QCS International

ISO 19011:2002 is the standard that covers the auditing of Quality and Environmental management systems and, after 8 years, the International Standards Organisation (ISO) is looking to revise this.

With a focus on enhancing the standard, ISO 19011 is now out for final comment and will be published next year.   This will include the following changes:

• There will be more of a focus on internal auditing.   The standard at the moment covers internal auditing but has a focus on supplier and certification body (second and third party) auditing.   With the previous publication of ISO 17021, there is now a standard for certification body auditing and ISO 19011 should focus more on internal auditing.
• ISO 19011 was originally published to cover Quality and Environmental auditing.   Over the last few years there are now many different systems to audit (Health & Safety, Food, Social Responsibility, Information Security etc) and ISO 19011 is being updated to reflect the differing competencies required to audit these systems adequately.    Competencies will include for instance knowledge of legal requirements, and other specialist areas such as waste minimisation, risk assessment and sustainability.
• The concept of risk based auditing will also be included,  where by significant business risks (eg most important contract, most significant aspect and most significant H&S hazard) are prioritised for auditing.   Although you could argue this is nothing new, it is a step in the right direction to make sure internal audits continue to deliver value to any organisation.
• Remote auditing is another area covered by the revised standard.   Although traditional face to face auditing is still favoured by many, the use of video conferencing and remote web based reviews are now covered in the revision.

It may be easy to dismiss the changes to this standard as custom and practice but ISO 19011 is used as the guidance for IEMA and IRCA auditor training courses so you should see these concepts filtering into training courses when the standard is published sometime in 2011.

Check List of the Month

 An audit of the audit system I hear you say!   What ever next?   Well actually it is a mandatory requirement but it often confuses people on what they should actually ask during their ISO 9001 internal audit.  

Here is a checklist that will allow you to thoroughly audit your ISO 9001 internal audit system.   It has references to ISO 9001, but this could be easily applied to OHSAS 18001 and ISO 14001 if required.

 The checklist can also be downloded in checklist style below so that all you have to do is print the checklist out to use it as part of your audit.

 Internal Audit Checklist 

Audit Programme

1. Is there an audit programme available, approved and communicated?(8.2.2)

 2. Does the audit programme cover all processes & clauses of ISO 9001? (8.2.2)

3. Does the audit programme cover processes (or does it tend to follow procedures within the system?).   (8.2.2)

 4. Does the programme reflect the results of previous audits & importance of process? (8.2.2)

 5. Are auditor’s trained? Check training certificates/records. (6.2.2)

 Audit Procedure

 6. Review audit procedure (8.2.2) does this cover:

 -          Requirements for planning audits?

-          Checklist preparation as a means to record objective evidence?

-          Non conformity reporting including categorisation (e.g. Major/Minor/Improvement etc)?

-          How corrective actions are agree, verified and followed up?

-          Requirements for auditor competency?   (6.2.2)

Reporting & Records

 7. Are records of internal audits maintained? (8.2.2)

 8. Are these records maintained?   If so for how long? (4.2.4)

 9. Are records of any non-conformities and corrective actions maintained? (8.5.2)

 10. Are records of root cause and corrective action verification maintained? (8.5.2)

System Effectiveness & Improvement

11. Is the audit programme on track (or have some audits been missed this year?)   (8.2.2)

 12. Are corrective actions from internal audits closed in a timely manner?   How many overdue actions are there?   (8.2.2)

 13. Are audits reviewed at management review as a means to improve the business? (5.6)

 14. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?

In this month’s blog we are launching our checklist the month.   This free service aims to give you a helping hand when it comes to performing your management system audits.

This month we are going to take a look at your ISO 9001 corrective action system.

This ISO 9001 internal audit checklist can also be downloaded here in a format that you can use this directly in your audit.

Checklist

1. Do you have a documented procedure for your CA system that covers the requirements of ISO 9001 8.5.2?
2. Do you identify and define the sources of product and quality problems in your procedure?
3. Do the sources of information include:
   1. Product (service) nonconformity/failure
   2. Do you have a documented nonconformity investigation procedure?   Does the procedure control and prevent the release of nonconforming product/delivery of service?
   3. Internal audits
   4. Customer complaints and feedback
   5. Process and quality issues
   6. Out of specification results
   7. Calibration failures
   8. Supplier issues

4. Does this procedure also include additional ‘containment action’ to control product/service that is currently being processed and to identify nonconforming product/service which may have been released/delivered?

5. Is the data in the CA system reported in an accurate and timely way?

6. Is the data in the CA analysed to identify actions to prevent the nonconformity from happening again?   Is the amount of time spent on investigating each CAPA appropriate for the significance of the issue?

7. Have actions from the CA investigation been identified and implemented to stop the issue from re-occurring? Are the actions appropriate for the significance of the issue?

8. Do you analyse trends of product and quality data to identify unfavourable process or product/service trends?   Have any trends been identified that may require CA?

9. Do you use statistical methods (where necessary) to detect recurring quality problems?   Are results analysed across processes to determine the extent of product/service and quality problems?

10. Do you communicate the information from CA across the organisation, including the review of this CA information in the management review?

You may well know that CoSHH assessments are required by the Control of Substances Hazardous to Health Regulations. However, many organisations still think that a having a material safety data sheet on file is all that is required.

What are you using ?

The first step in complying with the regulations is to review what materials/chemicals are being used – even if these are proprietary brands bought form a local hardware store.

Once you have a full list of chemicals/substances, then make sure you have an up to date Material Safety Data Sheet for each chemical.   The supplier of the chemical is obliged to provide you with one on request.

You will also need to keep this list up to date so think of an easy way for everyone in your organisation to update the list when a new material is ordered.

CoSHH assessment

The CoSHH assessment should include a review of the information on the material safety data sheet and also the application and frequency of use.   The assessment should then identify and document the following areas:

1. Identify the hazard – e.g. corrosives, irritants, toxic etc.
2. What are the control measures – identify what control measures are in place currently – don’t forget if exhaust ventilation is required then make sure records of this are maintained and this is performed on an annual (not exceeding 14 months) basis.
3. Do you need to use the material or could you use a less hazardous material?  It is easy to forget this step but you are required by law to consider substitution/elimination of the material if it is hazardous.
4. Do you need to consider additional control measures to comply with the recommendations in the data sheets?   If so make a note of these and decide on a timetable to introduce the improved control measures.

Other things to consider

For more hazardous substances then you may need to do a more comprehensive assessment or even bring a consultant into to monitor and assess exposure levels.   As a guide also ways review this need for any respiratory sensitisers, materials that can generate fumes or dust.

Check your equipment

An easy thing to over look but ask yourself – are the gloves or respirators you are using providing adequate protection? Is the extract system/Local Exhaust Ventilation (LEV) powerful enough?   Information for the correct equipment to be used can all be found on the data sheet.

If you use LEV then you also need to pay attention to test records.   These records by law should include the following information; extraction rates and confirmation that motors, ductwork, filters and alarms are working; operating performance of the LEV; testing methods used; details of any work carried out to adjust and test the LEV and; details and qualifications of the person carrying out the test.   This is a statutory records must be kept for at least five years.

Don’t forget pregnant or nursing mothers

You may need to consider the needs of vulnerable workers in particular pregnant and nursing mothers.  If a chemical has the risk code R40, R45, R46, R61, R63 or R64, then you will have to prevent exposure of any pregnant or nursing mother to the material.   Don’t forget…Some chemicals are mutagenic which means that any women who may become pregnant should be made aware of the effects before potential exposure (this should include before they are pregnant).

HSE Resources

The HSE has some good resources to use – a summary guide to CoSHH can be down loaded here.   HSE COSHH Guidance

Recent research from NEBOSH  (The National Examination Board in Occupational Safety and Health) suggests  that more than 50% of health and safety managers are now responsible for managing quality and environmental issues at work.

The same is also true of internal auditors – there is now more and more pressure on auditors to audit the holy trinity of ISO 9001, ISO 14001 and OHSAS 18001 but ensuring competency for each system may be tough to achieve.   So what skills do managers and auditors actually need?

This question depends on your overall organisation and level of risk and complexity but here are some ideas of auditor competency that is needed for each system…

Quality Management Auditor

Assuming you are running an ISO 9001 system your internal audit team will need a two day internal audit course as a minimum.   It could help to send the team on a one day foundation course as well.

If asked the importance of the one day course – my advice is to rate the individual on a scale of 1-10 for ISO 9001 knowledge.   If they rate as a 1-3 then a one day foundation course is required… 4 plus and the individual should be able to comfortably achieve the two day internal audit.

If your organisation uses risk assessment techniques such as FMEA or other quality tools (SPC, Six Sigma, problem solving etc, etc) then it would also help for your audit team to be trained in these techniques.

Environmental Management Auditor

Once again the one day foundation course and two day internal audit course should be viewed as a minimum.   If you have a well develop aspect register and these tend not to change then this training may be enough but, an auditor must have an understanding of how to audit environmental aspects as well as procedures.

If you are using your audit system to evaluate compliance, then some kind of training for legislation would be useful in order for the auditor team to assess significant legislation effectively.

If you have more complex aspects or, aspects that tend to change (for example in construction sites) then more in depth training such as the  IEMA Associates course will provide a good level of training.

Health & Safety Auditor

Similar advice to that of environmental management auditor – the OHSAS 18001 internal audit course will provide a good overview.

Legislation is important, as is an understanding of risk assessment so, as a minimum, an additional course such as the IOSH managing safely course will provide a good introduction to these areas.   If however your hazards are more complex and changing then a course such as the NEBOSH General Certificate should be considered.

Competancy, awareness and training

So having hit your training budget is that all?   Not quite – don’t forget that an audit team needs regular exposure to auditing and as an ideal, initially conducting 4-5 audits with a more experienced auditor will be worth the investment in time to build the confidence and competence of an internal auditor.

This is not a sales pitch!

Its easy to say that I would recommend extensive training for any auditor as that is the business of QCS International… the big however is that I often see organisations actually waste money by training people who then don’t use their audit training at all because they don’t feel confident enough to perform audits.   The worst case scenario is investing in some training only to find your audit team perform ineffective internal audits.

The bottom line is – an effective integrated auditor needs somewhere in the region of 9-12 days training to cover all three systems effectively – more so if you process/environmental/safety hazards are more complex or change often.

So before you try to get your team to become super integrated auditors, just consider the time, investment and benefits of conducting integrated versus separate system audits.

Is air travel that bad?   Our increased use of air travel (in particular short haul flights) is actively being targeted by pressure groups and governments alike- but is it really the worst offender in terms of carbon foot print?   And should we be targeting a reduction in air travel as a way of improving our environmental impact?   May be not…

Dirty great carbon foot prints

I have a friend who has signed a pledge to only take one flight a year and so having had her summer holiday last year she had to make another trip from London to Dublin to attend a wedding.

Because of her pledge, the trip involved driving a car to the ferry and also taking a train.   To settle a debate we were having, we sat down and worked out the full environmental impact of her trip versus taking a flight (the cold winter nights just fly by when you’re with a QCS environmental consultant!).

The result was, she would have had less of an impact if she had broken her pledge and taken the flight.   The guilty party was the car!

We’re getting there

According to  DEFRA guideline the following figures can be used as a guide to CO₂ emissions:

Plane: 0.13kg/CO₂ per km (Short Haul)

Car: 0.20kg/CO₂ per km (Average UK Car)

Train: 0.06kg/CO₂ per km

So rather than being the real villain of the story, air travel can produce less of a carbon footprint than a car.

Little and often

Cars contribute to 26% of your carbon emissions each year and with half of car journeys being less than 5 miles, any organisation should be targeting car use for both business miles and employees travelling to and from work, as it is highly likely that this is actually one of the most significant environmental impacts in your organisation.

Putting this in to practice

I am not suggesting that you buy a bike (although there is a government initiative that allows you to part fund bicycles for employees) or a company jet should be on your shopping list – but there are some simple steps that any organisation can take as part of your ISO 14001 objectives, to influence car use by employees:

• Introduce a travel policy that strongly encourages travel by rail whenever possible.
• Company cars – target a reduction in CO₂ emissions on all company vehicles including hire cars.   Ideally set a limit for the maximum allowed.
• Try and think of initiatives to promote car sharing to and from work – I know its not a new idea but sharing a car to work for a year would result in a saving of over 500kg of CO₂
• Discuss with HR to see if home working or remote working is an option to encourage – even if this is for certain occasions.

And finally – keep at it.   This is about influencing people to change which always takes time but with some effort it is a way of reducing a significant environmental impact, albeit an indirect impact, that you probably haven’t thought of.

It’s fair to say that when an audit has to be done of Section 5 (Management Responsibility) of ISO 9001, the question you can often be left with is how do I audit a management team?   Here is a list of audit questions to use in your organisation that will really test your ISO 9001 compliance (we have included the ISO 9001 section number in brackets as a reference).

5.1 Management Commitment

• What is the process for conducting management review? (5.6.1)
• How is the Senior Management Team involved in this process? (5.1d)
• How are action plans developed following management review? (5.6.3)
• How are the resources needed to implement actions identified? (5.6.3/5.1e)
• What is Senior Management Team’s day-to-day involvement with the quality management system? (5.1)
• Do the Senior Management Team communicate importance of customer & regulatory requirements? (5.1a)
• Check for evidence of this communication & effectiveness throughout the organization
• What benefits have been derived from the QMS?

5.2 Customer Focus

• What is the Mechanism for identifying customer requirements (7.2.1)
• What is the mechanism for keeping up to date with statutory and regulatory requirements (7.2.1 c)
• Are customer expectations and requirements are reflected in product and service specifications?
• Is the quality policy is consistent with the requirements of customers (5.3)
• Are quality objectives are consistent with customer requirements (5.4.1)
• Do the product and service specifications provide customer satisfaction (8.2.1)
• Is there an effective process for communication with the customer (7.2.3)
• Is there evidence that customer satisfaction/perception data is being analysed (8.2.1 and 8.4)

5.3 Quality Policy

• Is there a quality policy and how was it developed? (5.1b)
• Is there evidence of senior management involvement with this (5.1b)
• Is the quality policy appropriate to your organization? (5.3a)
• Does the policy relate to the objectives of your organization? (5.3a)
• Does it include a commitment to meet requirements? (5.3a/5.2)
• Is it understood throughout the business?  (5.3d)
• What is important to your customers, and how do you know? (5.3.a/5.2)
• What will be the process for reviewing the quality policy? (5.3e)

5.4 Planning

• What is the process for establishing and reviewing quality objectives? (5.3.c)
• Check to what extent the Senior Management Team top management are involved in this (5.1c)
• View the current quality objectives – How were these objectives chosen? (5.4.1)
• Check how objectives link to - quality policy (5.4.1), analysed data (8.4/8.5.1), customer requirements (5.2), management review outputs (5.6.1), related business objectives (5.3)
• How are objectives established at throughout your organization? (5.4.1)
• How are objectives measured? (5.4.1)
• Is there evidence that objectives are being achieved?  If not, has appropriate corrective action been taken? (8.5.1)

5.5 Responsibility, authority & communication

• Are responsibilities and authorities communicated through your organisation? (5.5.1)
• Is there a Quality Management Representative appointed? (5.5.2)
• Does the Quality Management Representative communicate  performance to senior management? (5.5.2 b)
• Does the Quality Management Representative promote awareness of customer requirements? (5.5.2 c)
• Do senior management communicate objectives throughout your organisation? (5.5.3)
• Do senior management communicate QMS performance? (5.5.3)

5.6 Management Review

• Does your organisation perform management reviews? (5.6.1)
• Are records of these reviews maintained? (5.6.1)
• Does the review include: results of audits, customer feedback, process performance, product performance, status of preventive & corrective actions, follow up actions, changes and recommendations for improvement (5.6.2)
• Does the review result in decisions and actions to drive improvement? (5.6.3)

Hopefully this extensive list will give you all you need to thoroughly audit this part of ISO 9001 and achieve higher levels of compliance.

You may be using a handy man or a company with a prestigious reputation but if you use any contractor at all then you have a very clear responsibility to ensure the contractor is working safely, a lesson that Lincoln College have just learnt.

Recently, Lincoln College has been fined £1,500 after a window cleaner working at the college fell from a roof.   The window cleaner suffered broken ribs and a serious back injury as a result of the  accident and can now only perform  “restricted duties” in his job after months off work.

Lincoln College pleaded guilty to not carrying out a sufficient risk assessment during a hearing at the city’s Magistrates Court.

The HSE stated that the institution had failed in its legal duty to its contractors had not implemented proper procedures.   Organisations have a joint responsibility to carry out checks and “ensure the safety of all staff who work on site”.

What about the window cleaners employer?

The employer of the window cleaner – A Nicoll & Son Ltd, was prosecuted in October 2009 by the HSE, after pleading guilty to breaches of health and safety regarding the incident. The company was fined £2,500 and ordered to pay costs of £2,948.20.

So although the window cleaner was working for a ‘reputable employer’ the College still failed in their duty of care in the eyes of the law.

What can you do?

In simple terms whenever you use a contractor be it a gardener, window cleaner or someone performing a specialist ‘high risk’ job for you, your organisation has a duty of care to manage the contractor.

The HSE give guidance in this document

indg368 Use of Contractors

But in summary here are 6 things you can do to avoid a fine…

1. Recognise that you and the contractor are responsible for any work in your organisation.   Even if the contractor has a good reputation or is doing highly specialised work for you – you need to get involved before the contractor starts work.

2. Identify the job that is being done – quite often this be provided by the contractor and can take the form of a method statement which clearly spells out the extent and scope of the job.

3. Select the Contractor – make sure the contractor and the individual is competent and ask to see proof!   Competency will differ from job to job but try and find out what qualification is needed and then seek proof of qualification.

Make sure you keep this relevant – for instance in the case of the window cleaner you are probably not too interested if the cleaner is a ‘Member of the Institute of Chamois Leather Purveyors’ but more importantly – has the individual that is being sent to clean windows been trained in using ladders/working from height.

4. Make sure there is a ‘suitable and sufficient’ risk assessment.   Again you might not be the expert on this but you should always ask the contractor for a risk assessment or method statement before work starts.

5. Provide information & training – This is a difficult one because you probably expect the contractor to know all this.   In this case your duty of care is to tell the contractor anything about your organisation that might affect their job.

6. Manage and supervise – No you don’t have to watch your window cleaner doing the job but you do have a duty to check the method statement is being adhered to.

This may seem a long list for someone who you are paying to do something for you,  but a few simple steps will avoid a costly day out in court.

You might have been in a position when being audited by your certification body, when  you feel there is a new issue being raised that has not been raised before.   Does this mean that the auditor is using a different standard or different interpretation?   Not necessarily.

At the end of any certification body audit, the auditor reads out the standard disclaimer which includes the statement that ‘an audit is a sample and a snapshot in time’ and this sampling approach is one of the reasons why previous audits may not have raised the issue.

Other reasons for apparent inconsistencies may include…

• The auditor simply missed something during previous audits
• An auditor may have different knowledge experience and may be more specific about certain requirements
• The depth and scope of each audit can vary (as can the sample) so this may have affected what the auditor looked at previously

What to do…

Any good auditor should clearly state the ‘evidence and criteria not met’ when discussing a non conformity so make sure you fully understand the evidence being cited and the exact clause of the standard not being met.   Don’t forget you are well within your rights to ask ‘where in the standard does it say that’.

So although the issue of ‘we haven’t had an issue before’ can be raised, it should be clear exactly what the issue is with specific examples.

A process, ISO 9001 tells us is something which changes inputs into outputs but what exactly does this mean?   A process may well be a department or a key activity within a department.   For example ‘purchasing’ may be described as a process or the ‘production department’ may also be a process.

Processes should always be something that actually adds value to your organisation, but this may not be something that results in a product or service being delivered.

Internal Auditing for instance, is a process and should add value but does not result in your product or service being delivered.

To understand this more easily, when you first decide to do an audit, start by deciding on the following;

1. What is the ‘process name’
2. What are the ‘outputs’ (what does the process/task actually deliver)
3. What are the ‘inputs’ (what do you need to start the process)

This helps to clearly define the process and the scope of the audit.   Once this has been done you then need to look at the key factors affecting the process.

Key factors affecting a process…

The process approach to auditing requires you to fully understand not only the inputs, outputs and scope of the process, but also consider six key factors.

The importance of the six factors will vary depending on the individual process; for example, ‘machinery’ is likely to have less importance in an administrative process (e.g. Internal Auditing) than a product realisation process (e.g. Manufacturing or Service Delivery).

When preparing and performing a process based audit, you need to consider each of the following factors;

Manpower: Consider human resources needed including competence and training.   This should also include an understanding of any relevant authority and responsibilities.

Machinery: Consider any machinery and equipment required for the process including technical and maintenance requirements.   This factor should also consider any monitoring and measurement equipment and relevant calibrations.

Methods: Consider relevant methods and other documentation including records used in the process.

Materials: Consider any materials used in the process and also if relevant, the controls placed on relevant suppliers of materials.

Environment: This factor will include work environment considerations such as temperature, cleanliness, noise etc. and also infrastructure and support requirements for the process.

Measurement: If there are any performance indicators for the process these should be considered but if these are not obvious then always ask:

• How do you know the process is effective and efficient?
• How does the process deal with nonconforming situations?

By thinking about these six key factors before preparing for an audit, you will ensure a true process based audit will be performed.

This makes you a far more effective auditor because although ISO 9001 and your own procedures are important, it is easy to focus on compliance to these procedures and not actually ask the question ‘Is the process effective’.