I was recently asked to comment on the ISO 9001 requirements regarding external documents. My first reaction was to point out a distinctive subtlety in the actual text of the requirement. Many users have gotten into the habit of referring to this category as “external documents” when in fact, the term in subclause 4.2.3 of ISO 9001 is: "documents of external origin." Although this may sound like unnecessary hairsplitting, it really does make a difference. The precisely chosen words help to provide guidance to the intent that underlies this requirement.
Consider the interpretation of each. The term “external document” is ambiguous and vague, leaving the reader baffled as to what exactly falls into this particular grouping. It’s been misconstrued to have several meanings, including any document that isn’t physically at the organization’s location or a document that has been issued and sent out, resulting in a loss of control. By contrast, a document of external origin is explicitly one that originates from outside the organization and contains specific information that the organization needs to fulfill customer requirements, maintain its quality management system (QMS) or comply with statutes, for example.
These documents have their own category because they’re handled differently from those created by the organization. Because of their origins, they carry restrictions. An organization may use them, but it cannot change them, because the authorization for revisions, approvals, withdrawals, etc., resides with those who authored the document. Examples of documents of external origin include:
- National/international standards (e.g., ISO 9001, ISO/TS 16949, ISO 17025, etc.)
- Customer specifications (e.g., drawings, schematics, bills of material, contractual requirements, etc.)
- Industry and product standards (e.g., clean room standards, National Electrical Manufacturers Association codes)
- Statutory and regulatory requirements (e.g., OSHA, Environmental Protection Agency, Child Safety Protection Act, Food and Drug Administration, et al.)
- Operating and repair manuals (i.e., manuals needed to use or maintain equipment)
The typical problem that arises with this category is that, because they aren’t created by the organization, individuals don’t perceive these documents as part of the QMS documentation. If it’s not a documented procedure, it’s not a “quality” document. This exacerbates the many artificial dividing lines that create obstacles to a well-integrated quality management system. We’ve got to remind folks that it doesn’t matter if you call it a procedure, a standard operating procedure, a drawing, a directive, a computer-aided design file, a regulation or a customer mandate. If it defines requirements you need to make your organization run or bring product to market, it’s a document that must be controlled.
The level to which such documents are controlled is similar to that of the organization’s own documents and reliant on several criteria, such as criticality, use, risk, etc. Organizations that utilize these documents need to ensure that personnel using them understand what their responsibilities are vis-à-vis the maintenance and disposition of documents of external origin. The level of control entails such items as making sure that individuals are aware of the requirements, have access to them and know how to acquire the most current revision. Specifically, the control that’s exercised over these documents relates to:
- Access
- Preservation and security
- Awareness of the status of revisions
- Harmonization of requirements from external documents with requirements found within internally generated documents
Access
Who has access to the documents? Where are they kept? Do you have a listing of these documents, their locations and the individuals responsible for their maintenance? Some companies maintain libraries of technical publications and standards. This doesn’t mean that process owners have to allow unfettered access to anyone. It simply means that these documents are a company asset that must be accessible to key personnel.
If documents are electronically held, have individuals been trained to navigate your company’s Intranet to find them? If they don’t know how to find them on the server, they don’t have access.
Preservation/security
Do you receive specifications, drawings and other documents from your customers? How do you ensure that they’re preserved or protected from inadvertent changes or accidental disposal? In many organizations the default is simply to protect them in the same way they protect their own documents. If the documents include proprietary information, though, the manner in which they’re maintained can become a liability issue. If you have many clients visiting your facility, you may need to make provisions to ensure that your personnel don’t leave them on desktops and benches where they’re easily accessible to any casual visitor.
Awareness of the status of revisions
In the years before Web sites, I had a client who machined a lot of parts to military specifications. The engineers would get requests for quotes every day that cited military specifications. Posted on the wall, in a very large font, was the toll-free number to call to find out the latest revision of any military specification.
This is a prime example of how to bring control to a situation where the perception is that you have no control. If you can’t revise a document that you need to fulfill a requirement, then you must ensure that there’s consensus on what revision or release date everyone involved has agreed to use.
Harmonization of requirements from external documents with requirements found within internally generated documents
ISO 9001 specifically requires organizations to determine if there are any “… statutory and regulatory requirements related to the product…” (subclause 7.2.1). If you’re in a regulated industry, your process owners (i.e., engineers) need to have access to the documents that define statutory product requirements. If you don’t have access or control of the documents that define these regulatory requirements, how can you ensure that the product conforms?
Similarly, if you have a certified clean room, you can’t have internal documents describing maintenance of the area that diverge from the defined requirements of the entity granting the certification. The same holds true for your QMS certification. You can’t have documents that conflict with the QMS requirements cited in the applicable standard (ISO 9001, AS9100, ISO 13485, TL 9000, etc.).
With documents of external origin, it all boils down to your being able to look but not touch. With the exception of revisions, all other document control requirements apply.