My document control procedure may not meet all the requirements of ISO, but I have third level work instructions that do. Is that OK?

Technically yes. ISO requires that you have processes and procedures describing these processes but it doesn’t tell you how to document them. It is thus conforming if your complete process is spread over a number of different documents. However, this is unlikely to be a very useful structure to your documentation and probably does not make the documents effective at defining and communicating the process.

There structures can originate from many situations but typically when the procedure was written, the author was trying to “get ISO” and that’s what they did. The easy way for them to do it was to write a procedure that just mimicked the words in the standard. Thus the procedure meets ISO. Unfortunately it really doesn’t describe the actual processes that are followed to achieve say document control and thus often work instructions are written to explain the different activities — so although they are called work instructions and third level documents they often describe the management processes that would normally be in a procedure. Usually they also contain detail too. That alone would be bad enough, but over the years auditors, customers and others change the procedures and work instructions to suit their needs and what is left is a complex set of documents to describe a simple process, at different levels and containing both detail and management processes.

The goal of documentation is not just to achieve conformance by saying “we have addressed it somewhere” but to focus on what would be the most useful structure of our documentation so that it is easy to communicate the process, to train people in it and to refer to it if we need to.

ISO is such a useful standard. It focuses on the processes for “managing” the activities it introduces. It is the management of document control that is important in clauses 4.2.3 and this can practically be presented in a single document at an appropriate level of detail. ISO got it about right when they included the requirements under each section. Covering these requirements, expanding those that are more important and minimizing those that are less (if any) can be practically achieved in a single document. Thus it is a useful hint (not particularly just for ISO conformance but also for addressing the most common document control requirements) that these subjects could (and perhaps should — because it is useful and practical) be described in a single procedure.

It is still possible that some work instructions are necessary. Typically these would cover the detail of a specific activity but the “management procedure” (the procedure which explains how the process is managed), should describe the overall process including relevant variations and exceptions. How to operate software or levels of authorities would be better covered in lower level documents.