1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Must all Documented Information be controlled?

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by QualityNoob, Feb 4, 2017.

  1. QualityNoob

    QualityNoob Member

    Joined:
    Nov 11, 2015
    Messages:
    9
    Likes Received:
    2
    Trophy Points:
    2
    (This isn't necessarily a ISO 9001:2015-specific question, but it is certainly relevant to the 2015 revision as well as prior revisions.)

    My organization has struggled with the question of whether the ISO 9001 standard requires all documented information to be controlled.

    We chose to parse of the language of the ISO 9001 standard to carve out the possibility that some documented information could be managed (potentially rather loosely) outside of our main Document Control procedure.

    We defined criteria that determines the scope of processes included the QMS. And then we stated that we considered a written procedure to be "required by the quality management system" for each of these processes (see the first sentence of 7.5.3), while other documents are optional and therefore may optionally be controlled. This means that work instructions, training materials, etc. may optionally be controlled, but it is not required.

    But is this putting too much of a spin on the language of the ISO 9001? Does the mere existence of a document imply that it is "necessary for the effectiveness of the quality management system" (see 7.5.1.b)?

    That certainly seems to be the clear message in http://www.iso.org/iso/documented_information.pdf (section 4b):
    "Where it exists, all such documented information, is also subject to the requirements clause 7.5."

    (And then again, does ISO guidance not incorporated into the standard represent requirements or interpretation of requirements?)

    Thoughts?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Well, it's all the in what you define as "all". Without boundaries, we're unable to reasonably reply with a useful answer. Got any concrete examples we can work with? Clearly, if you take a product, then process centered approach to looking at why documents are necessary, that will help. On the other hand, there's a fundamental principle which you can adopt in any business. Why would you have any information available to people to do their jobs which wasn't properly managed?
     
    PaulJSmith and Pancho like this.
  3. Pancho

    Pancho Active Member

    Joined:
    Jul 30, 2015
    Messages:
    76
    Likes Received:
    84
    Trophy Points:
    17
    Location:
    Cypress, Texas, USA
    A document control procedure should be unobtrusive and useful. If it is, there's no reason to handle any documented information outside of it. If not, then the procedure needs work.
     
    PaulJSmith, RoxaneB and QualityNoob like this.
  4. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Controls of documented information should be more about your organization's needs and less about what seems to suit ISO 9001.

    If your system is not complex, a procedure is of limited use. It would be far better for process personnel to understand that keeping needed information safe from obsolescence, loss, unauthorized change etc. is a prudent measure because the potential problems from loss of control could affect their results. This should include training materials if they inform people of their expected tasks, so as to ensure people always get the correct information when and where they need it.

    People would probably need help in setting up the controls, which is fine: limited access to networked folders, read-only settings, etc. are not things everyone understands. You can work with them and establish a scheme of what document is where, which is a good idea in any case.

    Do these things and a document control procedure might not be necessary; it is hoped that awareness and risk based thinking replaces "Thou shalt XYZ" procedures that hardly anyone looks at anyway.
     
    QualityNoob likes this.
  5. QualityNoob

    QualityNoob Member

    Joined:
    Nov 11, 2015
    Messages:
    9
    Likes Received:
    2
    Trophy Points:
    2
    Andy,

    I'll use a hypothetical scenario: Let's say my organization has a process to create peanut butter and jelly sandwiches which we deem to be in the scope of our QMS. Our QMS foundational processes (Quality Manual, Document Control) require that the manager accountable for that process establishes a written procedure and manage it in our QMS document control system. But if the manager also decides to create a training presentation (perhaps it covers techniques for effectively spreading the peanut butter), we do not require that they manage that document in our QMS document control system, though we do require that such documents must still "managed so as to maintain adequate process control." In other words, we are allowing for less strict document management for that training presentation because we deem it "not required".

    If I understand from you response, it sounds like you tend toward the camp of "if it exists, someone has decided it is necessary, so it should be controlled."
     
  6. QualityNoob

    QualityNoob Member

    Joined:
    Nov 11, 2015
    Messages:
    9
    Likes Received:
    2
    Trophy Points:
    2
    Pancho,

    It sounds like your take on it is that if there is the apparent need to manage a document from our QMS document control system, then it's probably because it's not an effective document control system.

    I wholeheartedly agree with that and we definitely have some room for improvement in that area.

    But what is your thought as to whether the existence of a document implies that it is "required by the quality management system"? In other words, should all documented information that exists and is relevant to processes in the QMS be controlled?
     
  7. QualityNoob

    QualityNoob Member

    Joined:
    Nov 11, 2015
    Messages:
    9
    Likes Received:
    2
    Trophy Points:
    2
    Jennifer,

    So it sounds like you're suggesting that rather than trying to parse the wording of the ISO 9001 standard so carefully, perhaps an alternative is to establish guidelines and training for what constitutes "control of documents" rather than having an overarching one-size-fits-all procedure that may not work for every document in the QMS. Do I have that right?
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm now left wondering if you haven't made too much of what document control is about. IMHO, many organizations have created a bureaucracy on this topic, then look to justify why some documents don't need that level of control. If you create a monster, you must feed it!
     
  9. QualityNoob

    QualityNoob Member

    Joined:
    Nov 11, 2015
    Messages:
    9
    Likes Received:
    2
    Trophy Points:
    2
    You pretty much hit the nail on the head, Andy. I inherited responsibility for our QMS a few years ago but we've been ISO 9001 certified for 20 years. Our document control procedures have not fundamentally evolved in the last 10 years or so. I definitely want to streamline it, but I am struggling with the best approach: What aspects of our doc control processes are truly important and what aspects are overly bureaucratic? Where is the line between sensible and "monstrous".

    So it sounds like your general message (similar to Jennifer and Pancho) is to "lighten up" on document control generally. Make it easier and less bureaucratic so that there is no reason to exclude anything.

    Any general ideas of best practices you can share?
     
    Andy Nichols likes this.
  10. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Yes. Control is control. I do not know what your procedures are handled with, or why you would want them to be handled with a different system than training documents, when information in both needs to be correct, current, available when and where it's needed, and kept safe. Have two methods if you want, just please understand that training information is worth protecting too. You are also right in questioning if document control has been made too complicated. I think things should be controlled when their use can impact the product/service quality, or the document users' ability to succeed or help each other ensure product/service quality. It has always been about risk. We only just started saying so. Being able to demonstrate a thought process for what to control and how can help show RBT is being done in this support process.

    To control or not to control?

    Vacation schedules? Not necessarily
    Inspection forms? Probably; if they contain any instructions or acceptance parameters, then certainly.
    Training documents?
    - If they tell people how to fill out vacation schedules, not necessarily.
    - If they tell people how to do work impacting product/service quality or help other people to do their part to ensure product/service quality, then yes.

    What sort of email system does your organization use?
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Maybe the easiest approach is to have you sanitize what you have for a doc. control procedure (etc) and post it here so we can advise...
     
  12. Pancho

    Pancho Active Member

    Joined:
    Jul 30, 2015
    Messages:
    76
    Likes Received:
    84
    Trophy Points:
    17
    Location:
    Cypress, Texas, USA
    Yes, I'd say that if some information is relevant to a process, then it should be controlled. We even control vacation schedules as such control helps with employee satisfaction, a goal of hr, a function that provides important support to our key processes.

    At the end of this article is an excerpt of our document control procedure.
     
    Atul Khandekar likes this.
  13. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Let's look at it from this perspective...does the written procedure contain steps that do not support the effective spreading of peanut butter (to stay with your scenario)? If so, well, what purpose does the procedure serve? Why would an organization choose to control a procedure which essentially says nothing helpful towards supporting the ability to consistently meet customer requirements?

    Let's take it a step further...who says the procedure has to be a typical procedure? Why can't the training presentation, which seemingly helps employees make awesome peanut butter and jelly sandwiches, be the "procedure" or the "work instruction" or "that thing we refer to when we have a Vulcan mind dump and completely forget what needs to be done"?

    Now let's look at the 'what if' scenario...let's pretend I have a hot date tonight (someone tell Andy to stop laughing!) and I come to you to make me a romantic meal for two. I want your best peanut butter and jelly sandwiches. Gourmet bread. Organic peanut butter. And fresh, just-like-grandma-used-to-make strawberry jam. To save time, you have two employees responsible to make my sandwiches. Employee A opens up a file that shows a training presentation from five years ago. Employee B opens up a file that shows a training presentation made just last week. Now my sandwiches will be different and my date may end up being less than memorable.

    Ah, "...but Roxane!" you say..."We would remove that old training presentation and make sure that only the new one was made available to employees!" Hmmm...this sounds like the beginning of document control. ;)

    At the end of the day, what is the document for? If it's to support your employees being actively engaged and accountable for meeting customer requirements, that's the document that should probably be controlled.
     
    Jennifer Kirley, normzone and tony s like this.
  14. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm laughing at the PB & J sammiches!
     
  15. Venson

    Venson New Member

    Joined:
    Feb 9, 2017
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    The simple presence or availability of a documented information shouldn't be used as a basis on requiring the document to be controlled--- the new standard further provides more flexibility to the organisation on determining which documented information needs to be controlled and have even relaxed on the requirements by taking out the wordings on the mandatory documented procedures. From my previous 3rd party auditing experience when we come across documents we test the document for its relevance to the management system, even when important information or process requirements are found (in your example a training module: are its contents already replicated or redundant in other forms of documented information such as documented procedures or work instructions? does its lack of control on not following existing internal document control procedures affect the competence of the staff in performing the process requirements?). Even from the old standard the degree of documentation required related to identifying process requirements can be reduced if the staff involved is able to demonstrate competence (i.e. thru education, training or experience).
     
  16. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This worries me deeply...
     
    Pancho likes this.
  17. Anpa Sockalingam

    Anpa Sockalingam Member

    Joined:
    Oct 10, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Does anyone know if an active register (spreadsheet) containing feedback can be managed as a 'controlled document'?
     
  18. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    137
    Likes Received:
    77
    Trophy Points:
    27
    Sure it can, as long as your control process defines that spreadsheet as such and specifies the degree and type of control applied.

    Me, I'm wondering about how to go about getting a hot date with [Roxanne B].
     
  19. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Pssst! I have some really, really good peanut butter...
     
  20. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    You define the controls. For an active register, which we could think of as a living document, you would not need revision control for content, but only for format changes - that is, adding or taking away information or making the document substantially different for users. But you might still want to protect it from loss and unauthorized changes, yes?
     
    RoxaneB and Pancho like this.