What are you looking for?
Document Control in ISO 9001
8 March 2019
Document control is one of the ISO 9001:2015 requirements that affects virtually every part of your organization. It has the potential to prevent costly mistakes on all levels. But during audits, document control issues tend to be the most common nonconformities.
In this article we'll show you how to best implement document control without getting hung up in bureaucracy. Our tips will also help you to pass your next audit without document control related nonconformities.
What Is Document Control?
Most of us handle documents every day. They include forms, instructions, invoices, holiday schedules, rate sheets, and many more. An error on any of these documents could cause problems, as could using an outdated document or not knowing if you have the form's latest version.
Imagine setting up a production line to outdated specifications or making strategic decisions based on a wrong financial statement. This is why ISO 9001 places so much importance on the control of documents and records, or as ISO calls it, "documented information".
Document control means that the right persons have the current version of the documents they need, while unauthorized persons are prevented from use.
ISO 9001:2015 gives you the tools (also referred to as "requirements") that show you how to control your documents and records through a comprehensive document management system. These controls include unique identification for all documents, version control, and identification of revisions. As is the case with all ISO 9001 requirements, you are free to choose how to apply the requirements to your own organization. This means you can adopt a simplified approach that achieves the biggest benefits without added bureaucracy.
Note that documents can be in hardcopy or electronic format. Control of electronic documents tends to be easier as many standard file storage systems allow you to automate document management.
Records are a special kind of documented information. Unlike documents, which get revised and kept up-to-date, records are static. They show results achieved or provide evidence of activities that have been performed. And because records are proof of something, they aren't revised.
Controlling records is nevertheless a necessity, for example, to ensure they remain available for a specified time period and are discarded afterwards. The controls differ, depending on your company. There are email and storage applications that allow you to automate access, retention, and destruction requirements.
All business-related documents must be controlled. The only documents that don't need to be controlled are those that don't impact on your products, services or company. Your ISO 9001 document control procedure explains how to control documents.
How Much Control?
While business-related documents must be controlled, how much control you apply depends on the individual document.
The extent of your approval record, for example, may vary with the importance of the document (remember, documents are approved before they are published for use).
The Quality Policy may even show the signatures of all executives.
Work instructions often just show a note in the footer indicating approval by the department manager.
Some documents don't need a separate approval record: if the person who prepared a document is also responsible for its content (e.g., the quality manager prepares instructions for his auditors), a separate approval (and record of approval) is superfluous.
On the other hand, identifying a document through a revision date, source and title is basics. It should be done as a good habit for every document you create.
Who Is Responsible for Document Control?
Document control is the responsibility of all employees who create or use documents. Each staff member needs to understand the purpose of document control and how to follow your company's document control procedure. So be sure that your staff has access to the procedure and knows where to find it.
Improve your document control system and reduce the chances of audit nonconformities by following these tips.
Print-outs and copies
Be aware that if you copy a document, electronic or hardcopy, or if you print an electronic document and then distribute it, it is you who will be responsible for controlling the distribution. The original author won't know you distributed copies, so he/she can't control your distribution.
The following example illustrates the issue. The HR manager publishes the holiday schedule on the corporate intranet and the main bulletin board. You make copies of the schedule and distribute them throughout your department. At the same time, the HR manager discovers a mistake on the schedule, corrects it, and re-publishes the corrected schedule with a big, red annotation on the intranet and bulletin board. Will the staff in your department know about the update or rely on the printouts you distributed?
Your word processing program includes a function to automatically show the current date. Use this function wisely.
Don't use this function to indicate the date of creation or revision in the footer of your documents. The field would automatically update to the current date, no matter when you actually created or revised the document.
Don't use the automatic date field in a fax that you save on your computer for future reference. You won't be able to tell when you wrote the fax as the document would always show today's date.
If you have a document that you frequently update and print, you might be tempted to use the automatic date function under the assumption that the document with the latest date is the most current printout. However, if you print the same, unrevised document on different days, each printout will show a different date while the printouts are identical. This will inevitably lead to confusion.
When applied to forms, the ISO 9001 document control requirements can be a bit confusing. The reason is that forms can be both documents and records.
Blank forms are similar to work instructions as they guide the user to provide specific information. If the form is outdated or incomplete, the user may not be prompted to supply the necessary information. Blank forms must therefore be controlled like a document and show a revision date in the footer.
Once filled in, however, the form becomes a record that is kept on file. At this point, you need to be concerned with filing, storage, archiving and destruction. Your company's record retention guidelines specify the needed controls. Note that the revision date in the footer, which indicates the revision of the blank form, will neither be changed nor removed.
Document control requirements apply to your entire organization and all its staff. Though ISO 9001:2015 allows organizations much flexibility in the way they adopt the document control requirements, many companies implement cumbersome and bureaucratic systems. For starters – and contrary to common belief – a global "master list of documents" is not required. Also, dedicated document control or "compliance" software is generally not necessary as standard file server software and applications like Microsoft Office already include the necessary features.
Apply our simplified approach and implement an effective, user-friendly document control system without fuss. No matter if you are setting up a new ISO 9001 system or improving an existing one, you'll benefit from our business-oriented approach.
If you enjoyed this article, subscribe for updates
Stay in touch with our free resources on ISO 9001
We won't send you spam. Unsubscribe at any time.
How have you implemented document control? What works and what doesn't work for you? Let us know in the comments below (all relevant, respectful feedback is welcomed per our guidelines).
Thanks. Your message has been sent. We'll get back to you as soon as possible.
We'll reply ASAP