About 99846tom

Document Control

The concept of Document Control is a very old quality system requirement that dates back long before ISO made its’ way to the USA. For many years the most common quality audit finding was related to poorly controlled documents. Now with the advent of computer networks managing documents and records, document issues are among the least noted of quality audit findings. But they do occur, so here is some information to help clarify the concepts and requirements.

Documents come in two types: Controlled and Uncontrolled.
If the document is “controlled” then you are assured that you have the latest revision and will be given the newest revision when a change occurs.

If the document is “uncontrolled” then you have a document for immediate use; however, you must ensure that the document is current.

Documents are often stamped/identified “Controlled.” Uncontrolled copies often have a statement such as “Uncontrolled” or “Printed Copies are Uncontrolled” or “Reference Only”.

The intent is that everyone who needs a document (procedure, work instruction, etc) has access to the controlled version. Uncontrolled documents in use at a workstation for someone to refer to is not acceptable. “How-to” notes taped to a machine is an example of necessary instructions that you have failed to properly document and control.

Q When is an uncontrolled document appropriate?
When the document is sent to requester outside of your organization.
There may be other uses for uncontrolled documents, but if the requester is an employee, they should be looking at a controlled copy.
Q What documents do I need?
Now called “Documented Information” is required for:
Scope and boundaries of your quality management system. Including listing non-applicable requirements and the justification as to why the requirement is not applicable.
Maintain documented information to support the operation of its processes;
General description of relevant interested parties
Description of the processes needed for the quality management system and their application throughout the organization
The sequence and interaction of these processes
Assignment of the responsibilities and authorities for these processes.
Quality Policy
Quality objectives
Control of non-conforming outputs (aka products and services)
maintain documented information that defines the nonconformity and corrective action management processes.
Definition of competency for all those who affect and are a part of the quality management system.
Any process, task, requirement that you determine to need a procedure or work instruction for. It’s your call!

Now called “Retained Documentation” (aka records) are also required and is a part of this document control process. Why? Because forms must be controlled and completed forms are records that must be protected and maintained.

Q If a “form” is completed, is it a record?
Maybe. If it is retained to show evidence of completion and/or conformance, then it is a record. If the data entered on a form is later entered into an electronic system (database, ERP, MRP, etc) then that form is a tool and should not be retained and is not a record. The record is in the system.
Q If there is a controlled form and data are entered on the form, do I need to change the revision of the form?
NO! It is now a record. (yes, this question does come up.)
The QMS Database is designed to manage all the documents and records in one place and gives instruction on how to use the forms. Resulting reports are pre-programed for you.

Q How do I create and change a document or form?
A standard templet for procedures is a good idea. Be sure to include title, revision, change history, date and approvals.
Changes should be documented, and the record should include date of change, what changed and who approved the change. Additionally, consider documenting what caused the change (customer, defects, audit finding), assess the impact on products, processes, WIP, finished goods and is training necessary to communicate the change. All of this is often in a change notice kept as a record.

Q Do I need a Master List of Documents?
No. But it is nice to have.

Q What do I do with old revisions of documents?
Trash them. Most companies keep obsolete documents and never refer to them. If you keep them, put them in a location that most people cannot access, identify them as “Obsolete.”

Q What do I do with documents that are not created or controlled by my company?
Documents of external origin must also be controlled to ensure you are working with the latest revision. This can be done by verifying before use by using resources such as the customer’s portal, internet search, document services website e.g. www.Everyspec.com
Q What records do I need?
A record validates the performance of an activity. The QMS standard you’re working to defines what records (documented information) is required. If you need to prove that you did it, you’ll need a controlled record(s).
Q How long should I keep records?

Check your customer requirements. Your minimum record retention should be the maximum time required by your customer.

Last Word
You may have heard that “ISO is easy, just say what you do, and do what you say.”
This is partially true, just be sure that what you say is said correctly. Documentation needs to include QMS, customer and regulatory requirements.


It may seem too obvious to warrant a specific requirement, but there are employee competency requirements in ISO9001 that are repeated in AS9100, TS16949 and other standards based on ISO9001.
In short, employees and others performing work within the boundaries of the Quality Management System, are required to be competent to perform the required tasks. This applies to consultant auditors, outside process and service providers, temp employees, contractors and regular employees.
How do you define competency? What records are required?
Competency definition is completely up to you. If you think the people in shipping should have a PhD and 10 years of experience, it’s your call. Most all companies define competency in a Job Description. A Job Description is important to have for each position (not person) and serve many functions. These need to be carefully written by a professional who understands your federal, state, city and local legal requirements. They need to be descriptive enough to be useful, but open enough as to not tie you down and make the position inflexible.
To meet your ISO9001:2015 requirements be sure to include appropriate education. This maybe formal classroom education, trade school, specific industry education such as IPC-610, SNT-TC-1A, J-STD, Welding, etc.
You are also required to ensure that required training or experience is defined. Training should include your internal requirements such as safety, QMS, forklift, procedures, LOTO, etc. etc.
Experience is the easiest; define the necessary time in a similar position; 1 year, 5 years as appropriate. Many companies will say “1-3 years’ experience.” What does that mean? Four years of experience is no good? Just say “One or more years of experience.”
Can you hire or promote a person that does not have the education and experience you have defined? Of course, you can. The ISO9001 states that you need to take actions to acquire the necessary competence. This can be training from any source you wish or an internal development program, mentoring program or similar approach. Be sure to evaluate the effectiveness of these actions. This can be a review, exams, “sign-off” by a manager.
You must retain records of competency. If your job description states that the Inspector must have high school education, training in GD&T and be a certified weld inspector, be ready to show records that support this for every employee who is under that job description.
Education records can be:
1. Actual diploma
2. Job application
3. Resume / CV
Training records can be:
• Certificate
• Exam
• Training matrix
• Training in group format where many sign-in to a training session.

Last words:
Job descriptions written by professional HR people often say something like: “Education should at least be high school, and experience should at least be one-year, or any combination deemed acceptable by the hiring manager.”
This kind of loophole helps you with labor law requirements and makes every employee competent regardless of the records presented.
Every willing worker is not always the right person. The intent of this ISO9001 requirements is to ensure that the right person is doing the job.