Document Control Explained

Because information in document form drives nearly every action in any organization, the ability to control this information usually means the difference between success and failure. Thus, document control remains the single most critical quality assurance discipline. As with many other systems, document control is more successful if it’s simple, intuitive and user-friendly. And the first step toward this end is deciding exactly which documents need to be controlled.

Documents requiring control

“Do I need to control this document?” is one of the most frequently asked questions in organizations working toward, or maintaining, a formal management system. Given the universe of documents possibly requiring control, the question is understandable. Besides, most people would rather not control a document if they don’t have to.

The ISO 9001:2008 standard provides a quick answer to the question of what must be controlled. The first sentence of section 4.2.3 on document control states, “All documents required by the quality management system shall be controlled.” This means that if a document addresses or relates to any of the issues in ISO 9001: it must be controlled. Here are some questions to ask when determining whether a document should be controlled:

  • Does the document guide the production of products (i.e., goods or services) provided by the organization?
  • Does the document guide the verification, inspection or testing of products provided by the organization?
  • Does the document define customer and/or product requirements?
  • Is the document used for controlling processes?
  • Is the document used for decision making by production personnel?
  • Is the document used for collecting data that could be used later for decision making within the scope of the management system (e.g., a form)?
  • Is the information on the document so critical that failure to keep it updated would pose a risk to the organization or its customers?
  • Does the document address or relate to a requirement from ISO 9001:?

If the answer to one or more of these questions is yes, then the document should probably be controlled. For illustration purposes, consider the following scenarios:

An interoffice memo is posted on a wall in the fabrication department. The memo gives a number of functional and packaging requirements for a product that’s fabricated there. Because of where the document has been posted and the information it contains, the memo should certainly be controlled. Ignore the fact that memos are rarely controlled; in this case it provides customer requirements, guides decision making and relates directly to ISO 9001: requirements.

Even if the memo duplicates information contained elsewhere in controlled specifications, the uncontrolled memo would still be a problem. Eventually, there will be a discrepancy between the information on the memo and the information contained in the controlled specifications. The organization should either control the posted memo or get rid of it.

A training department develops videotapes to train employees on the proper setup and operation of production lines. The videotapes are included in the training program for new hires and existing employees. In this case, document control is required because the tapes define process control, guide the production of products and relate to the training requirements of ISO 9001:

Product defect samples are displayed in a lighted glass cabinet in the visual inspection area. The samples illustrate the limits of various defects that can be considered acceptable to customers, and they’re used when inspectors aren’t certain of the criteria. Currently, the display cabinet is labeled “for reference only.” Despite this declaration, the samples should be controlled because they define customer requirements.

An organization develops a checklist that’s used to record the results of product inspection. The blank checklist defines exactly what’s to be inspected, as indicated by the spaces that inspectors must complete. These blank forms need to be controlled as documents, and then as records once they’re completed.

These scenarios highlight the fact that documents needn’t be limited to traditional procedures, work instructions and the like. The term “document” can encompass a wide range of things, all of which might require control–depending on the information they contain. Some examples include:

  • Electronic documentation
  • Photos
  • Drawings, diagrams and sketches
  • Audio tapes and videotapes
  • Product samples and defect samples
  • Paint swatches for color matching
  • Checklists
  • Flow diagrams
  • Blank forms

Document vs. record

It’s obvious from the foregoing list that controlling documents requires thinking of them as more than written procedures. However, before we jump into specifics, let’s clear up some confusion that plagues many organizations, namely, how a document differs from a record.

A document is a living thing. The information contained within it is subject to change; it can be revised. A record, on the other hand, is history. The information it contains can’t be changed because it simply states what’s already happened.

It’s sometimes possible for an item to exhibit characteristics of both a document and a record. Work orders, sales orders and purchase orders, to name a few, can function as both historical records and live documents. In these cases, the item is treated as a document until its real-time informational value has been exhausted. At that point, it’s treated as a record.

Now that we understand what documents are, let’s explore the specific means of controlling them. By the way, one of the six documented procedures required by ISO 9001: is controlling documents, so whatever specific controls an organization decides upon must also be documented–and controlled.

Approving documents

All documents must be approved for adequacy before being used. There are, of course, many ways to accomplish this. Paper-based documents often include spaces for authorized persons to sign or initial. Electronic documents can be approved through a typed name if passwords prevent anyone from falsifying the approval. In much the same way, e-mail can even be used. However, such approval should be visible to the user. Otherwise, the value of approval (i.e., as a cue that the document is OK for use) is lost.

Does the organization need to define who is authorized to approve documents? At least on a basic level, the answer is yes. A statement such as, “Documents must be approved by individuals responsible for managing the tasks described in the document” would satisfy the designation of approval authority. Alternatively, an organization may decide to be much more specific about who can approve documents. But from the titles shown beneath approval spaces, documents typically indicate who is responsible for approving them, and this self-declaration is usually adequate.

Note that a fine line exists between having too few and too many approvals on a document. For documents that cut across departments, the approval list should include all managers who are affected by the document. This provides buy-in and communicates to managers what’s expected. The flip side is that obtaining eight or 10 approvals can take a long time. Strive for the fewest number of approvals that will still provide buy-in for the information described in the document.

Reviewing, updating and reapproving documents

ISO 9001: introduces the requirement that documents must be reviewed, updated as needed, then reapproved. This doesn’t mean routine document revision. The standard requires an organization to review documents periodically to see if they’re still valid. If they are, the organization reapproves them. If they’re not, either a revision is made or the document is declared obsolete. This prevents documents from becoming inaccurate or obsolete over time. If documents are used properly, this should never happen, but we all know that they’re frequently ignored in the press of day-to-day work commitments.

What exactly triggers a document review? An organization can handle this in three ways:

Recall documents on a strictly periodic basis–every year, for instance–and review them, update as necessary and reapprove them. This would certainly satisfy the standard. But it’s sometimes difficult to review documents based strictly on the passage of time. This requires a fair amount of discipline because there’s always something more important to do than reviewing documents. This system’s success depends on the organizational skills of the person in charge of it.

Review, update as necessary and then reapprove documents based on business triggers or real-world events that have the power to affect a document. Some examples include the introduction of new products, equipment and processes; change in business focus; technological breakthroughs; and improved methods or practices. Because this approach is driven by actual events that make document review immediately relevant, it introduces a sense of urgency that’s not present in the periodic approach.

If an organization decides to use this method, it needs to define the business triggers and responsibilities clearly in the document control procedure. The document administrator will typically monitor operations for these business triggers and ensure that the relevant documents are reviewed, updated as necessary and reapproved. If a business trigger hasn’t occurred within a reasonable period of time–say, three years–then documents should be recalled for review anyway.

Use the internal audit process to review documents. Keep in mind, however, that internal audits are sampling processes. By function, they’re only going to examine a representative sample of documents in existence. The standard implies that all documents must be reviewed. If an organization intends to use its internal auditing process to satisfy this requirement, then extra care must be taken when planning and scheduling audits to ensure that all documents are sampled during an extended period.

Identifying changes and revision status

Documents must have revision changes identified. This is typically interpreted as the changes in the most current revision. Thus, if a document is on revision five, it will identify the changes that moved it from revision four to revision five. This identification assists document approvers to see what changed in the document, and it assists users in knowing what’s changed so they can comply with the document’s requirements.

Changes can be identified in a variety of ways, including the following:

  • Change logs at the end of documents
  • List of changes on the cover sheet
  • Underlined, bold, italicized or highlighted changes throughout the document

Revision status simply indicates a document’s most current revision. This is normally indicated by a revision number, letter or date placed directly on the document. The revision status enables users to know whether they have the most current document. For paper-based documents, the revision status normally ties back to a master list or index that tracks the current revisions of all documents. For electronic documents, knowing the current revision is less important because the most current version is provided automatically to all users. Either way, the revision status must still be identified.

Making documents available at points of use

A document is useless if it’s not accessible. ISO 9001: requires that “relevant versions of applicable documents are available at points of use.” This means that current versions of documents must be accessible by the people who need them. It does not mean that everyone must have his or her own copy or computer terminal. If people know where the documents are located, have access to that location and can make use of the information in the documents, then this requirement has been satisfied.

Some organizations develop elaborate schemes for distributing documents to different departments or functions. These often involve “acknowledgment of receipt” sheets that must be signed and returned with obsolete copies of documents.

ISO 9001:2000 doesn’t specifically require such systems, though they may provide some value. Organizations must examine their own operations and decide what will provide the right balance of control and simplicity. Remember that the more bureaucracy involved, the slower the system will work and the more likely that users will attempt to circumvent it.

Making documents legible and identifiable

Legibility means that documents can be read and understood. They should be written in a clear, decipherable manner, in the language spoken by document users. For instance, if a significant number of employees in a particular department speak and read in Spanish, then the documents would need to be legible to them. To do this, the organization could write the documents in Spanish or use graphic documents (e.g., photos or drawings) that can be understood regardless of the prevailing language.

“Identifiable” simply means that documents have a title, document number or other unique identifier that sets them apart from others. Organizations often develop document numbering schemes that relate to the ISO 9001 numbering system. This is well-intentioned but guaranteed to be obsolete in the future. Remember, ISO reviews and revises the 9000 series every five years, and this normally triggers a change in the way the standard is numbered. A better numbering plan would dovetail with an organization’s processes or departments. Such a numbering system will be relevant to employees, and it won’t become obsolete upon the next revision of ISO 9001.

Controlling external documents

An external document is published outside the organization and used within the scope of the management system. The eight questions listed at the beginning of this article will help determine if an external document should be controlled. Examples of external documents possibly requiring control include:

  • Troubleshooting and/or calibration manuals published by equipment manufacturers
  • Test procedures, specifications and/or engineering drawings published by customers or other bodies
  • Instructions, specifications and/or procedures published by suppliers
  • Standards published by industrial organizations applicable to the organization
  • International standards such as ISO 9001:2008

Once external documents have been determined, they must be identified, and their distribution must be controlled. Like internal documents, there must be a title, document number or other unique identifier. Such identification typically comes from the source that publishes the document, and the organization simply adopts it.

Distribution control is important because most external documents arrive in paper form. Knowing where they’re located is critical to controlling the information contained in them. For that matter, paper-based internal documents should also have their distribution controlled, but this isn’t specifically required by ISO 9001: A distribution list simply defines the number of copies in existence and where they’re located. Often the copies are numbered, and these numbers match the locations shown on the distribution list. When documents are revised, retrieving the old copies is much easier when their quantity and location is known.

Controlling obsolete documents

ISO 9001 imposes two controls related to obsolete documents: Their unintended use must be prevented, and they must be identified if they’re retained.

The easiest and most obvious way to prevent the unintended use of obsolete documents is to take them out of circulation. Simply round them up and remove them. This is quite easy when their exact locations are known. Controlling obsolete documents is one more good reason to maintain distribution lists for all paper-based documents, both internal and external.

Organizations often retain obsolete documents to preserve knowledge. These documents can be referred to when comparing, for example, a current process to one used five years ago. If an organization elects to retain obsolete documents, they must be identified by some means the organization considers suitable. This might include marking them as “history,” “obsolete” or “uncontrolled,” or putting them in a specially designated location that has controlled access. Whatever method is devised must ensure that obsolete documents aren’t floating around where they can be used improperly.

A few words on forms

The issue of controlling forms is a sore spot for many people. The resistance usually follows this general theme:

“I just don’t see the value in controlling forms. How are we supposed to do it, anyway?” The bottom line is that forms existing within the scope of ISO 9001: –in other words, forms that address an ISO 9001: requirement applicable to the organization–undeniably require control. Why? Because the primary reason for a form in the first place is to create consistency in the way that data is collected. This can only be enforced when everybody is using the same form, and this only happens through some type of document control.

Fortunately, forms are quite easy to control. Let’s look at two different approaches, both of which are widely used by organizations:

Forms controlled as “attachments” to procedures. In this framework, forms are included within the procedure or documents that describe their use. (Must there be a procedure that describes the use of every form? Of course not, but it makes sense in some cases.) The forms are generally included as the last page or two of the procedure to which they belong. Approving a procedure can also include approving the form attached to it. The same goes for revising and identifying changes. The form is treated like another page of the procedure for control purposes, but it can be reproduced for use independently of the procedure. When the form is revised, the procedure is also revised, and users are made aware of the changes just like any other changed procedure. The drawback of this system, of course, is that organizations are required to revise the entire procedure when the form is revised.

Forms controlled individually. In this framework, forms have individual numbers and revisions. Their approval may be made directly on the original copy or kept elsewhere, such as on a master approval sheet. The current revision of each form is usually indicated by a master list, computer index or even by including it in a special file. When a form is revised, users are notified via memo, e-mail or other means.

Forms are often printed in huge quantities, inevitably just before a minor change occurs that renders them obsolete. If the change was inconsequential, don’t toss out the old forms. They can often be labeled with a disclaimer, “Previous versions of this form may be used.” This will enable an organization to use the old inventory and avoid waste. Keep in mind that this only works when changes to the form are minor and when the form itself isn’t something that bears seriously on the organization’s success.

Document formatting

Fortunately, ISO 9001 doesn’t require any particular format for documents. An organization can decide for itself what format will work best for its mode of operation. Furthermore, it’s not required to stipulate a single type of format or style of document. However, a standardized format or style can be helpful in driving a consistent appearance for all documents. Many organizations stipulate only the content of document headers and cover sheets, while other companies require specific sections in each document such as purpose, scope, responsibilities, equipment and the like. Such decisions are up to the organization.

Whatever style and formatting though, the document control procedure should clearly define it. In fact, many organizations use their document control procedure as a guide for writing documents. In this way, the document control procedure does double duty by describing the control of documents and facilitating document development.


The basic tenets of document control are very simple. Most document control procedures can be drafted in four pages or fewer. Writing a document control procedure is easy: Simply work your way down the list of document control issues raised by ISO 9001:2000 and describe what the organization is doing for each one. Keep it simple and avoid creating too much bureaucracy. An effective document control system will provide documents to users quickly and not slow them down with lengthy procedures.