Guidance on Document and Record Control

You may be familiar with the ISO 9001:2000 requirements for document control in clause 4.2.3 and for record control in clause 4.2.4. However, are you aware of the extra requirements that the industry sector schemes have added to those basic requirements and the available guidance on document and record control? If you’ve thought about expanding or strengthening your control of documents and records, this article may identify possible improvements for your system.

We will first review the ISO 9001:2000 document and record control requirements, and then examine the additional requirements contained in:

  • AS9100:2004 (aerospace)
  • TL 9000:2001 (telecommunications)
  • ISO/TS 16949:2002 (automotive)
  • ISO 13485:2003 (medical devices)
  • ISO 14001:2004 (environmental)

By examining what these industry schemes viewed as shortcomings in ISO 9001:2000, you may identify new practices, regardless of your current standard.  Then, we will look at the guidance in these standards:

  • ISO 9004:2000 (quality)
  • ISO 90003:2004 (software)
  • ISO 15489:2001 (records)
  • ISO/TR 10013:2001 (documentation)

But first, what is the difference between a document and a record? We need to know the difference if we are going to control them. Documents are written plans and can change, therefore, they have revision levels. Examples are manuals, procedures, and instructions.

Records are the evidence of what was done, therefore, they have retention periods. Examples are reports, meeting minutes, and test data. Superseded documents become records. And, blank forms are controlled as documents, but become records when they are completed.

REQUIREMENTS: Document Control

ISO 9001:2000 Document Control (4.2.3)
1. Approve documents for adequacy prior to issue.
2. Review, update as necessary, and re-approve them.
3. Identify changes and current revision status.
4. Ensure documents are available at points of use.
5. Identify and control documents of external origin.
6. Ensure documents are legible and identifiable.
7. Prevent unintended use of obsolete documents.
8. Identify obsolete documents if they are retained.

AS9100:2004 Document Control (4.2.3)
The extra Aerospace requirement is to coordinate document changes with customers, and/or regulatory authorities in accordance with contract, or regulatory requirements.   

ISO/TS 16949:2002 Document Control (
The extra Automotive requirements are:
1. Review, distribute, and implement customer engineering specifications and changes.
2. Complete on the customer-required schedule.
3. Review ASAP (not to exceed two working weeks).
4. Keep a record of the change implementation date.
5. Update documents as part of the implementation. 

TL 9000:2001 Document Control (4.2.3.C.1)
The extra Telecommunications requirement is to establish and maintain a documented procedure to control all customer-supplied documents and data if these documents and data influence the following product activities:

  • Design
  • Verification
  • Validation
  • Inspection and Testing
  • Servicing

ISO 13485:2003 Document Control (4.2.3)
The extra Medical Device requirements are:
1. Review and approve documents (ISO 9001:2000 only says approve documents).
2. Ensure changes are reviewed and approved by:

  • the original approving function,
  • or designated function with access to pertinent information.

3. Define period for keeping at least one obsolete copy.
4. Ensure documents to which medical devices have been manufactured and tested are available:

  • for at least the lifetime of medical device,
  • not less than the retention of any resulting records, or
  • as specified by regulatory requirements.

ISO 14001 Document Control (4.4.5)
The 1996 version of the EMS standard included extra requirements:

  • Include dates of revision (not just revision status)
  • Maintain documents in an orderly manner
  • Retain documents for a specified period
  • Write the procedure to cover the creation and maintenance of various types of documents

However, ISO 14001:2004 specifies the same document control requirements as ISO 9001:2000.

GUIDANCE: Document Control 

ISO 9004:2000 Guidance on Documentation (4.2)
The generation, use, and control of documentation should be evaluated with respect to the effectiveness and efficiency of the organization against criteria such as:

  •  Functionality (e.g., speed of processing)
  •  User friendliness; Resources needed
  •  Policies and objectives
  •  Requirements for managing knowledge
  •  Benchmarking of documentation systems
  •  Interfaces used by customers, suppliers, and interested parties

And, access for people in the organization and others should be based on the organization’s communication policy.  

ISO 90003:2004 Guidance on Document Control 

The software guidance standard includes a note at clause 4.2.3 to refer to 7.5.3 for more information on document control as part of configuration management. Clause states that the configuration management discipline is applicable to related documentation. 
ISO/TR 10013:2001 Guidance on Document Control
(Clause 6.1)
1. Documents should be reviewed before issue to ensure their clarity, accuracy, adequacy, and proper structure.
2. Users should have the opportunity to comment on usability and if documents reflect actual practices.
3. Document release should be approved by managers responsible for their implementation.
4. Copies should have evidence of release authorization.
5. Evidence of document approvals should be retained.

(Clauses 6.2, 6.3)
1. Distribution method should ensure pertinent issues are available to all personnel who will need the information.
2. Distribution and control may be aided by using serial numbers of individual document copies for recipients.
3. Document distribution may include external parties, e.g., customers, registrars, and regulatory authorities.
4. A process for initiation, development, review, control, and incorporation of changes should be provided.
5. The same approval process as for original documents should be applied when applying changes.

(Clause 6.4)
1. Document issue and change control are essential to ensure document contents are properly approved by authorized persons and approval is readily identifiable.
2. A process should be established to ensure that only the appropriate documents are in use.
3. Revised documents should be replaced by latest revision.
4. A document master list may be used to assure users that they have the correct issue of authorized documents.
5. Organization should consider recording change history for legal and/or knowledge preservation reasons.

REQUIREMENTS: Record Control

ISO 9001:2000 Record Control (4.2.4)
1. Establish and keep records as evidence of conformity
2. Use to show effective operation of quality system
3. Keep legible, readily identifiable and retrievable
4. Establish a documented procedure to control:

  • identification and protection,
  • storage and retrieval, and
  • retention time and disposition of records.

AS9100:2004 Record Control (4.2.4)
1. Define in procedure the method for controlling records created by and/or retained by suppliers.
2. Make records available for review by:

  • customers and
  • regulatory authorities

in accordance with contract or regulatory requirements.

TL 9000:2001 Record Control (4.2.4)

No additional requirements beyond those in ISO 9001:2000.

ISO/TS 16949:2002 Record Control
(Clause 4.2.4)
Note 1: “Disposition” includes disposal.
Note 2: “Records” include customer-specified records.

Satisfy regulatory and customer requirements for control of records.

ISO 13485:2003 Record Control (4.2.4)
Retain records for a period of time:

  • At least equivalent to lifetime of medical device,
  • Not less than 2 years from date of product release,
  • Or, as specified by relevant regulatory requirements.

ISO 14001 Record Control
The 1996 version of the EMS standard (clause 4.5.3) stated to:
1. Include training records
2. Include results of audits and reviews
3. Maintain environmental records traceable to:

  • activity,
  • product, or
  • service.

4. Record the retention times
(source: ISO 14001:1996, clause 4.5.3)

However, ISO 14001:2004, clause 4.5.4, specifies the same record control requirements as ISO 9001:2000.

GUIDANCE: Record Control

ISO 15489:2001 Guidance on Record Management
ISO 15489-1:2001 is an information and documentation standard on records management. Its companion document, ISO/TR 15489-2:2001, provides further explanation and guidance on implementation options.

1. Records are created and used to conduct business activities and should be authentic, reliable, and usable.
2. Records should be preserved and made accessible.
3. Records should comply with policies, standards, and legal requirements.

A records management program should decide on:

  • Records to create for each process
  • Information to include in the records
  • Form, structure, and technologies to be used
  • Retrieval, use, and transmittal of the records
  • Retention periods and the disposition process
  • Organization of records to support their use

Records should be kept in a safe, secure environment only for as long as they are needed or required.
(See more guidance in ISO 15489-1 and ISO/TR 15489-2)

ISO 90003:2004 Guidance on Record Control 
Evidence of conformity to requirements may include:

  • Documented test results
  • Problem reports, including any related to tool problems
  • Change requests
  • Documents marked with comments
  • Audit and assessment reports
  • Review and inspection records (e.g., those for design reviews, code inspections, and walkthroughs).

Examples of evidence of effective operation may include:

  • Resource changes (people, software, and equipment)
  • Estimates, e.g., project size and effort
  • How and why tools, methods, and suppliers selected
  • Software license agreements (procured and supplied)
  • Minutes of meetings
  • Software release records

1. Consider legal requirements when setting retention times
2. Retention and access of electronic records, should consider the rate of media degradation, availability of devices, and software needed for access
3. Records may include information held in email systems
4. Protection from computer viruses, and unapproved or illegal access, should be considered
5. Proprietary information in records should be assessed to determine erasure methods at end of retention period

ISO/TR 10013:2001 Guidance on Records (4.11)
1. Records should indicate conformity with system  requirements and specified product requirements
2. Responsibilities for preparation of records should be addressed as part of the system documentation

Note: Records are not generally under revision control since records are not subject to change.

ISO 9004:2000 Guidance on Documentation
The term “documentation” refers to both documents and records, so the ISO 9004 guidance covered earlier under document control also applies to record control.

Summary on Document and Record Control 
This article summarized the document and record control requirements of ISO 9001:2000, plus the requirements of:

  • AS9100:2004 (aerospace)
  • TL 9000:2001 (telecommunications)
  • ISO/TS 16949:2002 (automotive)
  • ISO 13485:2003 (medical devices)
  • ISO 14001:2004 (environmental)

Guidance on documentation in ISO 9004:2000 was addressed, plus guidance from:

  • ISO 90003:2004 (software)
  • ISO 15489:2001 (records)
  • ISO/TR 10013:2001 (documentation)

If you have any document control or record control questions, please let me know (