Control of Documents
Document control is core to ISO 9001, and is common to all the other management standards.
From ISO 9001:2008:
“Documents required by the quality management system shall be controlled.”
That “shall” word in there means you have to do it. Here it is again:
“A documented procedure shall be established to define the controls needed”
This “shall” word makes this one of the six procedures that you must document in ISO 9001:2008.
For those already making the transition to ISO 9001:2015, the requirements regarding control of ‘documented information’ are much the same. It’s just the requirement to have a written procedure that has been dropped, and ‘documents’ is now broadened to ‘documented information’. For most companies, writing the process steps down will make it much easier to train new staff and to audit the process to make sure everything is happening as it should. We’d recommend you document the process anyway.
So what are the “controls needed”?
Answer these questions in your documented procedure and you’ll satisfy the requirements for ISO 9001 Document Control:
How do you approve documents for release? – who approves them? How will I know a document has been approved?
How do you review, update and re-approve documents? – Do you review on a regular basis? (you should) Who does the review? Who is responsible for making changes? How is an updated version approved?
How do you identify the changes that have been made and how do you identify the revision status? – How will I know what has changed between this version and the latest release? How do I know what version my copy is, or the version of this paper copy I found?
How do you provide access to the correct version where it’s needed? e.g. on the shop floor – Are there hard copies to update? How do you keep track of them? Who is responsible for distributing or updating to the latest version?
How do you find and control documents from external sources? e.g. relevant standards, legislation, supplier product specifications. ‘Control’ being all the previous questions on approval, review, updates, access…
How do you prevent the use of obsolete documents? How will you make sure that ONLY current documents are in use? Will you make end users responsible for checking the status before each use? Will you delete/destroy old documents? How will you identify/segregate/archive obsolete documents you might want to keep?
Enough with the questions – how about some answers!
So what do you need to do, in a practical sense, to control documents?
#1 – put some control information on the document itself – on every controlled document.
Some information will go at the front of the document, and some needs to be on every page (usually in the footer),
Here’s an example of a basic header:
|Title||4.2.3 Control of Documents|
|Person Responsible||Management Representative|
|Date Last Updated||3 March 2012|
|Location||Quality Systems Toolbox|
This header shows what document I’m looking at (‘4.2.3 Control of Documents’), and answers the questions on how to tell this document has been approved (‘Released’), and the version (‘3 March 2012’), who is responsible for approving it (‘Management Representative’), and where to find it (‘Quality Systems Toolbox’)
Here’s an example footer showing information that should be on each page of the document:
|4.2.3 Control of Documents||Revision Date: 3 March 2012||page 1 of 2|
Why on every page?
- the number/name of the document – so you know what it is and can find the master copy, even if the first page is missing. Some people use the file path or URL of the master copy. e.g. “G:\Documents\ControlDocuments.doc”, or “https://demo.qualitysystems.com/documents/control-of-documents”
- the revision date or number – so you can easily check to see whether the copy you have is the latest, even if the first page is missing, or your different (paper) versions get mixed up.
- page numbering “page x of y” – so it is easy to see if you are missing a page
#2 Nominate a single place to keep master copies and a register of documents
This is where end users will go to check whether the version they have is the latest version. It may also be the place where they access the documents they need.
In the past, this would have been paper master copies kept in the office, or on the document controller’s hard drive. Access to the documents was through a ‘gate keeper’ person. More commonly now it is a file server, or online (e.g., for Quality Systems Toolbox) and access is granted through user accounts, permissions and passwords.
The documents register is simply a list of all the documents you control. You’ll need one to keep track of all your management system documents and it helps you to know what needs to be reviewed. Ideally the register will include the title, revision info (date or number or both), status (draft, released, etc.) and who is responsible for the document (a name and/or a job title).
|Number||Title||Revision Number||Revision Date||Document Owner||Status|
|MSP-01||General Requirements||2.0||13 March 2013||Jill Jones||Released|
|FORM-01||Purchase Order||1.0||6 Sept 2008||Bookkeeper||Released|
|POL-03||Health and Safety Policy||3.0||22 June 2011||WHSO||Released|
|POL-04||Drugs and Alcohol Policy||0.6||5 May 2013||Michael||Draft|
Paper-based registers are hard work – each time you update a document you must also update the register – often striking out the old line and adding a new line. Spreadsheet based registers are not much easier to maintain but at least they allow sorting and searching. Online database document systems are easier, since updating the information stored with the document itself should flow through to the register, and sorting documents, searching and creating custom lists (e.g. show all ‘forms’) are usually possible.
#3 Establish (and document) the process
This is where you answer those other questions.
Approval: Approving new and edited procedures is best spread around, and approval by the process owner makes the most sense – e.g. the Sales Manager will approve sales related processes. Management system documents (like the procedure for document control), will be the responsibility of the Management Representative. The actual editing of the document may be delegated to someone else.
The process of releasing a new document or update can be as simple as making the document available at the designated central location – either adding it to the repository or changing the permissions to make it available. Notification of the new release to relevant people is usually a good idea, but be wary of sending every new document notification to everyone in your organisation – too many notifications means they will all be ignored.
It is good practice to have some indication on the document itself so that the status of hard copies can be easily determined, e.g. ‘Released’ in the header example above, an approval signature and date added to the footer of a master paper copy.
Review: You need to review documents regularly to make sure they are up-to-date, suitable and still reflect your practices. If the practice has changed (for the better) then the document should be updated, rather than enforcing the old practices from the out-of-date document. Your review will include checking for changes in standards, regulations, specifications and other external documents. How often will depend on the process – how important it is and also how new and changeable it is. Some documents have regulations stipulating how often they must be reviewed e.g. MSDS must be less than 5 years old. Some of this will be incorporated into Internal Auditing and Management Review, but make sure all your documents are covered (check the document register).
Changes: In file-server and paper-based management systems, changes are usually tracked in a table on the document itself. Sometimes this can be stored external to the document in the register. Document Management software will usually store the change information in the database, and a changes table is not required on the document itself.
The document itself should indicate it’s revision status (on the hard copy).
Access: These days, access is usually via logging on to the file server or online document repository. However, don’t assume this is enough for all situations. The practicalities of accessing the computer may be difficult/impossible for some locations or some personnel and you may have to distribute hard copies in these cases. Keep track of where hard copies go for future reference when updates need to go out and you need to remove the obsolete versions.
External Documents: Finding new external documents required for your business will come about during normal operations as well as through management review. Control processes are the same as for internal documents.
Obsolete documents: Keeping a distribution list for hard copies will help you track down the old copies that must be removed. It’s also common to put the onus on the end user to check their version against the version shown in the document register or the current version in the central repository.