ISO 14001 Quality System: September 2009

Wednesday, September 30, 2009

Business benefits of ISO 14000

Business Benefits Of ISO 14001
Any manager will try to avoid pollution that could cost the company a fine for infringing environmental legislation. But better managers will agree that doing only just enough to keep the company out of trouble with government inspectors is a rather weak and reactive approach to business in today’s increasingly environment-conscious world.
There is a better way. The ISO 14000 way. The ISO 14000 standards are practical tools for the manager who is not satisfied with mere compliance with legislation – which may be perceived as a cost of doing business. They’re for the proactive manager with the breadth of vision to understand that implementing a strategic approach can bring return on investment in environmentrelated measures. Implementing an ISO 14000-basedenvironmental management system, and using other tools from the ISO 14000 family, will give you far more than just confidence that you are complying with legislation.
The ISO 14000 approach forces you to take a hard look at all areas where your business has an environmental impact. And this systematic approach can lead to benefits like the following:
a. Reduced cost of waste managementb. Savings in consumption of energy and materialsc. Lower distribution costsd. Improved corporate image among regulators, customers and the publice. Framework for continuous improvement of your environmental performance.
The manager who is “too busy managing the business” to listen to good senseabout environmental management could actually be costing the business plenty. Just think, for example, of the lost opportunities for achieving benefits like those above.
The ISO 14000 standards are management tools that will help your businessachieve environmental goals that go way beyond acquiring a mere “green sheen”.

Requirements for Product Environmental Quality Assurance

All Mandatory Requirements for Product Environmental Quality Assurance need to be carried out in the following manner1. Establish a system that meets all requirements2. Ensure the system is stable and efficient.3. Document the processes and procedures4. Keep records of the system’s performance.
The assigned management of the supplier shall establish a system to prevent BannedSubstances from being used in the products and packaging.(1) To determine policies and methods for ensuring Product Environment Quality.(2) To assign a person to be in charge of managing Product Environment Quality(“Product Environmental Quality Management Representative”)(3) To establish an organization in managing Product Environment Quality,determine responsibilities, authorities, roles of each department and familiarize allmembers in each department with the importance of Product Environment Quality.(4) To establish a “Cadmium-Free Factory”(5) To review the adequacy and efficiency of the system.
Maintenance of the SystemThe supplier shall maintain the system in a condition to be able to respond to therequests for Product Environment Quality and instruction letters to suppliers),ensure the system is properly functioning.(1) Plan and carry out an internal audit at least once a year.(2) When Non-conforming Products or defects are found in the system, the suppliershall conduct an internal audit immediately.(3) The assigned management for Product Environment Products at the suppliershall revise the system according to the results of the internal audit if necessary.
Documents, Data and RecordsThe supplier should manage documents, verification data related to ProductEnvironment Quality.(1) Keep documents, verification data for three years or longer, if required by law.(2) Provide documents and verification data when requested.(3) Review the documents regularly and keep them updated instructions
Selection of Materials and PartsThe supplier has to comply with the following request when selecting material and parts.(1) “No Use of Banned Substances Allowed” (or equal) must be mentioned in allrelevant documents (specifications, blueprints, purchase orders, etc)(2) Materials must not contain any Banned Substances.(3) Only purchase Designated Raw Materials from Green Partners.

ISO 9000 Standards

ISO 9000 Standards
ISO 9000 is a written set of rules (a “Standard”) published by an internationalstandards writing body (International Organization for Standardization. The rules define practices that are universally recognized and accepted for assuring that organizations consistently understand and meet the needs of their customers.ISO 9000 is also highly generic. Its principles can be applied to any organization providing any product or service anywhere in the world.Since meeting customer needs is one of the (many) definitions of quality, ISO 9000 is often called a quality system or a quality management system. But the rules, referred to as requirements, go beyond quality matters as they are traditionally understood. The requirements fall roughly into the following types:
a. Requirements that help assure that the organization’s output (whether product, service, or both) meets customer specifications. (Making, and keeping, them happy.)
b. Requirements that assure that the quality system is consistently implemented and verifiable. (We must actually do what we say we are supposed to do. This must be verifiable via independent, objectiveaudit.)
c. Requirements for practices that measure the effectiveness of variousaspects of the system. (In God we trust; all others bring data.)
d. Requirements that support continuous improvement of the company’sability to meet customer needs. (We cannot sit still. We must strive to get better all the time, because customers change, and competitors gain strength.)
Nothing in ISO 9000 is new. The first edition, published by ISO in 1987, was drawn almost word for word from a British quality system standard. It in turn evolved from a long succession of written quality system specifications that had their ultimate origin in the defense and arms industries. Most of the practices required by ISO 9000 have been in use in industries of various kinds for decades. One intent of ISO 9000 is to simplify things for organizations. ISO 9000 strives to harmonize the sometimes conflicting, sometimes redundant quality programs that have traditionally been imposed by major corporations on their suppliers. (Note, however, that ISO 9000 is not meant to supersede customer, legal, or regulatory requirements.)
Very often, major customers require or strongly “suggest” that their suppliers implement ISO 9000 systems. Equally often, such customers require independent verification that suppliers are meeting the equirements.
So third-party registration bodies audit suppliers, confirm compliance to the ISO 9000 standard, and register the suppliers. It does not stop there. To stay registered, suppliers must undergo periodic (often semi-annual) surveillance audits, also carried out by their registration body.
Implementing an ISO 9000 quality system is neither cheap, nor easy. How costly and difficult it can be depends on:
a. The level of commitment of senior management. (The single most important factor.)
b. Where you are when you start. If you have already implemented a disciplined, documented quality system, you will have a less difficult time migrating to ISO 9000. (But that does not mean you will waltz to registration, either.)
c. Whether your company (or any part of it) is “design responsible” or not.
d. How much time you have. If you are under the customer’s gun and have merely months to get the job done, the process will be highly stressful.
e. The physical size and configuration of your company.
The bottom line is this. ISO 9000 is a comprehensive set of rules—a business system, really—that can cause the way your organization runs to profoundly change, almost always for the better. Yet, because it is often customer-mandated, many suppliers regard ISO 9000 as “just another hoop to jump through to keep our customers happy.”
They see their choice as swallow hard, pony up, and jump through the hoops; or walk away from the customer. What many do not fully appreciate is that implementing ISO 9000—expensive, exhausting, and annoying as it can be—can also have the salutary effect of improving the performance of your organization. Not just at first, but on an ongoing basis.

Goal and Scope of an ISO 9000 quality system

Goal and Scope of an ISO 9000 quality system
The ISO 9000 Standard states its goal in two blunt words: customer satisfaction.How do we achieve customer satisfaction? By meeting customer requirements.The quality management system (QMS) helps us to dothis by:
a. Applying the system. Actually using it. Putting it at the heart ofour organization.b. Continually improving the system. The QMS is never done. Afterall, customer requirements do not stand still—they evolve and grow tougher.So we have to improve continually in order to survive.
(The guidance document, ISO 9004: 2000, sets a compatibleand in some respects more ambitious goal: “improving theprocesses of an organization to enhance performance.”) Prevention of nonconformity. Prevention is the key term here: prevention,rather than detection. Quality management has longsince evolved away from the old “inspect quality in” approach.Prevention is cheaper, more effective, and more protective of thecustomer. Detection is also a different mindset. It requires a veryhigh degree of process orientation, upstream thinking, and relentlessanalysis.To what types of organizations does the Standard apply? Alltypes. The requirements “are generic and applicable to all organizations,regardless of type and size.” A compliant QMS can be implementedby any organization, producing any product or service,anywhere in the world.Within the organization, the impact of the requirements and theQMS are similarly broad. The Standard “applies to the activities of organizationsfrom the identification of customer requirements, throughall quality management system processes, to the achievement of customersatisfaction.” Every activity within the organization that impactsthe process of creating customer satisfaction is affected by therequirements of the Standard.

ISO 9000 registration or certification

ISO 9000 registration or certification
Registration is documented and objective evidence that an organization’squality system meets the requirements of ISO 9000.
Certification is a term often used interchangeably with registration.
In the context of ISO 9000, they mean the same thing. Registration isthe technically correct term for verification of compliance to standardsof quality systems. Certification usually applies to verification of thequality of products (as opposed to quality systems).
Registration is carried out by independent companies called registrars.These companies are:- Wholly independent.- Accredited by a recognized international accreditation body.- Selected, and paid, by you.
Registration can cover:- The sole location of a single-location organization.- Multiple locations of a multilocation organization.- Only certain parts of a multilocation organization (under certain conditions).- Separate locations under separate certificates. (This is a more costlyapproach.)The registration body audits your quality system against the requirementsof ISO 9000. It reports its findings in writing. These findings may (and usually do) include noncompliances (Question 96). Major noncompliances must be closed out prior to official registration.
When this has been done, the registration body:- Lists the organization’s name in its book of registered companies—in effect, registers the organization in its book.- Issues a certificate to the registered organization. This registrationincludes:— Identity of the organization.— Location(s) covered by the registration.— A list of products/services supplied by the registered locations.— Revision date of the Standard.— Registration effective dates.— Name and location of registrar.
Most registrars limit registrations to three years. After that, youmust renew your registration by undergoing another complete systemsaudit. Some registrars do not use the renewal approach. They simplykeep checking the system via surveillance audits.
Whichever the scheme, the organization, to keep registration, mustundergo a surveillance assessment every so often. Six months is the typicalinterval. Some registrars offer annual surveillance schemes (notrecommended except for firms with exceptionally well-implementedquality management systems). Surveillance assessments are scheduledevents (there is no such thing as a “surprise” surveillance audit). Onlypart of the quality system is checked at each surveillance. Usually, theregistrar does not disclose what part will be assessed until the day of theassessment, although some registrars will tell you everything up front.The entire quality system is usually checked via surveillance audits overthe course of three years.
There is no way to “fail” a surveillance assessment, just as there isno way to “fail” a registration audit—except by refusingto implement corrective action required by the registrar. Normally,registrars allow adequate time, but corrective actions must be done ina timely and agreed upon manner to keep registration.One final note: As mentioned, each registrar publishes a list ofthe firms it has registered to ISO 9000.

What is a quality systems registrar

What is a quality systems registrar
A registrar, or registration body (the preferred term), is sometimes called a certification body. (Accreditation bodies are entirely different—they are the entities that audit/approve registration bodies.)
There are some 573 registration bodies in operation worldwide, including52 in the United States.
The registrar is the organization that checks your quality system and confirms that it meets ISO 9000 requirements for a prescribed and agreed period of time.
To do this, the registrar:a. Audits your organization’s quality system to determine the degree of conformity to ISO 9000 standards. The audit is carried out:— On paper (desktop study).— On site (throughout your facility).b. Registers your quality system, assuming it conforms, to ISO 9000.c. Monitors conformity on an ongoing basis by means of regular reauditsand other methods.All quality system registrars perform these functions, with certainvariations. Registrars differ in two principal ways:a. Accreditation status.b. Scope of accreditation
Reputable ISO 9000 registrars are accredited by international accreditationbodies. These enforce a standard, EN 45012 (European Standard for Bodies Certificating Suppliers’ Quality Systems), that governs the processes that registrars follow. This standard is quite strict:a. Registrars must make their services available to all qualified supplierswithout imposing undue financial or other conditions, andmust administer their regulations in a nondiscriminatory manner.b. The registrar’s organization must not engage in activities that mayaffect its impartiality. For example:— It must not provide consulting services “on matters to whichits certificates are related” (i.e., quality systems). This requirementis superseded by the ISO 9000 restriction noted earlier.— It must not directly engage in commerce with firms that it hasassessed and/or registered.— Individuals involved in the registration process must not haveprovided consulting services to registration clients, or any relatedfirms, within the previous two years.— Its employees and agents must not engage in business activitiesthat would cause others to question the firm’s impartiality.— The registrar may not market consultancy and registrationservices together, and may not recommend consulting servicesto clients.— Auditors may not give advice as part of registration audits.— The registrar must provide the accreditation body with documentationof its employees’ qualifications.— The registrar must have appropriate facilities for carrying outits activities.— The registrar must have a quality manual and documentedprocedures. (Curiously, EN 45012 does not require that registrarsregister to ISO 9000!)— Registrars may not grant or renew certificates of registration until all major noncompliances are eliminated.
Another point of differentiation is scope of accreditation. All registrarsare not accredited, or approved, to register firms in any line of business. Each registrar is accredited to operate within the business or industrial sectors about which it has documented expertise. This is generically referred to as the registrar’s scope.

How long does it take to register to ISO 9000?

The time it takes to get ISO 9001 registered are varies. But it is talkingmonths here, not weeks. For one thing, you have to keep running yourbusiness. You cannot simply shut down while getting registered.The entire process can be broken down into the following generalphases:a. Implementing the ISO 9000 system.b. Operating it for the minimum time. (A minimum of three, andpreferably six, months before registration audit.)c. Selecting a registrar. This can be done during the registrationprocess, to save time.d. Interval between application and registration audit. This dependson the registrar’s backlog.
The time it takes to implement the ISO 9000 system depends in largepart on where you are when you start. If you already have any of thefollowing, implementation time should be relatively short:a. A documented quality system of any kind that is active, meaningful,but not necessarily compliant with any particular standard.b. Resources temporarily dedicated solely to implementing the system.c. The guidance of a good consultant
If you are starting from square one, implementation can take a longtime. (Unless you can shut down operations while implementing—butwho can do that?) Here are some other factors that can extend thetime it takes:a. Multiple locations.b. Head count.c. Whether or not you are design responsible.d. Corporate turmoil.e. Lack of ongoing, consistent, persistent top management commitment.This exhibits itself in a host of symptoms, including lack ofsufficient resources, other issues taking priority, vacillation, failureto pay attention, failure to learn and understand, and failureto lead.All that being said, experience has shown the following:a. On average, the shortest interval for the entire process—fromlaunch through registration audit—seems to be around 6 to 9months.b. At the other extreme, it’s been known to take 18 to 24 to 36months, even with significant resources and full managementcommitment.On average, for the typical organization (whatever that is), you arelooking at 10 to 18 months to get the job done.

What does ISO 9000 offer?

What does ISO 9000 offer? For one thing, it offers you continuedbusiness with customers who may be requiring you to register. That isa pretty strong benefit right there.These customers may never question your quality, but these customersdepend heavily on their main suppliers. They know they canimprove their quality and through-put, if you improve yours. Just because you are great does not mean you are as great as you couldbe. ISO 9000 mandates a continuous improvement system. Youcan wriggle and fudge, but if you implement that system and workit conscientiously, you cannot help but improve. Continuous improvementis not just a buzz term. It is an imperative. Just because you are great today does not mean you will be great tomorrow.Has your industry changed? Has your organizationchanged? A well-implemented ISO 9000 helps your organizationadapt to change. It brings independence of individuals and consistencyof practices—two features that tend to resist declines inperformance.
What else does ISO 9000 bring you? When well implemented, anISO 9000 quality system improves organization performance. That is,after all, the whole point. In cases where it does not, the fault tendsnot to be in the ISO 9000 process (its inherent deficiencies notwithstanding).When an ISO 9000 system does not provide substantial benefits andimprovement in performance, it is usually because managementhas consciously chosen to cut corners, blowsmoke,stay uninvolved, and starve the system of all but the most essentialresources. “We’ll do this stupid thing, but we’re sure not goingto change the way we operate.”ISO 9000 registration brings you one more thing that your organizationmay not have today: International credibility. ISO 9000 is deployedand practiced in nearly 100 countries around the world. Intoday’s ever-growing international economic climate, this is not a bademblem to have, however narrow the scope of your market today.

Policy and Procedures for Quality Assurance

Quality PolicyThe Institute seeks to ensure that the following standards, guidelines, requirements and procedures are adhered to:· European Standards and Guidelines for Quality Assurance in the European Higher Education Area;· All relevant HETAC Standards and Guidelines;· National Framework of Qualifications Standards;· Policies and Procedures approved by the Institute’s Academic Council;· All other relevant regulatory and professional requirements.The Institute also seeks to ensure that its education provision and services meet the requirements of its students in a learner centered and supportive environment.1.2 CommunicationThis Policy is published on the Institute website and communicated to stakeholders through email alerts. It will be formally published in Institute Yearbook from September 2009.1.3 ImplementationIt is the responsibility of the President, the Registrar, the Academic Council, Heads of School, Heads of Department and Heads of Function to ensure that this policy is implemented.1.4 MeasurementThe policy is measured by internal audits, Programmatic Review and external peer review.1.5 EvaluationEach quality process will be audited for compliance by the Registrar’s Office annually. This audit can include recommendations for minor changes to the process. The audit reports will be placed before the Academic Council.The Academic Council will conduct an evaluation of each process against national and international best practice on a three year cycle. The environmental scanning technique discussed in the Institute’s Self-Study 2009 will support this evaluation.1.6 Continuous ImprovementRecommendations for improvement will be generated through the measures indicated in 1.4 and 1.5 above. The implementation of these recomendations will ensure continuous improvement.1.7 Key Performance Indicators(i) Each of the seven areas identified under the European Standards and Guidelines will be revised on a three year cycle. See 1.8 below.(ii) Best practice will become an embedded feature of the process and external peer review reports will testify that minimum standards are surpassed.
1.8 Goals and Objectives

PRELIMINARY GAP ANALYSIS FOR ISO 9001:2008

Quality Management System Preliminary Gap Analysis
Decide on a number from 0 to 5 for each item below. The scoring criteria are given in a table at the end. 1 to 5 Make notes to explain your score for future reference.
1. Have you established, documented, implemented and now maintain a Quality Management System (QMS) to any system including ISO 9001?
2. Have you identified the processes needed for your QMS and
a. the sequence of your production and service delivery processes,
b. the criteria and methods needed to ensure the processes are effective, and
c. have the resources and the information you need to support the processes?

3. Do you have
a. a Quality Manual including your Quality Policy and quality objectives, and
b. written procedures and work instructions?
4. Do your records provide evidence that your business processes are effective?
5. Is your Top Management committed to the development and implementation of a new QMS (i.e. based on the 2008 version of ISO 9001)?

6. Has your Top Management communicated the importance of meeting customer and other business requirements to all the employees?
7. Has your Top Management made a commitment to ensure your customers’ requirements are top priority?
8. Do your quality objectives include requirements for production and delivery?
9. Are your quality objectives measurable?
10. Have the responsibilities and authorities of managers and employees been defined and communicated to them?
11. Does your management have the drive and resources needed
a. to implement, and maintain a QMS and continually improve its effectiveness, and
b. to enhance customer satisfaction by meeting customer requirements?
12. Does your organization have procedures to select competent personnel for work activities?
13. Does your organization provide training or take other action to help develop your people?
14. Does your organization provide adequate:
a. buildings, workspace and utilities,
b. process equipment, and
c. supporting services such as transport or communication?
15. When you receive a customer order do you review it for
a. requirements specified by the customer, including the delivery and post-delivery activities,
b. requirements not stated by the customer but necessary for specified use or known and intended use, and
c. statutory and regulatory requirements related to the product?
16. Do you inform your customers concerning
a. product information,
b. enquiries, contracts or order handling, including changes, and
c. channels for customer feedback and complaints?
17. Does your organization plan and control product design and development activities?
18. Does your organization maintain records of design or development review, verification and validation activities and resulting action?
19. Does your organization inspect or otherwise confirm that purchased products, materials, components and services conform to your specified purchase requirements?
20. Does your organization select suppliers depending on how important the purchased product is for production?
21. Does your organization evaluate suppliers (subcontractors or vendors) based on their ability to satisfy your requirements?
22. Do you ensure production has
a. the information that describes the characteristics of the product,
b. the necessary work instructions,
c. suitable equipment, and
d. the monitoring and measuring devices needed?
23. Does your organization regularly confirm that your production and service processes are capable of consistently meeting your requirements?
24. Are parts, components, subassemblies and products identified throughout production or service delivery?
25. Are monitoring and measurement requirements clearly shown with the status of the product?
26. Where traceability is a requirement, does production keep records of unique product identification?
27. Do you care for and protect customers’ property under your control or being used by your people?
28. Do you look after your product (including the parts or components) during both production and delivery to the customer, by providing suitable identification, packaging, storage, preservation and handling?
29. Do you have instructions needed to identify inspection or monitoring activities to be done during production or service delivery and the devices to be used?
30. Is your measuring equipment:
a. Calibrated or verified at specified intervals, or prior to use?
b. Adjusted or re-adjusted as necessary?
c. Identified to enable the calibration status to be determined?
d. Safeguarded from adjustments that would invalidate the measurement result?
e. Protected from damage and deterioration during handling, maintenance and storage?
31. Does your organization monitor customer information that shows you have satisfied customer requirements?
32. Does your organization conduct internal quality audits at planned intervals?
33. Does your organization use suitable methods to monitor and, where practical, measure the performance of your processes?
34. Does your organization inspect or measure the characteristics of finished products and record the results?
35. Does your organization identify nonconforming products and review them for disposition?
36. Does your organization collect and analyze data to assess the suitability and effectiveness of the QMS?
37. Does your organization use data to evaluate or identify where continual improvement of the QMS can be made?
38. Does your organization continually improve the effectiveness of the QMS?
39. Does your organization take corrective action to eliminate the causes of problems and to prevent their recurrence?
40. Does your organization determine and eliminate potential nonconformities in order to prevent their occurrence?
To score this table:
0 – You do not understand what is required or believe it is necessary
1 – Your organization does not perform this activity
2.- You understand this activity is a good thing to do but do not do it
3 – You do this sometimes
4 – You do this but not very well
5 – You do this quite well.
Add all the points together.
150 – 200
You are almost ready to complete your ISO 9001 QMS and apply for certification/
registration.
100 – 149
You are ready to implement the QMS. This will likely improve your business results.
0 – 99
You have a lot to do but should begin. You could consider seeking help from a
consultant or specialist.

Improve your performance management with new version of ISO 9001

A quality management system enables you to manage your business processes effectively:
it is much more than a set of rules and procedures. When properly implemented and maintained, a QMS addresses the needs of your organisation and delivers tangible business benefits.
The new version of ISO 9001 has recently been published. One of the main aims of ISO 9001:2008 is to facilitate integration with other standards. Although there are no new requirements as such, there are some key clarifications to be taken into account.
There are three main objectives to the new standard:
Detail, clarify, improve the understanding of ISO 9001:2000 (previous version)
Improve compatibility with ISO 14001:2004 Simplify the way in which ISO 9001 can be integrated with other management system standards (such as OHSAS 18001)
There are no new requirements in the new standard:
The title, scope, and structure of the standard are unchanged
The process approach is confirmed
Compatibility with the latest revision of ISO 14001:2004 is maintained and improved upon
Preservation of the quality management principles included in ISO 9000:2000
There are five main areas to note. The relevant sections of the standard are noted in brackets.
1. A reinforcement of the notion of product conformity
2. Compatibility with other standards is evolving
3. A better understanding of outsourced processes
4. An editorial clarification of some requirements – for instance;
A reinforcement of the notion of product conformity2.3.4.
An editorial clarification of some requirements – for instance;A better understanding of outsourced processesCompatibility with other standards is evolving
• (6.4) work environment, including an explanatory note on work environment giving examples,
to help meet product conformity requirements
• (8.2.1) measurement of customer satisfaction, including a note broadening the scope beyond
satisfaction surveys to include other channels such as customer feedback5.
• (Introduction) the notion of risk
• (5.5.2) appointment of a management représentative
• (6.2.2) assessing the effectiveness of achieving compétence
• (8.5.2 et 3) assessing the effectiveness of corrective and preventive actions?
Some additional explanations regarding the requirements of the standard;An editorial clarification of some requirements – for instance;A better understanding of outsourced processesCompatibility with other standards is evolvingA reinforcement of the notion of product conformity

The Similarity between ISO 9001 and BS 7799-2

The Similarity between ISO 9001 and BS 7799-2
BS 7799-2:2002 is a specification for an Information Security Management System (ISMS). It is shortly to be upgraded to the status of a full
International Standard, and published as ISO/IEC 27001. The normative part of this standard has four sections and an annex . The requirements of the four sections are associated with the PDCA cycle. The annex defines all the controls that must be considered for generating the SOA. Thus the structure of BS 7799-2:2002, as will be ISO/IEC 27001, can be simply described as:
A PDCA framework;
An SOA.
ISO 9001:2000 is a specification for a Quality Management System (QMS). The normative part of this standard has five normative sections,
numbered 4 – 8. All of these requirements must be met in order to claim conformance with the standard, save for section 7 (Product Realisation),
where the standard states in paragraph 1.2 “Where exclusions are made, claims of conformity to this International Standard are not acceptable unless
these exclusions are limited to requirements within clause 7, an such exclusions do not affect the organisation’s ability, or responsibility, to provide
product that meets customer and applicable regulatory requirements”.
In Table 2 we relate the requirements of sections 4, 5, 6 and 8 to the PDCA framework. We treat section 7 as an SOA.
The BS 7799-2:2002 standard gives instruction on how the controls documented in BS 7799-2 Annex A are to be determined as being applicable or nonapplicable. In particular, if the control is applicable it must be justified in terms of the results of a risk assessment.
The controls listed in Section 7 of ISO 9001 may be excluded with justification. Thus, Section 7 of ISO 9001 may be treated in exactly the same manner as BS 7799-2 Annex A provided that applicable quality controls are also justified by
reference to a risk assessment. Conversely for an integrated MS, information security controls that are declared to be non-applicable should also be
justified as not applicable by reference to a risk assessment, in order to bring the two standards into line. Interestingly, this requirement was present in
BS 7799-2:1999 but was dropped in the 2002 revision.
The amalgamation of these two approaches in an integrated MS should not be seen as a disadvantage. The justification of non-applicable information security controls greatly simplifies the task of determining, given a change of threat or
business practice, whether a non-applicable control has now become applicable. The justification of Product Realisation controls by way of a reference to a risk assessment serves to remind us that, for many organisations, quality controls are not uniform across the whole organisation but are commensurate with the degree of risk involved.
For example, in the software business, a fixed price assignment with tight timescales to produce a bespoke software system has a greater risk than a
time and materials contract to supply programming staff, and the quality controls applied to management planning and reporting of the two projects would be very different.

BACKGROUND TO THE ISO 9001:2008 REVISION PROCESS

BACKGROUND TO THE ISO 9001:2008 REVISION PROCESS
In order to assist organizations to have a full understanding of the new ISO 9001:2008, it may be useful to have an insight on the revision process, how this revision reflects the inputs received from users of the standard, and the consideration given to benefits and impacts during its development.
Prior to the commencement of a revision (or amendment)to a management system standard, ISO/Guide 72:2001 Guidelines for the justification and development of management system standards recommends that a Justification Study” is prepared to present a case for the proposed project and that it outlines details of the data and inputs used to support its arguments. In relation to the development of ISO 9001:2008 user needs were identified from the following:
- the results of a formal “Systematic Review on ISO 9001:2000 that was performed by the members of ISO/TC 176/SC2 during 2003-2004
- feedback from the ISO/TC 176/Working Group on Interpretations,
- the results of an extensive worldwide “User Feedback Survey on ISO 9001 and ISO 9004″ by ISO/TC 176/SC 2/WG 18 and similar national surveys.
The key focuses of the ISO 9001:2008 amendment were to enhance the clarity of ISO 9001:2000 and to enhance its compatibility with ISO 14001:2004.
A tool for assessing the impacts versus benefits for proposed changes was created to assist the drafters of the amendment in deciding which changes should be included, and to assist in the verification of drafts against the identified user needs. The following decision making principles were applied:1) No changes with high impact would be incorporated into the standard;
2) Changes with medium impact would only be incorporated when they provided a correspondingly medium or high benefit to users of the standard;
3) Even where a change was low impact, it had to be justified by the benefits it delivered to users, before being incorporated.
The changes incorporated in this ISO 9001:2008 edition were classified in terms of impact into the following categorie
- No changes or minimum changes on user documents, including records
- No changes or minimum changes to existing processes of the organization
- No additional training required or minimal training required
- No effects on current certifications
The benefits identified for the ISO 9001:2008 edition fall into the following categories:
- Provides clarity
- Increases compatibility with ISO 14001.- Maintains consistency with ISO 9000 family of standards.
-

Improves translatability

Summaries of changes to ISO 14001

Summaries of changes to ISO 14001
ISO 14001 year 2004 changes are consider having some effect on EMS ISO 14001, the changes require reviewing the EMS and taking action for transition (information is under control of TC 207). Considering the most relevant changes in advancing / transition to ISO 14001 2004 standard includes (an overview for transition / implementation):
Clause 4.1, Scope – requires defining the scope of the EMS (environmental management system) linking to the organizations activities, products, and services (and processes). First consider defining the scope of the EMS within the “boundaries” of products, services, activities, and processes as these relate [for ISO 9001:2000 organizations consider requirement 4.1, and organizations implementing ISO 14001 may be helpful reading ISO 9001:2000 clause 4.1]. The previous indicates an overview on how the EMS fulfills ISO 14001 2004 [some thoughts are internal auditing, management system review providing that these link].
Clause 4.2, Policy – The scope of the EMS and its policy must be consistent. The requirements for the policy remains about the same, now explicitly indicating that must be developed by top management, and other explicit terms in tune with the 1996 version.
Clause 4.3.1, Environmental Aspects Identification – Changes involve in assisting to clarifying statements from 1996 version and the change of the “or” for “and” (within the scope of the EMS); “… products and services…” Control and influence are now mutually exclusive, whilst introducing planned and new developments… new and modified activities… Considering identifying significant aspects must occur from development, implementation, and maintaining the EMS (see 4.1). Information on environmental aspects needs be in documentation format.
To a more assertive statement, “… over which it can be expected to have…” changes to the following “…those which it can influence.”
Clause 4.3.2, Legal and Other Requirements – The wording changes to “legal” in better addressing context to different world regions. Consideration must be given with changes to clause 4.1, for development, implementation, and maintaining the EMS.
Clause 4.3.3 – No significant change.
Clause 4.3.4 – No significant change.
Clause 4.4.1 , Resources, Roles, Responsibility and Authority, please note that this is a new title. This title reflects the importance and relevancy of each term to the EMS. Some minor wording changes include from “…provide…” to “…ensure the availability…” Do not forget that this will require reviewing auditing, planning, and responding to emergencies.
Clause 4.4.2, Competence, Training and Awareness – Whilst using the same
terms in the title notice the change in sequence. This change reflects the expected order of importance of the terms-subjects. Also consider that introduces a new phrase that broadens the individuals within an EMS; “…persons working for, or on behalf of …” Combining these previous two sentences, provides for the organization to include not only relevancy to significant environmental aspects but as well extending to those working for or in behalf of the organization . (Note: also consider that training provider and supporting services are inclusive to 4.4.6).
Clause 4.4.3, Communication – In specifically addressing the European Requirements (EMAR / EMAS), if the organization decides communicating externally the environmental aspects (environmental performance), ISO 14001:2004 address this issue. This is strictly on a volunteer globally, realizing that within the European Union is require.
Clause 4.4.4, Environmental Management System Documentation – in pursuit
of continuing compatibility with ISO 9001:2000 the term applied is “Documentation.”
Thereof, consider this clause also in the light of ISO 9001:2000 when integrating
EMS and QMS. The EMS documentation and records must be those to ascertain
objective evidence on the effectiveness of implementing the policy, planning, and
execution (including improving), control of operations, verification, and control,
improving, and reviewing the EMS.
Clause 4.4.5, Document Control – Again, changing the title and wording reflects
compatibility with ISO 9001:2000. Other than compatibility between QMS ISO
9001:2000 and EMS ISO 14001:2004 there are no significant changes.
4.4.6, Operational Control – No significant change.
4.4.7, Emergency Preparedness and Response – The structure changes by
placing some of its already content in bullets to emphasize each as pointer for the organization to address.
4.5.1, Monitoring and Measurement – Best to see new clause 4.5.2.
4.5.2, Evaluation of Legal Compliance – This is a new clause
[Note: addressing the concern of many government entities / authorities on
their responsibility on environmental and social issues and EMS ISO 14001 1996].
This is construe as the most impacting change to ISO 14001 2004 – this “new” clause brings the last paragraph of 4.5.1 as a separate clause. This clause brings the importance of periodically reviewing legal requirements / compliance under which the organization ascribes. It implies provision of records to demonstrate that this review occurs. This requires that the EMS be review to address the requirements of this “new” clause.
4.5.3, Non Conformance, Corrective and Preventive Action – Includes clarifications ascertaining that prevention (measures or potential of non conformity)and corrective action are two occurring events (which may be mutually inclusive).
Thereof, “action to eliminate the causes of potential non conformities to prevent their occurrence” can lead to changes in your EMS procedures.
4.5.4, Records – States that organizations need records to demonstrate
implementation of procedures and achieving results. These must demonstrate complying with the EMS (procedures and results). Whilst record retention times are not specifically required, record retention needs being specified (consider legal requirements and contractual agreements such that provide a demonstrable sustainable EMS).
4.5.5, Environmental Management System Audit – Whilst there are no wording changes, auditing must be reviewed in the light and effect of other changes (such as 4.5.1, 4.4.2).
4.6, Management Review – The wording provides (more direct) compatibility with ISO 9001:2000, which includes inputs and outputs for reviewing the EMS. Addition includes reviewing for improving the EMS (from target and not merely objectives).
The advent of ISO 14001:2004 shall not require additional training, unless otherwise the organization decides for a short review presentation or an “IMS” (integrated management systems,” integration of management systems such as ILO-OSH, OSH.MS, OSHAS 18001, ISO 9001 and variants with ISO 14001.) It will require reviewing the EMS by management, (perhaps a gap analysis), acting on any changes, inclusive to auditing against ISO 14001:2004 before transition.

Summaries of changes to ISO 14001

Concept Of Quality – Historical Background
The concept of quality as we think of it now first emerged out of the Industrial Revolution. Previously goods had been made from start to finish by the same person or team of people, with handcrafting and tweaking the product to meet ‘quality criteria’. Mass production brought huge teams of people together to work on specific stages of production where one person would not necessarily complete a product from start to finish. In the late 1800s pioneers such as Frederick Winslow Taylor and Henry Ford recognized the limitations of the methods being used in mass production at the time and the subsequent varying quality of output. Taylor established Quality Departments to oversee the quality of production and rectifying of errors, and Ford emphasized standardization of design and component standards to ensure a standard product was produced. Management of quality was the responsibility of the Quality department and was implemented by Inspection of product output to ‘catch’ defects. Application of statistical control came later as a result of World War production methods. Quality management systems are the outgrowth of work done by W. Edwards Deming, a statistician, after whom the Deming Prize for quality is named.
Quality, as a profession and the managerial process associated with the quality function, was introduced during the second-half of the 20th century, and has evolved since then. Over this period, few other disciplines have seen as many changes as the quality profession.
The quality profession grew from simple control, to engineering, to systems engineering. Quality control activities were predominant in the 1940s, 950s, and 1960s. The 1970s were an era of quality engineering and the 1990s saw quality systems as an emerging field. Like medicine, accounting, and engineering, quality has achieved status as a recognized profession.

Concept of quality – historical background

Five Steps to Implementing ISO 14001:2004

ISO 14001 provides a logical, common-sense approach for
businesses to adopt. To start it is recommended to carry out an
environmental review of the business and the Annex to the Standard
provides guidance on the approach required. The Standard then
requires a management system to be developed that addresses the
key environmental issues that were identified by the review as being
relevant to the business, through a rational programme of control and
continual improvement.
There are five key steps to ISO 14001 EMS implementation, and
subsequent operation which are clearly laid out in just three pages of
text.
The five key steps are:
1. Environmental Policy
2. Planning
3. Implementation and Operation
4. Checking and Corrective Action
5. Management Review
Step 1. Environmental Policy
The company or organisation must write an environmental policy
statement which is relevant to the business activities and approved by
top management. Their full commitment is essential if environmental
management is to work. The ISO 14001 Standard clearly sets out
what to cover in the policy. Often a one page document is sufficient.
Produce a first issue and expect to amend it several times before
assessment and registration as knowledge grows in the company.
Step 2. Planning
Plan what the EMS is to address.
Environmental aspects
First make lists of the environmental aspects (issues) that are relevant
to the business. The environmental review mentioned earlier should
provide most of this information and the Annex to ISO 14001 provides
guidance on the format for doing this.
Consider the inputs, outputs and processes/activities of the business in
relation to;
a) emissions to air
b) releases to water
c) waste management
d) contamination of land
e) use of raw materials and natural resources
f) other local environmental and community issues
Consider both site (direct) and offsite (ie. indirect) aspects that you
control or have influence over (such as suppliers) and in relation to
normal operations, shut-down and start-up conditions and reasonably
foreseeable and emergencies situations.
A simple written procedure is then required to determine which of the
aspects identified are really or probably significant (important) and
training needs, outline the key stages of the project and dates that will
lead to the target achievement).
Gradually apply environmental management programme thinking to
such things as the introduction of new products, new or improved
processes and other key activities of the business. In particular,
ensure existing projects become environmental management projects
where there is a significant environmental impact involved, so that the
EMS becomes company wide. This is a frequent oversight found
during ISO 14001 assessments. The EMS must cover the whole
business – like a net thrown over the whole business and for example
including such things as engineering and maintenance
Step 3. Implementation and Operation
Structure and responsibility
Appoint one or more people, depending on the size of the business, to
have authority and responsibility for implementing and maintaining the
EMS and provide sufficient resources. (It’s worth monitoring costs
carefully and benchmarking these against key consumption figures so
that improvements delivered by the EMS become apparent).
Training, awareness and competence
Implement a procedure to provide environmental training appropriate
to identified needs for management, the general workforce, project
teams and key plant operators. This can have far reaching benefits
on employee motivation. The workforce is usually very supportive of
moves to achieve genuine environmental improvement. Every
company has its share of cynics but even some of these can be won
over with time. Training will vary from a general briefing for the
workforce to detailed environmental auditor training.
Communication
Implement procedures to establish a system of internal and external
communication to receive environmental information and respond to it
and to circulate new information to people that need to know. This will
include: new legislation, information from suppliers, customers and
neighbours and communications both with employees and for
employees about progress with the EMS. This process can often
generate worthwhile ideas from employees themselves for future
environmental improvements.
Environmental management system documentation
The EMS itself needs to be documented with a manual, procedures
and work instructions but keep it brief and simple. The Standard
clearly states where procedures are required. Eleven system
procedures are required to maintain the EMS, plus operating work
instructions but if you already have ISO 9000, this will cover most of six
of the procedures required and a quality system can certainly be
expanded to cover ISO 14001 as well. Cross reference the EMS
manual to other environmental and quality documents to link the EMS
and to integrate it with existing business practices.
Operational control
Implement additional operating procedures (work instructions) to
control the identified significant (important) aspects of production
processes and other activities. Some of these will already exist but
may need a ‘bit of polish’. Don’t forget significant aspects that relate to
goods and services from suppliers and contractors.
Emergency preparedness and response
Implement procedures to address reasonably foreseeable
emergencies and to minimise their impact should they occur. (eg. Fire,
major spillages of hazardous materials, explosion risks etc.)
Step 4. Checking and Corrective Action
Monitoring and measurement
Implement procedures to monitor and measure the progress of
projects against the targets which have been set, the performance of
processes against the written criteria using calibrated equipment (verify
monitoring records) and regularly check (audit) the company’s
compliance with legislation that has been identified as relevant to your
business. The most effective way of doing this is through regular
progress meetings.
Nonconformance and corrective and preventive action
Implement procedures to enable appropriate corrective and
subsequent preventive action to be taken where breaches of the EMS
occur (eg. process control problems, delays in project process, noncompliance
with legislation, incidents etc.).
Records
Implement procedures to keep records generated by the
environmental management system. The Annex to the Standard
suggests those that are likely to be required.
Environmental management system audit
Implement a procedure to carry out audits of each part of the EMS and
company activities and operations to verify both compliance with the
EMS and with ISO 14001. Audit results must be reported to top
management . A typical audit cycle is one year but more critical
activities will require auditing more frequently.
Step 5. Management Review
At regular intervals (typically annual), top management must conduct
through meetings and record minutes of a review of the EMS, to
determine that it is still appropriate and effective or to make changes
where necessary. Top management will need to consider audit
results, project progress, changing circumstances and the requirement
of ISO 14001 for continual improvement, through setting and achieving
further environmental targets.

ISO 9001:2008 Requirements – QMS

ISO 9001:2008 Requirements – Quality Management System
Establish, document, implement, and maintain a quality management system. Continually improve its effectiveness in accordance with ISO 9001 requirements. Implement the system to:? Determine processes needed for the quality management system (and their application throughout the organization)? Determine process sequence and interaction? Determine criteria and methods for process operation and control? Ensure resources and supporting information are available? Monitor, measure where applicable, and analyze these processes? Implement actions to achieve planned results and continual process improvementManage these processes in accordance with ISO 9001 requirements. Define the type and extent of control applied to any outsourced processes that affect product conformity to requirements.NOTE 1: Processes needed for the quality management system include the processes for management activities (see 5), provision of resources (see 6), product realization (see 7), and measurement, analysis, and improvement (see 8).NOTE 2: An outsourced process is a process the organization needs for its quality management system, and which the organization chooses to have performed by an external party.NOTE 3: Ensuring control over outsourced processes does not absolve your organization of the responsibility to conform to all customer, statutory, and regulatory requirements. The type and extent of control applied to an outsourced process can be influenced by factors such as:? Potential impact of the outsourced process on your organization’s capability to provide product that conforms to requirements? Degree to which the control for the process is shared? Capability of achieving the necessary control through the application of 7.4

ISO 9001:2008 Requirements – Documentation Requirements

ISO 9001:2008 Requirements – Documentation Requirements
Include in the quality management system documentation:? Documented statements of a quality policy and quality objectives? A quality manual? Documented procedures and records required by ISO 9001? Documents and records determined by the organization to be necessary for the effective planning, operation, and control of its processesNOTE 1: Where “documented procedure” appears within the Standard, this means that the procedure is established, documented, implemented, and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.NOTE 2: The extent of the quality management system documentation can differ from one organization to another due to:? Size of the organization and type of activities? Complexity of processes and their interactions? Competence of personnelNOTE 3: The documentation can be in any form or type of medium.4.2.2 Quality ManualEstablish and maintain a quality manual with:? Scope of the quality management system? Details and justification for any exclusions? Procedures or references to the procedures? Description of interaction between processes4.2.3 Control of DocumentsControl the documents required by the quality management system. Records are a special type of document and must be controlled as required by clause 4.2.4.
Establish a documented procedure to:? Approve documents for adequacy prior to issue? Review, update as necessary, and re-approve documents? Identify the changes and current document revision status? Make relevant documents available at points of use? Ensure the documents remain legible and readily identifiable? Identify external documents and control their distribution? Prevent obsolete documents from unintended use? Apply suitable identification if obsolete documents are retained4.2.4 Control of RecordsEstablish and control records as evidence of conformity to requirements and to demonstrate the effective operation of the quality management system.Establish a documented procedure to define the controls needed for record:? Identification? Storage? Protection? Retrieval? Retention? DispositionKeep records legible, readily identifiable, and retrievable.

ISO 9001:2008 Requirements – Management Responsibility

ISO 9001:2008 Requirements - Management Responsibility
All requirements in clause 5 are the responsibility of top management.5.1 Management CommitmentProvide evidence of management commitment to develop and implement the quality management system, as well as, continually improve its effectiveness by:? Expressing the importance of meeting requirements? Establishing the quality policy and quality objectives? Conducting management reviews? Ensuring the availability of necessary resources
5.2 Customer FocusEnsure customer requirements are determined and met in order to improve customer satisfaction.5.3 Quality PolicyEnsure the quality policy is:? Appropriate to the purpose of the organization? Focused on meeting requirements and continual improvement? Used as a framework for quality objectives? Communicated and understood at appropriate levels? Reviewed for continuing suitability5.4 Planning5.4.1 Quality ObjectivesEnsure quality objectives, including those needed to meet product requirements, are established at the relevant functions and levels within the organization. Ensure quality objectives are measurable and consistent with the quality policy.5.4.2 Quality Management System PlanningEnsure that planning for the quality management system:? Meets the general requirements (4.1), as well as, quality objectives (5.4.1)? Maintains the system integrity when changes are planned and implemented5.5 Responsibility, Authority, and Communication5.5.1 Responsibility and AuthorityEnsure responsibilities and authorities are defined and communicated within the organization.
5.5.2 Management RepresentativeAppoint a member of your management who, irrespective of other duties, has the responsibility and authority to:? Ensure the needed processes are established, implemented, and maintained? Report to top management on quality management system performance? Report to top management on any need for improvement? Ensuring the promotion of awareness of customer requirementsNOTE: The responsibility of a management representative can include being the liaison with external parties on matters relating to the quality management system.5.5.3 Internal CommunicationEnsure the appropriate communication processes are established and carried out within the organization regarding the effectiveness of the system.5.6 Management Review5.6.1 GeneralReview the quality management system at planned intervals to:? Ensure a suitable, adequate, and effective system? Assess possible opportunities for improvement? Evaluate the need for any changes to the system? Consider the need for changes to the quality policy and objectivesMaintain records of the management reviews.5.6.2 Review InputInputs for management review must include information on:? Results of audits? Customer feedback? Process performance and product conformity? Status of preventive and corrective actions? Follow-up actions from earlier reviews? Changes that could affect the quality system? Recommendations for improvement
5.6.3 Review OutputOutputs from the management review must include any decisions and actions related to:? Improvement of the effectiveness of the quality management system and its processes? Improvement of product related to customer requirements? Resource needs

ISO 9001:2008 Requirements – Resource Management

ISO 9001:2008 Requirements – Resource Management
6.1 Provision of ResourcesDetermine and provide the resources necessary to:? Implement and maintain the quality management system? Continually improve the effectiveness of the system? Enhance customer satisfaction by meeting customer requirements6.2 Human Resources6.2.1 GeneralEnsure people performing work affecting conformity to product requirements are competent based on the appropriate education, training, skills, and experience.NOTE: Conformity to product requirements can be affected directly, or indirectly, by personnel performing any task within the quality management system.6.2.2 Competence, Training, and AwarenessThe organization must:? Determine the competency needs for personnel? Provide training (or take other actions) to achieve the necessary competence? Evaluate the effectiveness of the actions taken? Inform employees of the relevance and importance of their activities? Ensure they know their contribution to achieving quality objectives? Maintain education, training, skill, and experience records
6.3 InfrastructureDetermine, provide, and maintain the necessary infrastructure to achieve product conformity. Infrastructure includes, as applicable:? Buildings, workspace, and associated utilities? Process equipment (both hardware and software)? Supporting services (such as transport, communication, or information systems)6.4 Work EnvironmentDetermine and manage the work environment needed to achieve product conformity.NOTE: The term “work environment” relates to those conditions under which work is performed, including physical, environmental, and other factors such as noise, temperature, humidity, lighting, or weather.

Wednesday, September 23, 2009

ISO 14001 And The Environment

The ISO 14000 family of International Standards on environmental management is a relative newcomer to ISO’s portfolio – but enviroment-related standardization is far from being a new departure for ISO.
In fact, ISO has two-pronged approach to meeting the needs of business, industry, governments, non-governmental organizations and consumers in the field of the environment.
On the one hand, it offers a wideranging portfolio of standardized sampling, testing and analytical methods to deal with specific environmental challenges. It has developed more than 350 International Standards (out of a total morethan 12000) for the monitoring of such aspects as the quality of air, water and soil. These standards are means of providing business and government with scientifically valid data on the environmental effects of economic activity.
They also serve in a number of countries as the technical basis for environmental regulations.
ISO is leading a strategic approach by developing environmental management system standards that can be implemented in any type of organization in either public or private sectors (companies, administration, public utilities). To spearhead this strategic approach, ISO establish a new technical commitee, ISO /TC 207, Environmental management, in
1993. This followed ISO’s successful pioneering experience in management system standardization with the ISO 9000 series for quality management.
ISO’s direct involvement in environmental management stemmed from an intensive consultation process, carried out within the framework of a Strategic Advisory Group on Environment (SAGE),set up in 1991, in which 20 countrie, 11 international organizations and more than 100 environmental experts participated in defining the basic requirements of a new approach to environment-related standards.
This pioneering work was consolidated with ISO’s commitment to support the objective of “sustainable development” dicussed at the United Nations Conference on Environment and Development in Rio de Janeiro in 1992.
Today, delegations of business and government experts from 55 countries have participate actively within TC 207,
and another 16 countries have observer status. These delegations are chosen by the national standars institute concerned and they are required to bring to TC 207 a national consensus on issue being addressed by the commitee.
This national consensus is derived from a process of consultation with interested parties.
From its beginning, it was recognized that ISO/TC 207 should have close cooperation with ISO/TC 176, Quality management and quality assurance, in the areas of management systems, auditing and related terminology. Active efforts are under way to ensure compatibility of ISO environmental management and quality management standards, for the benefit of all organizations wishing to implement them.