Control of documents under ISO9001:2000

(See also our article on How to upgrade to ISO9001:2000)

A new Standard for Quality Assurance was launched around the world in late 2000.  

For those organisations already certified to ISO9001, or those contemplating certification, there are some changed (and expanded) requirements relating to the control of documents. This article will:

• Summarise the main requirements, and
• Discuss the ways in which the document control criteria of ISO9001:2000 vary from those of the 1994 Standard.

New general documentation requirements

Although Clause 4.2.3 in ISO9001:2000 covers ‘control of documents’ (replacing Clause 4.5 in ISO9001:1994), there are important issues connected with documentation in various Clauses of the new Standard. In particular, Clause 4.1 stipulates that:

‘The organization shall..

…

b) determine the sequence and interaction of processes’.

Clause 4.2.2 specifies that the ‘Quality Manual’ of the organisation must contain a ‘description’ of the interaction of processes of the quality management system.

Most certified organisations will have some idea of the sequence of linear processes, for example manufacturing instructions. However, to document the sequence and interaction of non-linear processes, or processes where the interaction is complex, will require detailed analysis and for some organisations an imaginative approach. Use of flowcharts and other visual tools may be required to satisfy this new Clause.

Control of documents

The term ‘documents’ in the new Standard is taken to include ‘data’. This means that any stipulation related to ‘documents’ must also be satisfied for relevant data. The control of ‘records’ is dealt with separately in the Standard in Clause 4.2.4.

The wording of the new document control Clause (4.2.3) is clear and straightforward. It specifies the need to control documents and that a documented procedure or procedures be established to define the controls needed. It then lists seven requirements of compliant document control. They are:

Document approval

Documents must be approved for ‘adequacy’ prior to issue. Approval by ‘authorised personnel’ was required in the past; this condition is now absent, but in practical terms anyone with access to change documents must effectively be ‘authorised’.

The meaning of the term ‘adequacy’ is still open to debate. For most organisations, this will involve review of the technical content of the document as related to organisational processes. It should also involve review of the document for compliance with the applicable Standard(s). generally, then, document approval should potentially involve at least a two-staged review process, with both a subject matter expert ‘owner’ of the document, plus a compliance review to ensure that the requirements of the Standard have been met. The requirement for this review to be before issue of the document means that compliance reviews should not take place through external audits or on a periodic basis.

Review and update of documents

Documents must be reviewed and updated ‘as necessary’ and re-approved. There is no explicit requirement to ‘review’ documents in the old Standard, but the requirement to perform internal audits of processes meant that in practice most documents were ‘reviewed’ and updated ‘as necessary’. Re-approval was also specified in the old Standard; however, there is no longer a requirement for the changes to be approved by the same ‘function/organizations’ that performed the original review.

In most viable document control systems, a specified document owner is responsible for monitoring the currency and content of their documents. This promotes the review, update and re-approval of documents by the same individual, and ensures continuity.

Changes and status of documents

One of the major changes to document control in ISO9001:2000 is that ‘changes’ to documents must be ‘identified’. In the old Standard, the ‘nature of the change’ had to be identified ‘where practicable’. For many organisations, such identification was not practicable and could safely be ignored. Practicability will no longer be a consideration and organisations will have to identify ‘changes’

There is some question about whether the identification must be of the fact of change, or the nature of the change. If the requirement is interpreted to be about the fact of change, then the amendment to the revision status of a document will confirm that change has occurred, and no additional controls must be included.

It is more likely that the new Clause requires that the nature of the change must be identified. This is likely to complicate document control for some organisations. It can be difficult to clearly identify changes within documents themselves. For example, the use of ‘underlining’ or ‘right bars’ is inadequate to describe what changes have occurred, or to identify changes at all when deletions have been made. Some organisations keep a ‘change log’ within each document or as a separate document, but this can be difficult to police, and is generally no clear indication of the full nature of changes made. Other organisations choose to send emails to staff when a change to a document has occurred; for those with a large volume of documents, or frequent changes, the email volume may be excessive and serve to antagonise staff and alienate them from the QA system,

Until this is tested, it is uncertain how the certifying bodies will interpret this Clause. What is certain is that this Clause will require some additional analysis from certified organisations to ensure the simplest and most practical solution for their environment.

This Clause also requires that the ‘current revision status’ of documents is identified. For online documentation, this may be satisfied by the use of publish dates or version numbers.

Relevance and availability at points of use

These requirements are identical to that of the previous Standard, although the wording is somewhat simpler. They require that relevant versions of the applicable documents are available at their points of use.

In paper-based document systems, this requires complex and often unwieldly systems to ensure that specific documents are distributed to those who perform the tasks that are described in them. The versions distributed and the locations of users must also be factored into the system used. Controls for external users of documents (eg. sub-contractors) are imperative,

In most online document control systems, the locations and specific requirements of individual users can be ignored, although paper distribution may still be required for staff at remote locations, in locations where PC use is difficult or where external holders of documents require access.

Legibility and identification of documents

There is no clear parallel between this requirement in the new and old Standard. However, it is clear that any viable document control system would ensure legibility and identification of its documents.

External documents

It is important to remember that ‘documents’ includes documents of external origin that are relevant to the quality system, and so drawings and Standards will also be subject to the same controls as internally generated documents. This includes distribution controls.

Obsolete documents

This requirement specifies that the organisation must prevent the unintended use of obsolete copies of documents, easily achievable through online documentation systems. As in the old Standard there is no explicit requirement to retain obsolete or superseded copies of documents, and online document systems need not be programmed to retain obsolete copies unless specifically required by the business needs of the organisation.

An area of neglect by some certified organisations is explicitly described in this requirement of the Standard. Most organisations have some form of ‘archiving’ procedure (paper or online), often ad hoc. The new requirement specifies that controls must be defined to identify obsolete documents if they are retained for any reason. This will require controlled and documented archiving procedures.

Conclusion

Although at first reading the requirements of Clause 4.2.3 seem to closely resemble the old Clause 4.5, there are some clear differences that have yet to be tested in practical terms. Until more organisations are audited to the requirements of the new Standard, we do not know how certifying bodies will interpret some of the new wording. However, the simplifications of wording and structure in ISO9001:2000 should make compliance easier for most organisations.

Certified organisations (and those seeking certification) should analyse their document control functions and determine whether their existing controls are adequate, easy to use and easy to maintain in the long term. In many cases, upgrading document control through simple online systems may prove to be the most cost-effective answer to compliance.

This article may be reproduced only with the permission of HCi (email HCi ). Copyright HCi, 2001.

Additional keyword: ISO9000:2000