As I’m wrapping up my day, the other day, I noticed a question from a ‘brother wizard’ and as I am to discover, it continues into the following day. What a great excuse for a post.
He writes (in blue ink):
I hope you are well…
I have a new client that runs a bulk of their AS 9100 through a software called uniPOINT (EQMS) and also some through JobBOSS. What is your approach to the electronic / paperless systems? All the same rules apply documentation wise no? I show that they added some new docs but [don’t] have doc numbers or name or rev. My understanding was regardless of whether the system is electronic based or not, they still have to have doc numbers & name & controls in place. Is that your assessment as well?
Welcome to Document Control 101…
AS 9100 Rev. D states:
18.104.22.168 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:
- it is available and suitable for use, where and when it is needed;
- it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity).
22.214.171.124 For the control of documented information, the organization shall address the following activities, as applicable:
- distribution, access, retrieval, and use;
- storage and preservation, including preservation of legibility;
- control of changes (e.g., version control);
- retention and disposition;
- prevention of the unintended use of obsolete documented information by removal or by application of suitable identification or controls if kept for any purpose.
When documented information is managed electronically, data protection processes shall be defined (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage).
Personally I like paperless – if done well, it eliminates many headaches.
Here’s the Bad news – It’s entirely up to the organization to determine what control means to them and how they will address it. There should not be any consideration of what you prefer.
Here’s the Good news – If they stray too far, they will have a hard time convincing anyone that they have control. So, as a consultant, it would be value-added to recommend an ‘ISO Light’ approach that satisfactorily addresses the letter of the law – there’s a lot of wiggle room here. Do not issue an NCR unless there is no observable control.
And by the way, the latest revision gets dangerously close to requiring ISO 27001 & 2 Information Security…
Hope this helps,
Great answer as usual!
So the traveler (issued from JobBOSS), even though printed and initialed as it travels with the job, doesn’t have to have to have a doc number or rev. as long as the procedure outlines what their approach is? Is that how I’m understanding that?
JobBOSS is controlled by Job # (which is readily identifiable.) All process information (Sales, Purchasing, Production, etc. records) tie to that Job # with full traceability.
Read ONLY the words in the Standard. If adequately addressed, the company has defined ‘their version’ of control.
Now, here’s the kicker… I presume they have a procedure; does what they are doing match what they say they are doing? If so, you’re done. If not, you have an NCR.
Thank you. I’m glad I asked.
Because I’m used to the more traditional approach towards controlling docs, I allowed myself to adopt a very narrow interpretation of that element. Your feedback has really opened my eyes and changed the way I look at document control. With that being said,how specific does the control of docs procedure have to be? This company transitioned to this paperless system in the past year. I’m going to review their C of Doc procedure later today. I feel like I’m already over analyzing this…
My response and conclusion next time…