ISO9001 in 2021 Week by Week - Week 25 – 7.5.3 Control of documented information

This is a 52 week discussion of ISO9001:2015. Each week, we discuss a specific clause of the ISO9001:2015 standard in detail and look for ways to trim the fat. (As a member of TAG/TC176, the committee responsible for review and revision of ISO9001, (possible revision in 2023), I’ll keep you posted on what I learn all year!)

(It is strongly recommended that you purchase a copy of ISO9001:2015  for reference).  And, be sure to do your homework!

7.5.3 Control of documented information

Last week, we talked about what documents are.  They’re not just paper anymore.  We talked about having a system for creating them with a standard minimum of information which must be included – date, author, revision number, perhaps?  And then how they will be reviewed and approved (this should also include by whom and how often).

Once they are created and approved, then what do we do with them?  The answer is, we must control them.  Let’s take the ISO9001:2015 requirements one at a time.  First, 7.5.3.1:

“7.5.3.1  Documented information required by the quality management system and this International Standard shall be controlled to ensure:

a)  it is available and suitable for use, where and when it is needed;

b)  it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity);”

The first sentence reminds us again of which documents should be controlled.  And it is any documented information that the organization needs for its quality management system PLUS all the specific items named in the ISO standard.  Next is availability – however we control the documents, they must also be available for use.  This is the first part of documentation that’s tricky.  How do we keep the documents pure, but still let people use them?  And finally, we must protect them from harm or misuse.  

For our documented information, we must first build the enclosure or place of residency, and then make it safe, with limited (but varying) access to ensure our documented information is protected and safe.

And we should also keep in mind that protection includes protection of intellectual property.  Drawings, specifications, test methods, etc provided to or from your customers and suppliers also fall under these requirements.  Your organization may choose to deal with different kinds of documents using different tools, environments and libraries, but the control rules still apply, regardless of the type or location of a document.

And now let’s talk about 7.5.3.2:

“7.5.3.2  For the control of documented information, the organization shall address the following activities, as applicable:

a)  distribution, access, retrieval and use;

b)  storage and preservation, including preservation of legibility;

c)  control of changes (e.g. version control);

d)  retention and disposition.”

So, we must next define how our documented information is distributed and accessed.  Also, how is it stored and preserved?  And, how do we control changes (and indicate where changes have been made and provide a sure way to know we have the correct version)?  And finally, what happens to documented information when it is no longer needed or relevant?  Boy, this stuff is detailed.  But it’s detailed, not just to trip us up with regard to compliance, but also because it matters.  Processes can be significantly affected when information is out of date or when changes are made but not communicated.

So, a whole process must be created to address all these issues. Documentation is the most talked about part of the ISO9001 standard, and for decades, organizations have struggled with it.  It can certainly start by documenting too many things, but really, it is a control issue. Most organizations do a pretty good job of controlling, say, their employee handbook.  Why?  Because it’s considered to be important.  Important that it clearly communicate expectations.  Important in that it must contain all information pertinent to an employee and his relationship with the company.  Important in that, should it be misunderstood, it could get someone into trouble.  Important in that, should changes in policy be made, but not communicated, it may be difficult to find accountability for noncompliance.  So, how do organizations typically treat this important document?  With care, that’s how!  POOF – the organization figures out how to define who approves it, how it is distributed, how changes are made, how changes are communicated (and to whom), and the organization even figures out how to keep records of this critical communication.  There typically is a master copy kept tightly under the control of human resources.  A copy is carefully reviewed (and signed for by the recipient).  A list of who has copies is kept up to date.  And new lists are made whenever new versions are distributed.  Ah, if only we treated our quality system documentation as carefully!

This section of the standard finishes with two important points.

“Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and controlled.” This scoops up anything not created within the organization, but still used and necessary.  We don’t get off the hook just because it’s someone else’s document.  But it also can give heartburn when we have no influence on whether the document we use (but don’t own), is kept up to date.  But we should at least do our due diligence to have a method for keeping tabs on the document to ensure that the people who have access to it through our system have the best information available to them (or are notified when to stop using it).

How do we do this and what exactly are documents of external origin?  They’re specifications, industry standards, machine manuals, software guides – the kinds of things you might refer to in daily operations.  There are so many resources out there that we intentionally direct people to use.  But, we must remember to control them in some way.  Most documents these days are going to be online.  Wherever you maintain your library of procedures, work instructions, etc, you can locate links to your external documents in the same library and use the same controls (assign an owner, a review date, etc).  Just make sure someone is keeping an eye on what is being shared as reference material or included in what you’re distributing as training and reference materials.  If you’re old school and have a master document list, maintain a list of external documents and do the same thing – assign an owner, a review date, etc.  Obviously, your document owner still won’t have responsibility for the revision of the actual document, but they can be a gatekeeper to ensure your organization has access to only the correct version of the document. 

Here’s a simple example – you might have a big old set of MIL-STD (military standards), or say, GM (General Motors) material specifications, or ABEC (Annular Bearing Engineering Committee) bearing standard tolerances, or AQL (Acceptable Quality Level) tables in your industry.  Many people within your organization might share these in a hardcopy library, or you might be sending each other links to these resource materials.  Unfortunately, you might be at risk for sharing the wrong things if it’s not verified.  For example, what if rather than accessing the source of the resource, a supplier or blogger or random website has the table or spec you need (but it’s not the source of the table).  You might begin to rely on a copy of that table that may or may not be being kept up to date.  It’s better to have a central location with verified links to ensure the right people are accessing the right information at the right time.  You still don’t control the revision of these documents, but you do have a modicum of control over them and your organization’s access to them. 

And finally, there’s this little note in the standard:

“NOTE  Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.”

In summary, all required documentation must be made available for use where and when it is needed.  But it must also be controlled (meaning protected from uncontrolled changes, distributed properly when changes are made, and maintained up-to-date to all users at all times).  This includes documents of external origin.

THIS WEEK’S HOMEWORK

Have a gander at your document control process.  Are all forms of documentation included?  Are all the necessary controls in place?  Is external information included?  This may end up to be quite a project for some, but it’s critically important to have a robust document control system in order for your quality system to function properly.

Here’s a quick tip.  Many companies overlook their quality policy as one of the first documents that should be controlled.  Companies tend to put up posters, pass out trinkets, print banners, and post their quality policy on their website.  Don’t forget to put controls in place to ensure that should the quality policy change over time, those old copies will be found and disposed of.  Lots of companies have made this mistake and have found themselves noncompliant because of a simple oversight of the obvious.  Good luck this week!

Click here to receive a FREE DOWNLOAD  list of what documents are required by ISO9001.  You’ll be shocked at how short the list actually is.  

This weekly series is a DIY guide including lots of FREE STUFF like templates, examples and tutorials.  So, SUBSCRIBE today and we’ll keep it coming to your inbox weekly.

But, if you’re ready for more - if you’re ready to TRANSFORM your organization, we can team up LIVE or VIRTUAL for IMPLEMENTATION of ANY or ALL ISO9001 Clauses.  We’ll lead your team and build a fully compliant foundation for your quality system so you and your team can understand the requirements and have the confidence to continue forward on your ISO9001 journey toward BETTER QUALITY.   World Class Quality, ISO9001 certification, lower costs and higher yields are just the beginning of the benefits of a robust quality system.  Connect with us today and LET'S GET STARTED!

Watch this 3-minute video about another great resource to accompany this series.   Get the self-directed, on demand, online learning series ISO9001 in Plain English, today and you'll get:

• A clear understanding of the requirements of ISO9001:2015
• Proven tips to build a robust quality system that's easy to use
• Ways to reduce documentation and paperwork (yes, really!!)

Each video is about 15 minutes and targets a specific element of ISO9001, (with over 6 hours of total content!).  We translate all the gobbledegoop into Plain English you can understand and leverage the requirements to get maximum VALUE from your quality efforts. 

For a deeper dive into the process side of your quality system, get Tribal Knowledge - The Practical Use of ISO, Lean and Six Sigma Together, a simple guide to UNITE ISO9001, lean and Six Sigma to create a robust quality system with better results.  Read what ASQ American Society for Quality – Quality Progress Magazine  had to say about it. 

We look forward to continuing this YEAR LONG journey with you.  SUBSCRIBE today and the series will come to you weekly to get you off to a great start and your quality system reinvigorated.