This article focuses on preserving product and service integrity throughout its applicable lifecycle stages, which may include design, product realization, inspection, testing, packaging, transportation, installation, commissioning, maintenance, and deactivation.

While many system integrators apply international standards and follow the ¹Control System Integrators Association’s (CSIA’s) Best Practices and Benchmarks, some may lack full awareness of:

• The applicable codes, standards, statutes, and/or regulations relevant to their marketplace, processes, and products
• The controls required to maintain the technical integrity of products and services across the lifecycle, from development to decommissioning
• The need to monitor and assess changes, along with understanding their potential impact on products and services
• Effective methods for integrating changes while preserving the integrity and effectiveness of the management system

Most quality management system standards recognize the use of standards, codes of practice, or other externally sourced information, the ²American Petroleum Institute’s (API) Spec Q1 goes further by defining high-level controls for integrating and managing external documents.

Note: more information regarding conformance with these requirements is discussed later in this article.

What Are External Documents?

The definition of external documents varies depending on an organization’s context, the industries it serves, and the products or services it provides. These documents may include:

• International codes and standards (sometimes referred to as “normative references”)
• Statutory and/or regulatory requirements
• Requirements from interested parties (e.g., certification bodies, such as the CSIA and the API)
• Customer specifications, drawings and/or other documented information
• Software (e.g., from Rockwell Automation)
• Recognized industry best practices
• Original equipment manufacturers’ documentation, when used to perform activities within the organization’s management system

Organizations frequently receive information related to the use of external documents from their customers during the proposal or contractual discussions process.

What is the Importance of Using External Documents?

The following considerations illustrate examples why it is essential to use relevant external documents—such as industry standards, codes, statutory requirements, and customer specifications—and integrate them into the management system.

1. Risks of not incorporating the requirements may manifest in a variety of ways, which could include:
   • Regulatory noncompliance – may result in penalties, legal action, or loss of operating licenses.
   • Contractual issues – failure to meet customer or contractual requirements could lead to disputes, claims, or cancellation of contracts.
   • Safety and environmental hazards – outdated or missing requirements may compromise worker safety, public health, or environmental protection.
   • Product or service nonconformance – inaccurate or incomplete requirements can lead to defects, failures, or reduced performance.
   • Financial losses – rework, recalls, downtime, and potential legal costs resulting from nonconformities or poor performance.
2. The causes of these risks may be traceable back to gaps such as:
   • The use of outdated design criteria – continuing to use obsolete standards that no longer reflect best practices or regulatory requirements.
   • Incorrect or inadequate material specifications – failing to align with updated performance or safety requirements.
   • Missed new inspection or testing requirements – not detecting changes in verification processes that ensure quality and safety.
   • Noncompliance with safety-related requirements – overlooking revised or newly issued safety rules.
   • A failure to update product realization processes – not incorporating changes into manufacturing, assembly, installation, or service processes.

Obtaining External Documents

External documents may be obtained from a wide range of sources, for example:

1. Document Distributors
   Many distributors provide access to documents from a wide range of standards developers. Examples include:
   • Accuris – accuristech.com/contact/support
   • ANSI Webstore - https://webstore.ansi.org/

   There are many such companies; a quick Google search for “distributors of international standards” will yield an extensive list of options. Similarly, searching “where to obtain statutory requirements” or “where to obtain international statutory requirements” will produce numerous sources.

2. Standards Bodies
   Sometimes the marketplace in which an organization works will contribute to the determination of which external documents that may be needed. The following examples list sources for identifying numerous standards developers:
   • American National Standards Institute: List of Accredited Standards Developers: https://www.standardsportal.org/usa_en/resources/sdo.aspx
   • Wikipedia: List of technical standard organizations: https://en.wikipedia.org/wiki/List_of_technical_standard_organizations

   If a given type of standard is already known more information may be obtained from their website.

Creating a Robust Procedure for Controlling and Using External Documents

Having a robust procedure is the key to maintaining the integrity of the management system when integrating external documents, including any revisions. The six criteria of Spec Q1 related to this subject provides an outline of what the documented procedure should address. Shown below are some general guidelines for implementing this information.

1. Identification and Documentation of Required Documents

   Identifying the applicability of required external documents may present a challenge if an organization hasn’t had this subject previously arise. Shown below are a few examples of how the need for external documents may be uncovered.

   • May be predetermined if an organization or its customer operate in a regulated industry.
   • May become known when specified by customer contractual documents.
   • May be affected by relationships with interested parties. For example, if an organization is certified by an industry organization having a certification scheme, the certification body would be an interested party particularly if they required conformity to their best practices or management system requirements.
   • Normative references (e.g., codes, standards, recommended practices) specified in industry product specifications (such as those published by the API).
   • The need for integrating regulations related to the safe operations of facility equipment (e.g., forklifts, cranes, slings).
2. Access and Distribution of Required Documents, Including Relevant Versions

   Specifying the external documents an organization has committed to may come in the form of agreeing to a license agreement for ongoing use of standards with a document distributor. Regardless of how the external documents are obtained, it is recommended to create a Master External Document List for all externally sourced documents used within the organization. This list helps in:

   • Identifying potential cost savings from industry-specific package deals (while avoiding unnecessary purchases).
   • Tracking documents that must be monitored for future revisions to maintain compliance and technical accuracy.
   • Setting up a tracking mechanism for periodically going to the source of purchase to determine if any revisions to the documents have been made (e.g., 3-6-9-12 months). The frequency may be based upon the type of document and criticality of its application.

   Note:

   1. Document distributors usually have a feature on their websites that allow users to flag the documents they use when they are revised. They typically send an email notification to the individual identified in the license agreement.
   2. If printed copies of the documents are purchased, the external documents would be expected to be controlled as a hardcopy document (i.e., list of distributed documents, serialized and the location to which it went logged).
3. Integration of Requirements Into Product Realization and Any Other Affected Processes

   Newly Obtained External Documents

   An organization should review new external documents to determine how it will be applied to their management system. This review may be more intensive than reviewing a revised external document.

   Revised External Documents

   Likewise an organization should review any changes to external documents; depending upon the degree of changes, the review may be more or less complex. Integration of an external document’s requirements will be dependent which process of the organization’s management system may be affected.

4. Process for Identifying When Changes to Required Documents Have Occurred, Including Addenda, Errata, and Updates

   Note: The words addenda (meaning substantive changes) and errata (meaning editorial changes) are terms used by the API in their standards development practices. These words are synonymous with words such as revision, version, issue, amendment, and corrigendum.

   Tracking External Document Changes

   As previously mentioned methods for identifying when changes have occurred would be through a tracking mechanism internal to an organization, such as calendar reminders or through the receipt of change notifications from a document distributor.

   Gap Analysis, a Tool for Documenting the Integration Process

   A gap analysis is a tool used to compare the current state of an organization’s management system vs. the future state of the management system once the need for integration has been identified. The gap analysis tool is intended to methodically identify, by listing each future change and tracking its implementation.

   Typically, a Gap Analysis Form is used for this purpose; the form could include:

   • The reviewer’s name and position
   • The external document being analyzed (by title and nomenclature)
     • Its current revision level
     • Its newly published revision level
   • Identification of the internal management system document to be revised (including its title and nomenclature)
     • Its current revision level
     • Its new revision level, once changes are made
     • The section(s) to be changed
     • Details of the extent of the change
   • Target completion date
   • Responsibility for making the change
   • Date changes were made
   • When training was performed
   • Date training effectiveness was determined

5. Assessment of Impact of Changes

   Assessment of the change refers to the potential impact of a change. API Spec Q1 provides additional considerations for documenting a Management of Change if a change or changes could create a potentially negative situation. In such a case, a Management of Change would be required to be documented and a Risk Assessment would also be required to be documented to identify the risk severity and likelihood and the possible need for documenting risk mitigations (treatment).

   These practices may add value to an organization if they are dealing with numerous external standards and a potential need to document the integrations of external documents sooner than later.

   Note: As an example, the API standardization process may require that an addenda or errata to an API standard be implemented on a relatively short basis. Additionally some API standards require that the latest edition of referenced normative references (e.g., codes or standards) be used.

   This requirement creates a continual cycle of monitoring potential revisions to external documents and integrating relevant changes into the management system.

6. Integration of Applicable Changes

   Once the gap analysis has been completed, including the documentation of a Management of Change and Risk Assessment, if appliable, the relevant management system document(s) will have to be revised. Once the changes have been documented, reviewed and approved, the changes will have to be implemented and distributed in the same manner as the original document.

   Subsequently applicable personnel should be trained in the changed documents. Sometime thereafter, training effectiveness should be evaluated.

Summary

A robust process for identifying, integrating, and regularly monitoring external documents—such as industry codes, standards, statutes, regulations, and customer specifications—helps ensure that critical information and requirements are consistently recognized and applied within the organization’s management system. By systematically tracking updates and revisions, the organization can proactively address changes before they impact operations. This reduces the likelihood of missing essential information that could lead to regulatory noncompliance, product or service nonconformance, safety incidents, or operational inefficiencies. Ultimately, such a process protects the integrity, reliability, and longevity of the organization’s products or services, while also preserving its reputation and minimizing financial and legal risks.