Document Control - Need to control EVERYTHING?

[somashekar]

The charts and graphs reviewed included our defect account totals spreadsheet, sales figures, number of units we produced in a given week, and number of defective units in our WIP product checks, and how we did in our "5S auditing" (i.e. how clean and organized work spaces were). I would not say these charts are necessary to ensure product conformity per se, but are mainly used to track our internal performance. Hope that helps.

Make sure that the records you stated are required by you to demonstrate some evidence of product or process requirement being met.
How ?
List them in your control of records procedure.
In there you will say how identification, storage, protection, retrieval, retention, disposition is done.
If these stated records need to have a date, signature, etc., ensure they are present on all records.
If the formats are predetermined for any of your stated records, and you wish to have them consistently across, the formats can be controlled within your document control procedure.
Revisit your procedures for both 4.2.3 and 4.2.4 objectively and see if you have opportunities to improve them.
Finally, You need not control EVERYTHING, but EVERYTHING that you state as required for your effective QMS operations must be under control.
Take a good step further, and good luck.

 

[PE-2011]

Dear qcqueen94,

Mr.Somasekhar has given correct answer.

 

[PE-2011]

Dear Mr.Somasekhar, I agree with you. Good answer.

 

[Big Jim]

So, these are RECORDS. Your auditor seems to be way off course. Appeal the non-conformity ASAP. If an auditor does not understand the difference between document and record control, s/he is not competent to perform QMS audits. Call your new Registrar and appeal the nonconformity and tell them, in no uncertain terms, not to send this individual to your business ever again.

These are both Documents and Records.

There are many such examples in a quality management system. A blank form, such as an inspection sheet, is a document and needs to be controlled as such. Once entries are made on that blank form, that is that you record on it, it becomes a record and needs to be controlled as such.

It is clear that at least some of what the OP listed are documents that are critical to the quality management system and should be controlled as documents. I'm not sure that a major was warranted, but this is a legitimate nonconformance.

At least that's the way I see it.

 

[Wes Bucey]

These are both Documents and Records.

There are many such examples in a quality management system. A blank form, such as an inspection sheet, is a document and needs to be controlled as such. Once entries are made on that blank form, that is that you record on it, it becomes a record and needs to be controlled as such.

It is clear that at least some of what the OP listed are documents that are critical to the quality management system and should be controlled as documents. I'm not sure that a major was warranted, but this is a legitimate nonconformance.

At least that's the way I see it.

What exactly do YOU mean by "control?" Some folks are obsessive in "control" and think EVERY sheet of paper or electronic record needs the same security as a top secret "eyes only" document in a spy agency. In most organizations, however, control is merely a routine to assure documents are "managed" to assure they are

1. created,
2. approved (primarily to check for accuracy and applicability),
3. held safely (to keep from loss or destruction, primarily, and secondarily, that those which require extra security, like trade secrets, are kept from unauthorized view.)
4. "held safely" also implies measures to prevent unauthorized changes to the documents (records are merely a subset of all documents)
5. stored in a manner which facilitates retrieval when required, which includes a method to assure only the most recent or most pertinent version of versioned documents is retrieved - some call this "Configuration Management"
6. given a retention period (which is reviewed at the expiration to determine whether the document should be retained in an active file, moved to an archive file, or destroyed (not to be confused with "disposed" - a whole other argument))

In the list provided by the OP, some items "might" be considered trade secrets in one organization (sales figures, number of defective units in WIP) and touted publicly in another , depending on the mindset of the managers and owners. Certainly NOT a decision by a third party auditor.

 

[Sidney Vianna]

These are both Documents and Records.

Absolutely NOT. While there are documents that can be deemed both as a record and an instruction, it is clearly not the case here. The OP stated

We have always controlled our forms and procedures

It is clear that at least some of what the OP listed are documents that are critical to the quality management system and should be controlled as documents. I'm not sure that a major was warranted, but this is a legitimate nonconformance.

No, it isn't. The documents as described

The charts and graphs reviewed included our defect account totals spreadsheet, sales figures, number of units we produced in a given week, and number of defective units in our WIP product checks, and how we did in our "5S auditing" (i.e. how clean and organized work spaces were). I would not say these charts are necessary to ensure product conformity per se, but are mainly used to track our internal performance.

are clearly RECORDS. They are capturing data from activities. So, they must be controlled as records. That's all. Any auditor who expects those completed charts (not the forms) to be "signed and rev. controlled" because

"If more than 2 people see a document, it needs to be controlled" and have a rev level and revision date to boot.

are seriously misguided. At least, the way I see it.

 

[Jim Wynne]

These are both Documents and Records.

There are many such examples in a quality management system. A blank form, such as an inspection sheet, is a document and needs to be controlled as such. Once entries are made on that blank form, that is that you record on it, it becomes a record and needs to be controlled as such.

It is clear that at least some of what the OP listed are documents that are critical to the quality management system and should be controlled as documents. I'm not sure that a major was warranted, but this is a legitimate nonconformance.

At least that's the way I see it.

An example of a form that doesn't need control:

"The organization" receives new-part qualification documentation (PPAP, e.g.) from suppliers. There is a documented procedure that describes the review and acceptance requirements. Review is done by a supplier quality person, and the results are given to the purchasing and engineering people responsible for approval. The documented procedure describes the information the reviewer must provide.

The reviewer creates a form to capture the information. Based on the requirements in the review/approval procedure, the reviewer could just as well provide results in a Word document or even an e-mail message, so long as all of the required information is present and in some medium that can be stored as a record of the review. The form created by the reviewer doesn't need to be controlled.

The point here is that there might be lots of situations where forms don't need to be controlled, but the resulting records do. In some instances a form is just a container and not the thing contained.

In other instances, where a need is perceived to closely control the format and continuity of information, control might be necessary, but to aver that every form created must be subject to document control is misguided.

 

[Big Jim]

What exactly do YOU mean by "control?" Some folks are obsessive in "control" and think EVERY sheet of paper or electronic record needs the same security as a top secret "eyes only" document in a spy agency. In most organizations, however, control is merely a routine to assure documents are "managed" to assure they are

1. created,
2. approved (primarily to check for accuracy and applicability),
3. held safely (to keep from loss or destruction, primarily, and secondarily, that those which require extra security, like trade secrets, are kept from unauthorized view.)
4. "held safely" also implies measures to prevent unauthorized changes to the documents (records are merely a subset of all documents)
5. stored in a manner which facilitates retrieval when required, which includes a method to assure only the most recent or most pertinent version of versioned documents is retrieved - some call this "Configuration Management"
6. given a retention period (which is reviewed at the expiration to determine whether the document should be retained in an active file, moved to an archive file, or destroyed (not to be confused with "disposed" - a whole other argument))

In the list provided by the OP, some items "might" be considered trade secrets in one organization (sales figures, number of defective units in WIP) and touted publicly in another , depending on the mindset of the managers and owners. Certainly NOT a decision by a third party auditor.

For the definition of "control" as far as documents are concerned, lets look at the standard.

Documents REQUIRED by the quality management system shall be controlled.

Simple enough?

Then the standard goes on to say that the organization must have a documented procedure on how they will control documents.

a) to approve for adequancy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the CURRENT REVISION STATUS of documents is identified,
d) to ensure that relevant versions of applicable documents are AVAILABLE AT POINTS OF USE,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and
g) to prevent the UNINTENDED USE of OBSOLETE documents, and to apply suitable identification to them if they are retained for any purpose.

Back to that opening line "Documents REQUIRED by the quality management system shall be controlled".

If it is found in use, and it pertains to the quality management system, isn't that prima facia evidence that they have determined that it is needed?

Most of the things listed by the OP look like they are likely in that catagory.

 

[Big Jim]

An example of a form that doesn't need control:

"The organization" receives new-part qualification documentation (PPAP, e.g.) from suppliers. There is a documented procedure that describes the review and acceptance requirements. Review is done by a supplier quality person, and the results are given to the purchasing and engineering people responsible for approval. The documented procedure describes the information the reviewer must provide.

The reviewer creates a form to capture the information. Based on the requirements in the review/approval procedure, the reviewer could just as well provide results in a Word document or even an e-mail message, so long as all of the required information is present and in some medium that can be stored as a record of the review. The form created by the reviewer doesn't need to be controlled.

The point here is that there might be lots of situations where forms don't need to be controlled, but the resulting records do. In some instances a form is just a container and not the thing contained.

In other instances, where a need is perceived to closely control the format and continuity of information, control might be necessary, but to aver that every form created must be subject to document control is misguided.

Agreed, but not all fit that catagory.

 

[Big Jim]

Absolutely NOT. While there are documents that can be deemed both as a record and an instruction, it is clearly not the case here. The OP stated No, it isn't. The documents as described are clearly RECORDS. They are capturing data from activities. So, they must be controlled as records. That's all. Any auditor who expects those completed charts (not the forms) to be "signed and rev. controlled" because are seriously misguided. At least, the way I see it.

I believe that the OP no doubt believes that he is controlling all his forms. It appears that the auditor believes that he did not recognize and thusly did not control some of them. Without seeing the actual situation I cannot answer with full certainty, but it appears highly likely that this is the case. The OP simply missed some.

At least some of the things listed appear to be BOTH documents and records. As docments, the template or form must be controlled. The data collected on them are records and need to be controlled as records. The blank form probably needs to be on the Master List of Documents, or however their procedures says they control documents. The populated or completed forms must be controlled as records, and again within whatever their procedeures says, properly filed so they are retreivable and are protected and stored according to whatever retention times are specified.

May I emphasize that some things are BOTH documents and records.