ISO 9001:2000 Clause 4.2.3d - Document Management Systems, Passwords, Point of Use

  • Thread starter: simon999

4.2.3d - Document Management Systems, Passwords and Points of Use

Hello,

I would be very grateful if you could help me with the interpretation of the following clause in ISO9000:2000: -

Section 4.2.3d states “relevant versions of applicable documents are available at points of use”

The part that I need help with is “points of use.”

In the company that I used to work for, I was responsible for the procurement of a document management system (DMS) for our department.

When a user wants to create a document, this is done from within the tool by selecting an appropriate document type (e.g. Test Specification). The DMS then creates the document from the correct template and gives the document an appropriate number and revision.

The DMS therefore enforces correct use of document templates and the company’s numbering and versioning rules.

However I was then told that the DMS was not compliant with ISO9000 because users had to log on to the DMS using a user-id and password.

To access the DMS users had to: -

1) Log on to their PC using their user-id and password
2) Click on a shortcut for the DMS.
3) Log on to the DMS by entering their normal PC user-id and password.

Even though every user in the department had their own DMS user-id (which was the same as their normal PC/network user-id), I was told that this was not “point of use” and therefore was not compliant with ISO9000.

As a result, all the document templates were then copied to the company’s intranet, which was not password protected once the user had logged on to the PC network.

As far as I’m concerned, this negated many of the benefits of purchasing the DMS in the first place.

Therefore, for future reference, I would very much like to know if what I was told is correct or not. Does having to enter a password contravene the “point of use” rule?

I was also given a second reason for copying the templates onto the intranet. Other parts of the company, in other countries and involved in a different field of work, did not have access to the DMS. I did not regard this as a problem because they were involved in a different field of work and would never need access to the templates and documents that my department used.

I was told that it did not matter that the other departments never needed access to our documents, they must be made available anyway, so they were all copied to the intranet.

Section 4.2.3d explicitly says “applicable documents”, so if a document or template is not normally used by a department then surely it is not an “applicable document” and therefore does not need to be “available at points of use”?

Thanks in advance for your help.

Best Regards,
Simon
 
Wow, Simon! Lots of "he said, she said" type of issues in your post.

In my opinion, whoever told you the original Document Management System using individual passwords was NOT "point of use" was using a completely different definition of "point of use" than most of us agree upon.

Here's how I define the concept of having a document "AVAILABLE AT POINT OF USE":

Any time a document may need to be used for reference during production, review, revision, or any other business process, either an electronic or hard copy of the document should be available to the individual, whether it is at a desk, conference table, work station, or field installation.

Organizations sometimes use ebooks, laptops, or portable DVD viewers with libraries of appropriate disks of potentially needed documents for each of their field technicians who may encounter a variety of products or situations in their daily routine. The reading device may have individual locks or passwords known only to the technician.

Similarly, some workers have computer terminals at their desks or work stations and may work on a variety of products or projects during a work day or work week. Documents for those products and projects can be available through a password on the computer (regardless of whether the documents are on the local machine or through a network.)

Document Management Systems often offer a variety of levels of access, depending on need or security measures. These can be fine tuned to the point where the system administrator can encode each document to limit access to only certain authorized individuals. Therefore ALL documents can be on the system, but "available" only to the person or persons so authorized at the place where they may be required. In addition, most DMS have an "audit" function which gives a record of who accessed a document (including date and time) and whether or not the person printed or modified the document.

In my opinion, the decision to make the documents available on the intranet defeated the value and purpose of the Document Management System. All the security systems in the DMS have been circumvented and the documents are no longer secure nor are they any more available than they were before this move.
 
Hello simon, and welcome to the Cove :bigwave:

simon999 said:
I was then told that the DMS was not compliant with ISO9000 because users had to log on to the DMS using a user-id and password.

---

Even though every user in the department had their own DMS user-id (which was the same as their normal PC/network user-id), I was told that this was not “point of use” and therefore was not compliant with ISO9000.
Doh! Not compliant??? I can see why you want a second opinion, and you'll get one: On what grounds would a perfectly good DMS be less compliant than accessing the same data via the intranet??? Your previous setup worked, did it not?

Wes Bucey said:
In my opinion, whoever told you the original Document Management System using individual passwords was NOT "point of use" was using a completely different definition of "point of use" than most of us agree upon.
I share that opinion... A very different definition indeed, and clearly not the one put forward in the standard. :nope:

/Claes
 
Thanks very much Claes and Wes for replying so quickly and thanks for confirming what I had suspected was true. It's a shame that I was not aware of this forum when the issue arose at the time. If I had been able to present alternative opinions from a reliable source then a lot of wasted effort would have been avoided.

Thanks again for your help.

Best Regards,
Simon
 
simon999 said:
It's a shame that I was not aware of this forum when the issue arose at the time.
I know what you mean Simon. I felt the same way when I first found the Cove. I'll admit that it took me a while to start posting, but it immediately provided me with a support I had been lacking: To be able to discuss things with people actually working with these matters in real companies in the real world.

The collective competence here is second to none imo. :applause: That gives you a lot of backbone when those interpretation battles appear.

/Claes
 