Denise Robitaille


Look, But Don’t Touch

Documents of external origin

Published: Tuesday, September 12, 2006 - 22:00

I was recently asked to comment on the ISO 9001 requirements regarding external documents. My first reaction was to point out a distinctive subtlety in the actual text of the requirement. Many users have gotten into the habit of referring to this category as “external documents” when in fact, the term in subclause 4.2.3 of ISO 9001 is “documents of external origin.” Although this may sound like unnecessary hairsplitting, it really does make a difference. The precisely chosen words help to provide guidance to the intent that underlies this requirement.

Consider the interpretation of each. The term “external document” is ambiguous and vague, leaving the reader baffled as to what exactly falls into this particular grouping. It’s been misconstrued to have several meanings, including any document that isn’t physically at the organization’s location or a document that has been issued and sent out, resulting in a loss of control. By contrast, a document of external origin is explicitly one that originates from outside the organization and contains specific information that the organization needs to fulfill customer requirements, maintain its quality management system (QMS) or comply with statutes, for example.

These documents have their own category because they’re handled differently from those created by the organization. Because of their origins, they carry restrictions. An organization may use them, but it cannot change them, because the authorization for revisions, approvals, withdrawals, etc., resides with those who authored the document. Examples of documents of external origin include:

  • National/international standards (e.g., ISO 9001, ISO/TS 16949, ISO 17025, etc.)
  • Customer specifications (e.g., drawings, schematics, bills of material, contractual requirements, etc.)
  • Industry and product standards (e.g., clean room standards, National Electrical Manufacturers Association codes)
  • Statutory and regulatory requirements (e.g., OSHA, Environmental Protection Agency, Child Safety Protection Act, Food and Drug Administration, et al.)
  • Operating and repair manuals (i.e., manuals needed to use or maintain equipment)

The typical problem that arises with this category is that, because they aren’t created by the organization, individuals don’t perceive these documents as part of the QMS documentation. If it’s not a documented procedure, it’s not a “quality” document. This exacerbates the many artificial dividing lines that create obstacles to a well-integrated quality management system. We’ve got to remind folks that it doesn’t matter if you call it a procedure, a standard operating procedure, a drawing, a directive, a computer-aided design file, a regulation or a customer mandate. If it defines requirements you need to make your organization run or bring product to market, it’s a document that must be controlled.

The level to which such documents are controlled is similar to that of the organization’s own documents and reliant on several criteria, such as criticality, use, risk, etc. Organizations that utilize these documents need to ensure that personnel using them understand what their responsibilities are vis-à-vis the maintenance and disposition of documents of external origin. The level of control entails such items as making sure that individuals are aware of the requirements, have access to them and know how to acquire the most current revision. Specifically, the control that’s exercised over these documents relates to:

  • Access
  • Preservation and security
  • Awareness of the status of revisions
  • Harmonization of requirements from external documents with requirements found within internally generated documents.

Who has access to the documents? Where are they kept? Do you have a listing of these documents, their locations and the individuals responsible for their maintenance? Some companies maintain libraries of technical publications and standards. This doesn’t mean that process owners have to allow unfettered access to anyone. It simply means that these documents are a company asset that must be accessible to key personnel.

If documents are held electronically, have individuals been trained to navigate your company’s intranet to find them? If they don’t know how to find them on the server, they don’t have access.

Do you receive specifications, drawings and other documents from your customers? How do you ensure that they’re preserved or protected from inadvertent changes or accidental disposal? In many organizations the default is simply to protect them in the same way they protect their own documents. If the documents include proprietary information, though, the manner in which they’re maintained can become a liability issue. If you have many clients visiting your facility, you may need to make provisions to ensure that your personnel don’t leave them on desktops and benches where they’re easily accessible to any casual visitor.

Awareness of the status of revisions
In the years before Web sites, I had a client who machined a lot of parts to military specifications. The engineers would get requests for quotes every day that cited military specifications. Posted on the wall, in a very large font, was the toll-free number to call to find out the latest revision of any military specification.

This is a prime example of how to bring control to a situation where the perception is that you have no control. If you can’t revise a document that you need to fulfill a requirement, then you must ensure that there’s consensus on what revision or release date everyone involved has agreed to use.

Harmonization of requirements from external documents with requirements found within internally generated documents
ISO 9001 specifically requires organizations to determine if there are any “… statutory and regulatory requirements related to the product…” (subclause 7.2.1). If you’re in a regulated industry, your process owners (i.e., engineers) need to have access to the documents that define statutory product requirements. If you don’t have access or control of the documents that define these regulatory requirements, how can you ensure that the product conforms?

Similarly, if you have a certified clean room, you can’t have internal documents describing maintenance of the area that diverge from the defined requirements of the entity granting the certification. The same holds true for your QMS certification. You can’t have documents that conflict with the QMS requirements cited in the applicable standard (ISO 9001, AS9100, ISO 13485, TL 9000, etc.).

With documents of external origin, it all boils down to your being able to look but not touch. With the exception of revisions, all other document control requirements apply.


About The Author


Denise Robitaille

Denise Robitaille is the author of thirteen books, including: ISO 9001:2015 Handbook for Small and Medium-Sized Businesses.

She is chair of PC302, the project committee responsible for the revision to ISO 19011, an active member of USTAG to ISO/TC 176 and technical expert on the working group that developed the current version of ISO 9004:2018. She has participated internationally in standards development for over 15 years. She is a globally recognized speaker and trainer. Denise is a Fellow of the American Society for Quality and an Exemplar Global certified lead assessor and an ASQ certified quality auditor.

As principal of Robitaille Associates, she has helped many companies achieve ISO 9001 registration and improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as auditing, corrective action, document control, root cause analysis, and implementing ISO 9001. Among Denise’s books are: 9 Keys to Successful Audits, The (Almost) Painless ISO 9001:2015 Transition and The Corrective Action Handbook. She is a frequent contributor to several quality periodicals.