The Importance of Document Control: a Complete Overview

By ,

Why is Document Control Important?

The multiple elements of Integrated HSEQ (Health, Safety, Environment, and Quality) Management Systems (MS) require the creation and maintenance of documents and records. The many documents involved make it critical to have a procedure in place that manages all aspects of the documents, from creation to archiving, ensuring efficient functioning of the system. This process, an essential element of ISO 14001, 9001, and 45001 is necessary for the success of any management system and is referred to as Document Control.

Operationally Excellent Document Control ensures:

  • effective management of the HSEQ business processes
  • compliance with legislative requirements
  • clear ownership and buy-in by affected parties
  • consistent procedures and timelines for review, revision, and approval of pertinent documents
  • improved opportunities for procedure adherence and training efficiencies
  • easily retrievable and accurate records

Roles & Responsibilities for Document Control

To be sustained, the document control business process requires clear ownership, with roles & responsibilities and competencies defined and accepted by the responsible parties. The challenge comes in ensuring consistency in the application of the requirements.

Management and Supervisors

Management and supervisors have the overall responsibility for the identification, storage, protection, retrieval, retention, and disposition of all HSEQ MS documents. It is their responsibility to ensure:

  • the engagement of appropriate Subject Matter Experts (SME’s), and stakeholders when creating or revising documents
  • the compliance of the new and revised documents with regulatory/legislated standards
  • the development and verification of appropriate site-specific procedures/operations standards by only qualified, competent personnel
  • active reviewing and signing off as applicable of the site-specific procedures and operational standards by appropriate personnel
  • the recency of specific procedures and operational standards by an annual review or as the need for changes is identified (following Management Of Change process as required)

Operations Personnel

The operations personnel are responsible for:

  • following the revision request process as stated in Document Control
  • providing the most recent copy to the HSEQ Document Administrator when developing or revising site-specific procedures
  • archiving the old documents to avoid duplicates and ensuring that only the most recent copy is provided for storage and upload to any HSEQ MS electronic systems.
  • ensuring the retention and filing of documentation according to the standard and as per existing Records and Information Management (RIM) policies
  • implementing the rules around privacy and security are ensuring that they are widely understood.
  • identifying the need for and creating site-specific procedures and/or operational standards
  • referencing the relevant Operation Standard that applies for the activity/task they are conducting as well as when developing site-specific procedures
  • reviewing and signing off on the site-specific procedures associated with their role in the risk ranking of the activities/tasks they perform
  • verifying the accuracy of all site-specific procedures or operational standards
  • updating site-specific procedures and operational standards when errors are identified or changes are required (follow MOC process as required)

HSEQ MS Document and Records Administrator

The HSEQ MS Document and Records Administrator are responsible for:

  • Managing and maintaining documents housed within HSEQ MS
  • Managing all revision requests
  • Ensuring that only the most recent version of a document is stored and uploaded the HSEQ Intranet site

Third Party Resources

Third party resources are responsible for:

  • providing copies of pertinent documents for record retention
  • ensuring rules around privacy and security are understood and implemented
  • supporting the use of electronic document and record software systems

The Various Types of Documents and Records & their Meaning

It is important to understand the purpose of all the different types of documentation and what their specific requirements are.


Information and its supporting medium, i.e. any paper or computer file that contains HSEQ Management System information to be followed (for example, HSEQ and technical operating procedures, records and forms). Documents are live, e.g. they reflect a “what” or “how” that can be changed by the owner.  


A document stating results achieved or proving objective evidence that activities were performed. These are not live documents but rather provide a snap-shop in time e.g. a record is a filled out form or template referenced in a procedure or work instruction. Once filled out they are not live and subject to change.

Obsolete Documents

Those documents that have been replaced by a new version or are no longer required.

Controlled Document

Defined current documents that are used to plan and/or control any processes or operations that affect the HSEQ Management System.

Uncontrolled Document

Any copy of HSEQ MS controlled documents that are used for reference purposes only.  These documents must bear the markings “uncontrolled copy”. Or any paper or computer data file that contains HSEQ Management Systems information to be followed and is not controlled.

Master Document List

An index for controlled documents that define the HSEQ MS. The master document list usually contains, at a minimum, the title, and the date of issue, the revision date and location of the document.

How to Decide on the “Right” Documentation

Extensive documentation is not effective documentation because of the burden of maintaining it, and being held accountable for all its requirements. The mantras “Say what you do and do what you say” and “it didn’t happen if you can’t prove it through documentation and records” should be kept in mind as you develop the minimal amount of documentation required.

To filter what to document, analyze your business processes to determine what is needed. For example, beyond the required HSEQ MS element documents, the safety-critical processes and procedures often require written policies and procedures. Hazard and risk assessments are also a good place to start in determining documentation and record needs, as is the legal registry.

Please note some elements of ISO management “Plan-Do-Check-Act” systems require documentation to be auditable and meet third-party certification requirements.  

Required Documents and Records for Your ISO HSEQ Management System

Some of the documents required by ISO 14001, 9001, and 45001 Management Systems are:

  • HSEQ policies;
  • HSEQ duties, roles and responsibilities for implementing MS Legal & Other Requirements;
  • HSEQ Objectives and Targets; and
  • documents, including records, necessary to ensure the effective planning, operation and control of processes that relate to the management of HSEQ related aspects and risks.

All documentation must be legible, dated (with dates of revisions) and readily identifiable, maintained in an orderly manner, and retained for a specified period in most certification programs, to meet regulatory expectations and help provide a due diligence defence in the event of an incident.

Procedures and responsibilities should be established and maintained concerning the creation and modification of the various types of documents as per some of the generic roles and responsibilities referenced above.

Document Hierarchy: 4 Levels of Documentation

The document hierarchy defines the structure with which the HSEQ management system documents are created.  

4 levels of documents iso document hierarchy

This document Hierarchy is often portrayed as a pyramid, with the levels reflecting the status and quantity of documents typically developed within an operationally excellent HSEQ MS.

Level 1 Documentation – Vision and Policy

Vision and Policy documents are useful to customers as they provide assurance that senior management has defined and specified requirements/expectations for key business HSEQ related business processes. The Policy establishes the statement of values and commitments and is the guiding principle for the Vision.

Level 2 Documentation – Standards and  Procedures

Level 2 includes HSEQ Management System standards and procedures that:

  • describe the Who, What, When and Where of the business processes used to meet the requirements of the higher level policies and Standards.
  • describe the integration of controls processes
  • describe the process flow, linkages, combination and integration of departments, functions etc.

Level 2 documents can be created either based on department or by cross-discipline teams focusing on specific elements of HSEQ MS. These documents should be made available at point of use: e.g. Sharepoint type software so workers have access.

Level 3 Documents – Operational Documentation

These documents explain the details of specific tasks or activities – the “how” of performing a specific task.

The need for documentation is based upon the complexity of processes, workforce stability, past issues, regulatory needs, and industry standards.

These documents must be available, known and used by personnel and must be kept current and controlled to achieve operational excellence and high HSEQ performance.

Examples of operational documentation include guides, work instructions, plans, forms, drawings, flowcharts, work practices, training plans, and computer templates.

Level 4 Documents – Records

These documents provide objective evidence of activities carried out and the results achieved in accordance with Levels 1,2 and 3 documentation.

These documents can be either mandatory or implied by the HSEQ Management System (i.e. intent derived by interpreting standards it is based upon)

HSEQ records include:

  • individual training needs analysis, records and assessment results
  • calculation results, monitoring, inspection and audit reports/follow up
  • quality spills
  • reports from the rehearsal of emergency and crisis communication plans
  • minutes from management reviews and relevant committee meetings
  • communications with regulatory authorities
  • incident and emergency reports (immediate, follow up, final), Quarterly Reports and Annual Reports

Active Records are those which are maintained for a period of one to two years within each department as required to conduct day-to-day operations.

Inactive Records are those which are either:

  • no longer required to conduct day-to-day operations but must be retained by the department for specific periods of time, or
  • no longer required by the department and therefore must either be destroyed or retained to meet shareholders, contractual, or regulatory requirements.

Retention value

Records should  be retained only if they are of value to your organization in any of the following categories:

  • Administrative Value: the record is required for employees to perform their duties.
  • Audit Value: the record is part of an audit trail.
  • Historical Value: the record is of importance in documenting the organization’s history and contribution to their stakeholder community.
  • Legal Value: the record provides evidence to support the organization’s position in a legal proceeding.
  • Regulatory Value: the record is required to meet regulatory or statutory requirements

Document Control Implementation

Figure 1 – Process for Creating or Revising Document

importance of document control process for creating or revising document flowchart

The emphasis should not be on the ‘system’, but on the implementation and maintenance of the HSEQ Management System. HSEQ documentation should be an integral live functioning support for the day to day business processes.

Where possible, multiple needs should be integrated into single documents. Beyond the step by step instructions for the workers, the procedure can contain needed information on health and safety/process safety-related hazards and controls, quality management issues, and environmental aspects. The documents should also be written to as low as possible grade level to facilitate the use. Photos should be utilized as a visual aid at the task level.

Any new or modified documents should be reviewed to determine their impact on operations and companies should consider using an implementation date and effective date strategy to ensure adequate time is provided for training and awareness.

When creating an integrated HSEQ MS that already has an existing and comprehensive document control system (e.g. a document control system implemented as part of the ISO 9000 quality system), the existing document control should be used instead of creating and maintaining a new and separate system. This will cut down on user confusion and facilitate training and awareness.

Each controlled document must bear a unique identification, issue date, revision date and show approval where appropriate, and documents and/or data printed from the HSEQ MS company Intranet site should be identified as printed by a privileged user and marked as controlled.

Document Control and Due Diligence

Due Diligence refers to all reasonable care to protect the environment whenever possible in every situation. It can also contribute to a successful defence of a company in the event of an incident or at least mitigate potential penalties. 

Proving Due Diligence

The onus is on the defendant to prove due diligence. This means an organization must be able to prove that they took all reasonable care to prevent an incident from occurring (example:  spill, emission limit exceeded, or a worker injured).

Document Control helps to ensure due diligence by guaranteeing that the current versions of relevant documents are available at all locations where operations essential to the functioning of the HSEQ MS related to the incident were performed. Examples include maintenance and inspection procedures and records, sampling records, employee and contractor training, operator manuals, work instructions, alarm systems and records, emergency response plans, drills, equipment etc.

At the very least one should be able to prove that the documentation is current and accurate. that employees are following their requirements. Procedure adherence checks should be performed to validate the efficacy of the documents.

The efficacy of the document and records program should be monitored annually by tracking key performance indicators such as the number of :

  • revision requests received
  • revisions made to existing documents
  • new documents created
  • document reviews completed
  • incidents where non-conformance was listed as one of the root causes

This Due Diligence checklist ensures that you are following due diligence to protect the health and safety of your workers.


Document Control helps organizations verify their conformance with all legal and other requirements as well as facilitate the implementation of  an effective management system.

To maximize the benefits of document control, it is critical to ensure that all company personnel follow the system business processes when creating, reviewing, updating and retaining documents, policies, objectives, records, etc. that fall within the scope of the HSEQ MS or as required by legislation. It is the responsibility of the HSEQ MS representative to determine the best method for controlling HSEQ MS documents, but all personnel must be familiar with the document control procedures in order for the system to work effectively and create benefit versus increased liability.

The documents should be developed by relevant subject matter experts and have clear ownership, and any changes should be through the formal management of change business process.

Without this one source of truth business process that clearly defines the What and the How it is almost impossible to become operationally excellent.