We live in an age seemingly obsessed with controls. Perhaps this is because of more than half a century of unwavering passion for computer systems such as your CMMS that, on one hand make life easier for us, but on the other hand leave us vulnerable to all kinds of new risks as technology improves. Some believe that adoption of new technology would have been much faster if users weren’t as wary of the many real and perceived control or security issues. This sometimes is cited as a reason why users are reluctant to purchase products and services online. Users question whether there are sufficient controls in place to ensure that the expected quality and quantity of what was paid for was actually received. As well, there is a perception that our secure information might somehow be compromised.
In fact, controls have been around for centuries. For example, long before computer systems were available, many entrepreneurs were notorious for micro-managing their businesses, such as insisting on approving every expenditure. However, maintenance managers have enjoyed a relatively high degree of autonomy from controls because senior management and business owners understood the value of keeping the machines running. Thus, it wasn’t surprising to see huge sums of money spent on parts rushed in from wherever in the world they could be sourced, in an effort to minimize downtime.
Today, more expensive assets and spare parts, increased automation and better planning tools have made it less acceptable for maintenance management to spend so freely on rush orders for replacement parts in the event of machine downtime, unless consequences are near catastrophic. Many companies have adopted an approval process to ensure costs are kept to a minimum, from approval of a work request to the recording of parts and labor needed to complete the work. In some industries such as food, pharmaceutical and nuclear, to name a few, there are strict regulatory requirements to ensure controls are in place for transparency, traceability, error prevention and the avoidance of a security breach.
Depending on the size of your company and your industry, you might consider implementing an approval process for any of the following:
- Budgets — approval of an entire budget or portions thereof down to the G/L account code
- Asset lifecycle — approval of engineering drawings and changes to the status of a given asset (eg, out of service)
- Work management — approval of any change in status during the life of a work order, from work request to work order closure, including approval of any labour hours, material dollars and contract work booked against a work order
- Procurement — approval of any change in status during the life of a purchase order, from purchase requisition to purchase order, receipt of goods/service and payment
- Inventory management — approval of additions/changes/deletions to the parts master, stock issuance against a work order, quality assurance of parts received, returns, vendor repairs and warranty work.
One of the most important components of effective control systems is a comprehensive approval process using electronic signatures. Furthermore, many of the more advanced CMMS packages have used a sophisticated workflow engine to facilitate the configuration of the approvals process that best fit your ever-changing needs. These features are explained and discussed below.
Electronic signatures: Any approval process must involve a signature of some kind. Some companies still insist on manual signatures on printed documents, but most accept the electronic equivalent. An electronic signature can, in theory, take the form of a symbol such as a graphic representation of your signature on a document, or as simple as your name typed in a location for which only you have secured access within the application.
Regulators such as the FDA insist on having the best of both worlds, so to speak. According to FDA’s 21 CFR Part 11, Subpart C, Section 11.100 (c):
“Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.”
The FDA, as well as regulatory bodies in other industries, require an electronic signature when closing a work order regardless of the device used (eg, desktop computer connected to the company LAN, laptop used remotely or mobile PDA). Execution of the signature causes a lockdown of the work order so that no changes or deletions can occur. There’s a similar process for handling purchase orders and service requests.
Although a document can be “unsigned” to make changes, it must be unsigned by an approver as well as the mechanic. The electronic signature is done by verifying user ID and password, or using a biometric device such as a fingerprint scan for signature validation. Once the document is unsigned, FDA requires that a pop-up window be presented for the approver to specify why the file is being unlocked. A chronological record is kept of transactions where electronic signatures were required including comments. Note that not all CMMS packages can handle the more stringent requirements described above.
Digital signatures: One form of an electronic signature that offers even greater security is the digital signature. Digital signatures provide universal acceptance as they are based on Public Key Infrastructure (PKI), a globally-accepted standard that guarantees signer authenticity and data integrity using public and private keys, authenticated by a trusted third-party certificate authority. It also prevents the sender from denying knowledge of the document they signed. A digital signature can’t be copied, tampered or altered in any way without detection. As PKI is a universal standard, signatures made within a given software application can be validated by others using the same application.
Workflow engine: Some CMMS vendors have gone much further than providing approvals capability for electronically signing certain documents such as the work order. Higher-end CMMS packages use a graphical workflow engine, providing the ultimate in terms of flexibility. As in MS Visio, users can generate workflows by dragging and dropping connectors and shapes selected from a palette. Each step in the workflow can be given a name, the number of responses required, a set of priorities, a closure type expected (eg, reject, approve) and the resultant next step. Business rules can be established to automatically escalate the process, for example, if the work order isn’t approved after one day, reroute the document to the signer’s supervisor. Work flow engines typically can assign responsibility for approvals by named individuals, roles (eg, planner) or work group (eg, shift five electricians).
A decision box can be established within a workflow with many lines out typically shown graphically in different colors. For example, if the decision box is “what is the cost?” users might have eight possible flows out of the decision depending on conditions. One flow might be: if the work order is safety related, the asset is not under warranty and labor costs are greater than $1,000, take this path. Thus, users can build multiple conditions using Boolean logic tied to related fields from any master record (eg, assets, work orders, spare part stock levels, vendor quotations, purchase order status, warranties).
E-mail Contributing Editor David Berger, P.Eng., partner, Western Management Consultants, at email@example.com.