QCS International

It’s fair to say that when an audit has to be done of Section 5 (Management Responsibility) of ISO 9001, the question you can often be left with is how do I audit a management team?   Here is a list of audit questions to use in your organisation that will really test your ISO 9001 compliance (we have included the ISO 9001 section number in brackets as a reference).

5.1 Management Commitment

• What is the process for conducting management review? (5.6.1)
• How is the Senior Management Team involved in this process? (5.1d)
• How are action plans developed following management review? (5.6.3)
• How are the resources needed to implement actions identified? (5.6.3/5.1e)
• What is Senior Management Team’s day-to-day involvement with the quality management system? (5.1)
• Do the Senior Management Team communicate importance of customer & regulatory requirements? (5.1a)
• Check for evidence of this communication & effectiveness throughout the organization
• What benefits have been derived from the QMS?

5.2 Customer Focus

• What is the Mechanism for identifying customer requirements (7.2.1)
• What is the mechanism for keeping up to date with statutory and regulatory requirements (7.2.1 c)
• Are customer expectations and requirements are reflected in product and service specifications?
• Is the quality policy is consistent with the requirements of customers (5.3)
• Are quality objectives are consistent with customer requirements (5.4.1)
• Do the product and service specifications provide customer satisfaction (8.2.1)
• Is there an effective process for communication with the customer (7.2.3)
• Is there evidence that customer satisfaction/perception data is being analysed (8.2.1 and 8.4)

5.3 Quality Policy

• Is there a quality policy and how was it developed? (5.1b)
• Is there evidence of senior management involvement with this (5.1b)
• Is the quality policy appropriate to your organization? (5.3a)
• Does the policy relate to the objectives of your organization? (5.3a)
• Does it include a commitment to meet requirements? (5.3a/5.2)
• Is it understood throughout the business?  (5.3d)
• What is important to your customers, and how do you know? (5.3.a/5.2)
• What will be the process for reviewing the quality policy? (5.3e)

5.4 Planning

• What is the process for establishing and reviewing quality objectives? (5.3.c)
• Check to what extent the Senior Management Team top management are involved in this (5.1c)
• View the current quality objectives – How were these objectives chosen? (5.4.1)
• Check how objectives link to - quality policy (5.4.1), analysed data (8.4/8.5.1), customer requirements (5.2), management review outputs (5.6.1), related business objectives (5.3)
• How are objectives established at throughout your organization? (5.4.1)
• How are objectives measured? (5.4.1)
• Is there evidence that objectives are being achieved?  If not, has appropriate corrective action been taken? (8.5.1)

5.5 Responsibility, authority & communication

• Are responsibilities and authorities communicated through your organisation? (5.5.1)
• Is there a Quality Management Representative appointed? (5.5.2)
• Does the Quality Management Representative communicate  performance to senior management? (5.5.2 b)
• Does the Quality Management Representative promote awareness of customer requirements? (5.5.2 c)
• Do senior management communicate objectives throughout your organisation? (5.5.3)
• Do senior management communicate QMS performance? (5.5.3)

5.6 Management Review

• Does your organisation perform management reviews? (5.6.1)
• Are records of these reviews maintained? (5.6.1)
• Does the review include: results of audits, customer feedback, process performance, product performance, status of preventive & corrective actions, follow up actions, changes and recommendations for improvement (5.6.2)
• Does the review result in decisions and actions to drive improvement? (5.6.3)

Hopefully this extensive list will give you all you need to thoroughly audit this part of ISO 9001 and achieve higher levels of compliance.

You may be using a handy man or a company with a prestigious reputation but if you use any contractor at all then you have a very clear responsibility to ensure the contractor is working safely, a lesson that Lincoln College have just learnt.

Recently, Lincoln College has been fined £1,500 after a window cleaner working at the college fell from a roof.   The window cleaner suffered broken ribs and a serious back injury as a result of the  accident and can now only perform  “restricted duties” in his job after months off work.

Lincoln College pleaded guilty to not carrying out a sufficient risk assessment during a hearing at the city’s Magistrates Court.

The HSE stated that the institution had failed in its legal duty to its contractors had not implemented proper procedures.   Organisations have a joint responsibility to carry out checks and “ensure the safety of all staff who work on site”.

What about the window cleaners employer?

The employer of the window cleaner – A Nicoll & Son Ltd, was prosecuted in October 2009 by the HSE, after pleading guilty to breaches of health and safety regarding the incident. The company was fined £2,500 and ordered to pay costs of £2,948.20.

So although the window cleaner was working for a ‘reputable employer’ the College still failed in their duty of care in the eyes of the law.

What can you do?

In simple terms whenever you use a contractor be it a gardener, window cleaner or someone performing a specialist ‘high risk’ job for you, your organisation has a duty of care to manage the contractor.

The HSE give guidance in this document

indg368 Use of Contractors

But in summary here are 6 things you can do to avoid a fine…

1. Recognise that you and the contractor are responsible for any work in your organisation.   Even if the contractor has a good reputation or is doing highly specialised work for you – you need to get involved before the contractor starts work.

2. Identify the job that is being done – quite often this be provided by the contractor and can take the form of a method statement which clearly spells out the extent and scope of the job.

3. Select the Contractor – make sure the contractor and the individual is competent and ask to see proof!   Competency will differ from job to job but try and find out what qualification is needed and then seek proof of qualification.

Make sure you keep this relevant – for instance in the case of the window cleaner you are probably not too interested if the cleaner is a ‘Member of the Institute of Chamois Leather Purveyors’ but more importantly – has the individual that is being sent to clean windows been trained in using ladders/working from height.

4. Make sure there is a ‘suitable and sufficient’ risk assessment.   Again you might not be the expert on this but you should always ask the contractor for a risk assessment or method statement before work starts.

5. Provide information & training – This is a difficult one because you probably expect the contractor to know all this.   In this case your duty of care is to tell the contractor anything about your organisation that might affect their job.

6. Manage and supervise – No you don’t have to watch your window cleaner doing the job but you do have a duty to check the method statement is being adhered to.

This may seem a long list for someone who you are paying to do something for you,  but a few simple steps will avoid a costly day out in court.

You might have been in a position when being audited by your certification body, when  you feel there is a new issue being raised that has not been raised before.   Does this mean that the auditor is using a different standard or different interpretation?   Not necessarily.

At the end of any certification body audit, the auditor reads out the standard disclaimer which includes the statement that ‘an audit is a sample and a snapshot in time’ and this sampling approach is one of the reasons why previous audits may not have raised the issue.

Other reasons for apparent inconsistencies may include…

• The auditor simply missed something during previous audits
• An auditor may have different knowledge experience and may be more specific about certain requirements
• The depth and scope of each audit can vary (as can the sample) so this may have affected what the auditor looked at previously

What to do…

Any good auditor should clearly state the ‘evidence and criteria not met’ when discussing a non conformity so make sure you fully understand the evidence being cited and the exact clause of the standard not being met.   Don’t forget you are well within your rights to ask ‘where in the standard does it say that’.

So although the issue of ‘we haven’t had an issue before’ can be raised, it should be clear exactly what the issue is with specific examples.

A process, ISO 9001 tells us is something which changes inputs into outputs but what exactly does this mean?   A process may well be a department or a key activity within a department.   For example ‘purchasing’ may be described as a process or the ‘production department’ may also be a process.

Processes should always be something that actually adds value to your organisation, but this may not be something that results in a product or service being delivered.

Internal Auditing for instance, is a process and should add value but does not result in your product or service being delivered.

To understand this more easily, when you first decide to do an audit, start by deciding on the following;

1. What is the ‘process name’
2. What are the ‘outputs’ (what does the process/task actually deliver)
3. What are the ‘inputs’ (what do you need to start the process)

This helps to clearly define the process and the scope of the audit.   Once this has been done you then need to look at the key factors affecting the process.

Key factors affecting a process…

The process approach to auditing requires you to fully understand not only the inputs, outputs and scope of the process, but also consider six key factors.

The importance of the six factors will vary depending on the individual process; for example, ‘machinery’ is likely to have less importance in an administrative process (e.g. Internal Auditing) than a product realisation process (e.g. Manufacturing or Service Delivery).

When preparing and performing a process based audit, you need to consider each of the following factors;

Manpower: Consider human resources needed including competence and training.   This should also include an understanding of any relevant authority and responsibilities.

Machinery: Consider any machinery and equipment required for the process including technical and maintenance requirements.   This factor should also consider any monitoring and measurement equipment and relevant calibrations.

Methods: Consider relevant methods and other documentation including records used in the process.

Materials: Consider any materials used in the process and also if relevant, the controls placed on relevant suppliers of materials.

Environment: This factor will include work environment considerations such as temperature, cleanliness, noise etc. and also infrastructure and support requirements for the process.

Measurement: If there are any performance indicators for the process these should be considered but if these are not obvious then always ask:

• How do you know the process is effective and efficient?
• How does the process deal with nonconforming situations?

By thinking about these six key factors before preparing for an audit, you will ensure a true process based audit will be performed.

This makes you a far more effective auditor because although ISO 9001 and your own procedures are important, it is easy to focus on compliance to these procedures and not actually ask the question ‘Is the process effective’.

Desperately trying to justify having an i-phone, I decided to see if there are suitable applications that could be used by a Systems Manager. Here is a review of the apps I have used…

Apart from the obvious use of the camera for recording examples of findings during an audit, I discovered a suitable app to improve your ISO 9001, ISO 14001 and OHSAS 18001 systems…

So for your ISO 9001 system there are a range of process improvement essential tools available. Many of these tools are simplified text books for Lean and Six Sigma techniques so whereas you won’t become an instant expert, the information is a good and handy reference if you are an experienced practioner. ‘Six Sigma and Process Improvement’ essentials are among those reviewed.

For your OHSAS 18001 system there was a handy sound meter to monitor how noise levels. Apparently the meter can be calibrated as well. Made by Studio 6 Digital, the application is good for informal spot checks but if sound is a significant hazard then it may be better to use a sound meter that can measure sound over a period of time.

For the environmental system managers amongst you I came across a couple of useful apps for your ISO 14001 system.

Meter Readings is an app that allows you to monitor the cost of the electricity and gas being used. It takes a few minutes to set up but after that you can measure energy use on a weekly/monthly basis providing you can get access to your meters.

Perhaps one of the most creative apps that you could use to raise awareness of environmental issues in your organisation is ‘21^st Century Office’. This app encourages people to look at their current life style and tells them their carbon footprint. Again it might not save the world but it does make you think.

Overall not quite enough of a business driver to warrant buying an i-phone but some good applications to use if you happen to have an i-phone. You can get all the apps mentioned from the apps store on i-tunes.