Slide 62 of 262
4.2.3 Control of Documents
NOTE: There are no new requirements for Control of Documents from the 1994 version.
Documents required by the quality management system shall be controlled. Records (Also see: 4.2.1e) are a special type of document and shall be controlled according to the requirements given in 4.2.4.
A documented procedure shall be established to define the controls needed...
The key words are "...as necessary..." Your company may decide procedures are only reviewed when changed. This fulfills the requirement.
The secondary 'qualifier' which confuses people is where it says: "...and re-approve..." which on its face appears to be implying a review unrelated to a change in the document. With some QS registrars the requirement is a minimum yearly review of procedures.
But the ISO document does not say that nor does it give an 'appropriate' timeframe for such review. So - it's up to you.
A discussion may come up from the auditor in how often a document is reviewed for relevance. There is no single answer. What the auditor is looking for is that you ensure that documents do not ‘get lost’. Some companies put a 1 year review on certain documents. Some 2 years. Many companies reference documents which were changed within the last year or two and try to explain that this is evidence that documents are being reviewed and changed. But that is reactive. The auditor will be looking for some sort of plan or policy (e.g. policy: “All departmental managers shall review and re-approve procedures relevant to their department yearly.”) They may look for evidence this is in fact happening.
c) To ensure that changes and the current revision status of documents are identified,
This is typically done with a database, spreadsheet listing (document matrix), document control software or the like. I have seen simple systems where a read-only directory was established and the document ‘matrix’ was simply a print of the directory listing. To find current revision level one only had to open the document and check it’s header.
d) To ensure that relevant versions of applicable documents are available at points of use,
If people need them, they have to be ‘readily’ available. The definition of ‘readily’ is open for discussion. In the case of ‘work instructions’, typically they should be at the place the person does the work. But every company and process is different. The question really boils down to common sense. If a person has a relatively constant need for a document, it should be at hand. But – let’s consider the case of a non-conformance procedure. It is not (hopefully) being utilized frequently and as such may be located away from where the person is working. Engineering specifications would most probably be located in the engineering area (yeah, I know – so much is on ‘the network’ anymore that in some companies this is not much of an issue). With one client the auditor had a hard time accepting the fact that a document in Chicago was readily available in Cincinnati. No, it wasn’t online either. Stumped? Think FAX. It was a seldom referenced document. In today’s world with all the intranets, this should not be an issue for most documents.
e) To ensure that documents remain legible and readily identifiable,
Legible: This is typically not a problem except with paper documents in greasy or wet environments and the like. At the very least, have a policy on the use of white-out. White-out should NOT be allowed on ‘quality records’.
Identifiable: Title, document number or similar identifier.
Retrievable: Can we find and get to it? See d) above as well.
One auditor gave a minor, threatened a major, for the use of ‘whiteout’ by a client employee recently. I lost this challenge, but not based upon “Show me where it says…”. He simply said he would not argue – that the use of whiteout made the record illegible. Before you say, “Well, I think whiteout on a data record is a bad idea anyway…” -- This was a daily schedule ‘copy’ (the original is in the computer), not data per se. The employee explained it was her personal reminder. The auditor added that he expected to see this as a defined quality related record by the next audit. My opinion is the auditor was being an ass and over-stepped the intent. This was a service company – not a military manufacturing facility.
f) To ensure that documents of external origin are identified and their distribution controlled, and
This is an oldie from the original. It is also a sticking point with many companies and auditors. There is no Black-and-White to go by. The trigger is supposed to be “…if a document could affect the quality of the product, it has to be controlled…” This leaves many documents wide open for interpretation. Some are quite clearly applicable (e.g. customer prints). Some are not so clear (e.g. catalogues). For thought, you might want to take a read of https://elsmar.com/Forums/showthread.php?t=2462 (it’s short).
The bottom line is: You have to take a good look at what documents and specifications you use and ensure you have identified what documents of external origin you have, which you have to control and why, and what ones you have but do not control and why. This should be an output from your in-house sweeps.
g) To prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
The heart of the matter – to prevent unintended use of the wrong (out dated) document (internal or external). How do you do this? Do you physically retrieve all outdated paper copies? Is everything on the computer? If people can do printouts of documents, how do you ensure they do not use them after the original is revised? Be realistic. The best way I believe is when a procedure is revised, ensure there is a meeting or other method to ‘train’ the changes. At this meeting people should be admonished to destroy and illegitimate printouts. If you do distribute paper procedures, an email or memo to each person on the distribution list detailing the change and asking them to destroy the old version should be sufficient. Many companies require some sort of response – such as a returned e-mail or a signed memo – to evidence that the person in fact did receive the e-mail or memo and understands the contents, etc.