Before you start yawning, let me point something out. Information drives every action in any organisation, thus the ability to control this information can mean the difference between success and failure. It is important that your staff have access to the latest version of these documents and that changes are bought to their attention. Otherwise you are teaching them the old way of doing things, not the new way.

It doesn’t matter how well you document current best practices, if people aren’t using the latest version you’re wasting your time.

4.2 Documentation Requirements

4.2.3 Control of Documents

What does ISO 9001 Say?

When it comes to documentation, the Standard ISO 9001 Quality Management Systems says this.

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4. 

A documented procedure shall be established to define the controls needed:
a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Why?

I explained some of the reasons why in the opening paragraph. In addition to this it is important to regulate documents to ensure that:

  • They are useful to your organisation. Resources should not be wasted producing non-essential information.
  • The information they contain is correct and kept up-to-date.
  • Staff can find and use the documents they need in order to do their job.
  • Confidential information is restricted to those who need to know it.

Interpretation

Let’s Break it Down

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4. 

There’s nothing in the Standard that says your documents have to be in written word. Process maps, flow charts, diagrams, photos, videos can all be a very effective means of communication, often more so although those of you who’ve struggled to assemble Ikea products may disagree!

Management systems help businesses to control risks and communicate how they want their business to be run (see, I avoided that term “best practice”). This means that controlling the “documents” in your management system is critical. Even videos, flow charts, photos, etc, need to be controlled.

People often confuse documents with records. In ISO management systems a record provides evidence that a task has been completed or results achieved. So I can prove that I did an internal audit because I “wrote” (could be an electronic record and may include pictures to support your findings) an audit report. Another example is that I can prove the required result was achieved because I have a record of the weights of finished products or I have a checklist that shows that all the activities were completed. ISO Standards impose different controls on records because they are time related and once produced they must not be changed.

A documented procedure shall be established to define the controls needed.
In the world of ISO systems “shall” means must. So we must document how we perform the following activities in one or more procedures.

a) to approve documents for adequacy prior to issue.
Before staff use the information in a document to do their job, a knowledgeable person should review the document to check that it is correct (approved). In a large, complex organisation you may need more than one person approving documents because no one person understands every process in the organisation. Indeed, you may even need several people to approve a document. Conversely, in a small organisation, the person who wrote the document could be the person who approves it for use. To ensure that a document is reader friendly and doesn’t omit information you could ask those who will use the document to give their feedback and approve it. Remember though, you only need separate approvers when they add value.

b) to review and update as necessary and re-approve documents.
Management systems are living things. Like animals, if they do not change and evolve in response to their surroundings they will die. Therefore, after a document has been released it will need to be rechecked when, for example:

  • Correcting an error.
  • Preventing an error from recurring.
  • Processes change.
  • Improvements to the document itself are required (so that it is better understood).

The above are random reviews conducted in response to an event. Reviews can also be periodic and thus proactive, These are scheduled regularly (e.g. annually) to ensure that the documents in the system are still suitable. However, if a management system is properly maintained you should not need periodic reviews as the documents should be updated when the processes changes. Therefore I don’t normally include periodic reviews in the systems I develop.

Anyone can request that a document be changed and anyone can review it but, you need to control who can actually make the change and who needs to be consulted. In a large organisation you may need to request permission to change a document, ask who should be consulted so that the changes are accurate, and request that someone be given the responsibility of making the change. In small organisations the person giving permission and making the change is usually the same, the management representative.

c) to ensure that changes and the current revision status of documents are identified.
Let’s face it, no one is going to sit there with the old version and the new version of a document and compare them to see what has changed. You have to make it easy for them to sport the change. This speeds up both the approval process and the implementation process.

Also, staff need to be able to tell, now and in the future, which is the most recent version of a document so that they are following the best current practice, not the old ways.

d) to ensure that relevant versions of applicable documents are available at points of use.
The relevant version of a document is simply the version that should be used for a particular task. It may not be the latest version.  For example, you may need to use an old version of a work instruction if you are repairing a product.

Applicable documents are those needed to carry out work. Not everyone in your organisation needs access to every document in order to perform their job.

Available at points of use means that your staff should be able to access the documents they need at the location where they perform their work. This is important because if people cannot easily access the information they need they will resort to other means of finding it which results in inefficiencies, mistakes, waste and even hazards.

e) to ensure that documents remain legible and readily identifiable.
Legibility refers to the ease with which information in a document can be read or viewed. A document is readily identifiable when it can be distinguished from other documents because, for example, it has a unique name. People used to give documents unique numbers as well but this is not necessary.

f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled.
An external document is one produced by another organisation. It may be in the public domain such as the document ISO 9001 Quality Management Systems – Requirements or it may be produced by your customers or suppliers. It is important to control these documents because, for example, if you have been making a product that meets a customer’s specification and then they change that specification it is important that the old specification is removed from use and replaced with the new one. It is also important that the impact of the new specification on existing processes is assessed and the necessary changes made. This may result in the need to change internal documents.

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
An obsolete document is one that you no longer need in your management system. The most common reason for no longer needing it is because the procedure, policy, form, etc has been replaced by a newer version. If the obsolete document is not removed from the workplace then it may be inadvertently used. A suitable identification is one that distinguishes an old version from a current version.

How is this Demonstrated?

Your document management procedure needs to explain how documents are approved and who approves them. If having more than one approver adds value then you may need to list the documents in your system and who is responsible for approving each one. Please use their role or job title, not their name because the latter can change frequently. Much of the time those approving documents can simply be stated in the procedure. For example “Documents are reviewed and approved for use by the head of the department.”

A common way of proving that a document had been approved for use was to have the approver sign the document or sign a cover note that did the rounds with the document. These days there is software that captures electronic signatures, electronic document control systems, and management system software such a Mango which will prove that your documents have been approved without you lifting a finger. You can also use emails to prove that a document has been approved for use but you need to ensure that you file these emails so that you can find them again.

In a large organisation you may need a change request register that states some or all of the:

  • Document title and version.
  • Name of the person requesting the change.
  • Reason for the change.
  • What needs to be changed.
  • Name of the person who approved the change request and the date.
  • Names of those to be involved in making the change.
  • Name of the person nominated to actually make the change.

In smaller organisations you may simply request the change and make it through emails or phone calls or during a meeting. Once the document has been changed it needs to go through the approval process already described.

Changes to documents can be drawn to the reader’s attention by:

  • Underlining or bolding the altered words, or something like that.
  • Noting at the beginning or end of the document what has changed.
  • Issuing a email stating what has changed.
  • Attaching the details to the original change request.

It is good practice to explain the reason for the change (but the Standard doesn’t say you have to) and don’t forget that you may need to train staff in the new ways too.

The latest version of a document can be shown by the use of a version number (1, 2, 3, . . . ), issue date, letter (A, B, C, . . . ), or a combination of these. In the interests of keeping it simple I normally use an issue date or version number but not both. However, in your industry it may be important to know how many versions have been issued and how recently the last change was made. If this is the case use both a version number and an issue date.

In an organisation where everyone sits in front of a computer it is easy to make documents available to everyone who needs them. But this is more difficult in a manufacturing or construction environment. Here you need to determine which role or department (not which individual) needs access to which documents. To ensure they can find and read those documents may mean providing a hard copy. Try to avoid this where possible because controlling hard copies creates more work for you. Document availability applies to external documents as well such as a customer’s contracts, drawings and specifications.

To reduce the likelihood of people using old versions of a document you can simply delete the old one, the Standard doesn’t say you have to keep it. If you do need to keep old versions (perhaps for legal reasons, because of the life span of your product, as a record of events, for investigating problems, etc) then label them as old versions by, for example, adding  “Obsolete” to the file name and saving them where they are unlikely to be found and used by mistake. If you have hard copies in the workplace you need to find them all and either remove them or mark them clearly as being obsolete. Don’t forget to tell the people who were using it.

Identify the external documents that impact on the quality of your products and/or services such as, but not limited to, standards, drawings, specifications and contracts. List them in an external document register and record the version number or issue next to each one. Record who is responsible for maintaining them and keeping others informed of updates either in the document register or in a procedure. You also need to state where they are kept and how you ensure that you have the latest version. If it is a customer issued document then you will rely on them to tell you when it changes. Standards Australia has an automatic notifications list that you can place yourself on and these exist for other external documents too. As a minimum you can check once a year that you have the latest versions. The results of this check could be recorded in the minutes of a management review meeting.