Auditing Documentation Control

November 11th, 2010

Although this is probably not the most exciting audit to do, it is worth performing an audit across your business from time to time to assess how documentation is controlled.

A question of risk…
It is important when planning your audit to look at the overall risk to your business posed by documentation control.   The fact is, no one has ever died because the wrong revision of the internal audit procedure was being used but some big mistakes have been made because the wrong specification was issued.

Of course system documentation is important, and yes, you will pick up nonconformities during certification body assessments for poor control of system documentation, but you also need to look at the control of all types of documentation in your business.

Typical documentation can include:

  • Quality Management Policy, Manual and Procedures
  • Operational Procedures
  • Operational Checklists
  • Training Documents
  • Documents sent to/used by customers
  • Bills of materials
  • Price Lists
  • Product & Test Specifications
  • Art work and packaging proofs
  • Service Level Agreements
  • Method Statements
  • Documentation sent to and from suppliers
  • Design documentation

 Also don’t forget external documentation – I often get told during audits that there aren’t any external documents only to find a long list of important documents that are not being controlled effectively.  

External documents may include:

  • Product/service legislation
  • Product/service design standards
  • ISO standards and other industry requirements
  • Customer policies and specifications
  • Service level agreements
  • Contracts
  • Customer designs

 For each type of documentation you should assess the core controls as identified in the check list below:

 For internal documents:

 Is there a documented procedure available to define controls for all document types identified?

1. Does this procedure identify who can approve and issue each type of document?

2. What is the process for updates and changes?

Are changes approved before issue?   Is this approval by the same ‘authority’ as the initial issue or has this changed?   If so is this adequate to control the document issue? 

Are documents reviewed from time to time to make sure they are still relevant and being followed?   If there is a review period is there evidence this is being followed or are documents out of date?

Are hand amendments allowed in the procedure and if so are these properly authorised? 

3. Does each document have a clear title/identification and is there a clear revision level for the document?

4. How are changes to documents communicated to the people who need to use the document?

5. How are documents of each type circulated? Are the right documents available at each point of use?

If this is controlled by a computer system, what happens if this system is not available?

7. Are any documents used at other/remote locations? If so how do you know the correct version is being used?

8. For external documents – what controls are in place to identify any updates to:

Legislation and standards?

Changes to customer designs and requirements?

Changes in any contracts/service level agreements?

9. What happens to obsolete documents?

When new documents are issued are you sure the old documents are removed from use?   Is it obvious which documents are obsolete or is there a chance of confusion?

Are old documents retained for reference and if so are these identified?

Document control is a process that requires auditing from time to time to ensure compliance and control business risk. Don’t forget, you can download the audit checklist below.

Document Control Checklist

Accidents…Do You Comply?

September 30th, 2010

This month, Checklist of the Month takes a look at your OHSAS 18001 system and how you investigate accidents and incidents.   The checklist looks at base compliance to OHSAS 18001 and also RIDDOR so should give you plenty to audit.    

The checklist is also available here for anyone who wants to download and audit.  

Sept Checklist Accident Investigation

Checklist…

1. Is there a documented procedure for the process?   Is it controlled? (4.4.4 & 4.4.5)

 2. Is the procedure defined for:

- Accident/Incident Reporting
- Investigation of any issues
- Corrective Actions
- Closure of actions and verification of effectiveness

(4.5.3)

3. Are accidents/incidents recorded and are records maintained?

For how long are records retained?

Note: check 3 years retention for any RIDDOR? (4.5.4)

 4. Are key people aware of accident reporting procedure & have they been trained? (4.4.2)

- Managers? First Aiders?

 RIDDOR Regulations 1995

5. Does the procedure define the requirements for reporting under RIDDOR?   Review records to ensure compliance?

 6. Does the procedure ensure that dangerous occurrences are reported under RIDDOR?

 7. Check that all accidents and incidents have been reported.

How is 3 day lost time calculated for any RIDDOR (exclude day of accident but include rest days)?

Other Issues 

8. Are accident and incident issues discussed at the H&S reps team meeting? (4.4.3.2)

9. Are accidents and incidents communicated to the organisation as required? (4.4.3.1)

10. Is accident/lost time data reviewed at management review? Have any trends been identified as a basis for improvement? (4.6)

Bonus Questions…

As mentioned, this checklist is all about base compliance to OHSAS 18001 and also RIDDOR (so you can use this for part of your compliance evaluation), but it does not cover things like near miss reporting, which is best practice, so it may be worth considering this in your audit. It is also worth a look to see if accident/incident actions feed back into the risk assessment process (and result in an updated risk assessment), as this really does help to complete the ‘Plan-Do-Check-Act’ cycle and also keeps your risk assessment ‘living’.

Internal Audit Best Practice

September 23rd, 2010

ISO 19011:2002 is the standard that covers the auditing of Quality and Environmental management systems and, after 8 years, the International Standards Organisation (ISO) is looking to revise this.

With a focus on enhancing the standard, ISO 19011 is now out for final comment and will be published next year.   This will include the following changes:

  • There will be more of a focus on internal auditing.   The standard at the moment covers internal auditing but has a focus on supplier and certification body (second and third party) auditing.   With the previous publication of ISO 17021, there is now a standard for certification body auditing and ISO 19011 should focus more on internal auditing.
  • ISO 19011 was originally published to cover Quality and Environmental auditing.   Over the last few years there are now many different systems to audit (Health & Safety, Food, Social Responsibility, Information Security etc) and ISO 19011 is being updated to reflect the differing competencies required to audit these systems adequately.    Competencies will include for instance knowledge of legal requirements, and other specialist areas such as waste minimisation, risk assessment and sustainability.
  • The concept of risk based auditing will also be included, whereby significant business risks (e.g. most important contract, most significant aspect and most significant H&S hazard) are prioritised for auditing.   Although you could argue this is nothing new, it is a step in the right direction to make sure internal audits continue to deliver value to any organisation.
  • Remote auditing is another area covered by the revised standard.   Although traditional face to face auditing is still favoured by many, the use of video conferencing and remote web based reviews are now covered in the revision.

It may be easy to dismiss the changes to this standard as custom and practice but ISO 19011 is used as the guidance for IEMA and IRCA auditor training courses so you should see these concepts filtering into training courses when the standard is published sometime in 2011.

Value Added Internal Audits

August 23rd, 2010

Check List of the Month

An audit of the audit system, I hear you say! Whatever next? Well, actually it is a mandatory requirement, but it often confuses people as to what they should actually ask during their ISO 13485 internal audit.

Here is a checklist that will allow you to thoroughly audit your ISO 13485 internal audit system.

The checklist can also be downloaded in checklist style below so that all you have to do is print the checklist out to use it as part of your audit.

ISO 13485 Checklist – Internal Audits 

Audit Programme

1. Is there an audit programme available, approved and communicated? (8.2.2)

 2. Does the audit programme cover all processes & clauses of ISO 13485? (8.2.2)

3. Does the audit programme cover processes (or does it tend to follow procedures within the system?).   (8.2.2)

 4. Does the programme reflect the results of previous audits & importance of process? (8.2.2)

5. Are auditors trained? Check training certificates/records. (6.2.2)

 Audit Procedure

 6. Review audit procedure (8.2.2) does this cover:

- Requirements for planning audits?
- Checklist preparation as a means to record objective evidence?
- Non conformity reporting including categorisation (e.g. Major/Minor/Improvement etc)?
- How corrective actions are agreed, verified and followed up?
- Requirements for auditor competency? (6.2.2)

Reporting & Records

 7. Are records of internal audits maintained? (8.2.2)

 8. Are these records maintained?   If so for how long? (4.2.4)

 9. Are records of any non-conformities and corrective actions maintained? (8.5.2)

 10. Are records of root cause and corrective action verification maintained? (8.5.2)

System Effectiveness & Improvement

11. Is the audit programme on track (or have some audits been missed this year?)   (8.2.2)

 12. Are corrective actions from internal audits closed in a timely manner?   How many overdue actions are there?   (8.2.2)

 13. Are audits reviewed at management review as a means to improve effectiveness? (5.6)

 14. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?

Value Added Internal Audits…

August 23rd, 2010

Check List of the Month

An audit of the audit system, I hear you say! Whatever next? Well, actually it is a mandatory requirement, but it often confuses people as to what they should actually ask during their ISO 9001 internal audit.

Here is a checklist that will allow you to thoroughly audit your ISO 9001 internal audit system.   It has references to ISO 9001, but this could be easily applied to OHSAS 18001 and ISO 14001 if required.

The checklist can also be downloaded in checklist style below so that all you have to do is print the checklist out to use it as part of your audit.

 Internal Audit Checklist 

Audit Programme

1. Is there an audit programme available, approved and communicated? (8.2.2)

 2. Does the audit programme cover all processes & clauses of ISO 9001? (8.2.2)

3. Does the audit programme cover processes (or does it tend to follow procedures within the system?).   (8.2.2)

 4. Does the programme reflect the results of previous audits & importance of process? (8.2.2)

5. Are auditors trained? Check training certificates/records. (6.2.2)

 Audit Procedure

 6. Review audit procedure (8.2.2) does this cover:

- Requirements for planning audits?
- Checklist preparation as a means to record objective evidence?
- Non conformity reporting including categorisation (e.g. Major/Minor/Improvement etc)?
- How corrective actions are agreed, verified and followed up?
- Requirements for auditor competency? (6.2.2)

Reporting & Records

 7. Are records of internal audits maintained? (8.2.2)

 8. Are these records maintained?   If so for how long? (4.2.4)

 9. Are records of any non-conformities and corrective actions maintained? (8.5.2)

 10. Are records of root cause and corrective action verification maintained? (8.5.2)

System Effectiveness & Improvement

11. Is the audit programme on track (or have some audits been missed this year?)   (8.2.2)

 12. Are corrective actions from internal audits closed in a timely manner?   How many overdue actions are there?   (8.2.2)

 13. Are audits reviewed at management review as a means to improve the business? (5.6)

 14. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?

Risk Management 200?

July 2nd, 2010

ISO 14971:2009 was published last year by BSI with three additional annexes to show links to the applicable device directive.   Read a summary of the new ISO 14971 annex for the MDD (Medical Device Directive) here.   ISO 14971 Update

So is it worth paying out for the new standard? – I will leave you to judge that one but in terms of the status of ISO 14971:2009, there is much confusion…

  • The BSI copy of ISO 14971:2009 has an ISO copyright of 2007 because it is the same document (except for the annex listed above)
  • The ISO online store does not list the 2009 version and states that the 2007 version is current
  • The European Journal (the source for all applicable harmonised standards) lists ISO 14971:2007 as the standard to comply with

So which standard do we list and use?   In terms of strict compliance the 2007 version is listed in the EU Journal and therefore is the prevailing harmonised standard to use.

Check list of the month

June 25th, 2010

In this month’s blog we are launching our checklist of the month.   This free service aims to give you a helping hand when it comes to performing your management system audits.

This month we are going to take a look at your ISO 9001 corrective action system.

This ISO 9001 internal audit checklist can also be downloaded here in a format that you can use directly in your audit.

Checklist

  1. Do you have a documented procedure for your CA system that covers the requirements of ISO 9001 8.5.2?
  2. Do you identify and define the sources of product and quality problems in your procedure?
  3. Do the sources of information include:
    1. Product (service) nonconformity/failure
    2. Do you have a documented nonconformity investigation procedure?   Does the procedure control and prevent the release of nonconforming product/delivery of service?
    3. Internal audits
    4. Customer complaints and feedback
    5. Process and quality issues
    6. Out of specification results
    7. Calibration failures
    8. Supplier issues

4. Does this procedure also include additional ‘containment action’ to control product/service that is currently being processed and to identify nonconforming product/service which may have been released/delivered?

5. Is the data in the CA system reported in an accurate and timely way?

6. Is the data in the CA analysed to identify actions to prevent the nonconformity from happening again?   Is the amount of time spent on investigating each CAPA appropriate for the significance of the issue?

7. Have actions from the CA investigation been identified and implemented to stop the issue from re-occurring? Are the actions appropriate for the significance of the issue?

8. Do you analyse trends of product and quality data to identify unfavourable process or product/service trends?   Have any trends been identified that may require CA?

9. Do you use statistical methods (where necessary) to detect recurring quality problems?   Are results analysed across processes to determine the extent of product/service and quality problems?

10. Do you communicate the information from CA across the organisation, including the review of this CA information in the management review?

CoSHH – Are you legal?

June 16th, 2010

You may well know that CoSHH assessments are required by the Control of Substances Hazardous to Health Regulations. However, many organisations still think that having a material safety data sheet on file is all that is required.

What are you using?

The first step in complying with the regulations is to review what materials/chemicals are being used – even if these are proprietary brands bought from a local hardware store.

Once you have a full list of chemicals/substances, then make sure you have an up to date Material Safety Data Sheet for each chemical.   The supplier of the chemical is obliged to provide you with one on request.

You will also need to keep this list up to date so think of an easy way for everyone in your organisation to update the list when a new material is ordered.

CoSHH assessment

The CoSHH assessment should include a review of the information on the material safety data sheet and also the application and frequency of use.   The assessment should then identify and document the following areas:

  1. Identify the hazard – e.g. corrosives, irritants, toxic etc.
  2. What are the control measures – identify what control measures are in place currently – don’t forget if exhaust ventilation is required then make sure records of this are maintained and this is performed on an annual (not exceeding 14 months) basis.
  3. Do you need to use the material or could you use a less hazardous material?  It is easy to forget this step but you are required by law to consider substitution/elimination of the material if it is hazardous.
  4. Do you need to consider additional control measures to comply with the recommendations in the data sheets?   If so make a note of these and decide on a timetable to introduce the improved control measures.

Other things to consider

For more hazardous substances you may need to do a more comprehensive assessment or even bring a consultant in to monitor and assess exposure levels.   As a guide, always review this need for any respiratory sensitisers, materials that can generate fumes or dust.

Check your equipment

An easy thing to overlook, but ask yourself – are the gloves or respirators you are using providing adequate protection? Is the extract system/Local Exhaust Ventilation (LEV) powerful enough?   Information for the correct equipment to be used can all be found on the data sheet.

If you use LEV then you also need to pay attention to test records.   These records by law should include the following information: extraction rates and confirmation that motors, ductwork, filters and alarms are working; operating performance of the LEV; testing methods used; details of any work carried out to adjust and test the LEV; and details and qualifications of the person carrying out the test.   This is a statutory record and must be kept for at least five years.

Don’t forget pregnant or nursing mothers

You may need to consider the needs of vulnerable workers in particular pregnant and nursing mothers.  If a chemical has the risk code R40, R45, R46, R61, R63 or R64, then you will have to prevent exposure of any pregnant or nursing mother to the material.   Don’t forget…Some chemicals are mutagenic which means that any women who may become pregnant should be made aware of the effects before potential exposure (this should include before they are pregnant).

HSE Resources

The HSE has some good resources to use – a summary guide to CoSHH can be downloaded here.   HSE COSHH Guidance

Super Integrated Auditor

June 15th, 2010

Recent research from NEBOSH  (The National Examination Board in Occupational Safety and Health) suggests  that more than 50% of health and safety managers are now responsible for managing quality and environmental issues at work.

The same is also true of internal auditors – there is now more and more pressure on auditors to audit the holy trinity of ISO 9001, ISO 14001 and OHSAS 18001 but ensuring competency for each system may be tough to achieve.   So what skills do managers and auditors actually need?

This question depends on your overall organisation and level of risk and complexity but here are some ideas of auditor competency that is needed for each system…

Quality Management Auditor

Assuming you are running an ISO 9001 system your internal audit team will need a two day internal audit course as a minimum.   It could help to send the team on a one day foundation course as well.

If asked the importance of the one day course – my advice is to rate the individual on a scale of 1-10 for ISO 9001 knowledge.   If they rate as a 1-3 then a one day foundation course is required… 4 plus and the individual should be able to comfortably achieve the two day internal audit.

If your organisation uses risk assessment techniques such as FMEA or other quality tools (SPC, Six Sigma, problem solving etc, etc) then it would also help for your audit team to be trained in these techniques.

Environmental Management Auditor

Once again the one day foundation course and two day internal audit course should be viewed as a minimum.   If you have a well developed aspect register and these tend not to change then this training may be enough, but an auditor must have an understanding of how to audit environmental aspects as well as procedures.

If you are using your audit system to evaluate compliance, then some kind of training for legislation would be useful in order for the auditor team to assess significant legislation effectively.

If you have more complex aspects, or aspects that tend to change (for example in construction sites), then more in depth training such as the IEMA Associates course will provide a good level of training.

Health & Safety Auditor

Similar advice to that of environmental management auditor – the OHSAS 18001 internal audit course will provide a good overview.

Legislation is important, as is an understanding of risk assessment so, as a minimum, an additional course such as the IOSH managing safely course will provide a good introduction to these areas.   If however your hazards are more complex and changing then a course such as the NEBOSH General Certificate should be considered.

Competency, awareness and training

So having hit your training budget is that all?   Not quite – don’t forget that an audit team needs regular exposure to auditing and as an ideal, initially conducting 4-5 audits with a more experienced auditor will be worth the investment in time to build the confidence and competence of an internal auditor.

This is not a sales pitch!

It’s easy to say that I would recommend extensive training for any auditor as that is the business of QCS International… the big however is that I often see organisations actually waste money by training people who then don’t use their audit training at all because they don’t feel confident enough to perform audits.   The worst case scenario is investing in some training only to find your audit team perform ineffective internal audits.

The bottom line is – an effective integrated auditor needs somewhere in the region of 9-12 days training to cover all three systems effectively – more so if your process/environmental/safety hazards are more complex or change often.

So before you try to get your team to become super integrated auditors, just consider the time, investment and benefits of conducting integrated versus separate system audits.

Planes, trains & automobiles

June 3rd, 2010

Is air travel that bad?   Our increased use of air travel (in particular short haul flights) is actively being targeted by pressure groups and governments alike – but is it really the worst offender in terms of carbon footprint?   And should we be targeting a reduction in air travel as a way of improving our environmental impact?   Maybe not…

Dirty great carbon foot prints

I have a friend who has signed a pledge to only take one flight a year and so having had her summer holiday last year she had to make another trip from London to Dublin to attend a wedding.

Because of her pledge, the trip involved driving a car to the ferry and also taking a train.   To settle a debate we were having, we sat down and worked out the full environmental impact of her trip versus taking a flight (the cold winter nights just fly by when you’re with a QCS environmental consultant!).

The result was, she would have had less of an impact if she had broken her pledge and taken the flight.   The guilty party was the car!

We’re getting there

According to DEFRA guidelines, the following figures can be used as a guide to CO2 emissions:

Plane: 0.13 kg CO2 per km (Short Haul)

Car: 0.20 kg CO2 per km (Average UK Car)

Train: 0.06 kg CO2 per km

So rather than being the real villain of the story, air travel can produce less of a carbon footprint than a car.

Little and often

Cars contribute to 26% of your carbon emissions each year and with half of car journeys being less than 5 miles, any organisation should be targeting car use for both business miles and employees travelling to and from work, as it is highly likely that this is actually one of the most significant environmental impacts in your organisation.

Putting this into practice

I am not suggesting that you buy a bike (although there is a government initiative that allows you to part fund bicycles for employees) or that a company jet should be on your shopping list – but there are some simple steps that any organisation can take as part of your ISO 14001 objectives, to influence car use by employees:

  • Introduce a travel policy that strongly encourages travel by rail whenever possible.
  • Company cars – target a reduction in CO2 emissions on all company vehicles including hire cars.   Ideally set a limit for the maximum allowed.
  • Try and think of initiatives to promote car sharing to and from work – I know it’s not a new idea but sharing a car to work for a year would result in a saving of over 500kg of CO2.
  • Discuss with HR to see if home working or remote working is an option to encourage – even if this is for certain occasions.

And finally – keep at it.   This is about influencing people to change which always takes time but with some effort it is a way of reducing a significant environmental impact, albeit an indirect impact, that you probably haven’t thought of.