What is really required… Epilog?

Two weeks later… He writes back (in blue ink):

Can I ask you a question regarding documentation?  It’s in regards to that same client we discussed a couple weeks back. They have half of their forms on an ERP system, and other forms in pdf/hardcopy. They are in the middle of transitioning to the ERP, but not all of the forms are uploaded yet. I understand that the ERP controls the documents that are in it. But for the documents that aren’t, do you feel those documents should have an ID, rev. date? I always felt that if the document was printed out and completed by hand, that it should be controlled. I know the standard is flexible on how the docs are controlled, but when you have a doc system that is half ERP and half not, it’s kind of a grey area. I’m doing a gap audit and have been going back and forth.

Thank You,

My response:

First of all, what is your definition of control?  Does an identification number and revision date really constitute control?

If you are in agreement that the ERP controls documents then you can eliminate those already entered into the system.  That leaves you with pdf files and hard copies.  I would argue that pdf files are controlled by virtue of satisfying d & e below (c is a different issue.)  If they are a Word / Excel or e-file (pdf) they have to reside somewhere on the computer.  Chances are these files are the latest and greatest (old versions overwritten) and pdf cannot be revised.

So all you have to worry about is hard copies.  Now you need to read their procedure and answer a couple of questions specific to c – d.

Let’s look at AS 9101D audit standard (before they ‘mucked things up.’)  These requirements parallel the AS 9100C Standard exactly.  For relation to AS 9100 Rev. D see What is Really Required? Part 1.

If you see evidence that the requirements below are being followed, then they are compliant; if not, they aren’t.  (N/A) indicates the requirement is not relevant to the context of the question.

4.2.3 Control of documents

Documents required by the QMS must be controlled

A documented PROCEDURE must exist and include controls needed for:

  a. approval process (N/A)
  b. review, update, and re-approval process (N/A)
  c. identification of changes and current revision status
  d. documents are available where needed
  e. documents are legible and identifiable
  f. external documents are identified and controlled (N/A)
  g. obsolete documents are identified and controlled (N/A)

You must ask yourself the following:

  1. Are the documents current?
  2. Is there a revision record? (It does not have to be on the individual document – just some way to determine you have a current copy.)
  3. Does this record somehow identify changes made?
  4. Are documents available when and where needed?
  5. Can you read them?
  6. Can you tell them apart – but more important, can they?

If you answered YES, then (at the minimum) they have met the requirements.  If you answered NO, then they have not.  If they are AS 9100 Certified look at previous audit findings that might indicate another auditor questioned their control process.  But, they sound as if they are planning on entering all documents into ERP which kind of makes the whole thing moot.

If you still don’t feel warm and fuzzy about this, you could document an OBSERVATION such that the process needs to be completed without undue delay because there is the risk of potential nonconformity.

Figure you (they) only have a year to make it happen and that depends on their surveillance cycle.  It will take you quite a while to document changes to their system – adding context, interested party needs, wants and desires, implementing the new processes (bone up on APQP) and addressing Positive Risk (opportunities,) Training, Full-system Audit (CAPAs) and Management Review.  So plan on being busy…


Certified companies will need to upgrade to AS 9100D by June 14, 2018 and this should coincide with a scheduled surveillance or re-certification audit.   Although, a special audit can also be scheduled and paid for.  If you want to earn your keep, recommend they start preparations now – it will be cheaper in the long run.

I hope this helps.

And for the rest of you… Thanks for reading.

What is really required? Part 2

And now my response.

First the lesson…

You have to remember that all Management System Standards (MSS) are intended for the auditor, not the organization. They are a ‘checklist’ of requirements the organization must meet to be allowed (or stay) in the club. They were never intended as a one-of-a-kind way to achieve conformance, but that’s what we made them. There is no requirement for the organization to own a copy, although ISO isn’t complaining. It’s only a requirement for the auditor to have (and use) – and they’re often provided by the CB for the purpose of documenting findings.

The auditors and CBs turned the Standard(s) into the playbooks, best in class benchmarks, have to have, way to do things – not just for document control but for everything and if you don’t have a copy, you don’t know how to play the game. The ABs encouraged and supported this ‘standardization’ of activities – making it easier to police CB activities and ‘ding’ them if their auditors deviated from ‘the way.’ The IAF published guidance documents, ISO published (and sold) technical standards and ISO 9001 Auditing Practices Group created a whole library of guides to auditing, just to get the point across.

What we ended up with by the late 90’s (when I entered the game) was nothing more than a template – enter name here – that was generally accepted as ‘the best way to get the job done.’ My handler gave me a floppy disk (remember them?) with 20 or so individual files, each with the most basic description of the 20 (or so) elements which needed to be addressed, each with the same – insert company name here – instructions to submit to the review committee who added a watermark (to protect their copyright) and sent it off to the customer. It took us about ½ a day to generate a new system, ½ a day to implement (jam it down the customers’ throats,) another day to audit it and then some smoke and mirrors training and management review assistance; 3 – 4 days’ actual work for which they were charged 10 – 12K for the pleasure.

Clients were obviously disappointed with the lack of quality but paid up because there wasn’t any other way to play the game. All the consulting firms were the same. And, you could tell, by the template, which consulting group did the work. There were no graphics, no color, no creativity, no deviation from ‘the way it is done,’ ever! If there was any deviation, the document(s) did not make it out of review. Reject – do over (the right way.)

And this is why auditors (even to this day) expect to see things ‘as they should be.’ Now apply this to document control – enter: Title, ID Number, Revision Level, Revision Date, Dress size, First-Born’s Middle Name, throw in a page number for good measure and sign each in triplicate. Reference Technical Report – ISO/TR 10013:2001, Guidelines for quality management system documentation (cost approx. $125 US.)

And then, I broke the mold… Not only did it change the way we write documents but it upset an awful lot of auditors along the way – things didn’t look the way they expected. It challenged the old norms. It made them think. And that, my friend IS the way it should be!

Now let’s look at your question.

AS 9100C (which expires midnight 9/14/18) states:

4.2.1 General

Notes 2 and 3 remind us that we, as auditors, need to remain open minded – that what works in one situation may not in another.

Note 1 defines the term “documented procedure” as that which is established, documented, implemented and maintained. This note specifically avoids discussing content because content is at the discretion of the organization and is compliant if that content describes the controls needed and addresses 4.2.3 (a – g.)

Hope this helps…

It was very helpful, thank you.

By the way, I love your post this week. I haven’t read the whole post yet but after I read the first sentence, I was thinking I can relate with this guy. Then I quickly figured out that duh, it is me.

I’m looking forward to reading it.

I figure if you have questions, maybe others do as well.

Keep ‘em coming and wait ‘til you see the post on Control of Documents!
– – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Here’s an afterthought…

Not only does Note 1 define the term “documented Procedure” but it goes on to say, A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.

Let’s say your client has a quality manual (I know they do because AS 9100C requires it and there won’t be any AS 9100D registration audits until 2017) and that quality manual said that the President or some other Senior Manager is responsible for reviewing, approving (and changes to) AQMS level I and II documents; Level III & IV documents are reviewed, approved and updated by the appropriate process owner; revision level and changes are recorded on the Master Document List; all AQMS documents are available to all staff electronically as read-only and the electronic file is overwritten if updated and documents of external origin are maintained as pdf files. (Identification and legibility should not be an issue because the files are maintained electronically) – technically you have it in one sentence! Would that do it for you?

Absolutely. When you put it like that, I can totally visualize that scenario.

Many Thanks.

What is really required? Part 1

As I’m wrapping up my day, the other day, I noticed a question from a ‘brother wizard’ and as I am to discover, it continues into the following day. What a great excuse for a post.

He writes (in blue ink):

I hope you are well…

I have a new client that runs a bulk of their AS 9100 through a software called uniPOINT (EQMS) and also some through JobBOSS. What is your approach to the electronic / paperless systems? All the same rules apply documentation wise no? I show that they added some new docs but [don’t] have doc numbers or name or rev. My understanding was regardless of whether the system is electronic based or not, they still have to have doc numbers & name & controls in place. Is that your assessment as well?

My response:

Welcome to Document Control 101…

AS 9100 Rev. D states: Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

  • it is available and suitable for use, where and when it is needed;
  • it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity). For the control of documented information, the organization shall address the following activities, as applicable:

  • distribution, access, retrieval, and use;
  • storage and preservation, including preservation of legibility;
  • control of changes (e.g., version control);
  • retention and disposition;
  • prevention of the unintended use of obsolete documented information by removal or by application of suitable identification or controls if kept for any purpose.

When documented information is managed electronically, data protection processes shall be defined (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage).

Personally I like paperless – if done well, it eliminates many headaches.

Here’s the Bad news – It’s entirely up to the organization to determine what control means to them and how they will address it. There should not be any consideration of what you prefer.

Here’s the Good news – If they stray too far, they will have a hard time convincing anyone that they have control. So, as a consultant, it would be value-added to recommend an ‘ISO Light’ approach that satisfactorily addresses the letter of the law – there’s a lot of wiggle room here. Do not issue an NCR unless there is no observable control.

And by the way, the latest revision gets dangerously close to requiring ISO 27001 & 2 Information Security…

Hope this helps,

Great answer as usual!

So the traveler (issued from JobBOSS), even though printed and initialed as it travels with the job, doesn’t have to have a doc number or rev. as long as the procedure outlines what their approach is? Is that how I’m understanding that?

That’s it!

JobBOSS is controlled by Job # (which is readily identifiable.) All process information (Sales, Purchasing, Production, etc. records) tie to that Job # with full traceability.

Read ONLY the words in the Standard. If adequately addressed, the company has defined ‘their version’ of control.

Now, here’s the kicker… I presume they have a procedure; does what they are doing match what they say they are doing? If so, you’re done. If not, you have an NCR.

Thank you. I’m glad I asked.

Because I’m used to the more traditional approach towards controlling docs, I allowed myself to adopt a very narrow interpretation of that element. Your feedback has really opened my eyes and changed the way I look at document control. With that being said, how specific does the control of docs procedure have to be? This company transitioned to this paperless system in the past year. I’m going to review their C of Doc procedure later today. I feel like I’m already over analyzing this…

My response and conclusion next time…