Carlos Pereira da Cruz Can you imagine the possible consequences of selling a product or service that no longer complies with legislation because the seller was not aware of legislative changes? Can you imagine receiving a complaint from a customer because he claims that the product received no longer meets the last version of an ISO standard that your company mentions in the product specification sheet? Well, external document control aims to prevent those cases from happening.
What does ISO 9001:2015 mean by external documents?
ISO 9001:2015 clause 7.5.3.2 mentions that documented information of external origin must be determined, identified and controlled.
What is a documented information of external origin? It is documented information relevant to the quality management system (QMS) and issued by an external entity. Examples of those issuers can be: customers, suppliers, legislators, regulators, standardization bodies, or business partners.
First of all, let’s distinguish the two kinds of documented information of ISO 9001:2015:
- Documented information that must be retained (let us use the old term “records” to describe them); and:
- Documented information that must be maintained (let us use the old term “documents” to describe them).
Records issued by an outside party can be a customer order, a calibration certificate, or a maintenance report. Relevant records must be determined, and control rules defined. Where and how do you look for a particular record? How long will the organization keep the record? How do you minimize risks concerning those records?
Documents of external origin relevant for the QMS can be, for example, Product Specifications, Logistics Specifications, Material Safety Data Sheets, Legislation, Permits, Standards, Platform Rules, or Work Instructions.
If you need help with identifying an external document, the List of External Documents can be helpful.
External documents must be determined and surveilled
A QMS must determine what the relevant documents of external origin are. For example, an organization can use a register that, for each relevant document, can list: name of the document, issuer of the document, updated version and date, internal distribution (who inside the organization use the document), and responsibility for control (who inside the organization is responsible for controlling).
Documents of external origin relevant for a QMS have a particular challenge not applicable to records:
- How do you know if the document is still updated?
- If the document was changed, what are the implications? Do the changes in the document imply changes in the practices of the organization?
- Who will investigate those implications?
- How do we know if a new relevant document was issued?
The issuer may know your organization or not, and may care for your organization or not. That way one can draw a matrix about the relationship between an organization with a QMS and the issuers of documents of external origin. Something like:
- Documents of external origin issued by entities on quadrants 1 and 3 must be kept under surveillance: someone must periodically check if the issuer made any changes to the existing document or if the issuer issued new relevant documents (for example, legislation and standards)
- Documents of external origin issued by entities on quadrant 2: the issuer will typically be responsible for informing and sending updated information (for example, work instructions sent by contractor to external provider of processes)
- Documents of external origin issued by entities on quadrant 4: the issuer will generally contact to inform and involve in the change (for example, governments and multinationals in small countries).
External documents control avoids unpleasant surprises
An effective external document control practice avoids unpleasant and costly surprises. Complaints, recalls, dead inventory, rework and scrap are possible consequences of failing to control external documents.
Be sure that your QMS knows:
- what are the relevant documents of external origin
- who is responsible for checking, with what frequency, if external documents from quadrants 1 and 3 were changed or newly published
- who is going to do what when there are changes or new documents;
- get new versions or new document
- update register
- distribute new version or new document
- check if it is applicable
- plan changes
- implement changes
- confirm that changes were implemented
In a world where organizations work more and more with other organizations, in ever more complex networks of interested parties, the importance of external documents control is going to increase and become more visible.
To learn more about the basic ISO 9001 documents, check this free Checklist of Mandatory Documentation Required by ISO 9001:2015.
