Document Management: Risks, Controls, and a Sample SOP Template

Good documentation is worth the effort you put into it

Most companies face the challenge of managing the documentation they generate—those that are developed to control their business and processes (e.g., standard operating procedures—SOPs) and the associated records as evidence of compliance with those procedures. This may go a step further if the company wishes to obtain or maintain certification to an external standard such as ISO 9001, which includes document-control requirements.

Document management can often be overlooked, especially by new organizations, as it may seem like a lower priority. But it can become unwieldy very quickly for such companies if not addressed from the get-go.

The primary risks are that poor documentation can:
• Have a negative impact on the functioning of a company and its products or services. For example, if an employee follows an out-of-date work instruction in processing a product, it can result in the product going to market not to specifications. The risk here can be great for healthcare products.

…

Want to continue?

By logging in you agree to receive communication from Quality Digest. Privacy Policy.

Create a FREE account

Forgot My Password

Comments

Template

The attached template includes information that will be confusing to readers. The aspects marked "required" (page number, printed copy footer) are not required at all by ISO 9001, and one item marked as "best practice" (revision indicator) *is* actually required by ISO 9001.

So I'm concerned that this article will yet again confuse readers as to ISO 9001's document controls, which -- in prior revisions of the standards -- were simple and easy to understand. The new version confuses things for no reason, and apparently confuses even the experts.

Side note: one of the TC 176 authors claimed that ISO was embracing "oral tradition" over documentation. Let that sink in. ISO wants folks to build products and have a robust quality system based on the Neanderthal culture of telling stories over a campfire, because some lazy companies complained about having to write mandatory procedures. Imagine if those same consultants flew around on airplanes where the pilots had no procedures or checklists, and did whatever their grandfather told them 20 years ago at the kitchen table!

Template

Thanks for your comment. You are correct that ISO 9001 doesn't specifically require a page number. I listed it as such as it would fall under identification (7.5.2 a)); in the parenthetical statement at the end of that clause, it lists some examples. Though page number is not included, one would want to indicate page numbers to avoid the possibility of the pages getting mixed up if the document was printed or a page getting lost. Thanks for pointing out the footer as not an ISO 9001 requirement; I will check with my Quality Digest contact about removing that. It could, however, be considered another best practice - a company doesn't want obsolete or old versions floating around - the statement would alert readers to go find (where located) the latest version to verify. As far as the revision indicator, clause 7.5.3.2 c), doesn't specify that a revision number/indicator must be used, only that a formal process for controlling changes be implemented - as indicated there, "version control," is one example. One could use a revision history table with the date of changes.

A very insightful and informative article.

Thank you Todd, for sharing. This is very insightful and informative.

The aticle is a must-read for anyone in the quality compliance field and looking to stay ahead of the curve.

Thank you

Thanks Elizabeth! I do hope it is helpful.

Doc Mgt

Hi Todd again,

This revised ISO document may assist.

ISO 10013:2021 - Quality management systems

https://www.iso.org › standard

20 Apr 2021 — This document gives guidance for the development and maintenance of the documented information

Doc Mgt

G'day Todd,

Thank you so much for providing the link to the ISO Integrated Use of Mgt System Stds (IUMSS) 2018 HB. We took three years and many international workshops, meeting and a survey, a refreshed Jim the Baker case and some amazing process-based and structured IMS.

If I may provide a few changes:

- Organizations seek Conformance not Compliance to an ISO MSS. Likewise Internal Audit first requirement is for the "documented information" (hard/soft as you said) to the organization's own management system

- ISO/ IEC Policy Directive 2021 changed the Annex SL 9.1 from what you wrote as the High Level Structure (it is now since 2021 the Harmonized Structure supported by the Harmonized Approach) clauses 1-10

- The HS is where 4-10 are the requirements for all ISO Task Groups, Working Groups to use and revise and/or develop ISO Management System Standard "Writers".

- That means what it says, the HS is for ISO MSS Writers - it does not mean as you implied the use the HS (nee HLS) as the basis, format for Users to document their single (ISO 9001) or integrated Management System as if they did, that would be a major Non-conformance to Clause /Reqt 5.1.C where 'Top management shall ...... integrate the ISO XXXX Requirements within the organizations business processes'.

- The HS (nee HLS) clauses are not "processes" therefore cannot be used to show their interfaces as per Clause 4.4.1 not enable clause 6.1 'integrate risks and opportunities' again 'into the organization's business processes' if, as you say, the organization seeks accredited certification

- none of the 100+ ISO IUMSS 2018 HB Cases in Point, as was the cases in the 2008 edition, had IMS's documented by clauses - they are all process based documented accredited IMSs.

Thanks again for the ISO IUMSS 2018 HB reference.