How to publish your QMS on your Intranet

meeting the requirements of ISO 9001

introduction

On this page we examine those requirements of ISO 9001:2000 which apply to documents and records. We state the requirement and explain any implications of using an intranet as a means of holding your QMS.

relevant ISO 9001:2000 requirements

We have extracted only the relevant requirements. Each section heading gives the ISO 9001 section reference. This is followed by a quotation of the relevant requirements in bold. Following this is a discussion of the implications.

4.2.1 Documentation requirements, General

NOTE 3 The documentation can be in any form or type of medium.

This is fairly clear. They use the word "documentation" but don't want it to be limited to paper (or "hard-copy"). It can be stored as any form of "soft-copy".

4.2.2 Quality manual

The organization shall establish and maintain a quality manual that includes ...

Again, this need not be hard-copy; it may just as well be soft-copy.

4.2.3 Control of documents

Documents required by the quality management system shall be controlled.

No problem; the following requirements state what "control" means.

Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

Likewise, see below.

A documented procedure shall be established to define the controls needed

We document this in the documents on our intranet.

a) to approve documents for adequacy prior to issue,

See document review and approval. The review process can be carried out using the intranet, as can approval.

b) to review and update as necessary and re-approve documents,

There is nothing new here caused by your intranet.

c) to ensure that changes and the current revision status of documents are identified,

You can readily identify the changes by means of a "document change history" block towards the end of the document.

You can identify the revision status by means of a "document properties" block at the end of the document.

d) to ensure that relevant versions of applicable documents are available at points of use,

printed copies

This becomes much easier for those staff who have access to the intranet. For those that don't, you may need to implement a scheme whereby they receive printed copies of documents when they are changed. If you do this, you will need to implement a register of who has which document. This should not be any more onerous than it would be were there no intranet. It is generally a good idea to mark the intranet copies with a message to the effect that the document is "uncontrolled when printed". This means that anyone who prints a paper copy for reading on the train or wherever, will be covered. The printed copies given to those who need them would need to have this legend deleted (use a pen).

Note: you can't legitimately distribute printed copies with the words "uncontrolled: for information only" or similar. If someone needs a copy of a QMS document for his work, then it needs to be a controlled copy. That is, if the original is updated, then the copy needs to be updated too; that is what is called a "controlled copy". (The only exception that I can envisage is for someone who suffers from insomnia; he may need a copy of some of the QMS documents to help with his problem.)

A common problem here is when staff print out a copy of a document as they find the printed medium easier than the screen to work with. A solution is to print on the document a statement to the effect that "this document may be out of date after xyz date". You get the document to insert the date printed plus (say) three days where it says xyz date.

distributing to notebook PCs

You may have a problem with staff who use notebook PCs and who are on the road much of the time. How do you keep their QMS files up to date? A solution to this problem is to define the subset of the QMS which they need and to distribute this when there are changes. For example: if you have service engineers who need part of the QMS, you list the files that they need, and when necessary you copy the files to another folder. You use WinZip or similar to create a zip file and send this to your service engineers by e-mail. They then use WinZip to extract into their QMS folder what they have been sent. You can create a "self-extracting zip file" which is sent as a .exe file, and will extract itself without having WinZip on the engineer's PC.

Here is an example of this. In column 4 of the table, where there is a darker colour, it means that the file is part of so-called "gklss" and is distributed as gklss.exe.

To assist with version control of gklss, we always distribute a file named edition.nnn in gklss.exe where nnn is a serial number. The user can then look in his QMS folder and will see a set of edition.nnn files (for example: edition.001, edition.002, edition.003). The nnn gives the edition of gklss that he has. The edition files need have no content.
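The edition-marker scheme described above, as an added Python example that is not part of the original page: it builds a distribution with its empty edition.nnn marker, installs it into a QMS folder, and reports which edition the folder holds. The check for missed editions goes beyond the text and assumes editions are numbered from 001 and that each one should have been installed; the function names are hypothetical.

```python
import io
import os
import re
import zipfile

EDITION_RE = re.compile(r"^edition\.(\d{3})$")


def build_distribution(files, edition):
    """Zip the subset (archive name -> bytes) plus an empty edition.nnn marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            zf.writestr(name, files[name])
        zf.writestr(f"edition.{edition:03d}", b"")  # the marker needs no content
    return buf.getvalue()


def install(zip_bytes, qms_folder):
    """Extract a received distribution over the engineer's QMS folder."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(qms_folder)


def edition_status(qms_folder):
    """Return (latest edition held, editions never installed), or (None, [])."""
    have = set()
    for name in os.listdir(qms_folder):
        m = EDITION_RE.match(name)
        if m:
            have.add(int(m.group(1)))
    if not have:
        return None, []
    latest = max(have)
    # Assumption: numbering starts at 001, so any gap is a missed distribution.
    return latest, [n for n in range(1, latest + 1) if n not in have]
```

A folder holding edition.001 and edition.003 reports edition 3 with edition 2 missed, which tells the administrator that one distribution never reached that notebook.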

caching in the Web browser

There is a technical problem with Web browsers caused by "caching". Web browsers don't download every file every time they need them. In order to reduce network traffic and increase their response speed, they keep copies of what they have downloaded on disc in what is called a "cache". This means that if a file changes on the server, but keeps the same name, the Web browser may simply use the file from its cache rather than fetching it from the server; the Web browser will not be using the right version of the file. As a result, you won't be sure that users will get the latest version of a QMS document as soon as you change it.

The Web browser will have a setting for how often it refreshes its cache. You could set it to "refresh every fetch", but that would not be an efficient way of working. Instead, you need to ensure that your Web server sets an expiry time for every file in the QMS (say, 24 hours). This will ensure that no file stays in a Web browser cache or proxy cache for more than 24 hours. If 24 hours is not satisfactory for you, you will need to do something a little more complicated with the Web server.
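One way to verify the expiry setting described above, as an added Python example that is not part of the original page: it works out from each response's headers how long a browser or proxy cache may keep the file, and flags any QMS file that can be cached for longer than 24 hours or that has no expiry set at all. The URLs and header values in SAMPLE are constructed, and the function names are hypothetical.

```python
from email.utils import parsedate_to_datetime as parse_date

LIMIT = 24 * 60 * 60  # the 24-hour expiry used in the text, in seconds

# Constructed sample: response headers as collected from four QMS URLs.
SAMPLE = {
    "/qms/manual.htm": {"Date": "Mon, 01 Sep 2003 09:00:00 GMT",
                        "Expires": "Tue, 02 Sep 2003 09:00:00 GMT"},
    "/qms/form004.xls": {"Cache-Control": "max-age=604800"},
    "/qms/index.htm": {"Last-Modified": "Thu, 21 Aug 2003 10:00:00 GMT"},
    "/qms/procedure.htm": {"Cache-Control": "no-cache"},
}

def freshness_lifetime(headers):
    """Seconds a cache may reuse a response without contacting the server.

    0 means it must ask first; None means the server set no expiry at all."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = {}
    for part in h.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"')
    if "no-store" in directives or "no-cache" in directives:
        return 0
    # max-age (and s-maxage, for proxies) overrides Expires; take the longer.
    ages = [int(directives[d]) for d in ("max-age", "s-maxage")
            if directives.get(d, "").isdigit()]
    if ages:
        return max(ages)
    if "expires" in h and "date" in h:
        try:
            delta = parse_date(h["expires"]) - parse_date(h["date"])
        except (TypeError, ValueError):
            return 0  # an unreadable Expires value counts as already expired
        return max(0, int(delta.total_seconds()))
    return None

def audit(responses, limit=LIMIT):
    """Return {url: problem} for responses that can outlive the limit."""
    problems = {}
    for url, headers in responses.items():
        life = freshness_lifetime(headers)
        if life is None:
            problems[url] = "no expiry set"
        elif life > limit:
            problems[url] = f"cacheable for {life} s (limit {limit} s)"
    return problems
```

A file with no expiry set is reported because each browser or proxy then chooses its own cache lifetime, so the 24-hour guarantee does not hold for it.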

e) to ensure that documents remain legible and readily identifiable,

This is not a problem if you use an intranet.

f) to ensure that documents of external origin are identified and their distribution controlled,

You may or may not keep external documents on your intranet.

If you don't keep them on the intranet, you simply keep them where you would have kept them without an intranet. It is a good idea to keep a list of external documents on the intranet, which people can read, and update as required.

If you have documents which are in soft-copy form, then the problem is simpler. You keep them in appropriate folders on a file server on the intranet. You keep a list of internal documents in a database (or spreadsheet) on the intranet, and put hyperlinks in the list. In the database, you also need to record the names of the people who have copies of these documents, so that they may be advised or sent copies when the documents are updated.

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

There will be occasions when it is necessary to use previous versions of a document (for example, on a project or job which was planned according to the old versions). In this case, you would need to keep a copy in a project folder (on the computer system) and make it plain that this was indeed an obsolete document.

In the general case, the use of the intranet largely prevents the use of obsolete documents as they will disappear from view when they are updated. You need to ensure that this is indeed the case in your intranet setup, but usually this will not be a problem.

4.2.4 Control of records

Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.

Using an intranet makes this easier.

Records shall remain legible,...

Not a problem with an intranet.

... readily identifiable ...

This is a simple requirement that you have your computer folder structures defined, and that they be well-organised so that records can be found.

... and retrievable ...

If you use an intranet, and you archive your records, you need further records to enable you to find the original records. This is not difficult, but not everyone does it well.

A documented procedure shall be established to define the controls needed ...

Whether you have an intranet or not, you do need a document which describes the required controls.

... for the identification, ...

If you use an intranet, you need to give every record on your computer system a unique identifier. For example, if the records are on a form (say, Form004), there is a danger that every time they are stored they are named Form004. That might be alright but it might not. If there are many copies of Form004 for a particular job, then the file name (of form004.xls) is not going to be unique, and so will not be a unique identifier. You need to define further the way that the form is to be named when it is used. For example, you might name it as Job1234.Form004.20030901.xls. But, whatever identification scheme you use, it needs to be documented somewhere in your QMS.

... storage,...

If you use an intranet, you need to document where you would store the various records. So, for example, in the case of the Job1234.Form004.xxxxxxxx.xls records above, you would need to say where in the file system this record is to be kept. Possibly, this will be somewhere in one of the Job1234 folders. You need to say where.
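A check of the identification and storage rules discussed above, as an added Python example that is not part of the original page: it takes a list of record paths and reports files whose names do not follow the Job1234.Form004.20030901.xls pattern, whose date part is not a real date, which are not stored under their job's folder, or whose identifier is used more than once. The exact pattern (three-digit form number, yyyymmdd date), the rule that a record sits under a folder named after its job, and the sample paths are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import PurePosixPath

# Assumed scheme, modelled on Job1234.Form004.20030901.xls from the text.
NAME_RE = re.compile(r"^(Job\d+)\.(Form\d{3})\.(\d{8})\.xls$")

# Constructed sample paths, relative to the records share.
SAMPLE = [
    "jobs/Job1234/records/Job1234.Form004.20030901.xls",
    "jobs/Job1234/records/Form004.xls",
    "jobs/Job1234/records/Job1234.Form004.20030231.xls",
    "jobs/Job5678/Job1234.Form004.20030902.xls",
    "jobs/Job1234/a/Job1234.Form004.20030903.xls",
    "jobs/Job1234/b/Job1234.Form004.20030903.xls",
]


def check_records(paths):
    """Return {path: problem} for records that break the documented scheme."""
    # Compare names case-insensitively, as Windows file servers do.
    seen = Counter(PurePosixPath(p).name.lower() for p in paths)
    problems = {}
    for p in paths:
        path = PurePosixPath(p)
        m = NAME_RE.match(path.name)
        if not m:
            problems[p] = "name does not follow Job.Form.yyyymmdd.xls"
            continue
        job, _form, stamp = m.groups()
        try:
            datetime.strptime(stamp, "%Y%m%d")
        except ValueError:
            problems[p] = "date part is not a real date"
            continue
        if job not in path.parts[:-1]:
            problems[p] = f"not stored under a {job} folder"
        elif seen[path.name.lower()] > 1:
            problems[p] = "identifier is used by more than one file"
    return problems
```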

... protection, ...

If you have an intranet, this implies that you have an effective backup system so that the records can't be lost.

... retrieval, ...

Not a problem with an intranet, but it does imply that:

  • if you archive your data, it is to a medium which can be read many years after archiving (not the case for tape or CD-R);
  • you have equipment which will read archives from long ago (the speed with which IT equipment changes can cause problems here).

... retention time and ...

Intranet or not, you need to define how long various records are to be kept.

... disposition of records.

You need to describe how you will dispose of records. For most purposes this is not a problem. If the records contain private data or otherwise secure data, you need to say what you will do to ensure their security.

5.5.3 Internal communication

Top management shall ensure that appropriate communication processes are established within the organization and that communication takes place regarding the effectiveness of the quality management system.

If you have an intranet, then at a trivial level, it should be easier to meet this requirement. You can set up e-mail distribution lists, conferencing systems, and so on. All this is "appropriate communication processes". However, it is easy to believe that this is communication when it is not. Communication needs a receiver as well as a transmitter. Are you sure that your e-mail is being received, and read, and understood, and accepted? If so, you have communication; if not, you merely have data flow.

7.5.1 Control of production and service provision

Controlled conditions shall include, ...
b) the availability of work instructions, as necessary,

If you have an intranet, it may not extend to all the staff on the shop floor. You have to provide an adequate means of distributing paper copies of the documents needed where the intranet does not reach. This is discussed above.


    [last updated on 21 August 2003]     [Version 1]     [© copyright: Gordon Kirk 2003]    [Comments on this document should be sent to Gordon Kirk.]