Control of Documents
Document control is core to ISO 9001, and is common to the other management standards.
From ISO 9001:2008:
“Documents required by the quality management system shall be controlled.”
It is one of the six procedures that you must document in ISO 9001:2008.
ISO 9001:2015, says much the same thing:
“Documented information required by the quality management system and by this International Standard shall be controlled”
References to ‘documents’ and ‘records’ have now been replaced by "documented information” to better incorporate information contained in formats that might not be considered “documents”. This includes information embedded in software, digital files, videos, audio recordings, photographs, and also master samples – if that is part of how you communicate requirements.
Regardless of how you hold the information, anything deemed necessary for the organisation to operate, or necessary for the effective functioning of the management system, must be controlled.
There’s no longer a requirement to document the procedure, but the requirements regarding control are much the same.
Writing down how you control documents will make it much easier to train new staff and to audit the process, so even though it’s no longer a required procedure in ISO 9001:2015, we’d recommend you still document the process.
What is required for “control”?
The whole point of controlling documented information is to make sure it is “available and suitable for use” and also “protected.”
You’ll have to think about:
How is documented information identified? Do you specify titles, numbering, dates? Can a document be referred to without any confusion?
What is the best format for this information? Should it be stored as an electronic document? Distributed on paper? It the content better presented as a video instead of a written document? Is the information controlled through software?
Review and approval
When a new document is found, or is created, how is it approved for release? Who reviews documents to make sure they are suitable, and approves them? How will I know a document has been approved?
Distribution, access, retrieval and use
How will you provide access to released documents everywhere it’s needed? Can everyone to get them from the server? What about workers on the shop floor, out on site, on the road? Will they need hard copies, or some other offline distribution method? How do you handle confidential information?
Storage and preservation
How do you protect the documented information from unauthorised changes, or loss? Can anyone edit and delete the files? Do you have master copies stored safely? What about backups?
Control of changes
When changes are made, how do you identify them? How will people know if they do, or don’t, have the updated information? How will I know what has changed between this version and the latest release? How do I know what version my copy is, or the version of this paper copy I found?
How do you review, update and re-approve documents? Do you regularly check to make sure the information is still correct? Who is responsible for checking? How often? Who is responsible for making changes? How is an updated version approved?
Retention and disposition
How do you prevent the use of obsolete documents? How will you make sure that ONLY current documents are in use? Are there hard copies to update? How do you keep track of them? Will you make end users responsible for checking the status of their hard copies before each use? Will you delete/destroy old documents? How will you identify/segregate/archive obsolete documents you might want to keep?
How do you find and control documents from external sources? – e.g. relevant standards, legislation, supplier product specifications. ‘Control’ meaning all of the previous questions on approval, review, updates, access, etc.
Enough with the questions, – how about some answers!
So what do you need to do, in a practical sense, to control documents?
#1 – Put some control information on the document itself – on every controlled document.
Some information will go at the front of the document, and some needs to be on every page (usually in the footer),
Here’s an example of a basic header:
|Title||MSP-04 Control of Documents|
|Person Responsible||Office Manager|
|Date Last Updated||3 March 2016|
|Location||Quality Systems Toolbox|
This header shows what document I’m looking at (‘MSP-04 Control of Documents’), and answers the questions on how to tell this document has been approved (‘Released’), and the version (‘3 March 2016’), who is responsible for approving it (‘Office Manager’), and where to find it (‘Quality Systems Toolbox’)
Here’s an example footer showing information that should be on each page of the document:
|MSP-04||Revision: 3 March 2016||page 1 of 2|
Why on every page?
- Number, name of the document – so you know what it is and can find the master copy, even if the first page is missing. Some people use the location of the master copy instead. e.g., a file path “G:\Documents\ControlDocuments.doc”, or a URL “https://demo.qualitysystems.com/documents/control-of-documents”
- Revision date or number – so you can easily check to see whether the copy you have is the latest, even if the first page is missing, or your different (paper) versions get mixed up.
- Page numbering “page x of y” – so it is easy to see if you are missing a page
#2 Nominate a single place to keep master copies and a register of documents
This is where end users will go to check whether the version they have is the latest version. It may also be the place where they access the documents they need.
In the past, this would have been paper master copies kept in the office, or on the document controller’s hard drive. Access to the documents was through a ‘gate keeper’ person.
More commonly now the document repository is a network drive, or online (e.g., for Quality Systems Toolbox) and access is granted through user accounts, permissions and passwords. However, don’t assume this is enough for all situations. The practicalities of accessing the computer may be difficult/impossible for some locations or some personnel and you may have to distribute hard copies in these cases. Keep track of where they go, so that you can replace them with any updated versions.
The documents register is simply a list of all the documents you control. You’ll need one to keep track of all your management system documents and it helps you to know what needs to be reviewed. Ideally the register will include the title, revision info (date or number or both), status (draft, released, etc.) and who is responsible for the document (a name and/or a job title).
|Number||Title||Revision Number||Revision Date||Document Owner||Status|
|MSP-01||General Requirements||2.0||13 March 2015||Jill Jones||Released|
|FORM-01||Purchase Order||1.0||6 Sept 2014||Bookkeeper||Released|
|POL-03||Health and Safety Policy||3.0||22 June 2015||WHSO||Released|
|POL-04||Drugs and Alcohol Policy||0.6||5 May 2016||Michael Smith||Draft|
Paper-based registers are hard work – each time you update a document you must also update the register – often striking out the old line and adding a new line. Spreadsheet based registers are not much easier to maintain but at least they allow sorting and searching. Online database document systems are easier, since updating the information stored with the document itself should flow through to the register, and sorting documents, searching and creating custom lists (e.g. show all ‘forms’) are usually possible.
Don’t forget to include your external documents in the register. Control processes are the same as for internal documents.
#3 Work out how to manage changes
This is where you answer those other questions.
Changes: In file-server and paper-based management systems, changes are usually tracked in a table on the document itself. Sometimes this can be stored external to the document in the register. Document Management software will usually store the change information in the database, and a changes table is not required on the document itself.
The document itself should indicate it’s revision status (on the hard copy).
Approval: Approving new and edited procedures is best spread around, and approval by the process owner makes the most sense – e.g. the Sales Manager will approve sales related processes. Management system documents (like the procedure for document control), will be the responsibility of the Management Representative or a designated Document Controller. The actual editing of the document may be delegated to someone else.
The process of releasing a new document or update can be as simple as making the document available at the designated central location – either adding it to the repository or changing the permissions to make it available. Notification of the new release to relevant people is usually a good idea, but be wary of sending every new document notification to everyone in your organisation – too many notifications means they will all be ignored.
It is good practice to have some indication on the document itself so that the status of hard copies can be easily determined, e.g. ‘Released’ in the header example above, an approval signature and date added to the footer of a master paper copy.
Review: You need to review documents regularly to make sure they are up-to-date, suitable and still reflect your practices. If the practice has changed (for the better) then the document should be updated, rather than enforcing the old practices from the out-of-date document. Your review will include checking for changes in standards, regulations, specifications, other external documents, and related internal documents. How often will depend on the process – how important it is and also how new and changeable it is. Some documents have regulations stipulating how often they must be reviewed e.g. MSDS must be less than 5 years old. Some of this will be incorporated into Internal Auditing and Management Review, but make sure all your documents are covered (check the document register).
Obsolete documents: Keeping a distribution list for hard copies will help you track down the old copies that must be removed. It’s also common to put the onus on the end user to check their version against the version shown in the document register or the current version in the central repository. Any obsolete documents you want to keep for reference purposes should be clearly marked to make it obvious they are no longer current. It’s best not to store them in the same place as current information.
#4 Implement and Establish the process
You can’t just have a vision or a written procedure detailing your approach to document control. You have to actually make it work.
This means communicating the process to the people who create, edit and use the documented information – probably training of some sort. Making changes to ‘the usual way of doing things’ is never easy and you’ll need to follow up any initial training with reminders and spot checks or mini-audits to ensure ‘the new way’ becomes ‘the way’.
Bear in mind that you may need to adjust your initial plan to better suit your workplace.