Featured Product
This Week in Quality Digest Live
Standards Features
Lily Chen
The cornerstone of cybersecurity
NIST
The reliable products we buy depend on our attention to detail
Review will assess how program can best advance U.S. competitiveness and address today’s business challenges
Marc Lepere
The current system for rating ethical credentials is meaningless

More Features

Standards News
Program inspires leaders to consider systems perspective for continuous improvement and innovation
Collaboration produces online software for collecting quality inspection data
First responders may benefit from NIST contest to reward high-quality incident command dashboards
The QM certification is awarded for excellence in curriculum design and quality
Three webinars to increase participation and understanding within the world of quality assurance
PRI will provide two additional related certification services: ISO 27017 and ISO 27018
An early warning system lets Arctic people know when bears approach
Appointments are the first for recently established committee to advise the President
ASQ’s five quality certifications are the only ones to earn global recognition by ANSI

More News

Denise Robitaille

Standards

Look, But Don’t Touch

Documents of external origin

Published: Tuesday, September 12, 2006 - 22:00

I was recently asked to comment on the ISO 9001 requirements regarding external documents. My first reaction was to point out a distinctive subtlety in the actual text of the requirement. Many users have gotten into the habit of referring to this category as “external documents” when in fact, the term in subclause 4.2.3 of ISO 9001 is: "documents of external origin." Although this may sound like unnecessary hairsplitting, it really does make a difference. The precisely chosen words help to provide guidance to the intent that underlies this requirement.

Consider the interpretation of each. The term “external document” is ambiguous and vague, leaving the reader baffled as to what exactly falls into this particular grouping. It’s been misconstrued to have several meanings, including any document that isn’t physically at the organization’s location or a document that has been issued and sent out, resulting in a loss of control. By contrast, a document of external origin is explicitly one that originates from outside the organization and contains specific information that the organization needs to fulfill customer requirements, maintain their quality management system (QMS) or comply with statutes, for example.

These documents have their own category because they’re handled differently from those created by the organization. Because of their origins, they carry restrictions. An organization may use them, but it cannot change them, because the authorization for revisions, approvals, withdrawals, etc., resides with those who authored the document. Examples of documents of external origin include:

  • National/international standards (e.g., ISO 9001, ISO/TS 16949, ISO 17025, etc.)
  • Customer specifications (e.g., drawings, schematics, bills of material, contractual requirements, etc.)
  • Industry and product standards (e.g., clean room standards, National Electrical Manufacturers Association codes)
  • Statutory and regulatory requirements (e.g., OSHA, Environmental Protection Agency, Child Safety Protection Act, Food and Drug Administration, et al.)
  • Operating and repair manuals (i.e., manuals needed to use or maintain equipment)

The typical problem that arises with this category is that, because they aren’t created by the organization, individuals don’t perceive these documents as part of the QMS documentation. If it’s not a documented procedure, it’s not a “quality” document. This exacerbates the many artificial dividing lines that create obstacles to a well-integrated quality management system. We’ve got to remind folks that it doesn’t matter if you call it a procedure, a standard operating procedure, a drawing, a directive, a computer-aided design file, a regulation or a customer mandate. If it defines requirements you need to make your organization run or bring product to market, it’s a document that must be controlled.

The level to which such documents are controlled is similar to that of the organization’s own documents and reliant on several criteria, such as criticality, use, risk, etc. Organizations that utilize these documents need to ensure that personnel using them understand what their responsibilities are vis-à-vis the maintenance and disposition of documents of external origin. The level of control entails such items as making sure that individuals are aware of the requirements, have access to them and know how to acquire the most current revision. Specifically, the control that’s exercised over these documents relates to:

  • Access
  • Preservation and security
  • Awareness of the status of revisions
  • Harmonization of requirements from external documents with requirements found within internally generated documents.

Access
Who has access to the documents? Where are they kept? Do you have a listing of these documents, their locations and the individuals responsible for their maintenance? Some companies maintain libraries of technical publications and standards. This doesn’t mean that process owners have to allow unfettered access to anyone. It simply means that these documents are a company asset that must be accessible to key personnel.

If documents are electronically held, have individuals been trained to navigate your company’s Intranet to find them? If they don’t know how to find them on the server, they don’t have access.

Preservation/security
Do you receive specifications, drawings and other documents from your customers? How do you ensure that they’re preserved or protected from inadvertent changes or accidental disposal? In many organizations the default is simply to protect them in the same way they protect their own documents. If the documents include proprietary information, though, the manner in which they’re maintained can become a liability issue. If you have many clients visiting your facility, you may need to make provisions to ensure that your personnel don’t leave them on desktops and benches where they’re easily accessible to any casual visitor.

Awareness of the status of revisions
In the years before Web sites, I had a client who machined a lot of parts to military specifications. The engineers would get requests for quotes every day that cited military specifications. Posted on the wall, in a very large font, was the toll-free number to call to find out the latest revision of any military specification.

This is a prime example of how to bring control to a situation, where the perception is that you have no control. If you can’t revise a document that you need to fulfill a requirement, then you must ensure that there’s consensus on what revision or release date everyone involved has agreed to use.

Harmonization of requirements from external documents with requirements found within internally generated documents
ISO 9001 specifically requires organizations to determine if there are any “… statutory and regulatory requirements related to the product…” (subclause 7.2.1). If you’re in a regulated industry, your process owners (i.e., engineers) need to have access to the documents that define statutory product requirements. If you don’t have access or control of the documents that define these regulatory requirements, how can you ensure that the product conforms?

Similarly, if you have a certified clean room, you can’t have internal documents describing maintenance of the area that diverge from the defined requirements of the entity granting the certification. The same holds true for your QMS certification. You can’t have documents that conflict with the QMS requirements cited in the applicable standard (ISO 9001, AS9100, ISO 13485, TL 9000, etc.)

With documents of external origin, it all boils down to your being able to look but not touch. With the exception of revisions, all other document control requirements apply.

Discuss

About The Author

Denise Robitaille’s picture

Denise Robitaille

Denise Robitaille is the author of thirteen books, including: ISO 9001:2015 Handbook for Small and Medium-Sized Businesses.

She is chair of PC302, the project committee responsible for the revision to ISO 19011, an active member of USTAG to ISO/TC 176 and technical expert on the working group that developed the current version of ISO 9004:2018. She has participated internationally in standards development for over 15 years. She is a globally recognized speaker and trainer. Denise is a Fellow of the American Society for Quality and an Exemplar Global certified lead assessor and an ASQ certified quality auditor.

As principal of Robitaille Associates, she has helped many companies achieve ISO 9001 registration and to improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as auditing, corrective action, document control, root cause analysis, and implementing ISO 9001. Among Denise’s books are: 9 Keys to Successful Audits, The (Almost) Painless ISO 9001:2015 Transition and The Corrective Action Handbook. She is a frequent contributor to several quality periodicals.