Table of Contents INTEGRATED MANAGEMENT SYSTEM GUIDANCE

Transcription

1 Table of Contents INTRODUCTION... 3 THE CORE VALUES OF THE IMS... 3 IMPLEMENTATION & DEVELOPMENT... 3 TOP MANAGEMENT COMMITMENT... 4 RECOMMENDED INITIAL GOALS... 5 GAP ANALYSIS... 5 BUDGET & RESOURCES... 5 IMPLEMENTATION TEAM... 6 MEETINGS... 6 CHOOSING A REGISTRAR... 6 MANAGING THE CHANGE... 7 COMMON REQUIREMENTS MATRIX INTEGRATED MANAGEMENT SYSTEM GENERAL REQUIREMENTS Integrated Management System Manual Document & Data Control Control of Records CORPORATE POLICIES DEFINING YOUR POLICIES COMMUNICATING THE POLICIES SYSTEM PLANNING OCCUPATIONAL HAZARDS AND ENVIRONMENTAL ASPECTS LEGAL AND OTHER REQUIREMENTS OBJECTIVES, TARGETS & PROGRAMMES INTEGRATED MANAGEMENT SYSTEM Management System Planning Outsourced Processes RESPONSIBILITY & AUTHORITY Management Commitment Customer Focus Responsibility & Authority Management Representative Communication & Participation PROVISION OF RESOURCES HUMAN RESOURCES General Competence, Awareness & Training INFRASTRUCTURE WORK ENVIRONMENT OPERATIONAL PLANNING & CONTROL PRODUCT REALIZATION PLANNING CUSTOMER RELATED PROCESSES Determination of Requirements Related to Product Review of Requirements Related to Product Customer Communication DESIGN & DEVELOPMENT Planning Input Output P a g e 1 of 63

2 7.3.4 Review Verification Validation Control of Design & Development Changes PURCHASING Purchasing Process Purchasing Information Verification of Purchased Product PRODUCTION & SERVICE PROVISION Control of Production & Service Provision Validation of Processes for Production & Service Provision Identification & Traceability Customer Property Preservation of Product CONTROL OF MONITORING & MEASURING EQUIPMENT OPERATIONAL CONTROL OF ENVIRONMENTAL AND HEALTH & SAFETY ASSESSMENT & EVALUATION GENERAL MONITORING & MEASUREMENT Customer Satisfaction Internal Audit Process Monitoring & Measurement Product Monitoring & Measurement Evaluation of Compliance CONTROL OF NON-CONFORMANCES Control of Non-conforming Products Accident & Incident Investigation Control of Emergency Situations ANALYSIS OF DATA CONTINUAL IMPROVEMENT GENERAL CORRECTIVE ACTION PREVENTIVE ACTION MANAGEMENT REVIEW GENERAL REVIEW INPUT REVIEW OUTPUT HERE TO HELP KEY MANAGEMENT SYSTEM DOCUMENTS OPERATIONAL PROCEDURES FORMS & RECORDS CHECKLISTS P a g e 2 of 63

3 6.0 System Planning 6.1 Occupational Hazards and Environmental Aspects Occupational Hazards & Risks Before you set off upon your journey, an assessment will have to be made to identify any actual or potential hazards that may prevent you from reaching your ultimate destination (hazard identification and risk assessment) and your route adjusted to suit (risk control). Consideration will have to be taken when developing your company specific road map (policy statement) to the avoidance and elimination of such hazards. In order to plan for hazard identification, risk assessment and control; the organization must identify and control risks associated with identified hazards associated with routine and non-routine activities. Hazard identification and risk assessment form the core of the management system s drive for control and improvement. What is important at this stage; is to understand the terms hazard and risk; these terms are commonly used, interchangeably in everyday conversation. OHSAS defines hazards as those things which have the potential to cause harm, and risks as those things which relate to the potential for harm to actually arise. A simple example might be to consider the electrical supply in a building. Electricity itself represents a hazard and provided the supply is live, the risk of electric shock remains. These hazards and risks are best identified by understanding your business processes, identifying the tasks and activities where they arise and listing the inputs and outputs from each activity. The key features of this clause are: A procedure for identifying occupational hazards appropriate to a task Evaluating the consequent risks and deciding which are significant Identifying a level of risk which the organisation considers to be tolerable Using this as a basis for setting objectives for improvement Keeping the risk assessments and any improvement objectives up to date This means that you need to document a procedure in sufficient detail to ensure a repeatable and consistent process. There is also a need to keep sufficient records to show that the procedure has been effectively applied. It must cover the following situations: Normal, i.e. current operations, planned maintenance activities (what happens most of the time) Abnormal, e.g. breakdown maintenance, out-of-control processes (planned but less frequent) Potential emergency, e.g. fire, explosion, spillages etc. (the things that could go wrong) Planned changes (the maintaining part of the requirement) Identifying Hazards & Risks These can represent a wide range of issues, but it is essential they are all considered because your whole SMS will be focused on the output of this identification process and ranking for significance. Auditors will test the process and its outputs for content, repeatability, accuracy, records, and later on, for the use of its outputs in focusing the direction and delivery of the management system. Five Steps to Risk Assessment 1. Look for hazards Walk around the work area, paying attention to activities and materials that have the potential to cause harm. Identify materials and substances; as well as equipment and tools. Observe activities in the workplace as well as how people perform the activities. Ask employees or representatives what they think and review applicable manufacturers health and safety data sheets. 2. Decide who might be harmed and how Groups of people that may be affected include operators, cleaners, contractors, maintenance personnel, members of the public, people sharing your workplace etc. Pay particular attention to young workers, inexperienced operators, disabled people, visitors and lone workers P a g e 16 of 63

4 3. Evaluate the risks and decide whether current controls are adequate Consider how likely it is that each hazard could cause harm by using risk ratings to prioritize risk. Determine whether or not you need to do more to reduce the risk and implement control measures (actions list) if the risks are not adequately controlled 4. Record your findings Keep written records for future reference in order to demonstrate compliance to legal requirements (e.g. manual handling, working in confined spaces) 5. Review risk assessments and revise if necessary Review and revise the risk assessment when there is any significant change (e.g. new hazards arise due to new machines, substances and processes). Regularly review the risk assessment to check that the precautions for each hazard still adequately control the risk and, if necessary, reassess the risk. Deciding which Risks are Significant Having identified all hazards and associated risks which could impact on occupational health and safety, the process of rating the risks for significance can be carried out. This crucial process, together with a thorough knowledge of legal and other similar requirements, provide the foundations of the management system. This assessment process is vital in determining the need for controls aimed at either reducing risk to levels deemed to be tolerable, or meeting the requirements of legislation. The significance level (or risk rating) should then be used to prioritise actions. Remember that the importance of this process cannot be overestimated. If you get this process wrong, the whole system will be suspect. Environmental Aspects & Impacts ISO Section 4.3.1, Environmental Aspects, requires organizations to establish and maintain a procedure to identify the environmental aspects of its activities, products or services that it can control and over which it can be expected to have an influence, in order to determine those which have or can have significant impacts on the environment. The term environmental aspects is defined in the standard as any element of an organization s activities, products or services which can interact with the environment, in laymen s terms, environmental aspects cause, or have the potential to cause, an environment impact, examples of environmental aspects include: Emissions to air via smoke or fumes Waste water discharge The potential for accidental chemical spill The generation of waste and disposal of waste The use of resources, including water and energy The use of recycled materials Noise and vibration An environmental impact is defined as any change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization s activities, products or services. A cause and effect relationship exists between environmental aspects and environmental impacts, respectively. For instance, an environmental aspect, or cause, can be the emission of volatile organic compounds (VOCs). The environmental impact, or effect, is ozone depletion. To comply with ISO Section 4.3.1, the following five actions should be taken: Identify all of your organization s activities, products and services Identify the environmental aspects of all activities, products and services that can be controlled or influenced Identify the environmental impact(s) of each aspect Establish and maintain a procedure or method to identify any new or modified environment aspect or impact Identify the most significant environmental impacts The identification of environmental aspects will form the foundation of your IMS. The aspects that have significant impacts on the environment will become the basis of your organization s objectives and targets; therefore, you will P a g e 17 of 63

5 want to be thorough in completing this step. Develop a list of the organization s activities, products, and services can be a difficult task. The activity, product, or service should be small enough to be understood, but large enough to be analyzed. Environmental Aspects The next step is to identify the environmental aspects for each activity, product and service. For each environmental aspect that is identified, you should list any quantitative information that is applicable. For instance, if an activity emits air pollutants, state the amount (i.e. 543 tons of CO 2 per year, or 3.5 Kg of particulate matter per hour). The following is a list of additional information to include, if applicable: Legal requirements Other relevant requirements Permits Record keeping requirements Pollution controls or treatment Best management practices Monitoring requirements Environmental Impacts The next step is to identify the environmental impact for each environmental aspect, list the environmental impact for each environmental aspect. As you complete this step, remember the cause-and-effect relationship discussed earlier. Please note that environmental impacts can be positive or negative. Examples of negative impacts include increased air pollution, potential contamination of the ground, or depletion of natural resources. Positive impacts can include conservation of natural resources, improved wetlands area, decreased soil erosion, and conservation of natural habitat. Significant Impacts ISO does not provide a standard or method with which to determine the significant impacts. Part of the reason for not establishing a standard or method is that the significance of each impact can vary for each organization based on various factors and concerns. The significance of each impact can vary for each organization based on the listed concerns. The standard lists several environmental and business related factors and concerns to consider when evaluating the significance of each environmental impact: Environmental Concerns: The scale of the impact The severity of an impact or a potential impact The probability of occurrence The duration of impact The frequency of an impact or a potential impact The location of facility Business Concerns: The potential regulatory and legal exposure The difficulty of changing the impact The cost of changing the impact The effect of change on other activities and processes Any concerns of interested parties The effect on the public image of the organization P a g e 18 of 63

6 Procedure to Control Aspects, Impacts, Hazards & Risks To meet the requirements of the standard, your organization must establish and maintain a procedure to continually identify environmental aspects, health & safety hazards and to evaluate the respective impacts and risks. This procedure must take into account both old and new activities, products, and services. For old elements, changes in legal requirements, environmental issues, or business issues may require that the aspect, hazard, impact and risk be re-evaluated. In addition, this procedure must enable the process owner to recognize a new activity, product, or service and evaluate its impact. For example, the procedure for maintaining aspects and impacts may require that the IMS Coordinator review the organization s environmental aspects and impacts every six months. The IMS Coordinator may also want to require certain department managers, such as production manager(s), to report any new or modified activities, products, or services to maintain the list of environmental aspects and impacts and health & safety hazards and risks. Supporting documentation: Ref. Title & Description ISO 9001 ISO OHSAS OP03 Identification, Evaluation and Control Procedure Legal and Other Requirements Legal and other requirements, states that organizations must: establish and maintain a procedure to identify and have access to legal and other requirements to which the organization subscribes directly applicable to the environmental aspects and the health and safety hazards of its activities, products, and services. Before addressing the specific requirements, the term legal and other requirements should be clarified; legal requirements include all national and EU regulatory requirements that are related or applicable to your operations and includes all corporate policies and regulations. This definition also includes administrative requirements, such as permits, records, reporting, and plans. Other requirements encompass voluntary requirements that the organization commits to meeting, e.g. industry codes of practice. Certification does not require your organization to volunteer for other requirements. However, if an organization previously volunteered or subscribed to other requirements, it must meet the stipulations for that other requirement or programme. This is also true for other requirements that an organization plans to volunteer for or subscribe to in the future. To comply, the following three actions should be taken: Identify the legal requirements applicable to your organization Identify other requirements that your organization subscribed to or volunteered to meet Provide access to legal and other requirements for employees who may need this information Establish a procedure to identify legal and other requirements applicable to the environmental aspects and the health and safety hazards of your organization Your organization should determine the best sequence in which to complete these actions. Some organizations find trial and error is minimized by first identifying the legal and other requirements and then establishing the procedure. Identifying and Tracking Legal and Other Requirements The introduction of new legislation and changes to current legislation can be monitored through following sources: NETRegs service Recycling envirowise.wrap.org.uk Environment Environment Environment and Health & Safety Health & Safety Health & Safety Relevant publications and professional bodies P a g e 19 of 63

7 Supporting documentation: Ref. Title & Description ISO 9001 ISO OHSAS OP04 Legal & Other Requirements Procedure Objectives, Targets & Programmes An effectively implemented integrated management system aligns the policies with strategic and management system objectives and provides the framework upon which to translate these objectives into functional targets. The goaloriented framework depicted in the diagram below demonstrates how goals established at the uppermost levels of the organization flow down through the integrated management system to influence functional and personal objectives and targets. Objective Development Flow: Quality Policy Quality Objectives Strategic Goals OHSAS Policy OHSAS Objectives Functional Objectives and Targets Environmental Policy Environmental Objectives Establish and maintain documented QEH&S objectives and targets, at each relevant function and level within the organization. The objectives and targets establish an important link between the policies and the management programmes. The objectives and targets must be consistent with the QEH&S policies, including the commitment to prevention of pollution and continual improvement. Depending on the size, management structure, and other factors pertaining to your organization, the objectives may be established and reviewed by various personnel and with direct top management input. Objectives Objectives are a clear requirement in their own right as opposed to being just a part of the policy. They must be established in support of the policy and focus on meeting product requirements and achieving continual improvement. The translation of the QEH&S policy into practice is made by defining the supporting objectives. ISO 9001 does not specify how the objectives should be documented; they could be documented in business plans, management review outputs or within the IMS manual. QEH&S objectives are not static and should be updated in view of the prevailing business climate, customer expectations and continual improvement activities. Don t be afraid to revise your objectives, but as always; ensure that personnel are made aware that they have changed! It is worth remembering that even partial achievement of a quality objective demonstrates continual improvement. A recent survey of over 1400 companies reveals the popularity and variance of objectives. The findings and revealed that achieving customer satisfaction is often a primary objective, closely followed by the reduction of defects and customer complaints. These are all good examples of a customer-centric philosophy that can be transposed to and adopted by any organization. Remember that there is a clear link between the proactive revision of the QEH&S policy, the development of objectives and the commitment of the organization to continual improvement. Incorporate the objectives into the reporting process. Clearly defined objectives should also be closely linked to your key performance indicators (KPIs) or other pre-existing indicators; otherwise they become meaningless. KPIs should measure project or organizational performance. This information can be used for benchmarking purposes and constitutes a key component of any organization s approach to achieving best practice P a g e 20 of 63

8 Targets Targets are short-term goals that move toward achieving QEH&S objectives and are a detailed performance requirement, quantified where practicable, applicable to the organization, that arises from the QEH&S objectives and that needs to be set and met in order to achieve those objectives. Targets must be specific and measurable, and they must be assigned a specific time-frame for completion. An example of an environmental target might be a reduction in CO 2 emissions by 30 % percent next year. For each objective, you will need to establish at least one target. In some cases, several targets may be established to achieve an objective. For example, if the objective is to reduce the amount of harmful air emissions, at least one target must be established to meet this objective. Even though it is not required, you may want to look at each operation that produces air emissions and evaluate the possibility of establishing a target for each operation. Establishing Objectives & Targets Objectives and targets can apply to an entire organization, can be site-specific, or can be specific to individual activities. The appropriate level(s) of management personnel should define the objectives and targets. In some cases, personnel who set objectives may not be the same as those who set targets. Remember that the objectives are the overall goals as reflected in the principles established in the policy. The scope and number of the objectives and targets must be realistic and achievable. Otherwise, the success and continued commitment from top management and employees will diminish. Consider the factors below, as you begin to formulate your objectives: Legal and other requirements Significant aspects (aspects directly related to significant impacts) Significant hazards (hazards directly related to risks) Technological options Financial, operational, and business requirements Views of interested parties Performance Indicators Targets must be quantified where practicable and the units that are used to quantify the targets are referred to as key performance indicators (KPIs). A KPI is defined as an expression that is used to provide information about management system performance. The following are some examples of KPIs: The quantity of raw material or energy used The amount waste produced The number of incidents/accidents The percentage of waste recycled Investment in environmental protection Carefully consider the type of KPI you choose to use. Suppose your organization establishes a target to reduce its nonhazardous waste by 40 % and the KPI you choose is the total tonnage of waste produced each year (tons/year). If your organization triples its production of units and reduces the amount of waste by 50 % percent per product unit, the KPI, tons per year, does not show the reduction. In this case, the better KPI would have been the weight amount of waste per product unit (Kg per unit). In many cases, measuring against the production units proves to be more accurate. The following is an example of an objective with a specific of a target and an environmental performance indicator: Objective: reduce energy required in manufacturing processes Target: achieve 15 % reduction of energy usage by 2014 Indicator: quantity of electricity per production unit (kilowatt/unit) Management Programmes Organizations are required to establish and maintain one or more management improvement programmes for achieving their objectives. The management improvement programme is a key element to the success of the IMS P a g e 21 of 63

9 Properly designed and implemented, management programmes should achieve the objectives and, consequently, improve your organization s performance. The management programme must: 1. Address each objective and target 2. Designate the personnel responsible for achieving targets at each relevant function/level of the organization 3. Provide an action plan describing how each target will be achieved 4. Establish a time-frame or a schedule for achieving each target The management programme is an action plan or a series of action plans to achieve an objective. Action Plans An action plan is a detailed plan for the implementation of several tasks in order to achieve each target. An action plan should be established for each target. Action plans should include: Specific actions in order of their priority Cost parameters Progress analysis Necessary modifications Establishing an action plan for each target may require considerable effort on the part of the personnel at relevant levels within the organization. To ensure the progress of the action plan and a coordinated effort, a target leader should be selected for each target. The target leader will be responsible for ensuring a target is achieved within the specified time-frame. Once the action plan is established, you must implement it. You may find that the following suggestions will help foster a cooperative effort in accomplishing the plan: Involve your employees early in establishing and carrying out the action plans Communicate the expectations and responsibilities laid out in the action plans to those who need to know Build on the plans and programmes you have now for QEH&S compliance Keep it simple Focus on continual improvement of management programmes over time New Activities, Products, or Services The integrated management programme should be revised regularly to reflect changes in your organization s objectives and targets. Track all new or modified operations, activities, and/or products in case the management programme needs to be amended to reflect these changes. Supporting documentation: Ref. Title & Description ISO 9001 ISO OHSAS OP05 Objective, Targets & Programmes Procedure Integrated Management System Management System Planning It is the responsibility of the management representative to ensure organizational changes and their subsequent consequences are identified and defined, that changes resulting from planning activities are coordinated and implemented in a controlled manner, that changes to the integrated management system are documented, implemented and approved, and that the IMS is properly maintained during these changes. Undertake integrated management system planning to ensure: The on-going development of the IMS to meet the requirements of 4.1 The on-going development of QEH&S policies and objectives 5.2 & 6.3 Processes and resources exist to identify characteristics at different stages 6.6, 6.7, 7.1, & P a g e 22 of 63

10 The ability to proactively review and improve the IMS & 10 Verification activities, determine criteria for acceptability 7.6 & 8.1 Each department manager should develop and maintain a process map, flow chart, quality plan, operating procedure, etc., that show the workflow of the department as well as referencing evidence of compliance with the requirements of the management system. If your organization outsources certain processes or has a requirement for strict control over its supplied product, it might be appropriate to establish a quality plan. This defines the quality practices, resources and activities relevant to the product to be designed or supplied whilst also establishing how the requirements for quality are to be met. The quality assurance requirements are then implemented through the use of this plan in conjunction with the manufacturer s quality manual and operating procedures. This plan further includes, but is not limited to the following key activities, as appropriate, in meeting the specified requirements for the products, projects or contracts. The preparation of the quality plan might include: The identification of processes, resources, and skills needed to achieve quality The identification of suitable verification criteria at appropriate stages Demonstrating compatibility of design, production, inspection and testing The clarification of standards of acceptability for all features and requirements Details of calibration of any special measuring or test equipment to be used Outsourced Processes Outsourced processes must be controlled by the organization and these controls must be defined and described within their system. Organizations are required to identify the controls they apply for any outsourced processes. The facility IMS manual must identify if outsource processes are applicable. In addition, the client shall have written documentation on the methods used to control the outsourced processes. Examples of some outsourced processes are: 1. A process completed wholly or partially by a sister facility outside the scope of registration. Such as corporate performing design, purchasing or customer related processes, this includes management activities i.e. business planning, goal setting, resources, data analysis, budgeting, etc. This may include the entire element or a subsection i.e. corporate completes supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase orders. 2. A processes completed by an outside vendor or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc. These types of processes may be controlled by the purchasing process where a formal contract or purchase order may be the controls. If this is the case, written documentation would be the purchasing documentation and records however; these processes are required to be documented in the quality manual. If an outsourced process is controlled through purchasing, there must be documented objective evidence to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes. The organization is responsible to ensure that the outsourced process is meeting the applicable requirements to ISO 9001:2008. Outsourced processes may be controlled through such methods as, but not limited to: Auditing Contractual agreements Process performance data review on an on-going basis Purchasing process Ensuring control over outsourced processes does not absolve the organization of the responsibility for conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as: The potential impact of the outsourced process on the organization s capability to provide a product or service that conforms to requirements P a g e 23 of 63