Document Control? Follow the Money!

Previous versions of ISO 9001 detailed the need for a Quality Manual, documented procedures and, at the process-control level, work instructions. It may be noted that these types of documents are no longer prescribed by the international standard, ISO 9001:2015. Now, it is left to the organization to decide what is needed based on an understanding of multiple factors.

This lack of prescription is a major departure from previous ISO 9001 versions. However, once an organization has determined specific documentation is useful, that documentation must still be controlled to an extent. The need for control is something that hasn’t (substantially) changed since ISO 9001 was first released in 1987. Yes, the requirements for controlling documentation are now defined in a clause entitled, “7.5 Documented Information,” but the details of what constitutes the control of documentation are very similar to earlier editions.

The actual requirements for the control of documented information are found in subclause 7.5.3, which defines what “control” should ensure:

  • Availability and suitability for use, where and when it’s needed
  • Adequate protection (e.g. from loss of confidentiality, improper use or loss of integrity)

Furthermore, the clause goes on to require the following activities to be considered:

  • Distribution, access, retrieval and use
  • Storage and preservation
  • Control of changes
  • Retention and disposition

There’s nothing on the level of rocket science here, yet a review of ISO Certification data shows this is a “target-rich environment” for (external) audit findings. Could it be that the controls an organization implements are too rigid? Have we complicated this simple concept?

If we stop to think about the basics of controlling documents, we need look no further than the bank notes in our wallets, purses, pockets and under the mattress! These are controlled documents that comply (through minting and banking processes) with the activities and requirements previously listed: They are available, protected (from counterfeiting), distributed and change-controlled (with obsolete versions of bank notes being dispositioned as “destroy by incinerating”). All these are controlled by the document source, through some network of people who are responsible for a degree of document control but without the fullest authority for the bank notes.

Throughout the years, as ISO 9001-compliant Quality Management Systems have been implemented by thousands of organizations around the world, the associated documentation and controls often have created monsters that must be fed. You can spot the monsters very easily when you know what to look for, as they tend to make things much more difficult than necessary. Often, people avoid the controls altogether…

Quality management documents frequently bear arcane coding to distinguish the type of document and other parameters. Below is a common example:

0012009 AE 2022010 AC

Broken down part by part:

  • The first block of digits is the Julian date: January 2009
  • The next block with letters represents the quantity of documents created on that date
  • The third block of digits is the date the document was modified: 2/02/2010
  • The fourth block identifies the specific documents revised on that date

Pity the hapless user who tries to locate the “sales quote form” from a long list of similarly coded paperwork…

Organizations faced with compliance to ISO 9001 may have to consider a massive pile of “legacy” documents created in previous years of doing business, wondering, “Do we really have to follow all those controls on these old documents?”

When faced with the potential of codifying hundreds or even thousands of these legacy documents, especially if using the method shown earlier, it becomes obvious that a simpler control solution must be chosen. Some then decide, “Let’s make them uncontrolled!” After all, “control” is a bear. What could be easier than somehow identifying documents as “Uncontrolled – For Reference Only”? Therein lies the trap.

The bait in the trap is the phrase, “For Reference Only.” Think about it – why else would a document be used? Indeed, communities have places where books are stored for exactly that purpose – for reference (in a reference library). We trust that the reference books kept there are the correct version, the latest information and so on. But wait! If we then want to identify the same document as “Uncontrolled,” it’s now untrustworthy – unapproved, not the latest version, changed or something else.

It’s no wonder the people using the documentation of the Quality Management System get so confused when they’re tasked with such a mind-warping challenge! The real, simple answer can be found in your wallet!

