7.5.3 Control of documented information
Well, well, well. We’ve finally arrived at the control part of document control. Last week, we talked about what documents are. They’re not just paper anymore. We talked about having a system for creating them with a standard minimum of information which must be included – date, author, revision number, perhaps? And then how they will be reviewed and approved (this should also include by whom and how often).
Once they are created and approved, then what do we do with them? We must control them. Let’s take the ISO9001:2015 requirements one at a time. First, 7.5.3.1:
“7.5.3.1 Documented information required by the quality management system and this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity);”
The first sentence tells us what – any documented information that the organization needs for its quality management system PLUS all the specific items named in the standard. Next is availability – however we control the documents, they must also be available for use. This is the first part of documentation that’s tricky. How do we keep the documents pure, but still let people use them? And finally, we must protect them from harm or misuse. Could one make a comparison between our documented information and a zoo? I say YES. Our documents, like wild animals, should be kept in a closure, but visible and available to enjoy. But they must also be protected so that we may continue to interact with them and learn from them on an ongoing basis.
For our documented information, we must first build the enclosure or place of residency, and then make it safe, with limited (but varying) access to ensure our documented information is protected and safe.
And now let’s talk about 7.5.3.2:
“7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.”
So, we must next define how our documented information is distributed and accessed. Also, how is it stored and preserved? And, how do we control changes (and indicate where changes have been made and provide a sure way to know we have the correct version)? And finally, what happens to documented information when it is no longer needed or relevant? Boy, this stuff is detailed. But it’s detailed, not just to trip us up with regard to compliance, but also because it matters. Processes can be significantly affected when information is out of date or when changes are made but not communicated.
So, a whole process must be created to address all these issues. Documentation is the most talked about part of this standard, and for decades, organizations have struggled with it. It can certainly start by documenting too many things, but really, it is a control issue. Most organizations do a pretty good job of controlling, say, their employee handbook. Why? Because it’s considered to be important. Important that it clearly communicate expectations. Important in that it must contain all information pertinent to an employee and his relationship with the company. Important in that, should it be misunderstood, it could get someone into trouble. Important in that, should changes in policy be made, but not communicated, it may be difficult to find accountability for noncompliance. So, how do organizations typically treat this important document? With care, that’s how! POOF – the organization figures out how to define who approves it, how it is distributed, how changes are made, how changes are communicated (and to whom), and the organization even figures out how to keep records of this critical communication. There typically is a master copy kept tightly under the control of the human resource director. A copy is carefully reviewed (and signed for by the recipient). A list of who has copies is kept up to date. And new lists are made whenever new versions are distributed. Ah, if only we treated our quality system documentation as carefully!
This section of standard, finishes with two important points.
“Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and controlled.” This scoops up anything not created within the organization, but still used and necessary. We don’t get off the hook just because it’s someone else’s document. But it also can give heartburn when we have no influence on whether the document we use, but don’t own, is kept up to date. But we should at least do our due diligence to have a method for keeping tabs on the document to ensure that the people who have access to it through our system have the best information available to them (or are notified when to stop using it).
And finally, there’s this little number, which in my opinion, is an interpretation and clarification of many-a-nonconformance-past.
“NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.” (Which definition of “access” do you use?)
THIS WEEK’S HOMEWORK
Have a gander at your document control process. Are all forms of documentation included? Are all the necessary controls in place? Is external information included? This may end up to be quite a project for some. Good luck this week!
Stay involved and engaged – SUBSCRIBE!
