Document Management: Risks, Controls, and a Sample SOP Template

Good documentation is worth the effort you put into it

Published: Monday, March 13, 2023 - 13:03

Most companies face the challenge of managing the documentation they generate—those that are developed to control their business and processes (e.g., standard operating procedures—SOPs) and the associated records as evidence of compliance with those procedures. This may go a step further if the company wishes to obtain or maintain certification to an external standard such as ISO 9001, which includes document-control requirements.

Document management can often be overlooked, especially by new organizations, as it may seem like a lower priority. But it can become unwieldy very quickly for such companies if not addressed from the get-go.

The primary risks are that poor documentation can:
• Have a negative impact on the functioning of a company and its products or services. For example, if an employee follows an out-of-date work instruction in processing a product, it can result in the product going to market not to specifications. The risk here can be great for healthcare products.

• Result in not obtaining or maintaining an ISO quality management system certification (if the company wants that). This can affect the revenue of companies, as some business customers require evidence of certification to a quality standard such as ISO 9001 before entering into an agreement to use the company as a supplier.

How does one address these document management challenges and potential risks to their company? We’ll look at ISO 9001, because it’s the internationally recognized standard for quality management systems (QMS) and includes document management and control requirements (clause 7.5).

We should first define “documented information” as referenced in ISO 9001:2015 (clause 7.5.1). The definition is in ISO 9000:2015—“Quality management systems—Fundamentals and vocabulary,” in section 3.8. To be brief, documented information is described there as “...information required to be controlled and maintained by an organization.”

Clause 7.5.1 of ISO 9001:2015 requires that a company QMS maintain documented information required by the standard, and documented information determined by the company as being necessary for the effectiveness of its QMS.

Thus, the minimum required to be maintained by ISO 9001 is the scope of the QMS, the quality policy and objectives, and those documents determined as necessary to support and control the operation of processes and ensure the effectiveness of the QMS, with the goal being customer satisfaction.¹ Also, the extent of documented information can vary, depending on such things as the size of the company, the complexity of its processes, and the type of services and/or products it provides. One should carefully consider the risks of having inadequate documentation (e.g., SOPs) to control its processes. If that is lacking, resulting in distribution of a defective product, a company opens itself up to potentially undesired consequences (e.g., for FDA registered facilities developing medical devices, it could lead to substantial fines, lawsuits, and loss of reputation).

Additionally, the standard requires companies to retain documentation (e.g., records) for the purpose of providing evidence of actions taken as planned and results achieved. There are too many to list here, but they include training records and those records indicating that processes were conducted as planned. Even if you do not plan to seek certification, maintaining this documentation is also recommended for tracking actions taken and reference purposes.

Note: Documented information may be on paper and/or in electronic format.

If your organization does not currently have a policy or procedure for document management itself—one is not specifically required by ISO 9001—it’s still recommended to ensure adequate control of your documented information. Even without one, there are requirements in the clause that must be met for your documented information if you want to be certified to the standard. These include (clauses 7.5.2 thru 7.5.3.2):
• Proper identification (e.g., title, date, author) and review and approval
• Protection (e.g., from loss of confidentiality) and controls over their distribution, access, storage, and use
• Appropriate control when changes are made (e.g., changes reviewed, version control)

While not ISO 9001 requirements, the following best practices can also be considered by your organization—again, depending on its size and complexity of processes. These include establishing the following:
• A designated department and/or lead responsible for overseeing your organization’s documented information and ensuring compliance with internal and any external document management requirements
• A system (electronic is preferred, e.g., an off-the-shelf document management e-system) to manage document creation, approval, and revisions; access/use; and retention. Recommended components of such a system would be ensuring edit rights for documents to the document owners, and availability of only the latest, approved, and read-only version.
• Standardization of document templates to ensure consistency of SOPs, forms, etc. If you seek certification to ISO 9001, you will also need to ensure the templates you develop are compliant with clause 7.5.2.

Documents can be ubiquitous and wide ranging in type and function, depending on a company’s size and processes. Make sure you have control over them.

I hope this helps you get started if your company is just getting off the ground, or, if your company is established and already has a document management system in place, reassess it if you find it necessary.

Here is a link to a document template that contains the key elements you need to get started.

Reference

1. There are other ISO management standards that also include document management requirements (e.g., ISO 14001), so you’ll want to review those for any differences from ISO 9001 if you want to be certified to them as well. Further, the same high-level structure of certain ISO management system standards, such as ISO 9001 and 14001, allows your company to operate a single (“integrated”) management system that can meet two or more management system standards simultaneously (guidance here).

Quality Digest does not charge readers for its content. We believe that industry news is important for you to do your job, and Quality Digest supports businesses of all types.

However, someone has to pay for this content. And that’s where advertising comes in. Most people consider ads a nuisance, but they do serve a useful function besides allowing media companies to stay afloat. They keep you aware of new products and services relevant to your industry. All ads in Quality Digest apply directly to products and services that most of our readers need. You won’t see automobile or health supplement ads.

Our PROMISE: Quality Digest only displays static ads that never overlay or cover up content. They never get in your way. They are there for you to read, or not.

So please consider turning off your ad blocker for our site.

Thanks,
Quality Digest

About The Author

Todd Hawkins

Todd Hawkins is a Quality and Continuous Improvement Advisor at FedEx Corporate.

Comments

03/14/2023 - 15:42 pm — Michael McLean

Doc Mgt

G'day Todd,

Thank you so much for providing the link to the ISO Integrated Use of Mgt System Stds (IUMSS) 2018 HB. We took three years and many international workshops, meeting and a survey, a refreshed Jim the Baker case and some amazing process-based and structured IMS.

If I may provide a few changes:

- Organizations seek Conformance not Compliance to an ISO MSS. Likewise Internal Audit first requirement is for the "documented information" (hard/soft as you said) to the organization's own management system

- ISO/ IEC Policy Directive 2021 changed the Annex SL 9.1 from what you wrote as the High Level Structure (it is now since 2021 the Harmonized Structure supported by the Harmonized Approach) clauses 1-10

- The HS is where 4-10 are the requirements for all ISO Task Groups, Working Groups to use and revise and/or develop ISO Management System Standard "Writers".

- That means what it says, the HS is for ISO MSS Writers - it does not mean as you implied the use the HS (nee HLS) as the basis, format for Users to document their single (ISO 9001) or integrated Management System as if they did, that would be a major Non-conformance to Clause /Reqt 5.1.C where 'Top management shall ...... integrate the ISO XXXX Requirements within the organizations business processes'.

- The HS (nee HLS) clauses are not "processes" therefore cannot be used to show their interfaces as per Clause 4.4.1 not enable clause 6.1 'integrate risks and opportunities' again 'into the organization's business processes' if, as you say, the organization seeks accredited certification

- none of the 100+ ISO IUMSS 2018 HB Cases in Point, as was the cases in the 2008 edition, had IMS's documented by clauses - they are all process based documented accredited IMSs.

Thanks again for the ISO IUMSS 2018 HB reference.

03/14/2023 - 08:59 am — Elizabeth Magu (not verified)

A very insightful and informative article.

Thank you Todd, for sharing. This is very insightful and informative.

The aticle is a must-read for anyone in the quality compliance field and looking to stay ahead of the curve.

03/14/2023 - 16:35 pm — Michael McLean

Doc Mgt

Hi Todd again,

This revised ISO document may assist.

ISO 10013:2021 - Quality management systems

https://www.iso.org › standard

20 Apr 2021 — This document gives guidance for the development and maintenance of the documented information

03/14/2023 - 09:54 am — Todd Hawkins

Thank you

Thanks Elizabeth! I do hope it is helpful.

03/13/2023 - 12:13 pm — ChrisParis

Template

The attached template includes information that will be confusing to readers. The aspects marked "required" (page number, printed copy footer) are not required at all by ISO 9001, and one item marked as "best practice" (revision indicator) *is* actually required by ISO 9001.

So I'm concerned that this article will yet again confuse readers as to ISO 9001's document controls, which -- in prior revisions of the standards -- were simple and easy to understand. The new version confuses things for no reason, and apparently confuses even the experts.

Side note: one of the TC 176 authors claimed that ISO was embracing "oral tradition" over documentation. Let that sink in. ISO wants folks to build products and have a robust quality system based on the Neanderthal culture of telling stories over a campfire, because some lazy companies complained about having to write mandatory procedures. Imagine if those same consultants flew around on airplanes where the pilots had no procedures or checklists, and did whatever their grandfather told them 20 years ago at the kitchen table!

03/13/2023 - 15:11 pm — Todd Hawkins

Template

Thanks for your comment. You are correct that ISO 9001 doesn't specifically require a page number. I listed it as such as it would fall under identification (7.5.2 a)); in the parenthetical statement at the end of that clause, it lists some examples. Though page number is not included, one would want to indicate page numbers to avoid the possibility of the pages getting mixed up if the document was printed or a page getting lost. Thanks for pointing out the footer as not an ISO 9001 requirement; I will check with my Quality Digest contact about removing that. It could, however, be considered another best practice - a company doesn't want obsolete or old versions floating around - the statement would alert readers to go find (where located) the latest version to verify. As far as the revision indicator, clause 7.5.3.2 c), doesn't specify that a revision number/indicator must be used, only that a formal process for controlling changes be implemented - as indicated there, "version control," is one example. One could use a revision history table with the date of changes.

Quality Digest