This article is written to meet the following sections of the Standards:

BRCGS Food Safety Issue 83.1 Food safety and quality manual
3.2 Document control
3.3 Record completion and maintenance
BRCGS Packaging Issue 63.1 Product safety and quality management system
3.2 Document control
3.3 Record-keeping
BRCGS Agents & Brokers Issue 3
3.1 Product safety and quality systems manual
3.2 Documentation control
3.3 Record completion and maintenance
3.4 Customer focus and communication
Storage & Distribution Issue 43.1 General documentation requirements
3.4 Customer contractual arrangements
14.2 Inspection contract review
FSSC22000 Version 5.1ISO 22000:2018 7.5 Document information
IFS Food Version 72.1.1 Document management
2.1.2 Records and documented information
4.16.6 Maintenance supplier contracts
SQF Edition 92.2 Document Control and Records

Product safety and quality management system

To ensure that the Standard is met, a product safety and quality management system is needed. The basis of this is made up of a set of documents.

What the documents are called on site varies and really doesn’t matter, it’s the content that’s important. However, they typically are:

  • Procedures or policies
  • Work instructions or standard operating procedures (SOPs)
  • Records or forms

Historically, a product safety and quality management system would have a set of polices and a set of procedures. A policy would detail the intention of what must be done. And then the procedure would set out how that policy was going to be achieved.

Today, it’s more typical to have a policy statement on the procedure, rather than having a separate document – such as a ‘Purpose’ section.

The next level of document is a work instruction or SOP. These provide step-by-step detail on how to complete the tasks that are outlined in the procedure.

And then, the final level of documents are record forms – when completed these provide the records to show that the work instructions or SOPs are being followed.

Pack 2: Document Management eDocs

This pack provides you with a robust foundation for your product safety and quality management system, including the step-by-step process of how to manage the document control system.

Tell me more

Pack 2: Document Management eDocs

Documents and records

There’s a difference between a document and a record. A document is something that is pre-written and ensures compliance to the Standard.

A record is a piece of evidence, to prove that something occurred and/or to provide results of something. Typically, records provide evidence that monitoring has happened at a particular point in time.

For example, a form is a document. The completion of that form is a record.

Document control

A procedure must be in place which ensures that documents are:

  • Reviewed and approved prior to issue.
  • Any amendments to the documents are recorded and authorised.
  • Changes follow a change control procedure.
  • When new documents are issued, the old documents must be removed from use.

Document ControlThe purpose of document control is to ensure that only the most up-to-date and authorised procedure is used at any time. If any out-of-date document was used, then the tasks completed may not be compliant to the Standard.

Those that authorise the documents must be trained to the document control procedure and must be competent in the subject on the procedure.

Amendments to the documents must be logged, so all changes are traceable. Every time a change is made to a document the document control must be updated.

When a new version of the document is issued, any old copies must be made inaccessible so that they’re not used by mistake. This means digital copies and hard copies. Where hard copies are provided, they must be rescinded when a new version is issued.  Where copies are held digitally, then access to printing must be restricted somehow – so that uncontrolled hard copies are not available. Having uncontrolled copies around site means that you can’t ensure that they’re all rescinded when a new version is issued.

Document control must be placed on all documents that contain information that is required to meet the Standard. The document control should include:

  • The document name and reference,
  • who authorised the document,
  • the date,
  • and the version number.

When a new issue of a document is created, it must be trained out. However, not all versions may require training. Therefore, it’s acceptable to have a version control system that defines whether training is required. For example, whole number versions may require training (e.g. version 1, version 2), whereas partial numbers may not require training (e.g. version 1.1, version 1.2).

A change that wouldn’t require training, would be changes that don’t affect compliance to the Standard, such as spelling or grammar corrections.

When training is required, it’s good practice to document how long from issuing a new version the period of retraining will take. During this time there will be a transition from the old document to the new version of the document.

Digital storage

Documents or records that are held in digital format must be:

  • Stored securely,
  • backed up,
  • and controlled like you would if they were in hard format.

Stored securely

So, what do we mean by this? Well, it means that anyone who shouldn’t be able to view or edit to them, shouldn’t be able to. This is to make sure that any sensitive information is secure. And also, so that documents or records aren’t altered, without following the correct change control procedure.

This applies to records too. Which means, it applies to data held on software systems, such as specification systems, ERP (e.g. SAP or Microsoft Dynamics365) or document management systems.  It also applies to information held on spreadsheets and documents held in document drives.

This means that documents and records must be behind either a key, passcode, or login of some sort.

Whichever method you choose, you just need to make sure that it’s robust enough to ensure that only authorised personnel can get to the digital files. And this should be tested as part of the internal audit programme.

Backed up

Having hard copies of documents is fairly outdated now. Yes, we sometimes like to print them out and have them in a folder to show the auditor, but generally they’re stored digitally. With cybercrime becoming more and more common now, it’s important to have a backup.

We know a company who were hacked, and they lost everything – and we mean everything! The technical manager had to write everything again from scratch – can you imagine that? You may think that you’ve got a backup in place and you’re ok, but so did that technical manager. Their backup happened every 24 hours – which was great. But, when it backed up, it would overwrite the previous backup. Which meant, that by the time they’d realised what had happened, the backup had backed up the corrupted system, overwriting the good backup from the day before – not so great.

So, we recommend that you find out the detail of your backup system in place. It might be a dull thing to do, but if you’re ever put in that situation, you’ll be glad you did it! And again, make sure the backup is tested during internal audits.

Controlled like it was in hard format

It’s accepted that documents must have document control. And it’s also accepted that records must be dated and signed by those who have completed them.

But, this simple principle isn’t always applied to digital documents and records.

For example, it’s common to see spreadsheets without document control. And it’s also common for spreadsheets to be initialled as a signature – however this isn’t a unique signature. Anyone could sign a record like this. A signature should be unique, like it would be if it were in written format. A digital signature is acceptable, where a piece of software will log who did it, based on their unique (and secure) login details.

Think about how you hold digital documents and records – check all the different systems that you use secure, backed up and controlled like they would be if they were in hard copy.

Pack 2: Document Management eDocs

This pack provides you with a robust foundation for your product safety and quality management system, including the step-by-step process of how to manage the document control system.

Tell me more

Pack 2: Document Management eDocs

Record retention

Records must be archived for a stated period of time. And the archived records must be stored, so that they can be retrieved:

  • In a timely manner,
  • and then used.

This means, there must be a filing system. Also, the way the records are filed must be recorded so that anyone can find the right documents quickly when needed – for example, in a traceability or recall situation.

When the documents are retrieved, they need to be in a fit state – so they can be used. For hard copies this means, they shouldn’t be stored in damp conditions for example.

Think about how your records are filed and if this filing system is communicated to everyone who may need to access them. If they can be accessed 24/7 and if the storage of the documents means that they will be in good condition, throughout the storage period.

Customer focus

Customer focus has been a topic that’s been in, out and then put back in again! Currently, it’s only in the BRCGS Agents & Brokers Standard – as it’s been removed from the others. There’s no reason why it would be only in one Standard, as it’s a valid requirement if applied properly.

The basis of customer focus is to ensure that you identify what special measures your customers require, which may be the implementation of their specific standards or the completion of KPI reporting.


ContractsContracts must be in place with all of your customers and suppliers. The contracts (or agreements) must include the requirements of the product or service supplied to your customers, and the product or service provided by your suppliers.

Contracts should include all of the specific requirements for example:

  • All product related information which wouldn’t be on the product specification, such as mixed load and security requirements.
  • What can and can’t be subcontracted.
  • Legislation that must be applied.
  • Customer standards which must be applied.
  • Customer requirements, such as review meetings or KPIs.
  • Certification standards and required grades.
  • Traceability requirements e.g. use of certain software.

The contract must be document controlled so that it’s clear which is the most up-to-date version. And it should be signed by both parties to show that there’s agreement to it, on both sides.

Pack 2: Document Management eDocs

This pack provides you with a robust foundation for your product safety and quality management system, including the step-by-step process of how to manage the document control system.

Tell me more

Pack 2: Document Management eDocs

Have your say…

Share your thoughts…

Your email address will not be published.

We've tagged this article as: , , ,