How to show Approval for Documents and Training?

[cywork]

Cywork,

It's really, really, really difficult to venture an opinion here without being 'on the spot' or being able to see some specific examples. Perhaps you'd be able to either post a couple to illustrate, or give a specific example of what you do have and what your auditor wasn't satisfied with?

Because that's here is your description and although I've read it, I really don't quite follow it accurately enough to determine and without specific examples, can't assess. Part of what you write sounds as though it does, but then other parts appear to contradict....

Hi Jane,

Thanks for your response. I do realize my post was a bit confusing...I just return from a long trip and still recovering from jetlag.

Please allow me to clarify:

As a background info, the way my company has been controlling document approval prior to the said auditor (let's call him Auditor X) has been approved by previous auditors. My company has been certified since 1994. I recently joined this company a year ago so I have not worked with other auditors besides Auditor X (we had a reassessment in September).

However, we were originally approved by Auditor X for ISO certification and then later were switched to someone else. So this has been the first time for several years that Auditor X has audited us.

Now on to the actual document approval procedure:
We have 3 types of documents (plus the 4th which is just records) - a main procedure (for various major operations e.g. CPA procedure), a sub-procedure or work instruction (more detailed instructions for specific parts of the operation e.g. how to fill out CPA form) and quality forms for keeping quality data (e.g. a completed CPA form).

Prior to me taking over Quality, document approval pretty much consisted of just signatures on the main procedure which automatically approves any sub-procedure or forms generated for that procedure. When I took over, I decided to make it much clearer who approves what so I created a separate Change Request procedure for doc revisions (which for some reason we never had) and updated the Doc control matrix to include approval authorities which is just a job title, no name (our previous doc control matrix only had doc number, doc title and revision level).

On my Change Request form I also have signatures for approving authorities to approve the changes to the documents.

Now the issue the auditor had with me is on our actual sub-procedures and forms there were no indications of approval authorities (no name or job title responsible), which only existed on our main procedures (it has the name of person responsible for everything under the main procedure). Even though I had the Doc Matrix to prove the specific documents had specific approving authorities and the change request form numbers with the signatures are listed on the doc matrix for traceability he said that still doesn't show that my sub-procedures and forms were approved per ISO requirement. But I do have the revision levels on each document which also corresponds with what is listed on the Change Request and Doc Matrix.

Attached are a sample of my doc matrix and the Change Request form.

Because this issue has been written up already I have to make the changes and what I did was for new doc updates I just included on the footnote of the sub-procedures and forms who the doc approval is by job title and added a new form for signatures of revisions. However, I just want to check with others whether I have actually violated the ISO standard in regards to doc approvals.

Thanks again! Sorry this is so long...

 

[JaneB]

the issue the auditor had with me is on our actual sub-procedures and forms there were no indications of approval authorities (no name or job title responsible), which only existed on our main procedures (it has the name of person responsible for everything under the main procedure). Even though I had the Doc Matrix to prove the specific documents had specific approving authorities and the change request form numbers with the signatures are listed on the doc matrix for traceability he said that still doesn't show that my sub-procedures and forms were approved per ISO requirement. But I do have the revision levels on each document which also corresponds with what is listed on the Change Request and Doc Matrix.

Thanks for the stuff you posted, though it's still difficult to say without also seeing whatever your procedure says and seeing actual examples - which of course is what the auditor did see!
But if what you re doing IS covered by the procedure & there's no conflict with it, and the records clearly show that the person with appropriate authority did sign off a revision of sub-proc v1.1 (say), then I am having a bit of difficulty seeing the problem.

As for the NC... not doing it 'Per ISO requirement' is a bit broad - after all the clause itself says there must be a procedure to define requirements for ie, this is something you get to decide (of course within reason, and bearing in mind the importance and impact of said docs).

Because this issue has been written up already I have to make the changes

Actually, no. You don't. If you really disagree with an audit finding & the raising of an NC, then your first port of call is to appeal it to the auditor's Technical Manager, citing your evidence & reasons for disagreeing. I'd try via phone/email and discuss with them. You do NOT have to just automatically take it and make changes.
And why do you need a whole new form for revisions to sub-procs & forms? Sounds a bit cumbersome. Don't these already get signed off by the person who did the ones above them?

PS I understand one might be a little annoyed if all previous auditors have accepted it... but this in & of itself isn't enough, as each auditor has their own responsibility when auditing. Though it does add a bit of weight (possibly) to your argument that it was OK. It's certainly a questin to discuss with the Tech Manager - ie, why did all other auditors accept this over X years if it's not compliant?

Sorry this is so long...

Longer is better when it adds clarity. Brevity isn't always best.

 

[DrM2u]

The ISO9001:2008 standard requires the organization to 'define the controls needed to review and update as necessary and re-approve documents' (clause 4.2.3.a). There are no specifications as to who to perform this or how to prove that this has been done. In other words, you can have your cleaning lady have exclusive access to your electronic documents folders and say that just the fact that she updates the documents constitutes proof that the documents have been reviewed, updated and re-approved. On the other hand, there are other standards (i.e. ISO 13485) that do require that the review is done by qualified personnel. In this case the 'cleaning lady' approach won't cut it anymore.
With regards to auditing all employees, FALSE! Like others said, you audit the process and the employees are part of the process. The audit is a snapshot in time, a sample of the activities, and not everything that takes place. Therefore you will audit only a relevant sample of the employees (also previously mentioned). That means that the employees audited have to be involved in the process but not all employees involved have to be audited (althoug all are subject to being audited).
Another tip: don't hesitate to challenge the auditors or consultants, external or internal. Either you are right and avert false requirements based on individual's expectations, or you are wrong and the auditor can show you where something is specified in the standard. Interpretations can always be debated. Keep in mind that you are the customer and it is your quality system, so don't let any auditor intimidate you or stir you in the wrong direction. This is coming from a former lead auditor with a very large registrar.
That's my two-pennies worth for today ...

 

[JaneB]

The ISO9001:2008 standard requires the organization to 'define the controls needed to review and update as necessary and re-approve documents' (clause 4.2.3.a). There are no specifications as to who to perform this or how to prove that this has been done.

No, the who is left up to the organisation, and rightly so. Re. the no requirement 'prove that this has been done'... strictly speaking yes. But as there is a requirement to control documents, I'd be interested to see how you would expect that to be met without being able to demonstrate (not necessarily 'prove') that the documented procedure is in use.

In other words, you can have your cleaning lady have exclusive access to your electronic documents folders and say that just the fact that she updates the documents constitutes proof that the documents have been reviewed, updated and re-approved.

If you merely took each of the clauses in 9001 in isolation, in theory this would be true. But you can't. Anyone attempting to run that kind of line for their their system would definitely not meet the requirement of 6.2 for personnel to be competent.

Interpretations can always be debated. Keep in mind that you are the customer and it is your quality system, so don't let any auditor intimidate you or stir you in the wrong direction.

Yes, I agree with you here. Good auditors are willing to discuss and debate.

 

[DrM2u]

Maybe I did not express myself clearly. I was trying to say that the 'who' is left to the otganization, and so is the 'how'. That's what I meant by 'no specifications'. No doubt that you have to demonstrate (or prove) through objective evidence that the documents are controlled and that the process matches the documented procedure.

No, the who is left up to the organisation, and rightly so. Re. the no requirement 'prove that this has been done'... strictly speaking yes. But as there is a requirement to control documents, I'd be interested to see how you would expect that to be met without being able to demonstrate (not necessarily 'prove') that the documented procedure is in use.

Let's debate this one ... Clause 4.2.3 does not specify any competency requirements for review, approval, update, identification of changes, etc of documents. Clause 6.2 says that the organization shall determine the necessary competence [...]. So, if I say that for my document control system in my organization all I need is someone with good understanding of file management in a computer and my cleaning lady has these competencies, then she is qualified to perform these duties. I will dare any auditor to prove me wrong, specially if she can prove that she follows the procedure and can demonstrate how she follows it!

If you merely took each of the clauses in 9001 in isolation, in theory this would be true. But you can't. Anyone attempting to run that kind of line for their their system would definitely not meet the requirement of 6.2 for personnel to be competent.


Yes, I agree with you here. Good auditors are willing to discuss and debate.

 

[JaneB]

I was trying to say that the 'who' is left to the organization, and so is the 'how'.

Agree.

No doubt that you have to demonstrate (or prove) through objective evidence that the documents are controlled and that the process matches the documented procedure.

Nope, there is no doubt.

But do I think it is more accurate - and thus far more useful - and especially when taking a provocative stance (eg, 'a cleaning lady could do it') to also give the full picture. So to just quote the 'cleaning lady' alone without referencing the requirement for competency could give someone who doesn't know a lot about the Standard a false understanding of its requirements.

Note: I didn't write all the words that you are ascribing to me in your 2nd quote - many of them are your words, not mine. And I'd rather not be misquoted, particularly on this topic. (I think you're muddling up the quote tags)

 

[Marc]

Sue, don't trust what other people (no matter how well-intentioned) tell you that you 'have to do' this because 'the Standard says'. Always check it out by reading the Standard itself. You've just had the bad experience of having someone misinformed try to infect you with the same misinformed viewpoint. He's wrong. Congratulations on asking the question.

This is how this web site and forum came about. There are a lot of opinions and interpretations (scroll down to What Part Do I Play? (or Who has Control of the Tiller?). I have mine and others have theirs.

A problem in a forum such as this is the level of detail and complexity, not to mention the specificity in general, of a scenario. One has to read through opinions and consider peoples opinions and thoughts. From that one has to decide the best path for their specific scenario. And if there isn't a clear answer, sometimes it's good to add more details in a post so folks can respond in a more specific post.

Bottom line: If you ask a question you will get a lot of opinions. It is up to each individual to decide what is appropriate for their specific scenario and which posters are credible and which posters are not.

 

[JaneB]

Bottom line: If you ask a question you will get a lot of opinions. It is up to each individual to decide what is appropriate for their specific scenario and which posters are credible and which posters are not.

Yes indeedy.

 

[DrM2u]

JaneB,

Please accept my apologies! I did not intend to attribute my words/oppinions to you. I am fairly new to this forum and am still to learn how to do multiple quotes in a reply. There has to be a way to edit my replay but I did not figured it out yet. Correction: managed to edit my previous reply to clarify the quotes.

There is also a reason for providing just a partial disclosure and an instigative statement: it makes people think and questions status quo. Too many of us would not have to or take the time to think, question and analyze if everything was provided to us in full detail and with good reasoning. Of course, I also like a good argument where transfer of knowledge occurs. You seem to enjoy that also!

 

[Caster]

Clause 6.2 says that the organization shall determine the necessary competence [...]. So, if I say that for my document control system in my organization all I need is someone with good understanding of file management in a computer and my cleaning lady has these competencies, then she is qualified to perform these duties. I will dare any auditor to prove me wrong, specially if she can prove that she follows the procedure and can demonstrate how she follows it!

Hmmm...this is a letter of the law approach to ISO for sure.

In fact there is no need at all for a "document controller" position, the process owner can take care of this trivial task with software or even e-mail.

The spirit behind the standard is that when change happens, the impact on the entire system (including suppliers and customers) is evaluated, hopefully by a person or group who are competent to understand the impact of the change.

Somehow this often turns into a doc control clerk making life difficult for everyone. But it doesn't have to be this way.

I lean more to the spirit and less to the letter. I like to have process owners handle changes. It doesn't always happen of course.

Just because you can, should you? Does the cost outweigh the benefit?