AS9100 and The Documented Information Requirements
Clause 7.5 - Documented Information within the AS9100 REV D standard sets out what is required when creating and controlling the documentation that supports your Quality Management System for Aviation, Space, and Defence Organisations. The requirements for how you manage and control your documented information have changed: technology has moved on since the last iteration of the standard, so the standard needs to move on as well. How you present your documentation is no longer as prescriptive as it once was. There is, for example, no requirement within the standard to have a Quality Manual or any form of register for your forms, records, documents or document changes. That said, while the standard doesn't require them, these things are probably still good to have, but certainly not in any hard copy form.
What is Documented Information?
The AS9100 REV D Clause 7.5 - Documented Information is a combination of a few other areas, and it recognises that formats have moved on. Previously AS9100 referred to "Documents" and "Records". Documents referred to things like Policies, Procedures, Work Instructions and Check-list Templates, for example. Records, on the other hand, were about the historical information that you kept to demonstrate compliance with your QMS, such as completed check-lists, training records, audits and things like that. Documents and records are no longer referenced as such in the new standard. Instead, there is a single Documented Information heading, which is now about any information that you need as an organisation to run the business and to demonstrate the results of the Quality Management System.
To know when the new standard is referencing a document or a record, think about it in the following way:
- If the standard says you need to Maintain documented information, then it's talking about a Document (Policy, Process, Work instruction etc.)
- If the standard says you need to Retain documented information, then it's talking about a record that should be kept (Audit results, Quality data etc.)
With clause 7.5.1 of AS9100D there is now the requirement for the organisation to include in its documented information the various documented information that is prescribed throughout the standard. That's not really a surprise.
However, in part b of that clause, it also states that the organisation itself needs to identify what Documented Information is required for its AS9100D Quality Management System to run effectively, and include this in its system. You get to determine that based on a few things, for example the size of your organisation, the complexity of what you do, the products you make and how competent your people are. This means you may decide to document some things but not others; just be prepared to back up the reasons why you don't document things!
Again, AS9100 REV D doesn't care what format you have these things in. It can be hard copy, PDFs, Word documents or inside a dedicated QMS system like Mango QHSE; the choice is yours to make based on what is best for your organisation.
Creating and updating - What Things Are Required?
Clause 7.5.2 of the AS9100D standard gives a few requirements that your documented information needs to meet for any part of the standard that says documentation MUST be included (i.e. if you don't have them, you don't meet the standard). These are:
- Document Identification & Description - a name, date, author or reference number would be needed to make it individually identifiable. The key here is that there isn't a requirement that documents need to have a number; if they are clearly identifiable via the title then that's enough. Depending on the complexity of your organisation, having a Document number may make life simpler, but it is not required.
- Format - how the information is presented. Consider the language (i.e. if you are an English-speaking organisation but the document is in French, you may struggle to comply), whether it needs a software version, and whether it is in paper, in PDF or electronic. Consider what is going to be best for all users of your system.
- Review & Approval - all items need to have been reviewed for suitability and adequacy, in other words, are they fit for purpose. Once reviewed, you should be able to show that it has been checked and then approved.
AS9100D has a clarifying note attached to this which says that "Approval implies authorised persons and approval methods are identified for the relevant types of documented information, as determined by the organisation".
In other words, those approving documents should be able to understand them and know whether they are correct or not, i.e. they should be subject matter experts, and you need to control who is able to authorise things. You can do this with a list or a matrix that outlines who has approval rights for what type of document. When you change who is able to approve things, do that through your change control process.
Control of your Documented Information
Clause 7.5.3 is all about how you control your documented information, and there are a few gotchas here for the uninitiated to think about. While there are 5 requirements in this clause, they really roll up into only 3 areas:
- Availability and suitability for Use - think about this as the next step from Appropriate format. For example, if you are a distributed organisation with people in a wide range of places needing the information, having a central paper copy probably isn't it; having PDF helps, and having it available on the cloud is even better. You need to think about what works for everyone in your organisation for the various types of documented information you will use.
- Protected - This is about a few things: you need to ensure confidentiality and that the information is available only to the correct people, that the documented information can't be used incorrectly (maybe the wrong revision), and you must be able to ensure integrity so that the format or the content, for example, can't be changed without going through an approval process.
- Controlled – Control is probably the biggest area you need to think about. Here they are looking for control in terms of distribution, access, retrieval, and obsolescence.
- Only those who should have a particular bit of your AS9100 documented information have it, and if they need to get it they can.
- Storage and preservation are required i.e., how do you ensure that when it's used it's in the proper condition and fully legible?
- Changes, i.e., version control is in place and, as stated before, only authorised personnel can approve those changes. As a hint, keep your version numbering simple: 1, 2, 3 is perfect. Don't get into major or minor changes; a change is a change, so go up a number and make your life simple.
- Retention - how long you keep the information (and where), what determines that duration, is it a company policy or a legal requirement? For disposition - how you get rid of obsolete or out of date information, especially when you need to ensure secure destruction.
- Prevention of unintended use – this is linked to change control. When you do have a new version, how do you guarantee that the old versions are no longer available for people to use? This is tricky in paper systems, as you need to go around and collect them all in, typically keeping a register of who has them to begin with. Electronic versions are easier, as you can just replace the old with the new. If you do keep old versions of documents, how do you keep them secure to make sure people don't use them accidentally?
There is also the requirement for the organisation to identify any information held externally that they believe is central to their planning and operation of the quality management system. Perhaps you use 3rd party design requirements or specifications, you have industry standards to use, these need to be factored into the thinking.
Finally, there is a requirement that "When documented information is managed electronically, data protection processes shall be defined (e.g., protection from loss, unauthorised changes, unintended alteration, corruption, physical damage)". I.e., just because you have them in electronic format doesn't mean you don't have to follow all the same rules, and a few more. Just because they are in SharePoint doesn't make them secure, for example. It means they are available, but how did you store them there, what are the access rights and so forth? Anyone who has ever used a SharePoint set-up knows the pain that is access rights and SharePoint control! How do you ensure back-ups are happening and available should you need them, and that the method of electronic storage doesn't alter the documents in any way? Having a dedicated document management system as part of your overall integrated Quality management system makes sense, which is where systems like Mango QHSE with a dedicated Document Control and Management of Change system really come into their own.
Importantly, any documented information that is held as evidence that something conforms to a standard or specification needs to be kept in such a way that it is protected from unintended alteration, i.e., you can't accidentally overwrite the last Certificate of Conformance or Quality data sample you produced.
The new clause 7.5 Documented Information in the AS9100 REV D standard combines all document and record requirements into one section. There is no longer a need to have hard copies, or even a quality manual or documented procedures, in order to meet the standard, but the organisation should think long and hard about what it does need, and about who will use the information and how. Many of these things are still just as valid and easy to use, but you can now use any media format you need in order to make it effective for your organisation.
© Many Caps Consulting | All Rights Reserved