© 2009 MAS Solutions LLC. All Rights Reserved.
ISO 9001:2008 - Document Control
President, MAS Solutions LLC.Something I run into, with seemingly alarming regularity, are document control systems that are overly conceived, ridiculously complex and unnecessarily constrictive. This is somewhat of a mystery to me, as with so much emphasis placed on this area, it nevertheless seems to also be one of the areas that most organizations struggle with. It’s not that the requirements of the ISO 9001 standard are difficult to meet - it’s the fact that many organizations seem compelled to go “above and beyond” the requirements of the standard, implementing practices that makes the management of this function harder than it should be.
Clause 4.2.3 of the ISO 9001 standard requires that documents used by an organization’s QMS be controlled. This is one of only six clauses within the ISO 9001 standard where a written procedure is required, and it's pretty clear on what controls need to be addressed. If we review the actual requirements of the standard, we can see what’s really needed…
Approve documents prior to issue;
Let’s be practical for a moment. How many signatures do you actually need? Many organizations require the signature of the President, Management Representative, Quality Manager, et al. This practice is fine, provided there’s a reason for it. Requiring signatures for the sake of having signatures doesn’t add any real value, particularly if it's only a “rubber-stamp” or "CYA" type of exercise – is the President, CEO, CFO, etc. of the company really going to read (and do they really need to read) all of these documents?
While the actual approvals will need to be defined by the organization, document approval should be left to the responsible party (e.g., process owner) and other appropriate stakeholders. Top Management doesn’t need to sign every piece of paper - and just a note from experience - they typically don’t want to. If a document can be adequately reviewed and approved by just one or two functions within an organization, that’s all the approvals that a document really needs.
Review and update as necessary and re-approve documents;
The requirement here is for "as necessary". This can be a periodic/scheduled review, or it can be a review performed on an as-needed basis in order to address a deficiency or negative trend that has been identified. You already perform a management review, so this may serve as the perfect opportunity to review the documentation that makes up your system as well. You will need some method of recording this review, however this can be accomplished in any manner that suits the organization.
Updates and the subsequent re-approval of documents should only be performed as needed and should not be used merely to satisfy the requirement for the above review - it's an unnecessary and wasteful practice. Should a document require updating and re-approval, this responsibility would typically remain with the same approval authority as the original version.
Note here also, that many codes, standards and/or specifications are only updated on a periodic basis (not annually), so there isn’t much reason to review and/or update related internal documents more frequently, unless there was a cause to do so.
Ensure that changes and the current revision status of documents are identified;
The standard requires that documents changes be identified and the revision status noted. In most cases, this can be accomplished by a revision history that’s included as part of the document, with changes noted in the document's margins (“black line”), by notes in the revision history, or by reference to a change record (in many cases, a “Change Request”). Revisions can then be identified by numbers (1, 2, 3...), letters (A, B, C…) or some combination thereof. The organization should maintain some form of master list or register identifying which documents are used by the system and each document’s current revision status.
Ensure that relevant versions of applicable documents are available at points of use;
It’s becoming rarer in this day-and-age to come across companies that don’t maintain a network server. By virtue of having these documents in a dedicated folder (or network drive) this requirement is satisfied, provided access is allowed to those personnel that require it. It should be communicated however that all printed version of such documents are “uncontrolled” and that the user should refer to the server for the most recent version. Limiting access to the printing of documents can be helpful; although it is not essential to control, provided that any printed copies of documents are destroyed immediately after use.
If paper-copies of documents are used, this activity should be limited to those cases where absolutely necessary. The control of such copies can require a considerable amount of administration, often requiring resources dedicated to this activity. As the span of such control (e.g., the number of document recipients) is increased, consideration should also be given to the management of revisions and the timing/scheduling of their release, as perpetual updating and re-updating of paper copies not only creates a lot of work, but can also cause considerable confusion in communicating necessary information to affected parties.
In many cases, functions utilizing paper-copies can benefit from a planned revision and release schedule (e.g., monthly, quarterly, annually, etc.) as opposed to issuing a revised document each time that the need for a minor correction or editorial change is identified. This approach would not apply to “Major” issues which affect process performance and/or product conformance however, as these issues would require an immediate update when identified.
Ensure that documents remain legible and readily identifiable;
In cases where documents maintained in an electronic format, legibility really isn’t an issue. In the case of paper-copies, ensuring that document remain in a useable condition is typically a responsibility of the document recipient. As far as identification is concerned, each document should be assigned some form of identifier (number, letters or combination thereof – even just a title is fine) which allows the document to be referenced within the system and identified as part of the documentation that makes up the system.
Ensure that documents of external origin are identified and their distribution controlled; and
Make a list of the documents that you use. This can include applicable codes, standards and specifications (yes – including ISO 9001:2008), as well as any customer specifications or instructions. Customer designs are also considered documents, so if you maintain these, than this requirement would apply as well. In such cases, you wouldn't be responsible for the approval or updating of these documents (they’re not yours) however you are still required to ensure that you have the most recent versions and that they are made available to affected personnel at points of use.
Prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
This requirement pretty much speaks for itself. The simplest approach to complying with this requirement is to ensure that there aren’t documents lying around. Use of electronic systems makes this task easier, as the copy maintained on the network or server is the current version and all others are considered obsolete; however if paper-based copies are used, instructions should be given with any document updates for the disposition of the documents being superseded. Superseded and/or obsolete documents should either be destroyed or if retained, marked as “obsolete”, “superseded” or in a similar manner. While a copy of each superseded document should be retained, it should be maintained as a file copy and controlled in an area where it would not be accessible for use.
I’d like to make a final note that nowhere within the standard is there any reference made to complex numbering schemes, the use of “control”, “uncontrolled”, “obsolete or other stamps, colored paper, revision checklists, transmittal letters or receipts. While some of these requirements may help the organization ensure compliance with the clause of the standard, they are supplemental controls that have been defined by the organization, not prescribed by the standard.
If you having problems keeping your document control function in line, perhaps you need to actually re-read the standard. The problems that you are suffering through may be problems that you are creating for yourself. Your controls should add to the effectiveness of the function, and not just create additional bureaucracy and administration. A properly developed and implemented document control function should be an effective, sustainable, efficient aid in helping an organization communicated necessary information to affected parties.
Is this how your document control system works?
Want updates when new articles are added? - Join our mailing list
The Quality Management Specialists™
Articles
Our Locations
Resource Center
