Control of Documents
What the ISO 9001 standard requires for document control and some practical examples on how to actually achieve it, including an example document header and footer and an example document register.
Document control is a core process of ISO 9001, and is common to the other management standards.
From ISO 9001:2015:
"Documented information required by the quality management system and by this International Standard shall be controlled"
In the old version of the standard (ISO 9001:2008), it was one of six required documented procedures
There's no longer a requirement to document the procedure, but the requirements regarding control are much the same.
References to 'documents' and 'records' have now been replaced by "documented information” to better incorporate information contained in formats that might not be considered “documents”. This includes information embedded in software, digital files, videos, audio recordings, photographs, and also master samples – if that is how you communicate requirements.
Regardless of how you hold the information, anything deemed necessary for the organisation to operate, or necessary for the effective functioning of the management system, must be controlled. You can achieve this the old fashioned way (paper), the time-consuming manual way (file servers & spreadsheets), or use document control software, like Toolbox. (Watch Toolbox document control in this how-to video )
What is required for "control"?
The whole point of controlling documented information is to make sure it is "available and suitable for use" and also "protected."
There are a number of things you need to think about:
How is documented information identified? Do you specify titles, numbering, dates? Can you refer to a specific document without any confusion? For example, if there are two forms with very similar titles, then a form number will make it easy to pick the right one.
What is the best format for this information? Should it be stored as an electronic document? Distributed on paper? Is the content better presented as a video instead of a written document? Is the information controlled through the software used?
Review and approval
When a new document is found, or is created, how is it approved for release? Who reviews documents to make sure they are suitable? How will I know a document has been approved?
Distribution, access, retrieval and use
How will you provide access to released documents everywhere they are needed? Can everyone to get them from the server? What about workers on the shop floor, out on site, on the road? Will they need hard copies, or some other offline distribution method? How do you handle confidential information?
Storage and preservation
How do you protect the documented information from unauthorised changes, or loss? Can anyone edit and delete the files? Do you have master copies stored safely? What about backups?
Control of changes
When changes are made, how do you identify them? How will people know if they do, or don't, have the updated information? How will I know what has changed between this version and the latest release? How do I know what version my copy is, or the version of this paper copy I found?
How do you review, update and re-approve documents? Do you regularly check to make sure the information is still correct? Who is responsible for checking? How often? Who is responsible for making changes? How is an updated version approved?
Retention and disposition
How do you prevent the use of obsolete documents? How will you make sure that ONLY current documents are in use? Are there hard copies to update? How do you keep track of them? Will you make end users responsible for checking the status of their hard copies before each use? Will you delete/destroy old documents? How will you identify/segregate/archive obsolete documents you might want to keep?
How do you find and control documents from external sources? - e.g. relevant standards, legislation, supplier product specifications. 'Control' meaning all of the previous questions on approval, review, updates, access, etc.
Enough with the questions! Give me some answers.
So what do you need to do, in a practical sense, to control documents?
#1 - Put some control information on the document itself - on every controlled document.
Some information will go at the front of the document, and some needs to be on every page (usually in the footer),
Here's an example of a basic header:
This header shows what document I'm looking at ('MSP-04 Control of Documents'), and answers the questions on how to tell this document has been approved ('Released'), and the version ('3 March 2016'), who is responsible for approving it ('Office Manager'), and where to find it ('Quality Systems Toolbox')
Here's an example footer showing information that should be on each page of the document:
Why on every page?
- Number, name of the document - so you know what it is and can find the master copy, even if the first page is missing. Some people use the location of the master copy instead. e.g., a file path "G:\Documents\ControlDocuments.doc", or a URL https://www.qualitysystems.com/
- Revision date or number - so you can easily check to see whether the copy you have is the latest, even if the first page is missing, or your different (paper) versions get mixed up.
- Page numbering "page x of y" - so it is easy to see if you are missing a page
#2 - Nominate a single place to keep master copies and a register of documents
This is where end users will go to check whether the version they have is the latest version. It may also be the place where they access the documents they need.
In the past, this would have been paper master copies kept in the office, or on the document controller's hard drive. Access to the documents was through a 'gate keeper' person.
More commonly now the document repository is a network drive, or online (e.g., for Quality Systems Toolbox) and access is granted through user accounts, permissions and passwords. However, don't assume this is enough for all situations. The practicalities of accessing the computer may be difficult/impossible for some locations or some personnel and you may have to distribute hard copies in these cases. Keep track of where they go, so that you can replace them with any updated versions.
The documents register is simply a list of all the documents you control. You'll need one to keep track of all your management system documents and it helps you to know what needs to be reviewed. Ideally the register will include the title, revision info (date or number or both), status (draft, released, etc.) and who is responsible for the document (a name and/or a job title).
Paper-based registers are hard work - each time you update a document you must also update the register - often striking out the old line and adding a new line. Spreadsheet based registers are not much easier to maintain but at least they allow sorting and searching. Online database document systems are easier, since updating the information stored with the document itself should flow through to the register, and sorting documents, searching and creating custom lists (e.g. show all 'forms') are usually possible.
Don’t forget to include your external documents in the register. Control processes are the same as for internal documents.
#3 - Work out how to manage changes
This is where you answer those other questions.
Changes: In file-server and paper-based management systems, changes are usually tracked in a table on the document itself. The change table needs to include the revision number/date along with comments on what changes were made. Document Management software - such as Toolbox will usually store the change information in the database, and a changes table is not required on the document itself. The document must still show its revision number and/or date.
Approval: Approving new and edited procedures is best spread around, and approval by the process owner makes the most sense - e.g. the Sales Manager will approve sales related processes. Management system documents (like the procedure for document control), will be the responsibility of the Management Representative or a designated Document Controller. The actual editing of the document may be delegated to someone else.
The process of approving and releasing a new document or update can be as simple as making the document available at the designated central location - either adding it to the shared file server or changing the permissions to make it available. Some method of notifying relevant people of the new release is usually a good idea.
If you routinely circulate draft documents for review as well as released documents, you'll need to mark documents so that the status of hard copies can be easily determined, e.g. 'Released' in the header example above, or an approval signature and date added to the master paper copy.
Review: You need to review documents regularly to make sure they are up-to-date, suitable and still reflect your practices. If the practice has changed (for the better) then the document should be updated, rather than enforcing the old practices from the out-of-date document. Your review will include checking for changes in standards, regulations, specifications, other external documents, and related internal documents. How often will depend on the process - how important it is and also how new and changeable it is. Some documents have regulations stipulating how often they must be reviewed e.g. MSDS must be less than 5 years old. Some of this will be incorporated into Internal Auditing and Management Review, but make sure all your documents are covered (check the document register).
Superseded versions: Keeping a distribution list for hard copies will help you track down the old copies that must be removed. It's also common to put the onus on the end user to check their version against the version shown in the document register, or against the current version in the central repository. Any obsolete documents you want to keep for reference purposes should be clearly marked to make it obvious they are no longer current. It's best not to store them in the same place as current information.
#4 - Implement and Establish the process
Writing down how you control documents will make it much easier to train staff and to audit the process, so even though it's no longer a required procedure in ISO 9001:2015, we'd recommend you still document the process.
However, a written procedure detailing your approach to document control is not enough. You have to actually make it work!
This means communicating the process to the people who create, edit and use the documented information - probably training of some sort.
Making changes to ‘the usual way of doing things’ is never easy and you’ll need to follow up any initial training with reminders and spot checks or mini-audits to ensure ‘the new way’ becomes ‘the way’.
Bear in mind that you may need to adjust your initial plan to better suit your workplace.