AS9120 7.5.3.2 Control of Documented Information - Audit Nonconformance

[QualityStandardsGirl]

Got a non conformance for 7.5.3.2 Control of Documented information for The organization has not fully defined the protection processes (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage). is managed electronically, when documented information is managed electronically. With the objective evidence as The document control procedure does not define the process for managing electronic document protection.

In our Quality Manual it states - All documents are posted electronically; a master list is not required. The electronic control is sufficient to preclude use of invalid or obsolete documents and to protect documentation from loss, unauthorized changes, unintended alteration or physical damage. Documented information necessary for (company) OMS system and applicable standards are readily available and suitable for use when and where needed; this will be through the use of electronic media.
Changes to documents will be subject to the same review and approval process as was performed for their original release unless specifically designated otherwise. These changes when directly affecting our customer’s contracts and/or regulatory authorities will be properly coordinated with them. Authorized individuals will be supplied adequate information to base their review and approval upon.

Is this not sufficient to fulfill this requirement of the standard or do we have to specifically spell out what procedures IT has in place to manage the protection of these documents???

 

[Al Rosen]

Got a non conformance for 7.5.3.2 Control of Documented information for The organization has not fully defined the protection processes (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage). is managed electronically, when documented information is managed electronically. With the objective evidence as The document control procedure does not define the process for managing electronic document protection.

In our Quality Manual it states - All documents are posted electronically; a master list is not required. The electronic control is sufficient to preclude use of invalid or obsolete documents and to protect documentation from loss, unauthorized changes, unintended alteration or physical damage. Documented information necessary for (company) OMS system and applicable standards are readily available and suitable for use when and where needed; this will be through the use of electronic media.
Changes to documents will be subject to the same review and approval process as was performed for their original release unless specifically designated otherwise. These changes when directly affecting our customer’s contracts and/or regulatory authorities will be properly coordinated with them. Authorized individuals will be supplied adequate information to base their review and approval upon.

Is this not sufficient to fulfill this requirement of the standard or do we have to specifically spell out what procedures IT has in place to manage the protection of these documents???

Yes, you need to describe it.

When documented information is managed electronically, data protection processes shall be defined (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage).

 

[doctall41]

backups, password protection, read-only, etc

 

[Kronos147]

Is it possible to put both the statement of non-conformance and the objective evidence for more effective feedback?

 

[QualityStandardsGirl]

Statement of Nonconformity

• The organization has not fully defined the protection processes (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage). is managed electronically, when documented information is managed electronically.

Objective Evidence

• The document control procedure does not define the process for managing electronic document protection

 

[Big Jim]

Yes, you need to describe it.

Interesting.

Written procedures are not required anymore. Procedures aren't even mentioned in the standard, not even where the AS enhancements require written procedures for control of nonconforming product and corrective actions use different terminology. "The organizations nonconformity control process shall be maintained as documented information . . . " "The organization shall maintain documented information that defines the nonconformity and corrective action management process."

Do you find similar wording about document control? I don't. Does "define" mean document if the requirement to document isn't included with the shall? I don't think so.

It does mean that you need to explain yourself, but it doesn't mean document.

I suspect the auditor doesn't understand this either.

 

[QualityStandardsGirl]

Interesting.

Written procedures are not required anymore. Procedures aren't even mentioned in the standard, not even where the AS enhancements require written procedures for control of nonconforming product and corrective actions use different terminology. "The organizations nonconformity control process shall be maintained as documented information . . . " "The organization shall maintain documented information that defines the nonconformity and corrective action management process."

Do you find similar wording about document control? I don't. Does "define" mean document if the requirement to document isn't included with the shall? I don't think so.

It does mean that you need to explain yourself, but it doesn't mean document.

I suspect the auditor doesn't understand this either.

But then I will ask the question how do you define it? Is it just verbally known? To me I would think documented information means that it has to be documented somewhere which would mean document would it not?

 

[Al Rosen]

Interesting.

Written procedures are not required anymore. Procedures aren't even mentioned in the standard, not even where the AS enhancements require written procedures for control of nonconforming product and corrective actions use different terminology. "The organizations nonconformity control process shall be maintained as documented information . . . " "The organization shall maintain documented information that defines the nonconformity and corrective action management process."

Do you find similar wording about document control? I don't. Does "define" mean document if the requirement to document isn't included with the shall? I don't think so.

It does mean that you need to explain yourself, but it doesn't mean document.

I suspect the auditor doesn't understand this either.

I believe if you have a documented procedure the control of electronic data needs to be defined in the procedure. If there is no documented procedure, you must be prepared to describe the controls.

 

[Big Jim]

But then I will ask the question how do you define it? Is it just verbally known? To me I would think documented information means that it has to be documented somewhere which would mean document would it not?

Document control does not require a written procedure (does not require that you maintain documented information that describes how you do it). The only two topics that require written procedures are control of nonconforming outputs and preventive actions.

I might question if what you have in you manual is a written procedure or if it is just an explanation.

To satisfy the auditor I would suggest that you revise your manual so that you show what you are doing addresses all of the shalls for document control line by line. State the requirement and show how your method addresses it.

I suggest doing this reluctantly, as I believe what you have is probably adequate and you are only doing it to satisfy the auditor, not to satisfy the requirements of the standard.

 

[Big Jim]

I believe if you have a documented procedure the control of electronic data needs to be defined in the procedure. If there is no documented procedure, you must be prepared to describe the controls.

I'm not sure that what is in the manual is a procedure. Are you? Either way it would be very beneficial to be ready to explain in greater detail how each document control requirement is being met.