by Craig Cochran
Because information in
document form drives nearly every action in any organization, the ability to control this information usually means the difference between success and failure. Thus, document control remains the
single most critical quality assurance discipline. As with many other systems, document control is more successful if it's simple, intuitive and user-friendly. And the first step toward this end
is deciding exactly which documents need to be controlled.
Documents requiring control
"Do I need to control
this document?" is one of the most frequently asked questions in organizations working toward, or maintaining, a formal management system. Given the universe of documents possibly requiring
control, the question is understandable. Besides, most people would rather not control a document if they don't have to.
The ISO 9001:2000 standard provides a quick answer to the
question of what must be controlled. The first sentence of section 4.2.3 on document control states, "All documents required by the quality management system shall be controlled." This
means that if a document addresses or relates to any of the issues in ISO 9001:2000, it must be controlled. Here are some questions to ask when determining whether a document should be controlled:
Does the document guide the production of products (i.e., goods or services)
provided by the organization?
Does the document guide the verification, inspection or testing of products provided by the organization?
Does the document define customer and/or product requirements?
Is the document used for controlling processes?
Is the document used for decision making by production personnel?
Is the document used for collecting data that could be used later for decision making within the scope of the management system (e.g., a form)?
Is the information on the document so critical that failure to keep it updated would pose a risk to the organization or its customers?
Does the document address or relate to a requirement from ISO 9001:2000?
If the answer to one or more of these questions is yes, then the document should probably be controlled. For illustration purposes, consider the following scenarios:
An interoffice memo is posted on a wall in the fabrication department. The
memo gives a number of functional and packaging requirements for a product that's fabricated there. Because of where the document has been posted and the
information it contains, the memo should certainly be controlled. Ignore the fact that memos are rarely controlled; in this case it provides customer requirements,
guides decision making and relates directly to ISO 9001:2000 requirements.
Even if the memo duplicates information contained elsewhere in controlled
specifications, the uncontrolled memo would still be a problem. Eventually, there will be a discrepancy between the information on the memo and the information
contained in the controlled specifications. The organization should either control the posted memo or get rid of it.
A training department develops videotapes to train employees on the proper
setup and operation of production lines. The videotapes are included in the training program for new hires and existing employees. In this case, document control is
required because the tapes define process control, guide the production of products and relate to the training requirements of ISO 9001:2000.
Product defect samples are displayed in a lighted glass cabinet in the visual
inspection area. The samples illustrate the limits of various defects that can be considered acceptable to customers, and they're used when inspectors aren't
certain of the criteria. Currently, the display cabinet is labeled "for reference only." Despite this declaration, the samples should be controlled because they define
An organization develops a checklist that's used to record the results of product inspection. The blank checklist defines exactly what's to be inspected, as indicated
by the spaces that inspectors must complete. These blank forms need to be controlled as documents, and then as records once they're completed.
These scenarios highlight the fact that documents needn't be limited to traditional procedures, work instructions and the like. The term "document" can encompass a
wide range of things, all of which might require control--depending on the information they contain. Some examples include:
Drawings, diagrams and sketches
Audio tapes and videotapes
Product samples and defect samples
Paint swatches for color matching
Document vs. record
It's obvious from the foregoing list that controlling documents requires thinking of
them as more than written procedures. However, before we jump into specifics, let's clear up some confusion that plagues many organizations, namely, how a document differs from a record.
A document is a living thing. The information contained within it is subject to change; it can be revised. A record, on the other hand, is history. The information it
contains can't be changed because it simply states what's already happened.
It's sometimes possible for an item to exhibit characteristics of both a document
and a record. Work orders, sales orders and purchase orders, to name a few, can function as both historical records and live documents. In these cases, the item is
treated as a document until its real-time informational value has been exhausted. At that point, it's treated as a record.
Now that we understand what documents are, let's explore the specific means of controlling them. By the way, one of the six documented procedures required by
ISO 9001:2000 is controlling documents, so whatever specific controls an organization decides upon must also be documented--and controlled.
All documents must be approved for adequacy before being used. There are, of
course, many ways to accomplish this. Paper-based documents often include spaces for authorized persons to sign or initial. Electronic documents can be
approved through a typed name if passwords prevent anyone from falsifying the approval. In much the same way, e-mail can even be used. However, such
approval should be visible to the user. Otherwise, the value of approval (i.e., as a cue that the document is OK for use) is lost.
Does the organization need to define who is authorized to approve documents? At least on a basic level, the answer is yes. A statement such as, "Documents must be
approved by individuals responsible for managing the tasks described in the document" would satisfy the designation of approval authority. Alternatively, an
organization may decide to be much more specific about who can approve documents. But from the titles shown beneath approval spaces, documents
typically indicate who is responsible for approving them, and this self-declaration is usually adequate.
Note that a fine line exists between having too few and too many approvals on a
document. For documents that cut across departments, the approval list should include all managers who are affected by the document. This provides buy-in and
communicates to managers what's expected. The flip side is that obtaining eight or 10 approvals can take a long time. Strive for the fewest number of approvals that
will still provide buy-in for the information described in the document.
Reviewing, updating and reapproving documents
ISO 9001:2000 introduces the requirement that documents must be reviewed, updated as needed, then reapproved. This doesn't mean routine document
revision. The standard requires an organization to review documents periodically to see if they're still valid. If they are, the organization reapproves them. If they're not,
either a revision is made or the document is declared obsolete. This prevents documents from becoming inaccurate or obsolete over time. If documents are used
properly, this should never happen, but we all know that they're frequently ignored in the press of day-to-day work commitments.
What exactly triggers a document review? An organization can handle this in three ways:
Recall documents on a strictly periodic basis--every year, for instance--and review them, update as necessary and reapprove them. This would certainly satisfy
the standard. But it's sometimes difficult to review documents based strictly on the passage of time. This requires a fair amount of discipline because there's always
something more important to do than reviewing documents. This system's success depends on the organizational skills of the person in charge of it.
Review, update as necessary and then reapprove documents based on business
triggers or real-world events that have the power to affect a document. Some examples include the introduction of new products, equipment and processes;
change in business focus; technological breakthroughs; and improved methods or practices. Because this approach is driven by actual events that make document
review immediately relevant, it introduces a sense of urgency that's not present in the periodic approach.
If an organization decides to use this method, it needs to define the business
triggers and responsibilities clearly in the document control procedure. The document administrator will typically monitor operations for these business triggers
and ensure that the relevant documents are reviewed, updated as necessary and reapproved. If a business trigger hasn't occurred within a reasonable period of
time--say, three years--then documents should be recalled for review anyway.
Use the internal audit process to review documents. Keep in mind, however, that internal audits are sampling processes. By function, they're only going to
examine a representative sample of documents in existence. The standard implies that all documents must be reviewed. If an organization intends to use its internal
auditing process to satisfy this requirement, then extra care must be taken when planning and scheduling audits to ensure that all documents are sampled during an extended period.
Identifying changes and revision status
Documents must have revision changes identified. This is typically interpreted as
the changes in the most current revision. Thus, if a document is on revision five, it will identify the changes that moved it from revision four to revision five. This
identification assists document approvers to see what changed in the document, and it assists users in knowing what's changed so they can comply with the document's requirements.
Changes can be identified in a variety of ways, including the following:
Change logs at the end of documents
List of changes on the cover sheet
Underlined, bold, italicized or highlighted changes throughout the document
Revision status simply indicates a document's most current revision. This is
normally indicated by a revision number, letter or date placed directly on the document. The revision status enables users to know whether they have the most
current document. For paper-based documents, the revision status normally ties back to a master list or index that tracks the current revisions of all documents. For
electronic documents, knowing the current revision is less important because the most current version is provided automatically to all users. Either way, the revision
status must still be identified.
Making documents available at points of use
A document is useless if it's not accessible. ISO 9001:2000 requires that "relevant versions of applicable documents are available at points of use." This means that
current versions of documents must be accessible by the people who need them. It does not mean that everyone must have his or her own copy or computer terminal.
If people know where the documents are located, have access to that location and can make use of the information in the documents, then this requirement has been satisfied.
Some organizations develop elaborate schemes for distributing documents to different departments or functions. These often involve "acknowledgment of
receipt" sheets that must be signed and returned with obsolete copies of documents.
ISO 9001:2000 doesn't specifically require such systems, though they may provide
some value. Organizations must examine their own operations and decide what will provide the right balance of control and simplicity. Remember that the more
bureaucracy involved, the slower the system will work and the more likely that users will attempt to circumvent it.
Making documents legible and identifiable
Legibility means that documents can be read and understood. They should be
written in a clear, decipherable manner, in the language spoken by document users. For instance, if a significant number of employees in a particular department speak
and read in Spanish, then the documents would need to be legible to them. To do this, the organization could write the documents in Spanish or use graphic
documents (e.g., photos or drawings) that can be understood regardless of the prevailing language.
"Identifiable" simply means that documents have a title, document number or other unique identifier that sets them apart from others. Organizations often develop
document numbering schemes that relate to the ISO 9001 numbering system. This is well-intentioned but guaranteed to be obsolete in the future. Remember, ISO
reviews and revises the 9000 series every five years, and this normally triggers a change in the way the standard is numbered. A better numbering plan would
dovetail with an organization's processes or departments. Such a numbering system will be relevant to employees, and it won't become obsolete upon the next revision of ISO 9001.
Controlling external documents
An external document is published outside the organization and used within the
scope of the management system. The eight questions listed at the beginning of this article will help determine if an external document should be controlled. Examples
of external documents possibly requiring control include:
Troubleshooting and/or calibration manuals published by equipment manufacturers
Test procedures, specifications and/or engineering drawings published by customers or other bodies
Instructions, specifications and/or procedures published by suppliers
Standards published by industrial organizations applicable to the organization
International standards such as ISO 9001:2000
Once external documents have been determined, they must be identified, and their distribution must be controlled. Like internal documents, there must be a title,
document number or other unique identifier. Such identification typically comes from the source that publishes the document, and the organization simply adopts it.
Distribution control is important because most external documents arrive in paper form. Knowing where they're located is critical to controlling the information
contained in them. For that matter, paper-based internal documents should also have their distribution controlled, but this isn't specifically required by ISO
9001:2000. A distribution list simply defines the number of copies in existence and where they're located. Often the copies are numbered, and these numbers match
the locations shown on the distribution list. When documents are revised, retrieving the old copies is much easier when their quantity and location is known.
Controlling obsolete documents
ISO 9001:2000 imposes two controls related to obsolete documents: Their
unintended use must be prevented, and they must be identified if they're retained.
The easiest and most obvious way to prevent the unintended use of obsolete
documents is to take them out of circulation. Simply round them up and remove them. This is quite easy when their exact locations are known. Controlling obsolete
documents is one more good reason to maintain distribution lists for all paper-based documents, both internal and external.
Organizations often retain obsolete documents to preserve knowledge. These documents can be referred to when comparing, for example, a current process to
one used five years ago. If an organization elects to retain obsolete documents, they must be identified by some means the organization considers suitable. This
might include marking them as "history," "obsolete" or "uncontrolled," or putting them in a specially designated location that has controlled access. Whatever
method is devised must ensure that obsolete documents aren't floating around where they can be used improperly.
A few words on forms
The issue of controlling forms is a sore spot for many people. The resistance usually follows this general theme:
"I just don't see the value in controlling forms. How are we supposed to do it, anyway?" The bottom line is that forms existing within the scope of ISO
9001:2000--in other words, forms that address an ISO 9001:2000 requirement applicable to the organization--undeniably require control. Why? Because the
primary reason for a form in the first place is to create consistency in the way that data is collected. This can only be enforced when everybody is using the same
form, and this only happens through some type of document control.
Fortunately, forms are quite easy to control. Let's look at two different
approaches, both of which are widely used by organizations:
Forms controlled as "attachments" to procedures. In this framework, forms are included within the procedure or documents that describe their use. (Must there be
a procedure that describes the use of every form? Of course not, but it makes sense in some cases.) The forms are generally included as the last page or two of
the procedure to which they belong. Approving a procedure can also include approving the form attached to it. The same goes for revising and identifying
changes. The form is treated like another page of the procedure for control purposes, but it can be reproduced for use independently of the procedure. When
the form is revised, the procedure is also revised, and users are made aware of the changes just like any other changed procedure. The drawback of this system, of
course, is that organizations are required to revise the entire procedure when the form is revised.
Forms controlled individually. In this framework, forms have individual numbers and revisions. Their approval may be made directly on the original copy or kept
elsewhere, such as on a master approval sheet. The current revision of each form is usually indicated by a master list, computer index or even by including it in a special
file. When a form is revised, users are notified via memo, e-mail or other means.
Forms are often printed in huge quantities, inevitably just before a minor change
occurs that renders them obsolete. If the change was inconsequential, don't toss out the old forms. They can often be labeled with a disclaimer, "Previous versions
of this form may be used." This will enable an organization to use the old inventory and avoid waste. Keep in mind that this only works when changes to the form are
minor and when the form itself isn't something that bears seriously on the organization's success.
Fortunately, ISO 9001 doesn't require any particular format for documents. An organization can decide for itself what format will work best for its mode of
operation. Furthermore, it's not required to stipulate a single type of format or style of document. However, a standardized format or style can be helpful in driving a
consistent appearance for all documents. Many organizations stipulate only the content of document headers and cover sheets, while other companies require
specific sections in each document such as purpose, scope, responsibilities, equipment and the like. Such decisions are up to the organization.
Whatever style and formatting though, the document control procedure should clearly define it. In fact, many organizations use their document control procedure
as a guide for writing documents. In this way, the document control procedure does double duty by describing the control of documents and facilitating document development.
The basic tenets of document control are very simple. Most document control
procedures can be drafted in four pages or fewer. Writing a document control procedure is easy: Simply work your way down the list of document control issues
raised by ISO 9001:2000 and describe what the organization is doing for each one. Keep it simple and avoid creating too much bureaucracy. An effective
document control system will provide documents to users quickly and not slow them down with lengthy procedures.
About the author
Craig Cochran is a project manager with the Center for International Standards & Quality, part of the Georgia Institute of Technology's Economic
Development Institute. He has a bachelor's degree in industrial management from the Georgia Institute of Technology and a master's degree in business
administration from the University of Tennessee. He's also certified as a QMS lead auditor by the RAB. CISQ can be reached at (800) 859-0968 or on the
Web at www.cisq.gatech.edu. Cochran can be reached via e-mail at firstname.lastname@example.org
. Letters to the editor regarding this article can be sent to email@example.com .