the first 18 months through reduced audit preparation time, faster nonconformance closure, and fewer registrar findings related to documentation.

With a clear document hierarchy, a thoughtful integration strategy, and a modern platform supporting it, you've built the foundation for an IMS that scales. In the next chapter, we'll walk through the common mistakes manufacturers make when implementing this structure—and how to avoid them.

Integrated Audit Program: How to Conduct Combined ISO 9001, 14001, and 45001 Audits in Canadian Manufacturing

If you're running three separate internal audit programs in 2026, you're essentially operating three different management systems wearing the same company badge. Most Canadian manufacturers we work with discover this reality the hard way: during a combined registrar audit, when the auditor asks to see how your quality team's purchasing audit connects to your environmental team's supplier audit—and you have no answer.

The integrated audit program is where your Integrated Management System (IMS) becomes real, measurable, and sustainable. It's also where you recover the largest efficiency gains available to you. A typical 200-person Canadian manufacturer running three separate annual audit cycles invests 240–300 audit-days per year across quality, environmental, and occupational health & safety teams.

A properly designed integrated audit program cuts this to 120–150 audit-days—a 40–60% reduction in internal audit labor while actually improving audit depth and coverage consistency.

This chapter walks you through designing, resourcing, and executing a combined audit program that proves to your registrar (and to your board) that your IMS isn't just three standards sharing the same policy manual.

Free ISO Readiness Assessment