QCS International

Setting environmental objectives is getting easier by the day.   With Government Initiatives raising overall awareness, even Financial Directors are asking how we can reduce the Carbon Footprint of the company.

Also many organisations have heard of SMART objectives so we now know to make any objective for our system specific, measurable and time bound.

The real problem is that environmental objectives are a bit like a Gym Membership – signed up too hastily in January by everyone and then not re-visited for at least another 6 months…

But remember ISO 14001 requires that you have a programme for your objectives including a ‘means and a time frame’.  

As we are often setting objectives at this time of year, it is worth getting an effective programme set up at the same time to make sure that all objectives are prioritised and given the right resources to be successful from the start.

Objectives, targets and programmes…
Once you have decided on your ‘SMART’ objective break this down into a brief project plan.   Also make sure that resources in terms of time and money etc are clearly identified as part of the overall programme and that the senior management team in your company has bought into the objective and the programme.   This will make sure that every one really understands what’s involved in achieving an objective and more importantly that the right objectives are given a priority and you don’t fall into the trap of setting too many objectives.

Also make sure that within the programme you have regular reviews/updates to monitor progress and update and amend programmes as you progress your objective.    

This may seem like a detailed approach, but failure to have an effective programme for your objectives may well result in non-conformities at your next ISO 14001 audit.

Love them or hate them KPIs (Key Performance Indicators) are the way many organisations monitor and measure their processes.   These should be linked to business objectives and as January often starts with the annual cycle of objective setting, just how good is your organisation at setting KPIs?.. 

 Here is what ISO 9004 tells us…
‘ensure that you provide information that is measurable, accurate and reliable, and usable to implement corrective actions when performance is not in conformity with objectives or to improve process efficiency and effectiveness’.

What should we measure?
All processes within your organisation should be measured and monitored and key performance indicators should take into account:

• the needs and expectations of customers and other interested parties
• the importance of individual products to the organization, both at the present time and in the future
• the effectiveness and efficiency of processes
• the effective and efficient use of resources
• profitability and financial performance
• statutory and regulatory requirements

What makes a good KPI?
The KPI should be relevant to the control of critical parts of your organisation.   The KPIs should also be quantifiable and should enable you to set measurable objectives, identify and predict trends and if required take corrective, preventive and improvement actions.

Are you best in class?   Take the test…
How you use the KPI is often another matter.   ISO 9004 has provided a self assessment test to allow you to assess where your organisation is regarding the use of KPIs.   On a scale of 1 to 5 (1 being poor – 5 being best in class) take a look at the following self assessment questions to see where you think you are on the ISO 9004 business maturity scale.

Business Maturity Level 1: Very limited set of data from measurements and assessment is available to support management decisions or tracking of the progress of actions taken.   Basic indicators (such as financial criteria, on-time deliveries, and the number of customer complaints, legal warnings and fines) are used.   Data are not always reliable.

Business Maturity Level 2: There is a formal set of definitions for key indicators related to the organization’s strategy and main processes.   Indicators are mostly based on the use of internal data.    Management decisions are supported by the outputs from reviews of the management system and additional key performance indicators.

Business Maturity Level 3: Process-level objectives are related to key performance indicators.   Data is available to show how the organization’s performance compares with that of other organizations.   The main conditions for success are identified and tracked by suitable, practical indicators.   Management decisions are supported by reliable data from the measurement systems.

Business Maturity Level 4: Data is available to show progress on key performance indicators over time.   Deployment of the strategy and objectives are monitored.   Performance indicators are established, widely deployed and used for strategic decisions regarding trends and long term planning.   Systematic analysis of data allows future performance to be predicted.

Business Maturity Level 5: Systematic analysis of comprehensive data allows future performance to be predicted with confidence.   Indicators contribute to good strategic decisions.   KPIs are selected and acted upon in a way that provides reliable information for predicting trends and for taking strategic decisions.   Risk analysis is performed as a tool for prioritizing improvement.

The most important thing here is to identify where you are in terms of business maturity and how you can improve your use of KPIs as a business control and improvement tool for the coming year.

And finally if the KPIs you are measuring do not drive any kind of process control, action or improvement, make it your new years resolution to save some time and effort and stop measuring them!

You may be thinking about setting your Health and Safety objectives for 2011.   If you are short on inspiration, here are a few ideas straight from OHSAS 18001:2007…

1. Look at your risk assessments – what hazards still have a high risk score?   Can you reduce these in any way?
2. Still looking at your risk assessments – have you really used the hierarchy of  control in deciding robust control measures or are there hazards that rely a bit too much on ‘good old’ supervision and PPE for controls?
3. Your policy (the little used document in your reception area) – take a look at this.   If you have made commitments in the policy then you really should be setting objectives to achieve these.
4. Accidents and incidents from last year – have you closed our on all corrective actions are there still some outstanding issues?
5. Near misses – again have you closed our on all corrective actions are there still some outstanding issues?
6. Management Review – you probably made some commitments in the meeting – it’s always worth taking a close look at this and make sure any actions are tied into your objectives for the year.
7. Compliance Evaluation… Did you find any areas that needed improvement from your review?   (Did you do a review????)
8. Health & Safety committee meeting minutes – Review the minutes to make sure you have picked up any longer term actions into your objectives.
9. OHSAS 18002 & OHSAS 18004 – The Guidance documents are packed with help and advice on how to apply and improve OHSAS 18001 in your organisation – take a look at them for inspiration.  
10. HSE Web Site – Very user friendly and full of free information – Use this to look for any up and coming changes in legislation so that you and your organisation.

And finally for every objective don’t forget these should be measurable if possible and have a clear responsibility assigned with a time scale.

Recently, a UK company Strachan and Henshaw was fined £30,000 plus costs for failure to improve ‘filthy and dilapidated’ toilets.   This seems a hefty fine but is a good reminder to ensure that the requirements of the Workplace, Safety, and Health and Welfare regulations 1992 are reviewed on a regular basis during health and safety audits.

The regulations require the provision of ‘suitable and sufficient sanitary conveniences’ in addition, employers must provide:

• enough toilets and washbasins for those expected to use them – people should not have to queue for long periods to go to the toilet;
• where possible, separate facilities for men and women _ failing that, rooms with lockable doors;
• clean facilities to help achieve this walls and floors should preferably be tiled (or covered in suitable waterproof material) to make them easier to clean;
• a supply of toilet paper and, for female employees, a means of disposing of sanitary dressings;
• facilities that are well lit and ventilated;
• facilities with hot and cold running water;
• enough soap or other washing agents;
• a basin large enough to wash hands and forearms if necessary;
• a means for drying hands, e.g. paper towels or a hot air dryer; and
• showers where necessary, e.g. for particularly dirty work. 

A more extensive code of practice is available form the HSE web site but the link below includes the HSE information guide for managers which provides a good summary to use when preparing for an audit of this legislation.

indg244 Welfare Regulations – A short guide for managers

Although this is probably not the most exciting audit to do, it is worth performing an audit across your business from time to time to assess how documentation is controlled.

A question of risk…
It is important when planning your audit to look at the overall risk to your business posed by documentation control.   The fact is, no one has ever died because the wrong revision of the internal audit procedure was being used but some big mistakes have been made because the wrong specification was issued.

Of course system documentation is important and yes you will pick up non conformities during certification body assessments for poor control of system documentation but you also need to look at the control of all types of documentation in your business.  

Typical documentation can include:

• Quality Management Policy, Manual and Procedures
• Operational Procedures
• Operational Checklists
• Training Documents
• Documents sent to/used by customers
• Bills of materials
• Price Lists
• Product & Test Specifications
• Art work and packaging proofs
• Service Level Agreements
• Method Statements
• Documentation sent to and from suppliers
• Design documentation

 Also don’t forget external documentation – I often get told during audits that there aren’t any external documents only to find a long list of important documents that are not being controlled effectively.  

External documents may include:

• Product/service legislation
• Product/service design standards
• ISO standards and other industry requirements
• Customer policies and specifications
• Service level agreements
• Contracts
• Customer designs

 For each type of documentation you should assess the core controls as identified in the check list below:

 For internal documents:

 Is there a documented procedure available to define controls for all document types identified?

1.Does this procedure identify who can approve and issue each type of document?

2.What is the process for updates and changes?

Are changes approved before issue?   Is this approval by the same ‘authority’ as the initial issue or has this changed?   If so is this adequate to control the document issue? 

Are documents reviewed from time to time to make sure they are still relevant and being followed?   If there is a review period is there evidence this is being followed or are documents out of date?

Are hand amendments allowed in the procedure and if so are these properly authorised? 

3.Does each document have a clear title/identification and is there a clear revision level for the document?

4.How are changes to documents communicated to the people who need to use the document?

5.How are documents of each type circulated?   Are the right documents available at each point of use?

If this is controlled by a computer system, what happens if this system is not available?

7.Are any documents used at other/remote locations?   If so how do you know the correct version is being used?

8.For external documents – what controls are in place to identify any updates to:

Legislation and standards?

Changes to customer designs and requirements?

Changes in any contracts/service level agreements?

9.What happens to obsolete documents?

When new documents are issued are you sure the old documents are removed from use?   Is it obvious which documents are obsolete or is there a chance of confusion?

Are old documents retained for reference and if so are these identified?

Document control is a process that require auditing from time to time to ensure compliance and control business risk.  Don’t forget, you can download the audit checklist below.

Document Control Checklist

This month, Checklist of the Month takes a look at your OHSAS 18001 system and how you investigate accidents and incidents.   The checklist looks at base compliance to OHSAS 18001 and also RIDDOR so should give you plenty to audit.    

The checklist is also available here for anyone who wants to download and audit.  

Sept Checklist Accident Investigation

Checklist…

1. Is there a documented procedure for the process?   Is it controlled? (4.4.4 & 4.4.5)

 2. Is the procedure defined for:

 -          Accident/Incident Reporting

-          Investigation of any issues

-          Corrective Actions

-          Closure of actions and verification of effectiveness

(4.5.3)

 3. Are records of accidents/incident recorded and are records maintained?  

 For how long are records retained for?  

Note: check 3 years retention for any RIDDOR? (4.5.4)

 4. Are key people aware of accident reporting procedure & have they been trained? (4.4.2)

-  Managers?..First Aiders?

 RIDDOR Regulations 1995

5. Does the procedure define the requirements for reporting under RIDDOR?   Review records to ensure compliance?

 6. Does the procedure ensure that dangerous occurrences are reported under RIDDOR?

 7. Check that all accidents and incidents have been reported.

 How is 3 day lost time is calculated for any RIDDDOR (exclude day of accident but include rest days?).

Other Issues 

8. Are accident and incident issues discussed at the H&S reps team meeting? (4.4.3.2)

 9. Are accident and incidents communicated to the organisation as required?  (4.4.3.1)

 10. Is accident/lost time data reviewed at management reviewed?  Have any trends been identified as a basis for improvement? (4.6) 

Bonus Questions…

As mentioned, this checklist is all about base complaince to OHSAS 18001 and also RIDDOR (so you can use this for part of your compliance evaluation) but it does not cover things like near miss reporting which is best practice so it may be worth considering this in your audit.   It is also worth a look to see if accident/incident actions feedback into the risk assessment process (and results in an updated risk assessment) as this really does help to complete the ‘Plan-Do-Check-Act’ Cycle and also keeps your risk assessment ‘living’.

ISO 19011:2002 is the standard that covers the auditing of Quality and Environmental management systems and, after 8 years, the International Standards Organisation (ISO) is looking to revise this.

With a focus on enhancing the standard, ISO 19011 is now out for final comment and will be published next year.   This will include the following changes:

• There will be more of a focus on internal auditing.   The standard at the moment covers internal auditing but has a focus on supplier and certification body (second and third party) auditing.   With the previous publication of ISO 17021, there is now a standard for certification body auditing and ISO 19011 should focus more on internal auditing.
• ISO 19011 was originally published to cover Quality and Environmental auditing.   Over the last few years there are now many different systems to audit (Health & Safety, Food, Social Responsibility, Information Security etc) and ISO 19011 is being updated to reflect the differing competencies required to audit these systems adequately.    Competencies will include for instance knowledge of legal requirements, and other specialist areas such as waste minimisation, risk assessment and sustainability.
• The concept of risk based auditing will also be included,  where by significant business risks (eg most important contract, most significant aspect and most significant H&S hazard) are prioritised for auditing.   Although you could argue this is nothing new, it is a step in the right direction to make sure internal audits continue to deliver value to any organisation.
• Remote auditing is another area covered by the revised standard.   Although traditional face to face auditing is still favoured by many, the use of video conferencing and remote web based reviews are now covered in the revision.

It may be easy to dismiss the changes to this standard as custom and practice but ISO 19011 is used as the guidance for IEMA and IRCA auditor training courses so you should see these concepts filtering into training courses when the standard is published sometime in 2011.

Check List of the Month

 An audit of the audit system I hear you say!   What ever next?   Well actually it is a mandatory requirement but it often confuses people on what they should actually ask during their ISO 9001 internal audit.  

Here is a checklist that will allow you to thoroughly audit your ISO 9001 internal audit system.   It has references to ISO 9001, but this could be easily applied to OHSAS 18001 and ISO 14001 if required.

 The checklist can also be downloded in checklist style below so that all you have to do is print the checklist out to use it as part of your audit.

 Internal Audit Checklist 

Audit Programme

1. Is there an audit programme available, approved and communicated?(8.2.2)

 2. Does the audit programme cover all processes & clauses of ISO 9001? (8.2.2)

3. Does the audit programme cover processes (or does it tend to follow procedures within the system?).   (8.2.2)

 4. Does the programme reflect the results of previous audits & importance of process? (8.2.2)

 5. Are auditor’s trained? Check training certificates/records. (6.2.2)

 Audit Procedure

 6. Review audit procedure (8.2.2) does this cover:

 -          Requirements for planning audits?

-          Checklist preparation as a means to record objective evidence?

-          Non conformity reporting including categorisation (e.g. Major/Minor/Improvement etc)?

-          How corrective actions are agree, verified and followed up?

-          Requirements for auditor competency?   (6.2.2)

Reporting & Records

 7. Are records of internal audits maintained? (8.2.2)

 8. Are these records maintained?   If so for how long? (4.2.4)

 9. Are records of any non-conformities and corrective actions maintained? (8.5.2)

 10. Are records of root cause and corrective action verification maintained? (8.5.2)

System Effectiveness & Improvement

11. Is the audit programme on track (or have some audits been missed this year?)   (8.2.2)

 12. Are corrective actions from internal audits closed in a timely manner?   How many overdue actions are there?   (8.2.2)

 13. Are audits reviewed at management review as a means to improve the business? (5.6)

 14. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?

In this month’s blog we are launching our checklist the month.   This free service aims to give you a helping hand when it comes to performing your management system audits.

This month we are going to take a look at your ISO 9001 corrective action system.

This ISO 9001 internal audit checklist can also be downloaded here in a format that you can use this directly in your audit.

Checklist

1. Do you have a documented procedure for your CA system that covers the requirements of ISO 9001 8.5.2?
2. Do you identify and define the sources of product and quality problems in your procedure?
3. Do the sources of information include:
   1. Product (service) nonconformity/failure
   2. Do you have a documented nonconformity investigation procedure?   Does the procedure control and prevent the release of nonconforming product/delivery of service?
   3. Internal audits
   4. Customer complaints and feedback
   5. Process and quality issues
   6. Out of specification results
   7. Calibration failures
   8. Supplier issues

4. Does this procedure also include additional ‘containment action’ to control product/service that is currently being processed and to identify nonconforming product/service which may have been released/delivered?

5. Is the data in the CA system reported in an accurate and timely way?

6. Is the data in the CA analysed to identify actions to prevent the nonconformity from happening again?   Is the amount of time spent on investigating each CAPA appropriate for the significance of the issue?

7. Have actions from the CA investigation been identified and implemented to stop the issue from re-occurring? Are the actions appropriate for the significance of the issue?

8. Do you analyse trends of product and quality data to identify unfavourable process or product/service trends?   Have any trends been identified that may require CA?

9. Do you use statistical methods (where necessary) to detect recurring quality problems?   Are results analysed across processes to determine the extent of product/service and quality problems?

10. Do you communicate the information from CA across the organisation, including the review of this CA information in the management review?

You may well know that CoSHH assessments are required by the Control of Substances Hazardous to Health Regulations. However, many organisations still think that a having a material safety data sheet on file is all that is required.

What are you using ?

The first step in complying with the regulations is to review what materials/chemicals are being used – even if these are proprietary brands bought form a local hardware store.

Once you have a full list of chemicals/substances, then make sure you have an up to date Material Safety Data Sheet for each chemical.   The supplier of the chemical is obliged to provide you with one on request.

You will also need to keep this list up to date so think of an easy way for everyone in your organisation to update the list when a new material is ordered.

CoSHH assessment

The CoSHH assessment should include a review of the information on the material safety data sheet and also the application and frequency of use.   The assessment should then identify and document the following areas:

1. Identify the hazard – e.g. corrosives, irritants, toxic etc.
2. What are the control measures – identify what control measures are in place currently – don’t forget if exhaust ventilation is required then make sure records of this are maintained and this is performed on an annual (not exceeding 14 months) basis.
3. Do you need to use the material or could you use a less hazardous material?  It is easy to forget this step but you are required by law to consider substitution/elimination of the material if it is hazardous.
4. Do you need to consider additional control measures to comply with the recommendations in the data sheets?   If so make a note of these and decide on a timetable to introduce the improved control measures.

Other things to consider

For more hazardous substances then you may need to do a more comprehensive assessment or even bring a consultant into to monitor and assess exposure levels.   As a guide also ways review this need for any respiratory sensitisers, materials that can generate fumes or dust.

Check your equipment

An easy thing to over look but ask yourself – are the gloves or respirators you are using providing adequate protection? Is the extract system/Local Exhaust Ventilation (LEV) powerful enough?   Information for the correct equipment to be used can all be found on the data sheet.

If you use LEV then you also need to pay attention to test records.   These records by law should include the following information; extraction rates and confirmation that motors, ductwork, filters and alarms are working; operating performance of the LEV; testing methods used; details of any work carried out to adjust and test the LEV and; details and qualifications of the person carrying out the test.   This is a statutory records must be kept for at least five years.

Don’t forget pregnant or nursing mothers

You may need to consider the needs of vulnerable workers in particular pregnant and nursing mothers.  If a chemical has the risk code R40, R45, R46, R61, R63 or R64, then you will have to prevent exposure of any pregnant or nursing mother to the material.   Don’t forget…Some chemicals are mutagenic which means that any women who may become pregnant should be made aware of the effects before potential exposure (this should include before they are pregnant).

HSE Resources

The HSE has some good resources to use – a summary guide to CoSHH can be down loaded here.   HSE COSHH Guidance