Personal control of design drawings/documents


Ace

Is there an ISO Standard and/or some type of regulatory requirement that explains how product drawings are supposed to be controlled? I'm not just talking about the regular document control per clause 4.2.3 of ISO 9k2k, I am referring to controls regarding faxing, printing, distributing, emailing drawings that are proprietary and should not be disclosed to the general public/vendor. During my internal audits, I find several drawings strewn about the fax machine, the printer/copy machine, trash receptacle, etc. :frust:
I appreciate any advice available.
:thanx: Rodolfo
 
Ace,

I am not aware of any standard for this issue (I could be wrong). What does your control of document procedure say?

mshell
 
mshell said:
Ace,

I am not aware of any standard for this issue (I could be wrong). What does your control of document procedure say? mshell
IMO, we're dealing here with the difference between "Control" and "Security"

Control issue (including configuration management) ensures no one uses an obsolete document. This entails Procedures for obtaining a document to use for a particular purpose. If you walk into the locker room and pick up a blueprint off the floor, are you going to go out to the shop and build from that "uncontrolled" blueprint? Probably not. However, if it is a secret project, you might be concerned from a security standpoint if the janitor walks out of the building with a copy that was carelessly left around on a fax machine or copy machine.

IMO, Control is a QMS issue, security is a BMS (Business Management System) issue.
 
The Dichotomy

Wes Bucey said:
IMO, we're dealing here with the difference between "Control" and "Security"

Control issue (including configuration management) ensures no one uses an obsolete document. This entails Procedures for obtaining a document to use for a particular purpose. If you walk into the locker room and pick up a blueprint off the floor, are you going to go out to the shop and build from that "uncontrolled" blueprint? Probably not. However, if it is a secret project, you might be concerned from a security standpoint if the janitor walks out of the building with a copy that was carelessly left around on a fax machine or copy machine.

IMO, Control is a QMS issue, security is a BMS (Business Management System) issue.

Wes,

Interesting assessment, but you are separating a QMS from a BMS. In many of the forums there is a contingent that believe the QMS and BMS should be one and the same. If these drawings or documents are customer property, we are to safeguard it according to 7.5.4. You would think that the same would be true for the organization's proprietary information even though the standard does not apparently state such a requirement.

Doug
 
Douglas E. Purdy said:
Wes,

Interesting assessment, but you are separating a QMS from a BMS. In many of the forums there is a contingent that believe the QMS and BMS should be one and the same. If these drawings or documents are customer property, we are to safeguard it according to 7.5.4. You would think that the same would be true for the organization's proprietary information even though the standard does not apparently state such a requirement.

Doug
"Control" of any document, customer's or organization's, DOES entail security of the original document and subsequent revisions. Control DOES imply a procedure for limiting proliferation of uncontrolled copies where the document could fall into hands that could use the document to the detriment of the organization (internally, by building nonconforming product from obsolete drawings; externally, by stealing confidential information.)

The Standards don't address the BMS, they address the QMS. The organization's BMS responsibility is to determine which documents are in the sensitive category where outsiders should not be privy to the information contained. Once determined, appropriate security measures can be applied on individual documents to which they pertain.

My organization's Procedure for protecting against static electricity during assembly is Controlled, is proprietary (because we designed it for our operation), but is not "sensitive," whereas our Procedure for assembling a "black box" is Controlled, is proprietary, and VERY sensitive. We definitely guard the black box procedure and don't allow any "uncontrolled" copies, while we have freely distributed uncontrolled copies of our anti-static procedure to suppliers as a template to set up similar procedures. ("Controlled" copies in our universe are issued to individuals by name, with a "push" mechanism for revisions, collecting the obsolete copies.)
 
Ace said:
I'm not just talking about the regular document control per clause 4.2.3 of ISO 9k2k, I am referring to controls regarding faxing, printing, distributing, emailing drawings that are proprietary and should not be disclosed to the general public/vendor. During my internal audits, I find several drawings strewn about the fax machine, the printer/copy machine, trash receptacle, etc.
Hi Ace,

IMO you could easily incorporate rules for handling the mentioned issues in your Document Control procedure if you need them. From what you're telling us it would seem that you do.

It's your system, remember? You decide what should be in it.

/Claes
 
Safeguarding is not Security?

Wes Bucey said:
"Control" of any document, customer's or organization's, DOES entail security of the original document and subsequent revisions. Control DOES imply a procedure for limiting proliferation of uncontrolled copies where the document could fall into hands that could use the document to the detriment of the organization (internally, by building nonconforming product from obsolete drawings; externally, by stealing confidential information.)

The Standards don't address the BMS, they address the QMS. The organization's BMS responsibility is to determine which documents are in the sensitive category where outsiders should not be privy to the information contained. Once determined, appropriate security measures can be applied on individual documents to which they pertain.

My organization's Procedure for protecting against static electricity during assembly is Controlled, is proprietary (because we designed it for our operation), but is not "sensitive," whereas our Procedure for assembling a "black box" is Controlled, is proprietary, and VERY sensitive. We definitely guard the black box procedure and don't allow any "uncontrolled" copies, while we have freely distributed uncontrolled copies of our anti-static procedure to suppliers as a template to set up similar procedures. ("Controlled" copies in our universe are issued to individuals by name, with a "push" mechanism for revisions, collecting the obsolete copies.)

I take it then that you do not see the 'safeguard' in 7.5.4 as 'security.' Of course neither term is in 9000 vocabulary.

Doug
 
Douglas E. Purdy said:
I take it then that you do not see the 'safeguard' in 7.5.4 as 'security.' Of course neither term is in 9000 vocabulary.

Doug
Interesting thought. You are correct. I only interpreted 'safeguard' according to maintaining original of physical or electronic document from damage or unauthorized change. Sometimes it gets pretty easy to indulge in "paralysis by analysis" in seeking ever more nuanced definitions of Standards. Sometimes, not always, "Occam's Razor" is really the best way to interpret most documents. :truce:

Definition: OCCAM'S RAZOR: No more things should be presumed to exist than are absolutely necessary. (Alex Paterson)
 
It's your system, remember? You decide what should be in it.

/Claes
;) I believe so, the ISO standard is there to guide our QMS and it is at our organization's discretion how we will do the details of controls such as in this case. GOD BLESS!
 