Control of Documents

What the ISO 9001 standard requires for document control and some practical examples on how to actually achieve it, including an example document header and footer and an example document register.

Document control is a core process of ISO 9001, and is common to the other management standards.

From ISO 9001:2015:

"Documented information required by the quality management system and by this International Standard shall be controlled"

There's no requirement to have written procedure, but you must meet certain requirements regarding control.

The standard talks about "documented information” rather than 'documents' and 'records' since information contained in all kinds of different formats can be considered as “documented information”. This includes information embedded in software, digital files, videos, audio recordings, photographs, and also master samples.

Regardless of how you hold the information, anything deemed necessary for the organisation to operate, or necessary for the effective functioning of the management system, must be controlled. You can achieve this the old-fashioned way (paper), the more-modern-but-still-time-consuming manual way (file servers & spreadsheets), or use document control software, that is part of Toolbox.

If you'd like to compare your current method with QSToolbox to see if it's worth switching over, try our ROI calculator.

What is required for "control"?

The reason for controlling documented information is to make sure the correct and up-to-date information is available where and when it's needed. To achieve this, there are a number of things you need to think about:

Identification

How is documented information identified? Do you specify titles, numbering, dates? Can you refer to a specific document without any confusion? For example, if there are two forms with very similar titles, then a form number will make it easy to pick the right one.

Format

What is the best format for this information? Should it be stored as an electronic document? Distributed on paper? Is the content better presented as a video instead of a written document? Is the information controlled through the software used?

Review and approval

When a new document is found, or is created, how is it approved for release? Who reviews a document to make sure it is correct and suitable for use? How will I know a document has been approved?

Distribution, access, retrieval and use

How will you provide access to released documents everywhere they are needed? Can everyone to get them from the server? What about workers on the shop floor, out on site, on the road? Will they need hard copies, or some other offline distribution method? How do you handle confidential information?

Storage and preservation

How do you protect the documented information from unauthorised changes, or loss? Can anyone edit and delete the files? Do you have master copies stored safely? What about backups?

Control of changes

When changes are made, how do you identify them? How will people know if they do, or don't, have the updated information? How will I know what has changed between this version and the latest release? How do I know what version my copy is, or the version of this paper copy I found?

How do you review, update and re-approve documents? Do you regularly check to make sure the information is still correct? Who is responsible for checking? How often? Who is responsible for making changes? How is an updated version approved?

Retention and disposition

How do you prevent the use of obsolete documents? How will you make sure that ONLY current documents are in use? Are there hard copies to update? How do you keep track of them? Will you make end users responsible for checking the status of their hard copies before each use? Will you delete/destroy old documents? How will you identify/segregate/archive obsolete documents you might want to keep?

External documents.

How do you find and control documents from external sources? - e.g. relevant standards, legislation, supplier product specifications. 'Control' meaning all of the previous questions on approval, review, updates, access, etc.

Enough with the questions. Give me some answers!

So what do you need to do, in a practical sense, to control documents?

#1 - Put some control information on the document itself - on every controlled document.

Some information will go at the front of the document, and some needs to be on every page (usually in the footer),

Here's an example of a basic header:

controlled document information in header

This header shows what document I'm looking at ('MSP-04 Control of Documents'), and answers the questions on how to tell this document has been approved ('Released'), and the version ('3 March 2016'), who is responsible for approving it ('Office Manager'), and where to find it ('Quality Systems Toolbox')

Here's an example footer showing information that should be on each page of the document:

controlled document eg footer

Why on every page?

#2 - Nominate a single place to keep master copies and a register of documents

This is where end users will go to check whether the version they have is the latest version. It may also be the place where they access the documents they need.

In the past, this would have been paper master copies kept in the office, or on the document controller's hard drive. Access to the documents was through a 'gate keeper' person.

More commonly now the document repository is a network drive, or online, or in document control software (e.g., Quality Systems Toolbox) and access is granted through user accounts, permissions and passwords. However, don't assume this is enough for all situations. The practicalities of accessing the computer may be difficult/impossible for some locations or some personnel and you may have to distribute hard copies in these cases. Keep track of where they go, so that you can replace them when you update to a new version.

The documents register is simply a list of all the documents you control. You'll need one to keep track of all your management system documents and it helps you to know what needs to be reviewed. Ideally the register will include the title, revision info (date or number or both), status (draft, released, etc.) and who is responsible for the document (a name and/or a job title).

controlled documents register

Paper-based registers are hard work - each time you update a document you must also update the register - often striking out the old line and adding a new line. Spreadsheet based registers are not much easier to maintain but at least they allow sorting and searching. Document management software systems are easier, since updating the information stored with the document itself should flow through to the register, and sorting documents, searching and creating custom lists (e.g. show all 'forms') are usually possible.

Don’t forget to include your external documents in the register. Control processes are the same as for internal documents.

In Toolbox, the document register gets updated automatically as you add and update the documents. The document register in Toolbox provides lots of different ways to search so you can quickly get to the document you need.

#3 - Work out how to manage changes

This is where you answer those other questions.

Changes: In file-server and paper-based management systems, changes are usually tracked in a table on the document itself. The change table needs to include the revision number/date along with comments on what changes were made. Document Management software - such as Toolbox will usually store the change information in the database, and a changes table is not required on the document itself. The document must still show its revision number and/or date.

Approval: Approving new and edited procedures is best spread around, and approval by the process owner makes the most sense - e.g. the Sales Manager will approve sales related processes. Management system documents (like the procedure for document control), will be the responsibility of the Management Representative or a designated Document Controller. The actual editing of the document may be delegated to someone else.

The process of approving and releasing a new document or update can be as simple as making the document available at the designated central location - either adding it to the shared file server or changing the permissions to make it available. Some method of notifying relevant people of the new release is usually a good idea.

If you routinely circulate draft documents for review as well as released documents, you'll need to mark documents so that the status of hard copies can be easily determined, e.g. 'Released' in the header example above, or an approval signature and date added to the master paper copy.

Review: You need to review documents regularly to make sure they are up-to-date, suitable and still reflect your practices. If the practice has changed (for the better) then the document should be updated, rather than enforcing the old practices from the out-of-date document. Your review will include checking for changes in standards, regulations, specifications, other external documents, and related internal documents. How often will depend on the process - how important it is and also how new and changeable it is. Some documents have regulations stipulating how often they must be reviewed e.g. Safety Data Sheets must be less than 5 years old. Some of this will be incorporated into Internal Auditing and Management Review, but make sure all your documents are covered (check the document register).

Superseded versions: Keeping a distribution list for hard copies will help you track down the old copies that must be removed. It's also common to put the onus on the end user to check their version against the version shown in the document register, or against the current version in the central repository. Any obsolete documents you want to keep for reference purposes should be clearly marked to make it obvious they are no longer current. It's best not to store them in the same place as current information.

#4 - Implement and Establish the process

Writing down how you control documents will make it much easier to train staff and to audit the process, so we recommend that you document the process.

However, a written procedure detailing your approach to document control is not enough.

You have to actually make it work!

This means communicating the process to the people who create, edit and use the documented information.

Making changes to ‘the usual way of doing things’ is never easy and you’ll need to follow up any initial training with reminders and spot checks or mini-audits to ensure ‘the new way’ becomes ‘the way’.

Bear in mind that you may need to adjust your initial plan to better suit your workplace.