![[GKL logo]](gkl.gif)
|
How to publish your QMS on your Intranet |
| document review and approval |
| previous | next | home | footer | feedback |
The requirements for document review and approval are the same whether or not you have an intranet. First, let us revise what review and approval are.
Document review is the process in which a document is read critically by a reviewer to discover whether the document meets some particular set of requirements. Thus, the review has a "scope", which is the definition of the set of requirements. A key point is that different reviewers will be reviewing the document for different aspects. One reviewer might be checking that the engineering calculations are right; a second reviewer might be checking that the document answers all the questions it was supposed to answer; a third reviewer might be checking that the document follows all the standards for document formatting that are to be followed. It is, clearly, important that each reviewer know the expected scope of his review, and that this be stated when he says that the document is ok (if he does so).
Document approval is the process in which someone with authority (the approver) states that the document may be released; that is to say in simple terms, it is ok. The approver need not review the document, he only needs to satisfy himself that the appropriate reviews have been done. For example: he might see that Charlie was the engineer who checked the calculations, and decide that he can't trust Charlie for this document; then, he wouldn't approve it. On the other hand, he might trust Charlie for this type of calculation, and be happy to approve the document. The approver doesn't have to be able to do all the reviews himself; he has to be able to decide whether to trust the reviewers. Thus, approval is a management task.
The approver will, often, be a reviewer also. In that case, he has two roles. These are separate, and should be recorded as such.
There is a difference between the record of a review and the working papers arising from a review. The record of a review is the simple data about the review: who did it; what was the identity of the document; when was the review done; what was the scope of the review (see above); was the reviewer satisfied that the document met the requirements of the scope (yes or no). This is the data of a record.
The working papers arising from the review are the annotated documents produced by the reviewer (or the forms he filled in with his comments). These data are not, strictly, the record of the review. The ISO 9001 standard requires that records of the results of the review and any actions arising be kept; it does not require that all the working papers be kept (although you can keep them if you wish).
The review process is discussed above.
Broadly speaking, there are two main methods of documenting a document review.
If you want to annotate the document, you can usually use a feature of your word processing software to assist with this. There will usually be a feature which enables you to highlight your changes by using in a different colour or other visual means.
If you prefer to list your comments, then it is usually a good idea to provide a form for this. You can use tables in a word processor or you can use a spreadsheet. Here is an example of a format. [Note: this is in practice a spreadsheet; it has been saved in html format so that it can be shown here.] In addition to providing a means of recording comments, this form provides a means of recording the follow-up to the comments.
The minimum contents of a review record are:
As noted above, there is a difference between the record of a review and the working papers arising from a review. If you want to keep the working papers, then do so. These can be very useful in case a subsequent change is called for. If you keep them, then it will usually be a good idea for the review record to contain a reference to them. Alternatively, their existence may be implied by their location.
Note: ISO 9001:2000 does not require that you have a signature on your records. It states that you shall "... define the controls needed ... to approve documents for adequacy prior to issue...", and that you need records "...to provide evidence of conformity to requirements...". In your procedures, signatures may be needed to provide that evidence, but it is not a requirement of the standard.
The approval process is discussed above.
Approval records are similar to review records; the following data should, desirably, be kept.
The "list of review records on which the approval was based" may be implied. The approval procedure could say that it is the set of available review records at the time of approval. This would avoid having to list these records specifically.
Again, ISO 9001:2000 does not require that you have a signature on your records.
There are various means of creating an "electronic signature" or e-signature. How solid the means needs to be will vary greatly from one organisation to another. In a small organisation in which the products are not highly critical, a simple method of signing may be sufficient; but if the products are highly critical (either from a safety, security, or financial viewpoint) then very rigorous methods of signing may be needed. You need to take each case on its merits and devise a method which is appropriate to your needs. If you devise a method which is more complex than is needed, it will cost more and make it harder to use. There is no virtue in over-egging the pudding;
In creating an e-signature, you are generally seeking to achieve some of the following:
The following is a list of methods of creating an e-signature roughly in order of increasing rigour. This is not a complete list; there are other methods which represent intermediate solutions.
More generally, you can use "access control lists" (ACLs - also known as "file access permissions") to control the over-writing of records and documents. You can set up a folder so that one only person has write access to the folder. He then controls any changes to the folder; he is responsible for all updates to it. This might be used to hold review and approval records, or to hold documents themselves. This is a rather laborious way of doing things, so you would only do it to meet stringent security requirements.
PS: if you have a strong requirement to have signatures, you have two main options. The first is to go for software which will provide the required level of security; this could be expensive if you are acquiring the software mainly for the e-signatures. The second option, is to use paper forms for the signatures. If there are not many cases of them, this could be the most cost-effective approach.
You can buy software systems to help with your "document management". Often such systems provide a means of semi-automating the review and approval process. So, typically, you can define a review list and an approval list. The software will then distribute the document for review (using the e-mail system). It will distribute the document either in series (that is, to each reviewer one after the other) or in parallel (that is, to all reviewers at the same time). It will chase up reviewers who don't review. It will manage the process overall.
Such systems can be useful for large organisations, but such systems are cumbersome; if people don't use them properly, (for example, if some don't do the reviews on time) then the process can grind to a halt - users will be tempted to set up an alternative system to by-pass the main system just to get things done. In essence, if people are not doing reviews because they don't have enough time, or because they don't feel they are important, automation won't fix things. You need to sort out the underlying problem first.
There are, apparently, facilities in Microsoft Outlook (the Voting/Tracking options) which can be used as a form of routing. I have not used them, so I can't say how effective they are.
ISO 9001:2000 requires us "to ensure that changes ... are identified". There are several ways of achieving this.
If your documents allow hyperlinks then you can include a "document change history" at the end of the document. This can be a simple list of the changes, giving dates, and a summary of the change, with a hyperlink(s) to the places in the document where the change has been made. This can be very effective. There is an example here.
It is useful to have a summary of the changes that have been made to the QMS in a single document. Again, this will be a simple list of the changes, giving dates, and a summary of the change, with a hyperlink(s) to the places in the document where the change has been made.
Usually, it is not necessary to list every small change - only those which have a material effect on how work is done.
If you have html documents on your intranet, it is a good idea to have a "document properties" block somewhere on each page. This will provide essential data such as version number, issue date, author, and so on. This page itself has such a document properties block at the foot of the document; this is generally the place to put it, although it is often in the header.
You need to decide what is most appropriate for your purposes. Here is a more comprehensive example; as well as the "document properties" block there is also a "document control" block. The two can be merged if you wish.
| previous | next | home | top | feedback |
[last updated on 10 September 2003] [Version 1] [© copyright: Gordon Kirk 2003] [Comments on this document should be sent to Gordon Kirk.]