Abstract

DOCUMENT CONTROL

The control of documents maintained in the electronic media and the requirements of NBR ISO/IEC 17025 and adequacy for PNQ

Anselmo Ferreira de Castro^I; Glória Maria Pereira da Silva^I; Stella Regina Reis da Costa^II; Sílvio Francisco dos SantosI, ^* * Author for correspondence

^IGeneral Accreditation Coordination; Inmetro - Cgcre/Inmetro; Rio de Janeiro - RJ - Brasil

^IIUFF/UFRRJ; Rio de Janeiro - RJ - Brasil

ABSTRACT

During the assessments carried out by the authors at the diverse laboratories pertaining to the network of accredited laboratories - known as the Brazilian Calibration Network (RBC) - the authors verified the difficulties that these laboratories had in meeting the requirements of NBR ISO/IEC 17025:2001 (Standard), related to the maintenance of documents in the electronic media. More and more laboratories are substituting traditional control with electronic document control, which allows for more agility in the recovery of information. These laboratories implement policies and procedures; however, they still feel insecure, in some way, as to how to meet all of these requirements, thereby giving rise to difficulties in the implementation of such. The aim of this paper is to discuss the control of documents stored in the electronic media, adopting requirement 4.3 of the Standard as the reference, and aiming, in this manner, to harmonize the assessment process of the procedures of document management in the electronic media, and to assist the laboratories in the interpretation of the Standard, so that they may implement systems that are adequate to their actual necessities and to their structural size, while at the same time complying with the referred to requirement. This work will not broach the treatment given to the records (requirement 4.12 of the Standard), facts (requirement 5.4.7) nor to the electronic transmission of results (requirement 5.10.7), leaving these subjects for posterior discussions.

Key words: NBR ISO/IEC 17025, PNQ, computerized systems, documents

INTRODUCTION

At the moment, the great majority of laboratories make use, to a greater or lesser degree, of computerized media in order to store their documents. Among the advantages of computerized control is the possibility of increasing the productivity and competitiveness of the laboratory.

Among the activities of the internal and external auditors, as well as of the assessors from Cgcre/Inmetro [3, 4 e 10], is the assessment of the adequacy and implementation of the policies and procedures adopted by the laboratories, for document control. The adequate implementation of this aspect is one of the essential factors for the demonstration that the laboratory is competent, as specified by the Standard.

According to Coutinho et al. (2004), in a comparative study of the nonconformities identified by the accreditation bodies belonging to the American Association for Laboratory Accreditation (A2LA) and to those belonging to Cgcre/Inmetro, requirement 4.3 of the Standard - document control, is responsible for 8,2% of the nonconformities reported by the A2LA and for 10% of the nonconformities reported by the Brazilian body. Coutinho's sample involved the consideration of the reports of all the assessments carried out between 2001 and 2003. In both cases, document control was the third biggest cause of nonconformities.

During the assessments, it was observed that among the difficulties of the laboratories, is the understanding of the requirements of the Standard, as well as of some of its concepts, in particular, the definition of document, and what the importance of its control for the maintenance of a "traditional "or computerized quality system is.

Although they may seem simple, we believe that the knowledge of such concepts is fundamental to the initiation of our discussion.

The definition of a document

NBR ISO 9000:2000, in the part that deals with fundamentals and vocabulary, defines a document in the following manner:

"A document is the information and its supporting medium."

In the ABNT ISO/GUIDE 2:1998, note 2 of item 3.1, considers the term "'document' as being any medium that contains registered information". Note 3 of the same item considers "the document and its content as being a single entity".

The Standard presents the following as examples of documents: regulations, standards, calibration and/or testing methods, drawings, specifications, instructions, manuals and software. The documents may be contained in various media: electronic, on paper, and may be digital, analogical, photographic and written.

The 17025 does not present a definition of an electronic document. A definition accepted by the authors deems "an electronic document as being that which is memorized in a digital format, and which is not perceptible to the human eye without the intervention of a computer"[6].

In a general manner, we can consider all information stored on an electronic device (hard disk, floppy disk, CD-ROM) or transmitted through electronic means, to be an electronic document. In this context, software, data bases, texts, images, as well as the information accessed via the Internet: e-mail, websites etc. may also be included.

Some laboratories opt to maintain their documents on paper, while others only use the electronic media, and yet others maintain "a hybrid" form, wherein both paper and the electronic media are used.

The importance of document control

The importance of document control, both for those documents which are generated internally and for those which are obtained from external origins, resides in the need to identify the personnel authorized to review and approve of such documents, in the identification of the status of their revision and in the identification for distribution to those who have access to such documents. Another characteristic of document control is that it should be capable of making documents readily available, as well as of avoiding the use of invalid and/or obsolete documents.

A system of document control must be able to generate, issue, receive, store or process information in some other manner, while at the same time trying to maintain the integrity of the documents. These aspects are assessed in item 5.1, Management of the Information of an Organization, of Criterion 5, Information and Knowledge, of the management model for excellence called for by the National Quality Prize (PNQ).

METHODOLOGY

In this paper, we will begin by presenting some considerations with regards to electronic documents, and some of the characteristics of such documents. We will then revise requirement 4.3 of the Standard and Criterion 5.1 of PNQ. This will be followed by a discussion and an interpretation of these requirements as applied to electronic documents, suggesting an approach for the assessment of these requirements, which is of fundamental importance for a quality system to function well. Finally, we will draw a conclusion with regards to the discussion.

CONSIDERATIONS

For the documents maintained in the electronic media, we consider the definitions contained in NBR ISO/IEC 17799:2001: Information Technology - Code of Practice for Information Security Management as being valid. This document deals with the management of information security and applies the following definitions:

Confidentiality: ensuring that information is accessible only to those authorized to have access;

Bearing the approach and the application of the criteria on information and knowledge in mind, the following practices are requested for the markers that make up item 5.1:

In order to work with electronic documents, we need to understand the mechanism of the electronic signature. This technology tries to overcome the purposes of traditional signatures, and it is obviously not the copying and pasting of a scanned signature onto an electronic document, but rather a system of codes to identify and authenticate the authors, that is dealt with by software.

Depending on the type of security system used, there are basically two types of electronic signatures: passwords and public keys.

For our purposes, passwords offer the necessary level of security, which is many times greater than that which is offered by paper. For this reason, we will not deal with public keys here.

It is necessary to point out that the aim of the electronic signature is not to make the document illegible, as the content itself is not encrypted, but rather to increase the state of security of the signed document, in such a way so as to guarantee its confidentiality, integrity and availability.

The operational systems offer some options of access control through passwords. Among the resources offered by such software are:

1. A password to access the network environment;

2. A password for the sharing of resources. In this case, there are two types of access control: access control at the level of sharing, which allows one to supply access to each shared resource (for example: folders and printers) and access control at the level of the user, which allows one to specify which users or groups may have access to each shared resource;

3. A password to protect the computer during waiting periods;

4. A password to protect the screen.

DISCUSSION OF THE REQUIREMENTS OF THE STANDARD WITH REGARD TO DOCUMENT CONTROL

For the control of documents maintained in the electronic media, we shall discuss the following items (the numbers in parenthesis refer to the items of the Standard relative to document control):

It would be advisable for the master list to contain, at the very least, the following information:

1. Document link/path/address

2. Title of document

3. Revision number

4. Date of revision.

The available software offers systematic orientations to restrict access to documents. Such systematic orientations involve:

1. Attribution of a password to open documents, thereby avoiding unauthorized users from accessing them (

   protection password);

2. Attribution of a password for the modification of documents, which allows other people to access the document, but not to alter it in any way without the password. If a person were to access the document in order to modify or alter it without the password, s/he would only be able to save the document by giving the file a different name (

   protection password);

3. Recommendation that others may open the documents as a reading-only file. If a person were to open the document as a reading-only file, and alter it, s/he would only be able to save it by giving the document a different file name. If the person opens the document as a reading-writing file, and alters it, the document could be saved using its original file name;

4. Attribution of a password when a document is sent for revision, which prevents alterations from being made, except for commentaries or controlled alterations;

5. Attribution of a password in order to use areas of a form, in order to create forms, which will avoid others from altering the specified sections;

6. Attribution of a password to protect working folders and spread sheets from being altered;

7. Attribution of a password to protect spread sheet cells, graphic data etc.

It would be advisable for the laboratory to have a systematic orientation for the attribution of passwords in such a way so as to avoid problems which may occur due to employees forgetting or leaving the organization, for example.

It would be advisable for the laboratory to establish backup procedures that assure the protection and the safe storage of information, demonstrating which measures are adopted to prevent losses and, whenever possible, the backup documents should be stored outside the laboratory's installations.

It is difficult to make safety copies of paper files, while it is easier to implement a backup procedure for electronic files. However, a critical point in this in case is the control of versions. When a document is altered, this altered version is made available as the most recent version. An inverse backup is normally provoked when a previous version has to be consulted, and this should be avoided. In fulfilling item i, it is possible to attend to marker a.4 of item 5.1 of the PNQ, in which refers to electronic documents.

CONCLUSION

We have verified that the treatment to be given to the control of electronic documentation, saved in their due proportions, is not very different from the treatment adopted for those documents kept in a physical format.

The maintenance of documents in the electronic media offers many advantages, including: agility, speed and security, both for the organization's internal staff members as well as for its clients.

At present, the main disadvantage of using the electronic media for document control lies in the connection that such media has to technology. In order to overcome this, the laboratories have to maintain the equipment and the software necessary for the recovery and the exhibition of the filed data, during the time period in which documents have to be retained.

For there to be success in this modality of document use, it is necessary to apply 17025 correctly, paying attention to the confidentiality, integrity and availability of information, which naturally leads to compliance with item 5.1, Management of the Information of an Organization.

During the internal and external assessments and audits, the size of the laboratory and the degree to which it is computerized must be taken into account: as in all activities, the use of common-sense is a fundamental factor for the success of these activities.

We would like to point out that it is up to the laboratory to establish and to decide upon the best systematic orientation, which is adequate for the Standard, and which is appropriate for its circumstances.

This discussion should not be interpreted as an additional requirement, nor should it be used as an integral part of the Standard.

ACKNOWLEDGMENTS

We would like to thank the collaboration of the staff members of Cgcre/Inmetro, who contributed to the realization of this paper.

Received: July 29, 2005;

Revised: September 05, 2005;

Accepted: November 22, 2005.

Publication Dates

History