Integrated Management Systems Diploma

This document provides an overview of integrated management systems. It discusses the need for integrating quality (ISO 9001), environmental (ISO 14001), and occupational health and safety (ISO 45001) management systems into a single structure. The main benefits of an integrated management system are increased effectiveness, cost reduction from having a single system instead of separate systems, and meeting multiple regulatory and customer requirements through one system. The document outlines the common approach to integrating these three widely-used ISO standards and provides the course structure for a diploma program covering integrated management systems concepts.

Uploaded by

Moataz Emad

Integrated Management Systems Diploma

Module 1: High Level Analysis on Integrated Management System (IMS)
After completing this module you will be able to:
• Explain the need for an Integrated Management System (IMS) for businesses.
• Discuss the fundamental concepts related to the Integrated Management System (IMS).
• Identify the different levels of integrated management system (IMS).
• Discuss the new ISO standards from an integration perspective.
• Assess the compatibility of ISO 14001, ISO 45001 and ISO 9001.
• Explain the benefits and constraints of various levels of integration.
• Compare the three common and widely used ISO management system standards and their sub-clauses.
• Outline the benefits of the integrated management system approach.

What is Integrated Management System?


An Integrated Management System is a single management system structure that companies use to
manage the processes or activities that convert inputs into a product or service which complies
with the organization's objectives and equitably satisfies the interested party's quality,
health & safety, environmental, security, ethical or any other specially identified requirement.
The term usually refers to the integration of quality (QMS), environment (EMS) and occupational
health and safety (OH&SMS) management systems, because companies normally integrate these three
systems. However, there is no defined rule: companies can integrate as many systems as they want,
according to their needs. This diploma course covers three systems, i.e. QMS, EMS and OH&SMS, for
the integrated management system (IMS).
The variables that determine the integration level are the operations, size, competition,
institutional setting and kind of system; all of these depend on the needs of the company, and
the needs in turn can be determined by these factors. Companies can adopt numerous management
systems: they can start from the Quality Management System and then opt for environment
(ISO 14001) and occupational health and safety (ISO 45001). They can then opt for other
management systems such as social accountability (SA 8000) or energy management (ISO 50001), or
other industry-specific systems such as the medical devices sector (ISO 13485). All of these are
adopted in an endeavor to enhance profit and move towards more sustainable development.

ISO - The Integrated Use Of Management System Standards (IUMSS)


So far ISO offers no standard on the subject of integrated management systems. However, ISO has
published a guidance handbook on the subject. The second edition of the handbook has been
released to support organizations of any industry, sector or size. The guidance helps companies
integrate the requirements of multiple management system standards into their management systems.

The Rise of MSS


Due to different business needs, the number of management system standards (MSS) has grown
drastically, reflecting the requirements of more and more companies looking to enhance their
performance across a wide spectrum of applications and sectors.

Role of ISO for IMS
From enhancing quality to managing energy efficiency, and from environmental performance to
minimizing road accidents, the implementation of management systems has increased rapidly in
recent years, reflecting increasingly complex working environments and contexts. The need for
continual improvement and sustained performance has led ISO to publish a handbook that assists
organizations in designing an effective management system that is robust and integrated, and
that can adapt and grow.

Some common and widely used management system standards are:


• ISO 45001 (Occupational Health and Safety Management System)
• ISO 14001 (Environmental Management System)
• ISO 9001 (Quality Management System)
• ISO 50001 (Energy Management System)

Industry specific or Application specific MSS:


There are other management system standards (MSS) which are industry-specific or application
based.
Examples of industry specific standards are:
• ISO 22000 (Food Safety)
• ISO 13485 (Medical devices)
• ISO 21001 (Education)

Examples of application-specific standards are:


• ISO 27001 (Information Security)
• ISO 37001 (Anti-bribery Management Systems)

Impact of MSS:
Unlike other types of product or process standards, management system standards (MSS) influence
many aspects of how an organization works, and more and more companies now have multiple
management system standards. ISO's comprehensive guide to integrating management system
standards is there to help companies.

Common Approach for Integrated Management System


The common approach to integrating management system standards is based on the integration of
the three most common standards, which are ISO 9001, ISO 14001 and ISO 45001.

ISO 9001:2015
ISO 9001 is the quality management system standard, and it specifies requirements for managing
quality through an organization's processes. The systems proposed by ISO 9001 cover many
requirements that are common to other management system standards as well, so only the specifics
of the other systems need to be incorporated. Some common requirements provided by ISO 9001 are
Clause 7.5 - documented information, Clause 9.2 - internal audits, Clause 9.3 - Management Review
etc. The basic framework is the same and only the specifics need to be addressed. For example, if
you need to design a management review system, you start with ISO 9001 and then add elements of
ISO 45001 and ISO 14001 as review inputs.

Chapter 2 of this course covers the requirements of, and guidance on, the ISO 9001 standard.

ISO 14001:2015

ISO 14001 is the environmental management system standard. It specifies requirements to manage
and improve environmental performance. The standard is commonly integrated with ISO 9001, and
because the latest versions share the same structure, this is now even easier.

Chapter 3 of this course covers the requirements of, and guidance on, the ISO 14001 standard.

ISO 45001:2018

ISO 45001 is the occupational health and safety management system standard. It specifies
requirements to manage and improve health and safety performance. The standard is commonly
integrated with ISO 9001 and ISO 14001, and because of the HLS structure in the latest standard,
it is now even easier to integrate this standard than it was with OHSAS 18001.

Chapter 4 of this course covers the requirements of, and guidance on, the ISO 45001 standard.

Diploma in ISO Standards - Integrated Management System (IMS) - Course Structure

The IMS diploma course covers different aspects of management system standards. The course is
divided into milestones and covers the concepts related to the integrated management system,
Quality Management System, Environmental Management System, Occupational Health and Safety
Management System, ISO Audit Protocols and finally the course assessment. Please note that,
except for the first milestone, each milestone also has a separate assessment. The final
assessment is based on the complete course work.
1. 1st Milestone: High Level Analysis on Integrated Management System (Current Module)

2. 2nd Milestone: ISO 9001:2015 - Quality Management System

3. 3rd Milestone: ISO 14001:2015 - Environmental Management System

4. 4th Milestone: ISO 45001:2018 - Occupational Health and Safety Management System

5. 5th Milestone: ISO Management System Audit Techniques

6. 6th Milestone: Course Assessment

Why Integrated Management System (IMS) is needed in Companies?


Companies and corporations integrate their management systems for various reasons. The main
reasons for opting for an integrated management system are as follows:

Increased Management System Requirement


There is intense external pressure on companies to subscribe to more than one international
management system standard. There are also some sector-specific standards. A few regulatory
bodies also require a specific management system; for instance, in America, the Occupational
Health and Safety Agency (OHSA) requires a management system for process safety. Moreover,
companies need to comply with the requirements enforced by their group headquarters, parent
company or customer standards. The company then faces the challenge of staying competitive while
also complying with all the system requirements. The only way to respond to all these challenges
is to have a single integrated management system.

Improved Effectiveness

An IMS emphasizes business requirements and offers enhanced value to the business, since the
company re-assesses requirements and does what is healthy for the business. The standards are
understood more comprehensively, so that the company complies with both the system requirements
and the organization's needs. The company-wide missions, goals and objectives are developed
through one management system. With a single well-designed management system, the company can
manage all requirements with improved effectiveness. This is why most companies implementing a
new management system have some kind of management system already in place. An IMS makes a
system more logical from a complete assessment of economy, functionality and transparency for
the management system users. The company will be at the forefront by enhancing its image and
credibility. It will prevent sub-optimization for individual systems, enhance utilization of the
organization's single system and lead to enhanced sustainability and integrated business
thinking in the company.

Cost reduction

If the company manages its management systems separately, it will have one system for quality
management, a separate system for health and safety, and another for the environment. All
internal audits, document control, management reviews and other common management system
functions will be managed separately. This means more resources are required to manage these
systems individually: more processes, more interactions, more external audits, more paperwork,
more document reviews etc. All such repeated activities incur some type of cost. A highly
integrated management system avoids the repetitive costs, additional resources, extra external
audits etc.

Less redundancy and conflicting elements


Integration manages the extensive business needs of a company by eliminating the redundancies
and conflicting processes that are usually present when multiple separate management systems are
used individually. The environmental department can take advantage of developed QMS core systems
such as calibration, document control, roles and responsibilities, and record management. The
environmental staff do not have to design systems that already exist; they can simply use them.
For functions that have a significant adverse environmental impact, operational procedures and
work instructions can be adapted to incorporate the important environmental process essentials.
This enables employees to understand the multiple requirements of different management systems
through one integrated procedure.

Constraints and Challenges for IMS
In an IMS, if two management systems are subject to third-party certification audits, a
non-conformance in one system may also be reported against the other. In the worst case, a
single major non-conformance will put both certifications at risk until robust corrective action
is taken. The management of extra procedures, documents, training and calibrations may exhaust
the support staff, so enhanced support resources may be appropriate. The fresh perspectives an
IMS brings may be unwanted and can result in conflict between existing groups and system
operators, and it can be difficult to maintain full implementation of the quality system
requirements alone. People resist change, and for that reason they will also resist the company
moving towards an IMS. Constraints on the application of an IMS depend on the company and can be
due to:

I. Absence of competency, skills and knowledge in the company.

II. People think that when systems are managed separately, each single system is given due
attention.

III. Security and comfort level with the existing, separately managed management systems.

IV. Where systems are managed separately in a company, people think they will lose the credit
for managing the systems relevant to them.

V. The management is short-sighted and has a one-sided emphasis on one area.

VI. The workers fear the IMS because they have to adapt to it and work differently.

Benefits and Advantages of IMS


The advantages of an IMS are many, regardless of the integration level, and may include:
• Enhanced operational performance.
• Improved cross-functional teamwork, cohesion and internal management.
• Synergy in terms of objective achievement and other areas of job functions.
• Higher motivation of staff.
• Minimized cost.
• Improved confidence of customers, employees and other interested parties.
• Fewer external and internal audits.

Bibliography
1. Organization, I., 2015. ISO 9001:2015, Fifth Edition: Quality Management Systems -
Requirements. Multiple. Distributed through American National Standards Institute (ANSI).

2. Organization, I., 2018. ISO 45001:2018, First Edition: Occupational Health and Safety
Management Systems - Requirements with Guidance for Use. Multiple. Distributed through American
National Standards Institute (ANSI).

3. Organization, I., 2015. ISO 14001:2015, Third Edition: Environmental Management Systems -
Requirements with Guidance for Use. Multiple. Distributed through American National Standards
Institute (ANSI).

Levels of Integration
This is the major concept of this diploma course, because the aim of the course is to let
learners understand how organizations can implement an IMS. These concepts enable organizations
to satisfy their requirements, and the different levels of integration have different goals,
objectives and advantages. Different experts have also described the levels of integration
differently. For instance, Hines (2002) described two levels of integration: alignment and
integration.

Alignment
This is when the similarities of the standards are used to structure the system. The purpose is
to reduce administrative and audit cost. There are still separate procedures for each system,
but all are placed together.

Integration

This is a complete integration of all significant procedures and instructions. The system is
embedded in the organization and there is close interaction with stakeholders. There is
therefore a focus on customers and continuous improvement.

What’s Missing?
The above two levels do not address all the relevant issues involved in integrated management
systems, such as cross-referencing.

Level of Integration
Jorgensen, Remmen and Mellado (2006) explain three levels of integration, which can be described
in terms of the synergy between customer quality, focus on the product, the environmental
management system and corporate social responsibility. The three levels are:

Correspondence Level
The correspondence level emphasizes the system aspect, due to enhanced compatibility among the
standards. This is similar to the alignment level discussed in the previous slide.

Generic Level
The generic level emphasizes the processes or the structure, due to coherence or coordination of
different processes. At this level there is a strong motivation for continuous improvement, and
the various processes are internally integrated with synergy. The generic level is similar to
the integration level discussed in the previous slide.

Integration Level
This is a more strategic and inherent level of integration, with an intensive focus on the
organization and its relationship with interested parties. It is more product-based and involves
integrated thinking in the various endeavors of the organization, not only internally but also
in external relationships. At this level there is a strong drive for continuous improvement.
This level is also similar to the integration level discussed in the previous slide.

Correspondence level of integration


As the different ISO management system standards have been revised, it has become easier to
combine their elements. This has been achieved by improving their compatibility in the following
ways:

HLS Structure and Compatibility within Standards
For correspondence between the various management system standards, ISO has introduced the HLS
(high-level structure), and most of the common international management system standards are
based on it:
- ISO 9001:2015 is based on a process model which focuses on continuous improvement, as shown in
the previous section. This is also the main foundation for the environmental and health and
safety management systems.
- ISO 14001:2015 was developed so as to improve coherence with ISO 9001:2015.
- ISO 45001:2018 was developed to be compatible with both ISO 9001 and ISO 14001.
- ISO 19011:2018 was developed as a common standard presenting auditing principles for quality,
occupational health and safety, and environmental management system auditing.

Cross reference
The ISO guide for integration was also published to improve cross-referencing between the
standard-developing committees and the markets using the common management system standards.
Hence, the starting point for integration is cross references, compatibility, and internal
coordination of the various segments of the management system. Cross references across different
management systems are imperative because they mean less work related to bureaucracy,
documentation, records and paperwork, less loss of efficiency in terms of time, cost and
resources, and easier internal and external audits.

For example, ISO 9001:2015, ISO 45001:2018 and ISO 14001:2015 all have similar requirements in
Clause 7.5 for documented information, so why make a separate procedure and document control
process for each management system?

Generic Level
At this level the stress is on the generic processes, or the cohesion processes, of the
management cycle. ISO 9001, ISO 45001 and ISO 14001 are generic because they can be implemented
in any sector, industry and organization.

Advantages
The benefits of the generic level of integration are:
• There is emphasis on synergies based on interrelations and balancing between the management
systems.
• Objectives and targets are developed, communicated, and synchronized.
• Organization and responsibilities for the different management systems are defined together.

Potential of Generic level integration
It also has the potential to raise environment, health and safety or corporate responsibility
higher on the organization's agenda if combined with ISO 9001 and organized in a coordinated
manner. In order to improve synergies and reduce trade-offs, a more integrated approach to
policy making is proposed, based on better regulation and on the guiding principles for
sustainable development adopted by the European Council of June 2005 (European Commission,
2007). This refers to the third level of integration.

Aspect of Generic level integration

The generic aspects of a management system comprise planning, policy, operations, internal
audits, corrective action, management review etc.
The generic processes of a management system are: leadership commitment, defining the policy
statement for the integrated management system, planning processes for defining objectives and
targets, developing procedures, conducting audits, enforcing documentation and records control,
enforcing control of non-compliance, carrying out corrective actions, and management review. An
emphasis on these generic integrated processes will ultimately make organizations more
innovative and focused on improving their performance.

Integration Level
This is a more challenging level than the earlier levels and comprises not only the internal
synergy of the IMS but also synergy with external interested parties such as suppliers. It
comprises a learning culture, continual improvement and the involvement of interested parties.
If properly taken up, it will drive continual improvement in terms of IMS performance, business
competitive advantage and enhanced sustainable development.
There are some preconditions for this integration level. These are:
• A common understanding and comprehension of internal and external business challenges. This
incorporates the company's culture, continual learning and robust involvement of employees.
These lead to a more challenging level of integration than just the common system elements
(i.e. correspondence) and the internal processes (i.e. generic level).

• A learning organization and a culture of ownership. It is imperative to have a learning
process in order to ensure enhanced design and restructuring of management systems, and thus
continuous adjustment to new business challenges.

• Interaction with interested parties is important. The new requirements in ISO 9001, ISO 14001
and ISO 45001 regarding the context of the organization give due importance to interested
parties and to understanding their expectations and needs. This can be done through
collaboration, conversation and maintaining transparency. It is vital to do this so as to
enhance quality, environment, health and safety and social responsibility across the whole
life-cycle.

Levels of Integration: Advantages & Requirements

There are different levels of integration, and each has its own significance, requirements and
importance. Companies adopt these systems based on their needs.
Bibliography
1. Jørgensen, T.H., Remmen, A. and Mellado, M.D. (2006) Integrated Management Systems - Three
Different Levels of Integration. Journal of Cleaner Production, 14, 713-722.

2. Hines F. Integrated Management Systems - inclusivity of approach or dilution of problems?
Poster presentation at 10th international conference of the Greening of Industry Network,
Sweden; 2002.

ISO 9001, ISO 45001 & ISO 14001 High-Level Comparison


ISO 9001 and ISO 14001 are the most widely used standards worldwide for quality management
systems and environmental management systems respectively. ISO 45001 is a recent release on
occupational health and safety management systems. Although all three standards were revised
within three recent years, i.e. from 2015 to 2018, ISO 45001 is the latest release, in 2018. All
three standards follow the same high-level structure, so it is very easy for organizations to
integrate all three standards or any two of them. To ease the process of integration, the course
presents a comparison matrix, or correspondence matrix, of the latest versions: ISO 9001:2015,
ISO 14001:2015 and ISO 45001:2018. The first three clauses are non-auditable and are there only
for guidance in all three ISO management system standards. The auditable clauses are Clause 4 to
Clause 10.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 4
In Clause 4, ISO 14001 and ISO 45001 are similar to each other to a larger extent than to ISO
9001. ISO 9001 has some additional requirements in Clause 4: it includes detail about the
generic Quality Management System (QMS) and its processes, and the need for documented
information for the integrity of the QMS. The organization can define an integrated scope for
all three management systems, keeping in view the health and safety and environmental
considerations. Moreover, the organization can have an integrated list of interested parties for
all three management systems and an integrated approach to identifying their expectations and
needs.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 5
Clause 5 presents various requirements, and again a slight variation is noted in ISO 9001: it
has additional requirements on customer focus and a customer-oriented approach for the QMS. For
these requirements, the organization can define an integrated management system policy that
covers the specifics of every management system standard. Similarly, roles and responsibilities
can also be defined with an integrated approach.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 6
As the comparison table shows, some requirements are specific and some correspond. As for the
correspondences, the organization can build an integrated process to take actions to address
risks and opportunities for all three management systems, using the integrated approach to the
context of the organization. The second correspondence concerns setting objectives and planning
actions to achieve them, so this can also be done with an integrated approach. The third
correspondence is slightly different: it is between ISO 9001 and ISO 45001, where Clause 6.1.3
of ISO 9001 and Clause 8.1.3 of ISO 45001 correspond with each other. An integrated approach
therefore needs a process to plan changes that considers both quality and health and safety
issues, along with controls for unintended changes. The clauses that do not correspond exactly
are Clause 6.1.2 of ISO 45001 - Hazard identification and risk assessment and Clause 6.1.2 of
ISO 14001 - Environmental Aspects Impacts Assessment. These can be managed separately at the
correspondence level; integrating these two processes is difficult. The fourth correspondence is
between ISO 45001 and ISO 14001, on clause 6.1.3 and clause 6.1.4.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 7
Clause 7.1 of ISO 9001 is very comprehensive and detailed, and it can serve as the foundation
for the other management system standards as well. Clauses 7.2 and 7.3 also correspond with each
other in all three standards, so an integrated approach can be developed.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 7
Although the clauses correspond, a slight difference of structure is noted in ISO 9001 compared
with ISO 45001 and ISO 14001. An integrated approach is possible for both clauses 7.4 and 7.5.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 8
Clause 8 has detailed specifics for the QMS, and some specifics for the OH&SMS and EMS. ISO
45001 and ISO 14001 match closely in Clause 8, with slight variations in the details of the
requirements and guidelines. However, ISO 9001 has additional requirements, such as the
requirements for products and services, which include customer communication, determination of
these requirements, and then a comprehensive review. All of these should be documented, and
changes to these requirements need to be controlled. Moreover, in Clause 8 the whole framework
of design and development is also needed for the QMS. Design and development contains six
different sub-clauses as requirements.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 8
ISO 9001 continues with its unique requirements in Clause 8. The additional requirements are for
control of externally provided processes, products and services. These requirements concern the
organization's control over suppliers, contractors and third-party providers. The basic business
operation for customers is covered in ISO 9001 under clause 8.5, which includes controls,
identification and traceability, control of property belonging to customers and other external
parties, preservation of products, controls for product or service release etc. There is also a
requirement for control of non-conforming outputs. It applies to service-oriented companies as
well, because outputs are not merely products but also services.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 9
Clause 9 corresponds closely among all three standards. Here as well, though, ISO 9001 has some
unique requirements for monitoring customer satisfaction. The remaining requirements on internal
audits and management reviews are much the same, except for some specifics which will be
elaborated further in this course when discussing the individual management system standards in
detail.

ISO 9001, ISO 45001 & ISO 14001 Comparison on Sub-clauses of Clause - 10
Clause 10 is also readily integrated, except for a minor distinction between ISO 9001 on one
side and ISO 45001 and ISO 14001 on the other. The distinction concerns health and safety
incidents or environmental incidents: in the Quality Management System, the standard does not
use the term incident; a possible nonconformity in the case of QMS can instead be a customer
complaint, internal defect, rejection etc. So an organization can have an integrated process for
reporting environmental, health and safety incidents, and a separate integrated process for
managing non-conformities arising through incidents, IMS audits, customer complaints etc.

Bibliography
1. Organization, I., 2015. ISO 9001:2015, Fifth Edition: Quality Management Systems -
Requirements. Multiple. Distributed through American National Standards Institute (ANSI).

2. Organization, I., 2018. ISO 45001:2018, First Edition: Occupational Health and Safety
Management Systems - Requirements with Guidance for Use. Multiple. Distributed through American
National Standards Institute (ANSI).

3. Organization, I., 2015. ISO 14001:2015, Third Edition: Environmental Management Systems -
Requirements with Guidance for Use. Multiple. Distributed through American National Standards
Institute (ANSI).

The main points from this module are as follows:


Integrated Management System (IMS)

An Integrated Management System is a single management system structure that companies use to
manage the processes or activities that convert inputs into a product or service that complies with
the organization's objectives and equitably satisfies interested parties' quality, health & safety,
environmental, security, ethical or any other specially identified requirements.

The variables that determine the level of integration are the operations, size, competition,
institutional setting and kind of system. All of these depend on the needs of the company, and the
needs can in turn be determined by these factors.
The Integrated Use Of Management System Standards (IUMSS)

So far ISO has not published a standard on the subject of integrated management systems. However,
ISO has published a guidance handbook on this subject, titled "The Integrated Use Of Management
System Standards (IUMSS)".
Unlike other types of product or process standards, management system standards (MSS) influence
many aspects and workings of an organization, and more and more companies now have multiple
management system standards. ISO’s comprehensive guide to integrating management system standards
is there to help companies.

The common ISO management system standards are:

- ISO 9001:2015
- ISO 14001:2015
- ISO 45001:2018

The common approach to integrating management system standards is based on the integration of the
three most common standards, which are ISO 9001, ISO 14001 and ISO 45001.

The Diploma in ISO Standards - Integrated Management System (IMS) is based on the following
milestones:
- 1st Milestone: High Level Analysis on Integrated Management System (Current Module)
- 2nd Milestone: ISO 9001:2015 - Quality Management System
- 3rd Milestone: ISO 14001:2015 - Environmental Management System
- 4th Milestone: ISO 45001:2018 - Occupational Health and Safety Management System
- 5th Milestone: ISO Management System Audit Techniques
- 6th Milestone: Course Assessment

An Integrated Management System (IMS) is needed in companies for the following reasons:

- Increased Management System Requirement
- Improved Effectiveness
- Cost Reduction
- Less Redundancy and Conflicting Elements

Constraints and challenges for IMS are:
- Absence of competency, skills and knowledge in the company.
- People think that when systems are managed separately, each single system is given due attention.
- Security and comfort level with the already existing management systems managed separately.
- Where the systems are managed separately in a company, people think they will lose the credit for
managing the systems relevant to them.
- The management is short-sighted and has a one-sided emphasis on one area.
- The workers fear the IMS because they have to adapt to it and work differently.
Jorgensen, Remmen and Mellado (2006) explain three levels of integration, which reflect the synergy
between customer quality, focus on the product, the environmental management system and corporate
social responsibility.
- The correspondence level emphasizes the system aspect, due to enhanced compatibility among the
standards.
- The generic level emphasizes the processes or the structure, due to coherence or coordination of
different processes. At this level there is a strong motivation for continuous improvement, and the
various processes are internally integrated with synergy.
- This is a more strategic and inherent level of integration, with intensive focus on the
organization and its relationship with interested parties. It is more product-based, with integrated
thinking in the various endeavors of the organization, not only internally but also in external
relationships. At this level, there is a strong drive for continuous improvement.

ISO 9001, ISO 45001 & ISO 14001 High-level Comparison

- The first three clauses are non-auditable and are there only for guidance in all three ISO
management system standards, i.e. ISO 9001, ISO 45001 and ISO 14001. The auditable clauses run from
Clause 4 to Clause 10.

- Comparison on sub-clauses of Clause 4: The organization can define an integrated scope for all
three management systems, keeping in view the health and safety and environmental considerations.
Moreover, the organization can have an integrated list of interested parties for all three
management systems and an integrated approach to identifying their expectations and needs.

- Clause 5 presents various requirements, and again a slight variation is noted in ISO 9001: it has
additional requirements on customer focus and a customer-oriented approach for the QMS. For these
requirements, the organization can define an integrated management system policy that covers the
specifics of every management system standard. Similarly, roles and responsibilities can also be
defined with an integrated approach.

- In Clause 6, the organization can establish an integrated process for taking actions to address
risks and opportunities for all three management systems, considering the integrated approach to the
context of the organization. The organization can also set integrated management system objectives
and plan actions to achieve them. An integrated process to plan changes, considering both quality
and health and safety issues, is therefore needed for an integrated approach, along with controls
for unintended changes.

- The clauses that do not correspond exactly are Clause 6.1.2 of ISO 45001 - Hazard identification
and risk assessment and Clause 6.1.2 of ISO 14001 - Environmental Aspects Impacts Assessment. These
can be managed separately at the correspondence level. Integration of these two processes is
difficult.

- The additional correspondence in Clause 6 is between ISO 45001 and ISO 14001 on clause 6.1.3 and
clause 6.1.4.

- Clause 7.1 of ISO 9001 is very comprehensive and detailed, and it can serve as the foundation for
the other management system standards as well. Clauses 7.2 and 7.3 also correspond with each other
in all three standards, so an integrated approach can be developed.

- Although the clauses correspond, a slight difference of structure is noted in ISO 9001 compared
with ISO 45001 and ISO 14001. An integrated approach is possible for both Clause 7.4 and Clause 7.5.

- Clause 8 has detailed specifics for the QMS, and some specifics for the OH&SMS and EMS. ISO 45001
and ISO 14001 match closely in Clause 8, with slight variations in the details of these requirements
and guidelines.

- ISO 9001 has additional requirements, such as requirements for products and services, which
include customer communication, then determination of these requirements, followed by a
comprehensive review. All of these should be documented, and changes to these requirements need to
be controlled. Moreover, in Clause 8 the whole framework of design and development is also needed
for the QMS. Design and development contains six different sub-clauses as requirements.

- The additional requirements of ISO 9001 in Clause 8 are on the control of externally provided
processes, products and services. These requirements are about the organization's control over
suppliers, contractors and third party providers. The basic business operation for customers is
covered in ISO 9001 under clause 8.5, which includes controls, identification and traceability,
control of property belonging to customers and other external parties, preservation of products,
controls for product or service release etc. Moreover, there is a requirement for control of
non-conforming outputs. It applies to service oriented companies as well, because outputs are not
merely products but also services.

- Clause 9 corresponds closely across all three standards. Here too, ISO 9001 has some unique
requirements for monitoring customer satisfaction. The remaining requirements on internal audits and
management reviews are much the same, with some specifics for the individual management systems.

- Clause 10 is also readily comparable for integration, with one minor distinction between ISO 9001
on one side and ISO 45001 and ISO 14001 on the other. The distinction concerns health and safety
incidents or environmental incidents: the Quality Management System standard does not use the term
incident, although a nonconformity in the case of a QMS can be a customer complaint, internal
defect, rejection etc.

- For Clause 10, the organization can have an integrated process for reporting environmental, health
and safety incidents, and an integrated process for managing non-conformities arising through
incidents, IMS audits, customer complaints etc.
Module 2: Foundations of Quality Management System

Upon completion of this module, you will be able to:

- Discuss the history of ISO 9001 Revisions.
- Discuss the global status of ISO 9001 & changes in revision.
- Explain what companies should do with change.
- Clarify and describe common misconceptions about revision.
- Examine and manage the context of an organization.
- Explain Process Approach.
- List each phase of the Plan, Do, Check and Act Cycle.
- Define Risk Based Thinking.

History of ISO 9001 Revisions
The idea behind ISO 9001 can be traced back to British Standard 5750 in 1979. The history of the
ISO 9000 series is as follows:
- The first version of ISO 9000 was published in 1987 and was based on the BS 5750 standard. It was
also influenced by defense military standards.
- The second version, ISO 9000:1994, was published in 1994. This version stressed quality assurance
through preventative action.
- The third version was published in 2000 as ISO 9001:2000. This version radically changed thinking,
as it held the belief that process management should be the core of the standard.
- ISO 9001:2000 made the goals of the standard crystal clear, i.e. that the standard should be ‘a
documented system’ and not just a ‘system of documents’. The idea was to create system efficiency
that can be measured and validated by process performance.
- The fourth version is the ISO 9001:2008 standard. This edition made slight changes to the previous
version. The goal of this revision was to better explain the 2000 edition requirements and to
increase compatibility with other management systems, such as ISO 14001.
- The fifth major revision was published in 2015. This version is called ISO 9001:2015. Because the
revision in 2008 was just a minor update of the 2000 version, this revision sought to fill in gaps
that had formed over the fifteen years since 2000.
Timeline from Committee Draft to Publication of ISO 9001:2015
Timeline for Organization to make Transition to ISO 9001:2015

Global Status of ISO 9001 and Revision


By 2014, the ISO 9001 standard was used by more than 1.1 million people and organizations in 180
countries worldwide, and it is easy to believe that this number will surely have grown as of 2017.

BSI Group claims to have achieved the first global accreditation for ISO 9001:2015.

This revision will influence all certification and authorization bodies, training bodies, advisors,
implementing agencies and business clients.

The standard has helped to build systems for various sectors such as the manufacturing sector,
automotive sector, the medical sector, governments and more.
ISO 9001 version 2015 is meant for companies who want to:
- Prove that they are capable of delivering high quality products and services, which will then
fulfill client requirements and regulatory needs.
- Enhance customer satisfaction.

Key changes in ISO 9001 version 2015 include the following:
- Building a quality management system that is well matched to each organization’s particular needs.
- Top management must be involved in the management system in order to make a comprehensive
enterprise strategy.
- The prevalence of risk-based thinking across the standard enables the entire management system to
be used as a preventive instrument, which will continually boost improvement.
- Less prescriptive requirements for records and documentation. The enterprise can now decide
independently what documented information it requires and what the appropriate format is.
- Integration with other important and widespread management system standards.

Fundamental Concepts in ISO 9001:2015


Nigel Croft, Chairperson of the ISO subcommittee for revising the standard, emphasizes that the
revision is based on three basic concepts:
- Process approach
- PDCA model, i.e. Plan, Do, Check & Act
- Risk Based Thinking


Misconceptions about Revision
There are two prevalent misconceptions about the revision, both due to the incorporation of risk
based thinking:
Substitution of Process Approach by Risk Based Thinking

There are concerns that risk based thinking substitutes the process approach, which is incorrect. It
is part of the process approach itself, because before one begins a process, one must identify any
hazards and opportunities in order to decide which process best meets the objectives in a given
context.
Preventive Action Has Been Removed

When risk based thinking is included, preventive action becomes a habit, and thus prevention is
involved in every phase of the process.

Action Plan for Organizations


Currently accredited management systems can be adapted with some minor modifications. In many
situations, organizations should have sufficient documentation and protocols already in place with
their presently certified management system.
As risk is incorporated in many sections of the revision of ISO 9001, companies should focus on
establishing their risk management protocols if they do not currently have a system in place for
controlling risks. Companies must start thinking about how to incorporate risk in their businesses
at both a strategic level and an operational level.
The transitional period does not end until 2018, so organizations will have had three years to
update their systems and make sure they comply with the revision.

Certification Process - Phases


Starting Point: Outline the scope of the certification program.
Pre-Audit (not mandatory): This is a gap analysis phase against the standard. It helps companies to
identify what they need to do to prepare for a certification audit.
Certification Audits are conducted in 2 stages:
- Stage 1 Audit is a readiness review audit to prove that the organization is prepared for
certification.
- Stage 2 Audit is an assessment of implementation, along with the effectiveness and performance
evaluation of the organization's management system. This is the stage where certification is
awarded. A certificate is valid for 3 years and is awarded based on the results of the stage 2
audit.
Surveillance Audits are conducted to prove that the management system continues to fulfill the
requirements of the standard, and also to observe the continual improvement of the management
system.
Re-Certification Audits are done after 3 years to endorse the effectiveness of the management system
as a whole. The certificate is then reissued for the next 3 years.

Certification Process – Implementation Benefits

- Improved customer retention, satisfaction and acquisition.
- Exhibition of management commitment towards quality of services and products.
- Improving cost control through conserving input materials.
- Reducing defects that result in complaints, therefore reducing compensation costs.
- Increase in efficiency, productivity and profit.
- Creation of knowledge database for effective management of company knowledge.
- Consistent outcomes which are measured and monitored.
- High Level Structure (HLS) to easily integrate with more than one standard.

Benefits of ISO 9001 Certification Program to Customers


Some clients will only buy services or products from certified companies, since certification gives
them the assurance that management systems are continuously assessed, improved and monitored.
Some of the benefits to customers are:
- Reduces repeated mistakes.
- Develops a complaint reporting system and improves performance.
- Improved quality of products and services through internal auditing.
- Consistent and robust scheduling of production and delivery.
- Performance will be maintained with the help of the external certification body's annual
assessment program.

What Can't Companies Do?


Companies cannot do the following with ISO 9001 certification:
- Companies cannot employ or change ISO’s logo. It is ISO’s brand and intellectual property.
- Companies cannot equate ISO 9001 certification to being ISO certified. Companies which are ISO
9001:2015 certified are not certified by ISO or by the ISO 9001 technical committee, but rather by
an Accreditation Body like UKAS.
- ISO 9001:2015 cannot be branded on company products or used in literature to denote that a product
is certified to ISO 9001. It is not a product certification but a company quality management system
certification.
- Companies must be careful with their scope, so as to correctly describe their certified activities
and geographic locations. A certification is only awarded on the defined scope. Activities of
companies outside the certification scope cannot be implied to gain the benefits of ISO 9001
certification.

Process Approach and PDCA Cycle

A process is usually defined as reproducible, interacting activities that together convert an input
into an output. The elements in the process approach cycle are discussed below:
- With What means the infrastructure, i.e. process equipment, software, hardware, and supporting
devices.
- With Who means the human resource, i.e. personnel, training, and qualification needed to carry out
the process.
- How is the procedure or work instructions that explain how the process will be carried out and
describe the entities responsible for the process.
- How many? These are the process monitoring parameters like action plan, trends, production
reports. This also counts as evidence for PDCA.
- Input is something that starts the process. Input can be workers, an event, resources, or
supplies. For example, a maintenance requisition starts the process for maintenance.
- Output is a consequence of the process, or its result. Output should comply with the expectation
of a customer, whether in-house or external. Normally outputs are goods, services, or the input into
another in-house process.

Organizational Processes Examples


Some examples of organizational processes are shared below:
- Training process
- Information management process
- Maintenance process
- Planning process
- Assembly process
- Marketing process
- Customer communications process
- Purchasing process
- Internal auditing process

Organizational Processes
Training process flow is shown as a case study:

Determinants of a Process
Some of process determinants are following:

Process Characteristics
Some of the process characteristics are:
- Repeatable
- Predictable
- Quantifiable
- Explainable
- Context Oriented & Dependent

What is PDCA Cycle?


Plan-Do-Check-Act (also known as “PDCA”) is a cyclic process that was conceptualized by Walter
Shewhart and widely promoted by Edwards Deming, two founders of most of the quality philosophies
that are followed today.

This concept is a cycle for bringing about a change which, when implemented and repeated, would
yield repeated improvements in any process.
A case study we can all recognize is the process we go through when selecting a wireless carrier:
- We Plan to have no issues like dropped calls, interruptions in voice delivery or reception etc.
- The Do part occurs when we start using the wireless service.
- The Check part occurs when we assess the actual performance and realize that we have had a few
interruptions to calls.
- And the Act part occurs when we decide our future course of action based on Check. For example, we
could accept the number of interruptions in calls, or we could complain to the vendor to have the
problem corrected, or we could change the service provider.

Plan, Do, Check & Act is a cycle that was devised by Walter Shewhart and propagated by Edwards
Deming. PDCA is an iterative four-step management technique used in industry for the continual
improvement of processes.
Plan – This step includes the establishment of the objectives and processes essential to provide
outcomes that are in line with the needed output.
Planning of the QMS starts with the initial documentation of the Quality Manual, control of
documents and records, the Quality Policy and Quality Objectives, and the plan to achieve the policy
and objectives. Additional planning on how to realize the product or service, including what
resources are required and how they will be used, is the last step in the early planning.

Do – This step includes the execution of the plan, performance of the process, and production of
the product. At this point, companies must gather process statistics for recording and examination
in the next steps of Check and Act.

Raw material or service needs must be specified.

Designs development, the purchasing process, and raw materials must be verified against
requirements.
The process of creating the merchandise or service must be implemented. Defects must be recorded as
non-conformities and dealt with. The procedures and the instruments used to monitor and inspect the
product and processes must be controlled.

All undertakings of creating and delivering the product or service to clients are required to be
completed in Do phase.

Check – Examine the actual results of the ‘Do’ step and check them against the expected results of
the Plan phase.

It is mandatory to check and measure not merely the product, to make sure it fulfills requirements,
but also the processes. Analysis of data, internal audits, external audits & Management Review are
mandatory in ISO 9001. All these extensive processes are part of the ‘Check’ phase in the PDCA
cycle.

Act – If the Check analysis reveals that the Plan that was applied in Do phase is a progressive
improvement to the earlier results, then the present ‘Do’ should become the new standard for how
the organization should Act going forward.

If the Check analysis reveals that the Plan that was applied in Do phase is not an improvement, then
the prior standard will remain.

In both cases, i.e. improvement or no improvement, more learning is needed and that will inform next
PDCA cycle. Corrective actions and action plans that resulted from output of management review
meetings and internal audits are part of the Act phase in PDCA cycle.

When to Use Plan–Do–Check–Act


The PDCA cycle should be used in the following cases:
- When opting for continuous improvement.
- When initiating a new improvement project.
- When making a new or modified design of a process, product or service.
- When defining a repetitive work process.
- When preparing data collection and analysis so as to verify and prioritize problems or root
causes.
- When applying any change.


PDCA Cycle and ISO 9001:2015
PDCA is an integral part of ISO 9001:2015 (Quality Management System i.e. QMS). Companies going
for ISO 9001 will automatically integrate PDCA cycle.
Plan and Do in ISO 9001:2015

Plan

Planning is one of the vital parts of the QMS and begins with realizing the context of the organization
and the expectations of interested parties (Clauses 4.1 & 4.2), which is then utilized to define the
QMS scope and the processes (Clauses 4.3 & 4.4).
Then commitment of leadership in the company guides the organization to a customer focus by
outlining organizational roles and responsibilities and by instituting a quality policy to focus on QMS
(Clauses 5.1, 5.2 & 5.3).
Then planning identifies and addresses the risks and opportunities of the QMS, including setting and
planning for quality objectives and changes to support continual improvement (Clauses 6.1, 6.2 & 6.3).
The final layer of planning is to recognize and define the support structure to perform plans. This
comprises resources (Clause 7.1), recognizing competence (Clause 7.2), awareness (Clause 7.3),
communication (Clause 7.4) and to have the system for creation and control of documented
information (Clause 7.5).

Do

Plans are meant to be carried out.


Controls need to be identified for the operations, product or service requirements need to be
identified (8.2), designs developed (8.3), and controls placed on external providers (8.4).
The process of producing the product or service needs to be carried out with control of product and
service release (8.5 & 8.6), and any non-conformity needs to be addressed (8.7).
Finally, the actions of making and supplying products or services to the clients have to be done.
Check and Act in ISO 9001:2015
Check
There are numerous places in the standard to check the processes of the QMS to make sure they are
effective as per plan. The ISO standard requires enterprises to monitor, measure, analyze and
evaluate the products or services to make sure that the processes employed are satisfactory and
effective, and that customer satisfaction is achieved (Clause 9.1). Internal Audits (Clause 9.2) are
required as a means of measuring the effectiveness of the QMS. The Management Review procedure
(Clause 9.3), analyses and evaluates all the collected information related to QMS and helps to identify
solutions to resolve any issues or problems.
Act

Action in ISO 9001 includes the actions required to address any concerns revealed in the check step.
Improvement (Clauses 10.1 & 10.3) is the main purpose of these action items. It occurs when
nonconformity is removed and Corrective Actions (Clause 10.2) are taken to eradicate the causes of
current and foreseeable non-conformities.
After the “Act” phase, some changes are likely to be made to the initial “Plan” of the QMS, which
marks the beginning of the cycle again.

Context of Organization and Risk Based Thinking

Clause 4 of ISO 9001:2015 states that the organization is to assess itself with regard to its
context and how this context may affect the QMS.
The organization needs to study:
- Influences of various elements on the organization.
- How these elements reflect on the QMS.
- Risks and opportunities regarding the business.

| Internal context | External context |
|---|---|
| The company's culture | Markets |
| Objectives and goals | Customers |
| Complexity of the products | Regulatory Bodies & Government Organization |
| Flow of processes | |
| Organization knowledge | |
| Size of the organization | |

The standard does not mandate the method for understanding the context of the organization; however,
there are a few logical steps and milestones:


What is an internal context of organization?
An organization’s internal context is the environment in which it aims to achieve its objectives.
Internal context can include:
- Approach to governance
- Contractual relationships with customers
- Interested parties
Things that need to be considered (while analyzing internal context) are:
- Culture, beliefs, values, or principles inside the organization.
- Complexity of processes and organizational structure.

What is an external context of organization?

An organization’s external context is the environment which influences the organization, for example
the environmental, social, ethical, legal, political, technological, and economic environment.
External context can include:
- Regulations and modifications in the law.
- Economic drifts in the market where the organization operates.
- Competition that the organization faces.
- Technology advancements.


Example Matrix of Interested parties, Issues and Treatment

The main points from this module are as follows:


The idea for ISO 9001 can be traced back to British Standard 5750 in 1979; however, the first
publication was made in 1987.
The second revision (1994) stressed quality assurance through preventive action. The third revision
(2000) was based on the process approach. The fourth revision (2008) was based on alignment with
other standards. The current version was published in 2015.
The current revision was presented as a committee draft in June 2013, then as a draft international
standard in April 2014, then as a final draft international standard in July 2015. Finally, the
revision was published in September 2015.
Companies have until September 2018 to upgrade to the recent revision.

The latest revision, ISO 9001:2015, is based on the following concepts:

- Process Approach
- Plan, Do, Check, and Act cycle
- Risk Based Thinking


Risk based thinking does not replace the process approach. Preventive action is built into risk based
decision making.
The certification process for ISO 9001:2015:
- Defining the scope of business, i.e. physical boundaries, products etc.
- A gap analysis is performed.
- Stage 1 readiness check audit.
- Stage 2 certification audit.
- After certification, surveillance audits are done annually for three years.
- Then re-certification is done after 3 years of certification issuance.

Some of the benefits of ISO 9001:2015 to business owners are: customer satisfaction, improved
efficiency, decreased defects, and a high level structure for easy integration with other standards.
Some benefits of ISO 9001:2015 to customers are: reduced mistakes, an improved complaint handling
system, consistent performance etc.
Companies cannot use the ISO logo on products, nor can they change it. Companies cannot say they are
ISO certified, because they are ISO 9001:2015 certified by an accredited body like UKAS.
Processes have elements like: inputs, outputs, with what, with who, how and how many.
Inputs are raw materials and human resources.
With What includes software and process equipment used to execute activities in process.
With Who refers to human resources and their qualification to run processes.
How is the method used to carry out the process.
How Many refers to the process monitoring parameters.
Outputs are the consequence of process.

Walter Shewhart's Plan, Do, Check and Act cycle is the basis of ISO 9001:2015 and is used to analyze
the context of an organization to plan for its optimization.
The planning of processes, the setting of quality objectives, and planning to achieve them are part
of the Plan phase in the PDCA cycle.
Do involves support activities like human resource allocation, infrastructure and equipment. Do also
involves production and operational activities. Design activities are also included in Do.
Check is the management review and performance evaluation, for example inspection, internal audits
etc.
Act is continual improvement based on internal audits, non-conformities and corrective actions.
Context of Organization is the analysis of organization’s context both internal and external.

Organizations can list their internal and external issues and identify the parties involved and their
needs and expectations.
They can then document context by listing these issues and needs of interested parties.
Then, they can rate each issue and need on a priority ranking scale.
If needed, a treatment method can be provided to optimize the opportunity and to mitigate the risk.
Risk based thinking is a thinking process that we do in our everyday life. Organizations need to adopt
it in their processes and activities.
The risk driven approach from risk based thinking is based on recognizing risks and opportunities,
examining and prioritizing recognized risks and opportunities, planning actions to mitigate risk or
optimize opportunities, implementing a plan, assessing the effectiveness of the implemented plan
and, finally, improving continually by learning from experience.
Module 3: Auditable Clauses in ISO 9001:2015

Upon completion of this module, you will be able to:

- List the Auditable clauses of ISO 9001:2015.
- Discuss the requirements of standard for the Context of Organization.
- Explain the requirements of standard on Leadership role.
- Clarify the Planning requirements for the Quality Management System (QMS).
- Describe the support functions required for the QMS.
- Explain the requirements of Operation Controls for QMS.
- Discuss the Performance Evaluation requirements related to measurement and monitoring, internal
audits, and management reviews.
- Explain the requirements of Improvement in standard's context.

Clause 4 - Context of Organization


Context of Organization is a new requirement of ISO 9001:2015. The new requirements related to the context
of the organization were already discussed in the last topic of the earlier module. The requirements and
guidelines are expressed here in simple but meaningful terms:
Clause 4.1 - Comprehend Organization and its Unique Context
Under this sub-clause, organization has to take care of the following:
- Recognize and comprehend organization's context.
- Recognize and comprehend organization's context before one develops organization's quality
management system (QMS).
- Consider the external issues that are appropriate to organization's purpose and strategic direction
and think about the influence these issues could have on its QMS and the outcomes it intends to
attain.
- Consider the internal issues that are appropriate to organization's purpose and strategic direction
and think about the influence these issues could have on its QMS and the results it intends to achieve.
- Monitor information about your organization's context.
- Consider the impact changes in context could have on your organization's quality management
system (QMS).
Clause 4.2 - Clarify the Needs and Expectations of Interested Parties related to Organization
Under this sub-clause, organization has to take care of the following:
- Recognize the parties who influence or could influence QMS.
- Reflect how interested parties influence or could influence organization's capability to provide
products and services that meet customer requirements.
- Consider how interested parties could affect your ability to provide products and services that meet
statutory and regulatory requirements.
- Clarify and comprehend their unique needs and expectations.
- Monitor and review information about your interested parties.
Clause 4.3 - Define the Scope of Organization's Quality Management System
Under this sub-clause, organization has to take care of the following:
- Clarify boundaries and think about what your QMS should apply to.
- Use boundary and applicability information to define your scope.
- Consider your organization's context when you define your scope.
- Document the scope of your quality management system (QMS).
- Use your scope document to describe the boundaries of your organization's QMS and to explain
what it applies to.
- Use your scope document to identify the types of products and services that will be included in your
organization's QMS.
- Use your scope document to explain that every ISO 9001 requirement must be applied unless you
can explain why it does not apply.
- Maintain the document that defines the scope of your QMS.
- Control your organization's QMS scope document.

Clause 4.4 - Develop a QMS and Establish Documented Information


This sub-clause is part of Context of Organization. The organization has to develop a quality
management system and should incorporate documented information to support it. The
requirements of this clause are expressed in two sub-clauses:
Clause 4.4.1 - Develop a QMS that complies with this standard
The organization has to take care of the following requirements under this clause:
• Establish a process-oriented Quality Management System (QMS).
• Identify the processes that organization's QMS needs.
• Identify methods required to manage processes.
• Identify resources required to support processes.
• Determine process responsibilities and authorities.
• Determine risks and opportunities for each process.
• Determine methods needed to evaluate processes.
• Implement your process-based quality management system.
• Implement criteria required to operate and control organization's processes.
• Apply methods needed to operate and control your processes.
• Maintain your process-based quality management system.
• Improve your process-based quality management system.
Clause 4.4.2 - Keep QMS documents & keep QMS records
The organization has to take care of the following requirements under this clause:
• Keep documents required to help process operations.
• Control documents which help process operations.
• Keep records which exhibit that plans are being followed.
• Control records which show that plans are being followed.

Clause 5 - Leadership
The first sub-clause on Leadership is clause 5.1, which is focused on "Provide leadership by focusing
on quality and customers." Its requirements are expressed under two headings:
Clause 5.1.1 - Offer Leadership by Encouraging a Focus on Quality

The organization has to take care of the following requirements under this clause:
• Accept responsibility for organization's QMS.
• Prove a commitment to organization's QMS.
• Make sure that a quality policy is established.
• Make sure that quality objectives are established.
• Make sure that requirements are built into processes.
• Make sure that your QMS achieves all intended results.
• Communicate organization's commitment to the QMS.
• Explain why quality management is important.
• Expect managers to be accountable for their QMS.
• Encourage organization's personnel to support their QMS.
• Promote the utilization of risk-based thinking.
Clause 5.1.2 - Offer Leadership by Encouraging a Focus on Customers

The organization has to take care of the following requirements under this clause:
• Expect human resources to focus on customers.
• Expect human resources to manage all related requirements.
• Expect human resources to manage appropriate risks and opportunities.
• Expect human resources to place emphasis on improving customer satisfaction.

Clause 5.2 - Provide leadership by establishing a suitable quality policy


The second clause is about offering leadership by establishing an appropriate quality policy.
Clause 5.2.1 - Provide Leadership by Formulating Quality Policy of the Organization

The organization has to take care of the following requirements under this clause:
• Establish a relevant quality policy.
• Ensure that it supports company's purpose.
• Ensure that it deals with business context.
• Formulate organization's quality policy.
• Make a commitment to meet applicable requirements.
• Have a commitment to continually improve the QMS.
• Enforce the developed organization's quality policy.
• Maintain and keep company's quality policy.
Clause 5.2.2 - Provide Leadership by Implementing Quality Policy of the Organization

The organization has to take care of the following requirements under this clause:
• Document company's quality policy.
• Communicate organization's quality policy.
• Apply organization's quality policy.
Clause 5.3 - Offer Leadership by Defining Roles and Responsibilities
The third clause is 5.3, which is on the leadership role in defining the roles and responsibilities.
• Allocate QMS roles, responsibilities, and authorities.
• Communicate those QMS roles, responsibilities, and authorities.
• Make sure that everyone understands his/her role, responsibilities and authorities.
Clause 6 - Planning
The first sub-clause is 6.1, which is on defining actions and measures to control risks and capitalize
on opportunities.
Clause 6.1.1 - Consider risks and opportunities when you plan your QMS

Under this clause, the organization has to comply with the following requirements:

• Plan the development of the company's QMS.
• Recognize the risks and opportunities that could influence the performance of the organization's QMS
or disrupt its operation.
• Consider how the company's context could influence how well its QMS is able to attain planned
results.
• Consider how the company's interested parties could influence how well its QMS is able to
achieve planned results.
• Identify what one needs to do to manage the risks and opportunities that could affect the
performance of the company's QMS or disrupt its operation.
Clause 6.1.2 - Plan how you’re going to manage risks and opportunities

Under this clause, the organization has to comply with the following requirements:

• Consider the company's risk treatment options.
• Identify measures to address risks and opportunities.
• Identify actions that one can take to address the risks and opportunities that could impact the
performance of the company's QMS or halt or deteriorate its operation.

Clause 6.2 - Setting Quality Objectives and Establish plans to attain them
The second clause is about setting quality objectives and developing plans to achieve them.
Clause 6.2.1 - Develop quality objectives for all appropriate areas
Under this sub-clause, organization has to take care of following:
• Define the criteria for identifying quality objectives.
• Resolve quality objectives in all relevant areas.
• Communicate organization's quality objectives.
• Document organization's quality objectives.
• Monitor organization's quality objectives.
• Update organization's quality objectives.
Clause 6.2.2 - Make Plans to Attain Objectives and Assess Results
Under this sub-clause, organization has to take care of following:
• Establish and develop plans to attain quality objectives.
• Plan how the company is going to assess results.

Clause 6.3 - Plan changes to your quality management system


The third sub-clause is related to the planning of changes to the organization's quality management system.
This is what we can call change management. In this clause, one has to take care of the
following issues:
• Think about the purpose of the changes one plans to make.
• Reflect on responsibilities and authorities whenever one makes changes.
• Contemplate the outcomes that changes could potentially result in.
• Consider the provision of resources whenever one makes changes.
• Reflect on the integrity of the organization's QMS whenever any change is made.

Clause 7 - Support
The first sub-clause, 7.1, is about supporting the organization's QMS by offering the required resources.
There are six sub-clauses within clause 7.1. The first two of them are:
Clause 7.1.1 - Offer Internal and External resources for Company's QMS

Organization has to take care of the following issues within this clause:
• Identify the resources that company's QMS requires.
• Provide the resources that company's QMS needs.
Clause 7.1.2 - Provide Relevant People for QMS and its processes

The organization has to take care of the following issues within this clause:

• Provide the people that the company's QMS needs to be effective.
• Furnish the people that the company needs in order to operate processes.
• Hire the people that the company needs in order to control processes.

The other two sub-clauses of 7.1 are:


Clause 7.1.3 - Furnish the Infrastructure that Company's processes must have

The organization has to take care of the following issues under this clause:
• Identify and determine the infrastructure that the processes and the organization need
in order to support process operations and attain conformity of products and services.
• Furnish the infrastructure that the organization and its processes need.
Clause 7.1.4 - Furnish the relevant environment for Organization's Processes

The organization has to take care of the following issues under this clause:
• Identify and determine the environment that the organization and its processes need
in order to support process operations and attain conformity of products and services.
• Furnish the environment that the processes need.

Sub-clause 7.1.5 of clause 7.1 is about providing monitoring, measuring, and traceability
resources. It is further described in two sub-clauses, and the last sub-clause of 7.1 is also
discussed in the given tabs.
Clause 7.1.5.1 - Arrange Suitable Monitoring and Measuring resources

Under this clause, the organization has to manage the following requirements:

• Identify monitoring and measuring resource requirements.
• Determine the monitoring and measuring resources that the organization needs in order to be certain
that it can offer products and services that meet all suitable requirements.
• Offer appropriate monitoring and measuring resources.

Clause 7.1.5.2 - Organize Suitable Measurement Traceability resources

Under this clause, organization has to manage following requirements:


• Determine the company's measurement traceability requirements.
• Offer reasonable measurement traceability resources.

Clause 7.1.6 - Provide Knowledge to Facilitate Process Operations

Under this clause, the organization has to manage the following requirements on organizational knowledge:
• Identify the knowledge that the organization needs to have.
• Attain the knowledge that the organization needs to have.
• Make organizational knowledge available to the extent needed.
• Monitor suitable trends and modifications in knowledge and information.
• Keep the organizational knowledge that has been attained.

This clause is related to Organization Knowledge. In this course, there is a separate topic on
Organization Knowledge in which this topic is elaborated in detail.

The other three sub-clauses of clause 7 are discussed below:


Clause 7.2 - Support QMS by ensuring that people are competent

The organization has to make arrangements for the following requirements:


• Identify those under organization's control who do work that influences quality.
• Clarify organization's quality competence requirements.
• Attain competence whenever shortcomings are discovered.
• Document the competence of those whose work influences quality.
• Evaluate the effectiveness of actions taken to acquire competence.

Clause 7.3 - Support QMS by explaining how people can help

The organization has to make arrangements for the following requirements:

• Make personnel aware of the organization's QMS.
• Share information about the company's QMS with the people who carry out work that is under
the organization's control.
Clause 7.4 - Support organization's QMS by managing communications

The organization has to make arrangements for the following requirements:

• Support the organization's QMS by managing QMS communications.
• Resolve how internal communications will be handled.
• Resolve how external communications will be handled.

Clause 7.5 - Support your QMS by Controlling Documented Information


Clause 7.5 is about the control of documented information.
Clause 7.5.1 - Incorporate Documented Information

Under this clause, organization has to manage following requirements:


• Identify how extensive documented QMS information should be.
• Think about activities when one develops documents and records.
• Think about individuals when one develops documents and records.
• Reflect on those processes when one develops documents and records.
• Take into account products when the organization establishes documents and records.
• Take into account services when the organization establishes documents and records.
• Consider the size of the company when the organization establishes documents and records.
• Incorporate all the documents and records that company's QMS needs.
• Incorporate all internal documents and records that company's QMS needs.
• Incorporate all external documents and records that company's QMS needs.
Clause 7.5.2 - Manage the Creation and Revision of Documented
Information

Under this clause, organization has to manage the following:


• Organize and control the creation and update to documented information.
• Ensure that organization’s QMS documents and records are appropriately identified and explained.
• Ensure that organization’s QMS documents and records are appropriately formatted and presented.
• Ensure that organization’s QMS documents and records are appropriately reviewed and approved.

Clause 7.5.3 is related to controlling the management and utilization of documented information. It
is further discussed in two sub-clauses:
Clause 7.5.3.1 - Control Organization's QMS documents and records

The organization has to take care of the following requirements:


• Choose and maintain the QMS documents and records that one needs.
• Choose and maintain all the documentation that one needs so as to protect the confidentiality,
integrity, and use of information.
• Choose and maintain all of the documentation that is mandated by ISO 9001.
• Control and maintain the QMS documents and records as per QMS needs.
• Control and maintain all the internal documentation that company's QMS needs.
• Control and maintain all the external documentation that company's QMS needs.
Clause 7.5.3.2 - Control how QMS documents and records are controlled

• Control how company's QMS documents and records are controlled.
• Control how company's QMS documents and records are created.
• Control how company's QMS documents and records are identified.
• Control how company's QMS documents and records are distributed.
• Control how company's QMS documents and records are accessed.
• Control how company's QMS documents and records are retrieved.
• Control how company's QMS documents and records are stored.
• Control how company's QMS documents and records are utilized.
• Control how company's QMS documents and records are changed.
• Control how company's QMS documents and records are protected.
• Control how company's QMS documents and records are preserved.

Clause 8 - Operation
The first clause, 8.1, is related to the development, implementation, and control of QMS operational
processes:
• Plan the application and control of operational processes.
• Prepare operational process implementation and control plans.
• Utilize the organization's plans to apply and control operational processes.
• Control planned operational process alterations and modifications.
• Keep appropriate operational process documents and records.


Clause 8.2.1 - Communicating with Customers and Managing Customer Property
The clause 8.2.1 is related to communication with customers and management of customer property,
under which an organization is required to do following:
• Communicate with customers.
• Furnish information to customers.
• Attain and get information from customers.
• Manage customer property.
• Control property supplied by customers.
Clause 8.2.2 - Clarify all Product and Service Requirements and Capabilities
Organization has to take care of following issues in this sub-clause:
• Identify requirements for products and services offered to customers.
• Verify that you can actually meet product & service requirements.
Clause 8.2.3 - Review Product and Service requirements and Record Results
This sub-clause is further divided into two sub-clauses:
Clause 8.2.3.1 - Verify requirements before Organization accepts Orders from Customers
• Analyze and assess product & service requirements before accepting order.
• Clarify differences and variations between basic proposal and final order.
• Confirm and verify that one has to meet product and service requirements.
Clause 8.2.3.2 - Document review of Product and Service requirements
• Document and maintain results of product and service requirement reviews.
• Document and maintain new or modified product and service requirements.
Clause 8.2.4 - Modify Documents when Product and Service Requirements Alter
Under this sub-clause, the organization has to take care of the following:
• Amend all appropriate documented information to show changes in customers' product and
service requirements.
• Retain and control documents and records that explain new or changed product and service
requirements.

Clause 8.3 - Develop a Process to Design and Develop Products and Services
Within this clause, the organization has to take care of many issues, as design and development is a
critical part of the quality management system: within this phase, customer requirements are
internalized in the product design.
Clause 8.3.1 - Make a Suitable Design and Development Process

Within this sub-clause, organization has to take care of the following issues:
• Develop a suitable design and development process.
• Apply an appropriate design and development process.
Clause 8.3.2 - Project planning of Design and Development activities for
Products and Services

Under this sub-clause organization has to take care of the following issues:
• Plan organization's design and development stages and controls.
• Consider complexities of design and development process.
• Consider requirements for design and development process.
• Consider expectations of the design and development process.
• Consider participation of parties for the design and development process.
• Consider interfaces of the design and development process.
• Consider responsibilities of the design and development process.
• Consider documentation of the design and development process.
• Consider resources of a design and development process.
Clause 8.3.3 - Identify Inputs of Design and Development for Product
and Services

Organization has to take care of the following issues under this sub-clause:
• Clarify your product and service design and development inputs.
• Define the resource needs of product and service design and development needs.
• Control organization's design and development input documents and records.

The other sub-clauses of Design and Development are discussed here:


Clause 8.3.4 - Specify how Design and Development process will be Controlled

Under this sub-clause, organization has to take care of the following issues:
• Control product and service design and development activities.
• Control how design and development results are identified.
• Control how design and development reviews are performed.
• Control how design and development validations are carried out.
• Control how design and development verifications are completed.
• Document product and service design and development activities.

Clause 8.3.5 - Clarify how Design and Development Outputs will be produced

Under this sub-clause, organization has to take care of the following issues:
• Control product and service design and development outputs.
• Make sure that outputs can be compared against input requirements.
• Make sure that outputs are capable of supporting product provision.
• Make sure that outputs include or refer to acceptance criteria.
• Make sure that outputs can be used to validate proposals.
• Control design and development output documents and records.

Clause 8.3.6 - Review and Control all Design and Development Changes

Under this sub-clause, organization has to take care of the following issues:
• Identify changes during or subsequent to design and development.
• Review changes and modifications during or subsequent to design and development.
• Control changes and modifications during or subsequent to design and development.

Clause 8.4 - Monitor and Control External Processes, Products, and Services
This clause is further divided into the following sub-clauses:
Clause 8.4.1 - Verify External Products & Services Fulfill Requirements

Under this clause, organization has to take care of following issues:


• Establish controls for external processes, products, and services.
• Control organization's externally provided processes, products, and services.
• Determine criteria to select, evaluate, and monitor external providers.
• Utilize developed criteria to select external process, product, and providers.
• Utilize developed criteria to monitor the performance of external providers.
• Utilize developed criteria to assess organization's external providers.
Clause 8.4.2 - Establish Controls for Externally Supplied Services and
Products

Under this clause, organization has to take care of following issues:


• Examine controls for external providers, processes, products, and services.
• Examine the potential impact that externally provided processes, products, and services could have
on your organization's ability to consistently meet external requirements.
• Examine the controls that external process, product, and service providers have implemented and
think about how effective their controls actually are.
• Establish controls for external providers, processes, products, and services.
• Apply controls for external providers, processes, products, and services.

Clause 8.4.3 - Explicate Requirements to External Suppliers

Under this clause, organization has to take care of following issues:


• Elucidate what you expect from external providers.
• Elucidate organization's process requirements.
• Elucidate organization's product requirements.
• Elucidate organization's service requirements.
• Elucidate organization's equipment requirements.
• Elucidate organization's interaction requirements.
• Elucidate organization's competence requirements.
• Elucidate organization's methodological requirements for supplies.
• Elucidate organization's monitoring and control requirements.
• Elucidate organization's verification or validation requirements.
• Discuss organization's requirements with external providers.

Clause 8.5 - Manage and control production and service provision activities
This clause is further divided into three sub-clauses:
Clause 8.5.1 - Develop controls for production and service provision

Under this sub-clause, organization has to take care of the following issues:
• Apply controlled conditions.
• Apply controlled conditions for production.
• Apply controlled conditions for service provision.
• Apply controlled conditions for delivery process.
• Apply controlled conditions for post-delivery process.
Clause 8.5.2 - Point Out outputs and Control their Unique Identity

Under this sub-clause, organization has to take care of the following issues:
• Utilize suitable means to identify outputs.
• Identify outputs throughout production.
• Identify outputs throughout service provision.
• Control the unique identity of your outputs.
• Control output identity if traceability is required.
Clause 8.5.3 - Protect Property belonging to Customers and External Providers
Under this sub-clause, organization has to take care of the following issues:
• Point out property owned by customers and external providers.
• Verify property owned by customers and external providers.
• Protect and safeguard property owned by customers and external providers.
• Monitor property owned by customers and external providers.
• Document property owned by customers and external providers.

The other sub-clauses under this clause 8.5 are as under:


Clause 8.5.4 - Preserve Outputs through Production and Service Delivery

Under this clause, the organization has to take care of the following issues:
• Preserve and protect outputs during production and service provision.
• Consider utilizing identification methods to preserve outputs.
• Consider utilizing packaging methods to preserve outputs.
• Consider utilizing handling methods to preserve outputs.
• Consider utilizing storage methods to preserve outputs.
• Consider utilizing transmission methods to preserve outputs.
• Consider utilizing transportation methods to preserve outputs.
Clause 8.5.5 - Elucidate and Meet all Post-Delivery Requirements

Under this clause, organization has to take care of the following issues:
• Explain organization's post-delivery requirements.
• Identify activities that must be performed after product delivery.
• Identify activities that must be performed after service delivery.
• Meet the organization's post-delivery requirements.

Clause 8.5.6 - Control changes for production and service Delivery

Under this clause, organization has to take care of the following issues:
• Review and assess modifications in production and service provision.
• Document review results, actions taken, and authorizations.
• Control modifications in production and service provision.
Clause 8.6 - Implement Plans to Control Product and Service Release

Under this clause, organization has to take care of the following issues:
• Develop planned arrangements to confirm products at each stage.
• Confirm that product requirements were fulfilled at appropriate stages.
• Develop planned arrangements to verify services at each stage.
• Confirm that service requirements were fulfilled at suitable stages.
Clause 8.7 - Control nonconforming outputs and Actions taken to be
Documented

Under this clause, there are two sub-clauses:


Clause 8.7.1 - Identify and Control Nonconforming Output to Avoid Unintended Application
Under this sub-clause, organization has to take care of the following issues:
• Identify outputs that do not conform to their requirements.
• Assess nonconforming outputs and examine their impact.
• Take appropriate action to control nonconforming outputs.
• Verify conformity when nonconforming outputs are corrected.
Clause 8.7.2 - Document Nonconforming Outputs and the Actions Taken
Under this sub-clause, organization has to take care of the following issues:
• Document organization's nonconforming products and outputs.
• Document the actions and decisions taken to avoid the unintended use or supply of nonconforming
outputs.

Clause 9 - Evaluation
The first clause is related to monitoring, measurement, analysis and evaluation. The Clause 9.1 is
further divided into different sub-clauses discussed below:
Clause 9.1.1 - Plan how to Monitor, Measure, Analyze, and Evaluate

In this sub-clause organization has to take care of the following:


• Plan how the company is going to monitor, measure, analyze, and evaluate organization's QMS.
• Monitor, measure, analyze, and evaluate QMS performance and effectiveness.

Clause 9.1.2 - Find out how well Customer Needs and Expectations are being fulfilled

In this sub-clause organization has to take care of the following:


• Develop methods that can be utilized to monitor perceptions.
• Monitor how well customer needs and expectations are fulfilled.
Clause 9.1.3 - Evaluate and Assess Performance, Effectiveness, Conformity, and Satisfaction

In this sub-clause organization has to take care of the following:


• Analyze organization's monitoring and measurement results.
• Analyze and assess suitable data and information.
• Utilize analytical results to assess performance.
• Utilize analytical results to assess effectiveness.
• Utilize analytical results to assess conformity.
• Utilize analytical results to assess satisfaction.

Clause 9.2 - Utilize Internal Audits to Evaluate Conformance and Performance

Clause 9.2.1 - Audit Organization's Quality Management System at Planned Intervals

In this sub-clause, organization has to take care of the following issues:


• Conduct and perform internal conformance audits at pre-determined planned intervals.
• Determine if the organization's QMS fulfills requirements.
• Examine and evaluate the effectiveness of organization's QMS.
Clause 9.2.2 - Establish an Internal Audit program for the Organization

In this sub-clause, organization has to take care of the following issues:


• Plan the development of your internal audit program (programme).
• Establish a program that can find out if QMS meets requirements.
• Establish a program that can determine if QMS is effective.
• Establish organization's internal audit program.
• Develop internal audit planning requirements.
• Develop internal audit reporting requirements.
• Develop internal audit responsibilities.
• Develop internal audit schedules.
• Develop internal audit methods.

Clause 9.3 - Carry out Management Reviews and Document the Results
There is a separate topic on management review in this course, which covers the different aspects of
management review in detail. The guidelines and requirements of the standard are discussed here:
Clause 9.3.1 - Review Suitability, Adequacy, Effectiveness, and Direction
In this sub-clause, the following issues should be taken care of:
• Review organization's QMS at regular intervals.
• Review the suitability of organization's QMS.
• Review the adequacy of organization's QMS.
• Review the effectiveness of organization's QMS.
• Review the direction of organization's QMS.
Clause 9.3.2 - Plan and Conduct Management Reviews at Predetermined Planned Intervals
In this sub-clause, the following issues should be taken care of:
• Plan organization's management review activities.
• Schedule organization's reviews at predetermined planned intervals.
• Review organization's quality management system.
Clause 9.3.3 - Generate Management Review Outputs and Maintain Documented Results
In this sub-clause, the following issues should be taken care of:
• Generate suitable and appropriate management review outputs.
• Document the results of organization's management reviews.

Clause 10 - Improvement
The first clause on improvement is related to the determination of improvement opportunities and
making improvements. Clause 10.1 says to take into consideration means of improving
customer satisfaction, for which the following should be done:
• Take into consideration opportunities to support innovation.
• Take into consideration opportunities to take corrective action.
• Take into consideration opportunities to transform organization's operations.
• Take into consideration opportunities to make incremental changes.

Then the clause says to determine and choose opportunities for improvement:
• Determine opportunities to fulfill customer requirements.
• Take into consideration opportunities to enhance customer satisfaction.

Then the clause concludes on fulfilling customer requirements and improving satisfaction.
Clause 10.2 - Control Non-conformities and Take Appropriate Measures and Corrective action
The second clause on improvement is related to control of non-conformity and taking measures and
corrective actions to address it.
Clause 10.2.1 - Correct Non-conformities and Address Causes and Consequences

Under this sub-clause, one needs to address the following:

• React and respond to organization's non-conformities.
• Control and correct organization's non-conformities.
• Evaluate and assess the need to eliminate causes.
• Develop and establish corrective actions to address causes.
• Implement and apply corrective actions to eradicate the causes.
• Review and assess the effectiveness of corrective actions taken.
Clause 10.2.2 - Document Organization's Non-conformities and the Actions that are Taken

Under this sub-clause, one needs to address the following:

• Document the non-conformities as these are reported.
• Document the actions which are made to resolve non-conformities.
• Document the organization's corrective action results.
Clause 10.3 - Enhance and Improve the Suitability, Adequacy, and Effectiveness of Company's QMS
The last clause on improvement is related to the enhancement of the Quality Management System
for its suitability, adequacy and effectiveness. The requirements of this clause for
enhancing the suitability, adequacy, and effectiveness of the company's QMS are:
• Consider and take into account the results of evaluation and analysis, and the outputs of management reviews.
• Utilize results to identify unfulfilled QMS requirements which must be addressed.
• Improve and enhance the adequacy, suitability, and effectiveness of company's QMS.

The main points from this module are as follows:


Clause 4 - Context of Organization

• Clause 4.1 - Comprehend Organization and its Unique Context
• Clause 4.2 - Clarify the Needs and Expectations of Interested Parties related to Organization
• Clause 4.3 - Define the Scope of Organization's Quality Management System
• Clause 4.4 - Develop a QMS and Establish Documented Information
• Clause 4.4.1 - Develop a QMS that complies with this standard
• Clause 4.4.2 - Keep QMS Documents and Keep QMS records

Clause 5 - Leadership

• Clause 5.1 - Offering leadership by focusing on quality and customers
• Clause 5.1.1 - Offer Leadership by Encouraging a Focus on Quality
• Clause 5.1.2 - Offer Leadership by Encouraging a Focus on Customers
• Clause 5.2 - Provide leadership by establishing a suitable quality policy
• Clause 5.2.1 - Provide Leadership by Formulating Quality Policy of the Organization
• Clause 5.2.2 - Provide Leadership by Implementing Quality Policy of the Organization
• Clause 5.3 - Offer Leadership by Defining Roles and Responsibilities

Clause 6 - Planning

• Clause 6.1 - Defining Actions and Measures to control risks and capitalize opportunities
• Clause 6.1.1 - Consider risks and opportunities when you plan your QMS
• Clause 6.1.2 - Plan how you’re going to manage risks and opportunities
• Clause 6.2 - Setting Quality Objectives and Establish plans to attain them
• Clause 6.2.1 - Develop Quality Objectives for all appropriate areas
• Clause 6.2.2 - Make plans to attain objectives and assess results
• Clause 6.3 - Plan changes to your quality management system

Clause 7 - Support

• Clause 7.1 - Supporting Organization's QMS by Offering the Required Resources
• Clause 7.1.1 - Offer Internal and External resources for Company's QMS
• Clause 7.1.2 - Provide Relevant People for QMS and its processes
• Clause 7.1.3 - Furnish the Infrastructure that Company's processes must have
• Clause 7.1.4 - Furnish the relevant environment for Organization's Processes
• Clause 7.1.5 - Provide monitoring, measuring, and traceability resources
• Clause 7.1.5.1 - Arrange suitable monitoring and measuring resources
• Clause 7.1.5.2 - Organize suitable measurement traceability resources
• Clause 7.1.6 - Provide knowledge to facilitate process operations
• Clause 7.2 - Support QMS by ensuring that people are competent
• Clause 7.3 - Support QMS by explaining how people can help
• Clause 7.4 - Support organization's QMS by managing communications
• Clause 7.5 - Support QMS by controlling documented information
• Clause 7.5.1 - Incorporate Documented Information
• Clause 7.5.2 - Manage the Creation and Revision of Documented Information
• Clause 7.5.3 - Control the management and utilization of documented information
• Clause 7.5.3.1 - Control Organization's QMS documents and records
• Clause 7.5.3.2 - Control how QMS documents and records are controlled

Clause 8 - Operation

• Clause 8.1 - Development, Implementation, and Control of QMS Operational Processes
• Clause 8.2 - Determine and Document Product and Service Requirements
• Clause 8.2.1 - Communicating with Customers and Managing Customer Property
• Clause 8.2.2 - Clarify all Product and Service Requirements and Capabilities
• Clause 8.2.3 - Review Product and Service requirements and Record Results
• Clause 8.2.4 - Modify Documents when Product and Service Requirements Alter
• Clause 8.3 - Develop a Process to Design and Develop Products and Services
• Clause 8.3.1 - Make a Suitable Design and Development Process
• Clause 8.3.2 - Project planning of Design and Development activities for Products and Services
• Clause 8.3.3 - Identify Inputs of Design and Development for Product and Services
• Clause 8.3.4 - Specify how design and development process will be controlled
• Clause 8.3.5 - Clarify how design and development outputs will be produced
• Clause 8.3.6 - Review and control all design and development changes
• Clause 8.4 - Monitor and Control External Processes, Products, and Services
• Clause 8.4.1 - Verify External Products & Services Fulfill Requirements
• Clause 8.4.2 - Establish Controls for Externally Supplied Services and Products
• Clause 8.4.3 - Explicate Requirements to External Suppliers
• Clause 8.5 - Manage and control production and service provision activities
• Clause 8.5.1 - Develop controls for production and service provision
• Clause 8.5.2 - Point Out and identify outputs and Control their Unique Identity
• Clause 8.5.3 - Protect Property belonging to Customers and External Providers
• Clause 8.5.4 - Preserve Outputs through Production and Service Delivery
• Clause 8.5.5 - Elucidate and Meet all Post-Delivery Requirements
• Clause 8.5.6 - Control changes for production and service Delivery
• Clause 8.6 - Implement Plans to Control Product and Service Release
• Clause 8.7 - Control nonconforming outputs and Actions taken to be Documented
• Clause 8.7.1 - Identify and Control Nonconforming Output to Avoid Unintended Application
• Clause 8.7.2 - Document Nonconforming Outputs and the Actions Taken

Clause 9 - Evaluation

Under this clause, the organization has to take care of the following sub-clauses:

Clause 9.1 - Measurement, Monitoring, Analysis and Evaluation
Clause 9.1.1 - Plan how to Monitor, Measure, Analyze, and Evaluate
Clause 9.1.2 - Find out how well Customer Needs and Expectations are being fulfilled
Clause 9.1.3 - Evaluate and Assess Performance, Effectiveness, Conformity, and Satisfaction
Clause 9.2 - Utilize Internal Audits to Evaluate Conformance and Performance
Clause 9.2.1 - Audit Organization's Quality Management System at Planned Intervals
Clause 9.2.2 - Establish an Internal Audit program for the Organization
Clause 9.3 - Carry out Management Reviews and Document the Results
Clause 9.3.1 - Review Suitability, Adequacy, Effectiveness, and Direction
Clause 9.3.2 - Plan and Conduct Management Reviews at Predetermined Planned Intervals
Clause 9.3.3 - Generate Management Review Outputs and Maintain Documented Results
Clause 10 - Improvement

Under this clause, the organization has to take care of the following sub-clauses:

Clause 10.1 - Take into consideration means of improving customer satisfaction
Clause 10.2 - Control Non conformities and Take Appropriate Measures and Corrective action
Clause 10.2.1 - Correct Non conformities and Address Causes and Consequences
Clause 10.2.2 - Document Organization's Non conformities and the Actions that are Taken
Clause 10.3 - Enhance and Improve the Suitability, Adequacy, and Effectiveness of Company's QMS

Module 4: Essential Elements of Quality Management System
Upon completion of this module, you will be able to:

• Recognize the importance of managing organizational knowledge
• Explain how organizational knowledge can be preserved
• Discuss how companies check their management system through internal audits
• Explain how internal auditors can audit the new requirements of the ISO 9001:2015
• Discuss how top management should be involved in Management System through Management reviews
• List the new inputs of management reviews
• Explain how management reviews can be made effective in an organization
• Compare what has changed from previous version i.e. ISO 9001:2008 to new version ISO 9001:2015
regarding management reviews

Organization Knowledge
The latest ISO 9001:2015 standard introduces the concept of “knowledge.”
As knowledge was not required by the former ISO 9001 standard, both the concept and the
approach to it are new in the standard. ISO 9001:2015 sets out obligations for managing
organizational knowledge in the following four phases, which are similar to the PDCA cycle:

• Identify the knowledge which is mandatory for the implementation of processes and for
acquiring conformity of products and services.
• Keep knowledge and make it accessible to the level needed.
• Be thoughtful of the present organizational knowledge and measure it against contemporary
requirements and trends.
• Gain the required knowledge.

Knowledge Triangle: How data, information and analysis contribute to knowledge, and how
knowledge finally converts to wisdom.

Data
Data can be understood as “unordered facts and figures.”
The fundamental part of information in an enterprise is in the shape of data. Organizations gather,
assess and analyze this data to recognize patterns and trends. Most of the data thus gathered is
linked with the main processes of the organization.
Data are particulars and statistics which indicate something specific about a process, but data is
not structured in any way and gives no further insight concerning trend, forecast, context, etc.
Information
Each data unit is a fragment of a process transaction and does not give any information until these
fragments are structured and ordered in conjunction with other data units. The collection of data
into a meaningful context gives information. For data to be transformed into information, it must be
connected with its background, grouped, formulated and compressed where necessary. Information
therefore provides a larger picture; it is data with applicability and objective. It may convey a
behavior in the environment, or indicate a trend of sales over a timeline. Basically, information is
revealed in responses to questions that start with words like what, who, when, where and how much.
Analysis
The information collected in the earlier phase provides much depth. Analysis provides more value by
breaking down or reorganizing this information. Simulations with systematic and logical processing
give practitioners the capability to evaluate information and define process, trend, etc.
Knowledge
Knowledge is not identical to data, information or analysis, because knowledge can be generated
from any source, or it can be founded on previous knowledge utilizing logical inferences.
Knowledge is related to performance: it concerns knowing how to do something and comprehending
a reality. The knowledge owned by each person is an output of one’s experience, and relies on the
scale by which a person examines new inputs from his environment.
Knowledge can be defined as “an abstract mix of perceived experience, principles, socioeconomic
and political context, professional awareness, and the emotional elements.”
All these elements provide a setting and mechanism for assessing and adding new information and
experiences. Knowledge originates and is developed in the mind of the one who knows. In companies,
knowledge is frequently built into organizational culture, norms and routine activities, along with
their documentation.
Wisdom
Wisdom is the use of gathered knowledge to build an increased comprehension of the reality and to
optimize business functions.
How can you record the knowledge of your organization?
Every organization has significant knowledge that gives it a lead over the competition, but how
is this recorded within your organization? When this knowledge resides with some employees and is
not recorded, it is usually known as “tribal knowledge,” and while this can be a strength, it is at
risk of being lost when these personnel leave the company.

So, how can you simply record the knowledge of your organization? Here are some ideas:
Work Instructions

Obviously, the best way to record this knowledge is with the help of instructions. If you have a
process that needs to be done in a particular way in order to avoid problems, do so, and then this can
be drafted easily for comprehension of new recruits.
Checklists

Obviously, the best way to record this knowledge is with the help of instructions. If you have a
process that needs to be done in a particular way in order to avoid problems, do so, and then this can
be drafted easily for comprehension of new recruits.
Training Packages

At times, key points of the process need to be recorded, and having this in the form of a training
package can be an excellent idea for capturing the knowledge.
On-the-Job Training

When the knowledge just can’t be explained in black and white, it can be helpful to employ
on-the-job training where a professional and experienced person will convey the undocumented
knowledge in an organization to others.
Knowledge Database

Some concepts or things are learned during a project. This experience can be captured by creating a
report that discusses the successes and failures of a project, which can then be logged in a knowledge
database. Such records will help in completing such projects effectively.

Taking Advantage of the Recorded Organizational Knowledge

When organizational knowledge is recorded, one should take advantage of this resource, particularly
when introducing any changes.
Implementing quality checklists and work instructions can be met with resistance, but if all concerned
personnel know how important this documentation is, implementation will be easier.
Similarly, the training requirements should be implemented as soon as they have been produced.
Systems should be upgraded to incorporate the training for the implementation of work instructions
and quality checklists. This incorporation will ensure that when a new person is recruited to the team,
he/she will be provided with the most up-to-date training to start the job.
The knowledge database is unique in that it is an input mechanism into the design work, so the
design process needs to be updated to make sure that design engineers are able to take
advantage of the lessons which have been incorporated into the knowledge database, and that
no one bypasses learning or improvement that has been recognized and recorded. Personnel should
learn to utilize this system so that they may gradually progress in their jobs.
“Where is the knowledge we have lost in information?” - T. S. Eliot
Knowledge is often lost in information, especially when the given information is not analyzed and
applied during work.
Some organizations make use of data by ordering and converting such data forms into information.
Information provides insight about a process and the relation of data structures. But when this
information is only utilized for reports without taking appropriate actions on processes based on this
information, then a potential knowledge resource is lost.
Therefore, knowledge is something beyond information: it is applied to some process, machinery or
procedure, and gives a comprehensive understanding of the process in question.

An Important Resource!
Considering organizational knowledge as a powerful resource can speed an organization into
continual improvement, which can be crucial to the long-term success of an organization.
Frequently, organizations don’t understand what crucial knowledge they had until one key employee
leaves and systems do not work properly anymore.
This can be a costly way of learning the lesson that it is important to record and regulate
organizational knowledge. To avoid this, enterprises should take advantage of the ISO 9001:2015
requirements and opt for organizational knowledge recording by making it a strategic theme. The
organization will receive the benefits of doing so.

Types of Knowledge
There are different types of organizational knowledge, and these can be explained as:

• Tacit knowledge - Knowledge that cannot be expressed and communicated.
• Implicit knowledge - Knowledge that can be expressed and communicated but has never been.
• Explicit knowledge - Knowledge that is expressed and communicated, mostly recorded in the
structure of tables, text, relationships etc.
• Procedural knowledge - Knowledge that expresses itself in the form of doing some process.
• Declarative knowledge - Knowledge that comprises methods, descriptions and things, and
written procedures (declared and followed).
• Strategic knowledge - Knowing when to do something and the reason for doing it.

Business Knowledge and Resources


Business knowledge can be found on various platforms, some of which are listed below:
Personal

This is a type of knowledge found within an individual; it is mostly tacit knowledge. It can also be
both implicit and explicit, but it must be personal in nature.
Community

This knowledge is found within communities but is not conveyed to the rest of the organization.
Companies normally consist of different groups (usually informally formed) which are associated
with each other by common practice. These groups may have some common values, semantics, ways of
doing work etc. These communities are also a bank of learning and a source of implicit, tacit,
explicit and procedural knowledge.
Structural

This knowledge is present in the practices and culture of an organization. This knowledge might be
understood by most of the members of the company or only by some.
For instance, the knowledge behind the army schedules may not be recognized by the soldiers who
carry out these schedules. Sometimes, structural knowledge may be the remnant of organizational
history, or otherwise forgotten lessons, where the value of this knowledge exists solely in the
process itself.

Organizational Memory
Traditional memory is related to a person’s capability to obtain, retain, and retrieve knowledge.

Within organizations, this concept is stretched beyond personal traditional memory, and
organizational memory thus relates to the organization’s capability to obtain, retain and retrieve
knowledge through information, analysis and proceedings.
What is Organizational Memory?
It is defined as the memory comprising all the types of repositories in which a company may
collect information.
This memory is comprised of the various official records, along with tacit and available knowledge in
people, the company’s culture, and processes.

Stages for Processing Knowledge Through Organizational Memory

Knowledge Addition: Organizational memory comprises the obtained information concerning
historic judgments. This information is not mainly stored in a central place, but instead it is
distributed across various storage units.
Each time a judgment is made and the concerns are assessed, new information is added to
the memory of the organization.
Knowledge Retention: Knowledge in an organization is retained in five different knowledge storage
areas:

• Personal: The memories of the persons who remember organizational events, decisions, and
issues faced in the past.
• Shared Values of an Organization: The mode of communication and structures that are present
in an organization and form the shared values of an organization.
• Developed Systems: The developed standard procedures and official methods that the
organization uses. These official methods reflect the company’s past experiences and are
repositories for embedded knowledge.

The Role of Leadership


The role of a leader can never be underestimated in the development and effective management of
organizational knowledge. Usually three leadership roles are identified as being important for the
effective management of organizational knowledge.

These are explained below:

Lead Designer

This type of leader can be described as the designer of a ship rather than just being a captain.
The key roles played by this leader include:
• To create a shared vision with the team having common values and purpose.
• To define the high level policy, plans, and business structures that transform ideas into
effective decisions.
• To create beneficial learning methods; this will encourage the continual improvement of the
policies, plans, and business structures.
Lead Teacher

The attributes of this type of leader include playing the role of trainer, coach and counsellor in
challenging old ideas in an organization, and correcting those old shared perceptions that resist
positive change and act as a barrier to organizational success. This type of leader convinces the
organization to change and breaks the shackles of superficial hindrances.
Lead Steward

This quality relates to the personality of a leader. The attitude of the lead steward is one that
does not benefit oneself but rather sees to the overall well-being of the organization, business,
and the long term good of the people.
All three of these attributes will help leaders to build the foundations of a system where
organizational knowledge is used in the most effective manner for the overall well-being of the
organization.

What is Internal Auditing?


Internal auditing is an internal process for facilitating organizations to meet their objectives. It is
concerned with checking and improving the effectiveness of different management systems in an
organization.

What is auditing? Auditing is defined in international standard ISO 19011:2011—Guidelines for
auditing management systems as a “systematic, independent and documented process
for obtaining audit evidence [records, statements of fact or other information which
are relevant and verifiable] and evaluating it objectively to determine the extent to
which the audit criteria [set of policies, procedures or requirements] are fulfilled.”

The Concept Behind Internal Auditing


An audit can be termed as a type of inspection and testing, except that in this case the product being
inspected is the management system itself.
Similar to a product or process inspection, an audit compares “how things really are” to “how they are
supposed to be”.
Audits attempt to reveal areas that should be given attention and areas that are veiled during routine
activities; audits look at the whole process with fresh eyes, which can detect such shortcomings.
Although an audit is such a constructive tool in the management system, audits often evoke a level
of stress that is equivalent to the stress of completing an exam.
A positive external audit carries a lot of weight, so it is natural that there is some concern and
worry from the auditee. However, a robust internal audit cycle can minimize the stress, as an audit
might reveal the problems within a department and perhaps even solve them before an external audit
ever begins.
Comparing the Old and New ISO 9001 Standard
All types of management standards need audits to observe and present findings on the efficiency of
the management system.
A comparison of the internal audit between the old ISO 9001:2008 and the new ISO 9001:2015 is
shared below:
ISO 9001:2008

The internal audit process is one of the documented procedures mandated by ISO
9001:2008, which states that companies will implement a documented procedure with defined
task owners. The procedure should also state how internal audits will be planned and conducted,
and how results will be reported. The records should also be kept.
ISO 9001:2015

ISO 9001:2015 does not mandate a documented procedure for internal audit.
However, organizations should keep an audit program and keep documented information of the
audits held, their findings and closure records.

Phases of an Audit
There are four phases of an audit program:
Audit Preparation

Audit preparation contains all steps that are taken in advance by concerned parties (such as the
lead auditor, the auditee, and the audit program manager) to make sure that the audit acts in
accordance with the client’s objective. The preparation part of an audit starts with the decision to
perform the audit. Preparation finishes when the audit starts.
Audit Proceedings

This is the actual implementation phase of an audit and it is frequently known as evidence
collection. This phase covers the time period from when the auditor arrives at the audit location to
the last closing meeting.
It comprises on-site audit organization, discussion with the auditee, comprehending the procedures
and system controls and confirming that these controls are effective, collaborating with team
members, and interacting with the auditee until the closing meeting.
Audit Reporting

The objective of the audit report is to discuss the findings of the audit proceedings. The report
should contain evidence of findings that will be useful in resolving important organizational
matters. The audit activities are completed when the report is presented by the lead auditor or when
follow-up actions are done.
Audit Follow-Up and Closure

The final phase of an audit is verification of follow-up actions. Once the follow-up actions are
verified, the audit is considered closed.

First, Second and Third Party Audits


First Party Audit

A first party audit is also known as internal auditing.

It is conducted within an organization to gauge strengths and flaws against the organization's own
procedures, work instructions, or external standards like ISO 9001, which are voluntarily adopted or
mandated by a regulatory body.
A first party audit is performed by auditors who are part of the organization being reviewed but who
have no interest in the falsification of audit results.
Second Party Audit

A second party audit is an external audit that is conducted on a supplier by a client or by a third
party organization on behalf of a customer. Second party audits usually focus on the rules of
contract law. Second party audits tend to be more official than first party audits as the audit
results could affect the customer’s buying conditions.
Third Party Audit

A third party audit is conducted by an audit organization that is independent of the
purchaser-provider relationship and is free from any conflict of interest. Impartiality of the audit
organization is an important element of a third party audit. Third party audits may end in
recognition, award, registration, certification, license endorsement, a reference, or a penalty
given by the third party organization.
ISO 9001:2015 certification is also awarded based upon a third party audit, but this audit verifies a
system of first party audit i.e. internal audit for certification.

Types of Audit
Product Audit

This type of audit is carried out on a particular product or service to observe whether or not these
products and services conform to specifications and customer requirements.
Process Audit

This type of audit is carried out on a process to check whether process parameters are maintained
within defined limits. This audit assesses an operation or technique against guidelines or
criteria. This audit may comprise the following:

• Verify conformance to prescribed requirements such as pressure, time, temperature,
composition, voltage, and blend.
• Observe the resources (i.e. machinery, materials, human resource) allocated to convert the inputs
into outputs, the surroundings, the standard procedures and instructions followed, and the methods
identified to control process performance.
• Verify the capability and efficiency of the process controls formed by procedures, flowcharts, work
instructions, awareness sessions, and process specifications.

System Audit

A system audit is performed on a management system.

This type of audit is an evidence finding activity that is conducted to confirm, assess and verify that
the appropriate elements of the system are present and effective. Furthermore, this audit ensures
that elements have been aligned, recorded, and applied in accordance with stated requirements.
ISO 9001:2015 is a quality management system standard. Internal audits and third party external
audits are also system audits against the requirements of ISO 9001:2015.

Internal Audit Planning
Internal audit planning is one of the most important activities of the internal audit process:

• Internal audits should be planned at scheduled intervals to verify that the management system
fulfills requirements and that the effectiveness of the system is maintained. 'Requirements'
comprise the standard itself, along with the organizational requirements (such as the
organization’s procedures and policies).
• One does not need to audit an entire organization at any given time. The external audit (third
party audit) can cover the complete scope of the organization, but internal audits can be done by
flexible means, with different departments audited at different points in time.
• The standard does not mandate an audit frequency. Instead, it endorses making your
plan on the basis of the importance of the processes, their associated risks, their past issues,
and the associated quality objectives. One can set different audit frequencies for different
processes.
• If an organization is applying a new management system (such as ISO 9001:2015), then all
processes and departments covered under the management system scope should be internally
audited at least one time before the third party external audit.

Who Will Perform Internal Audit?


There are a number of things that should be considered before selecting an internal auditor.
Moreover, there are different approaches to performing an internal audit. Some things that should be
considered before selecting internal auditors for a process include:

• An auditor should be unbiased and independent. One cannot audit processes that he/she
organizes or has any stake in.
• Auditors should be competent with the auditing process itself.
• Internal auditors should be aware of the requirements of ISO 9001:2015 and organizational
procedures.

Approaches to internal auditing used by organizations include:

• Organizations can use consultants to carry out internal audits to implement a management
system.
• Some organizations employ full-time, permanent, internal auditors.
• Big organizations may utilize a team of internal auditors.
• Cross-function internal audits are also popular. These internal auditors are trained by various
departments and are allocated to audit other departments as per the designated plan.

Requirements for Each Audit
Audit requirements should be well studied by internal auditors before going into the audit
process. Some methodologies include:

• The internal audit plan should already have identified the area that one will audit. Now the
auditor needs to identify the criteria against which he/she will audit. At times this will be done
with a formal checklist that has a list of relevant questions. One can also consider the procedure
and identify check points. Internal auditors will check the related records to verify.

• Findings from previous internal audits or external audits can also help internal auditors to
identify weak areas, and they can re-audit those points to check whether follow-up actions were
effective or not.

• The criteria for internal audits should be communicated to the auditee before the audit. It is good
practice to ask the auditee to arrange the required documents before the audit to save
time.

• Last but not least, the use of observation and listening skills during audit questioning
helps to identify gaps within the systems.
Perform the Internal Audit
Performing an internal audit should follow a series of steps that are based on international protocols.
These steps should be followed while conducting an internal audit:
Step 1
An audit normally begins with an opening meeting where the auditor meets the auditee(s), states
the projected schedule, and informs the auditee about how the audit will be performed.
Step 2
Throughout the audit, the internal auditor will work logically from the checklist or procedure,
observing evidence that the process fulfills the required criteria. It is usual for the internal auditor
to write a finding summary and a finding result, defined as follows:
C = compliant or fulfillment of a requirement
NI = needs improvement or an area of potential gap
NC = non-conformance or non-fulfillment of a procedural or standard requirement

Step 3
When reporting the audit, it is vital to note what evidence was observed to establish the finding,
irrespective of the finding.
For example, while auditing the management review process, the auditor writes, "management
review conducted on 21st June 2017, an important agenda item was missed during the review i.e.
analyzing context of organization."
Step 4
Commonly, the internal auditor will inform the auditee of the finding result before reporting the
results. This is to make sure that the auditee comprehends the results and to ensure that there truly is
a problem.
Step 5
The internal audit will end with a closing meeting where the lead internal auditor will provide a
complete summary of the internal audit and information about each audit finding to make sure that
they are agreed upon and understood.
Audit Findings Kept as Documented Information
Audit findings should be maintained as documented information. An external third party auditor will
give an official written report on the external audit to management a few days after the audit, and
some companies do the same for internal audits. However, there is no obligation in the ISO 9001:2015
standard for an official internal audit report. Internal auditors should make sure that the findings are
documented and communicated to top management.
The auditor can simply record the findings and their particulars in the organization’s non-conformance
form and the associated register.
Auditors should keep records of the audit, which will normally be available in the following forms:

• Filled-in internal audit checklists

• Observations against procedures

• Minutes on objective evidence observed, and employees cross-examined

• Audit findings which can be referenced to your non-conformance report and register

• A formal audit report

• Non-conformance reports in software managed through the cloud or on the organization's local
server

Process Improvement Through Internal Audits


Internal audits can serve as a vital tool to maintain the effectiveness of the system and can act as the
“Check” part of the PDCA cycle. Through internal audits, organizations highlight the failures within
the management system that develop over the course of implementation and can thus address such gaps.
Through internal audits, process owners can also see underlying gaps in their processes which are
camouflaged as part of the process. This gives them the opportunity to fill those gaps, which they
are not able to perceive due to routine work cycles.
Organizations can build a culture of process improvement through internal audits by carrying out the
following steps:
Step 1

Awareness by process owners that internal audits help them to improve their processes and that
audits add value to the process. They should value the cycle of internal audits.
Step 2

Maintaining compliance with the standard is not a big deal for organizations. However, making use of
internal audits to ensure that the processes are effective and to add value in process streams is
the real challenge that organizations face.
Through internal audits non-value streams in a process can be removed, saving unnecessary cost of
over processing through those non-value streams. Internal audit processes can also identify a vital
process that can increase customer satisfaction which can yield more business which means more
profitability.
Step 3
Internal audits can help organizations to identify barriers to some processes that would help them to
meet their quality objectives. Through this process top management can be made aware of such
barriers, which can then be removed to improve the processes.

Internal Audits for Risk Management System


ISO 9001:2015 focuses on risk management of organizational processes. The organization is required
to identify risks and opportunities for its business processes as well as for internal processes.
An internal auditor will have to check the following:

• Has the process owner identified its associated risks and opportunities?

• Has the process owner identified the acceptable risks and opportunities which require no
further action?

• Have they identified significant risks and opportunities for which a plan must be made to
mitigate the negative impact of the risk and maximize the positive impact of the opportunity?

• Are the plans for risk mitigation or opportunity optimized to ensure they are achieved?

• Are the plans implemented and is the residual risk acceptable?

• Does the process owner reassess the process risk if there is a change in workforce, machinery,
material, or the process after a shutdown activity begins?

• Has the internal auditor verified that the process of risk management is being implemented?

Internal Audit for the Context of an Organization


ISO 9001:2015 requires organizations to identify their context. The organization should highlight
internal and external issues. Organizations should identify a list of interested parties.
Organizations should also identify the needs and expectations of the interested parties. When an
internal auditor audits management representatives or top management for clauses related to top
management responsibilities, all requirements can be audited there.
However, when auditing a process owner, the following requirements of the context of the organization
can be addressed:

• The process owner should understand how his/her process is linked with the organization’s goals and
the context in which it operates.

• What are the external issues that influence that process (such as the material supply of that
process)?

• What are the internal issues that influence the process (such as the work force, support activities
from other departments, machinery, internal software applications, etc.)?

• How are the issues related to the processes managed?

• How are the needs and expectations of interested parties fulfilled? For example, the employee
running the process is an internal party and they expect to be rewarded for their hard work.
Annual appraisal programs in their organization provide incentives for their hard work.
Internal Audits for Organization Knowledge
ISO 9001:2015 also requires organizations to manage knowledge. Each process owner has an adequate
amount of knowledge regarding their processes.
During an internal audit, the auditor can examine whether the knowledge possessed within that
process is documented in checklists, work instructions, or other documents related to knowledge
management. Internal audits can provide a continual way for organizations to document knowledge
within those processes which is not yet documented.
Thus, the reliance of organizations on old employees possessing the knowledge about processes is
reduced to a level manageable by the organization. Therefore, internal audits can serve as a tool for
improving organizational knowledge by documenting it and reducing the dependency of an
organization on just a few individuals.
Therefore, the risk of organizational knowledge being lost when the old employees leave the
company is taken care of. The internal audit will act as the "check phase" of the whole knowledge
management cycle.

Management Review
What is management review?

Management review is a process in which top management reviews the performance of management
system. In the case of ISO 9001:2015, it is the quality management system that should be reviewed by
top management. The standard defines some requirements for management reviews. It is again the
“Check” part of the PDCA cycle for quality management system.
What are the Standard-Mandated Management Review Inputs?

Although other inputs could be considered as needed by the company, ISO 9001:2015 mandates a
minimum list of required management review inputs that top management must review. This can
support the wellbeing of the QMS and can help in discovering areas where correction is required or
should be brought in so as to fix the processes and increase customer satisfaction.
Results of Audits

Internal audits are conducted at planned intervals within the organization, while external audits are
conducted on an annual basis as surveillance audits. What are the results of these audits? Are there any
repetitive observations being highlighted in audits that can potentially point to a bigger gap?
What are the areas that management needs to support for improvement? These are the questions
that will be asked when the results of audits are discussed in management reviews.

What are the management review inputs?


Customer Satisfaction
Customer satisfaction is one of the most important management review inputs. As a Quality
Management System focuses on customer satisfaction, the voice of the customer is actually reflected
in customer feedback reports.
Customer feedback reports are usually collected by the Customer Services department. Moreover,
customer complaints are also considered customer feedback.
There are a number of things that management should consider in the customer feedback review. Is
customer feedback in the form of complaints occurring less often and positive feedback becoming
more frequent? Are customer complaints handled speedily to ensure that customer satisfaction is not
affected? Last but not least, when analyzing the data, management should ask what changes must
be made to the processes to avoid a complaint and/or to reduce the frequency of any complaint.
Process Performance and Product Conformity
Process performance and product conformity are actually indicated in the number of non-
conformities that are reported due to a process or on the product itself.
For example, rejections and reworks of a process indicate that process performance is declining. Then
the question is whether the process is being fed with adequate resources or not. How are these
processes and product non-conformities affecting customer satisfaction? Which processes should be
improved to ensure product conformity and what resources should be provided to improve such
processes?

What are the Required Management Review Inputs?


Status of Corrective Action
ISO 9001:2015 mandates a protocol for corrective actions in processes. A corrective action request is
issued when a non-conformity has occurred.
Management needs to observe when these actions do not occur within the given timeline. What has
delayed corrective actions and why? Are there suitable resources assigned to the most serious issues?
Management should intervene during the review to complete the critical corrective actions for their
processes. This is how management review meetings can address the status of corrective actions.
Follow-Up Actions from Previous Management Reviews
This should occur at the beginning of a management review. The status of actions that have arisen
from the last management review meetings should be addressed first.
This also shows the effectiveness of the management review itself. If management decided upon
some action plan during a previous management review, management can then follow up on those
actions and can decide whether the allocated resources were effective in dealing with the issue and
moving the organization forward. Moreover management can see whether the actions taken have
really solved the potential problems or not.
Changes that could affect the Quality Management System (QMS)
Sometimes changes occur due to a new legal requirement or a customer requirement that may
impact the QMS. Management review provides a platform to plan for such changes earlier rather than
later, so that there will not be a rush to implement these changes upon the enforcement of a new law.



Performance of External Providers
Management must also review the performance of their external providers such as their suppliers,
contractors, vendors and other service providers.
The performance is reviewed on the basis of service or product quality, timely delivery, and the
extent to which the organizational requirements are being met. Based on this review, management
can also take decisions.
For example, if a supplier is not performing well, is providing bad quality raw material, and as a result
the company is facing difficulties in meeting its quality objectives, then management can decide
to switch to another supplier who can provide quality raw material.
Even if the cost will increase, it will be better compared to the cost incurred in product rejections,
utilities and resource utilization during reworks etc.
Effectiveness of Actions Taken to Address Risks and Opportunities
As per ISO 9001:2015, organizations are now required to manage risks and opportunities. For risks,
management will take actions to mitigate the effects of the risk. For opportunities, management will
take actions to maximize the returns from those opportunities.
Management reviews provide an opportunity to review the effectiveness of the actions which are
taken. For actions that are not active, management can propose other actions in order to meet the
necessary objectives.
Recommendations for Improvements
Organizations receive recommendations for improvements from employees, contractors, suppliers,
customers etc. The management needs to see whether these recommendations are taken seriously or
just ignored.
Management has to decide which recommended areas for improvement the
organization will work on in order to improve and gain advantage in the market.



Adequacy of Resources
Management must also review the resources that are allocated for the effectiveness of the quality
management system as a whole. It is possible that, due to changes in processes or the addition of
other products in the product manufacturing line, the resource requirements may have increased.
But management cannot address such issues in the daily routine.
Management review provides management with an opportunity to provide adequate resources for
such processes which have been neglected for any reason in the past. This will ensure the
effectiveness of the process and will help the management to achieve its goals.
Quality Policy
The quality policy is a document that shows the commitment of top management to a quality
management system, as well as to the customer and other interested parties. Although it is not a
specific management review requirement as an input, management is required to review its strategic
direction regarding the quality management system, and thus the quality policy can also be reviewed
to check if it is aligned with the strategic direction.

What are the Required Management Review Outputs?


The three points discussed below are the compulsory outputs of Management Review.

Proceedings of the inputs need to be kept to display that management review has effectively
addressed them and produced the required outputs for the QMS. The records maintained can differ
and these records are reliant on how the management review is planned and completed. These
records are imperative not only to show to an auditor, but to record decisions for betterment of the
company, what decisions were made, and why.
Improvement of the Effectiveness of the System

Management should make decisions as to what actions are needed to improve the effectiveness of
the system. A management review is not only meant for reviewing things without acting. A
management review means that management must make decisions for the improvement of the
system. This is similarly mandated by ISO 9001:2015.
Improvement of Product Related to Customer Requirements
Management should make decisions based on customer complaints or feedback in order to improve
the product. If the product is improved based upon an action derived from a management review
meeting, it offers management an opportunity to draw more customers. As the customer voice
becomes in favor of the company, more customers will yearn for the product.
Resource Needs

Last but not least, management should identify areas from the management review which need
more resources. Management should make the decision to hire competent resources to fill potential
gaps in the processes. This is how management review can be an effective tool for increasing the
performance of the quality management system and thus ensuring that the customer is also satisfied
with the company’s performance.

Can Management Review be Done Without Holding a Meeting?


While management review meeting scripts are easier for the external auditor to analyze, it is not the
concern of company management to make things comprehensible for the auditor. Rather,
management reviews are in place to ensure that their organization works well.
Many organizations conduct reviews by means of a management review meeting and generally do so
on a yearly, biannual or quarterly basis. The standard simply mandates management review,
not a management review meeting; therefore it is up to the organization how the management
review is conducted.
For example, a customer complaint needs to be reviewed. However, if this review only occurs on a
bi-annual or annual basis in a meeting, a timely response may not be provided on customer issues.
Therefore management might review it on a quarterly basis as well. Management must conduct
reviews, but how these reviews are to be done is up to management to decide. The only thing that is
required is that reviews should be effective in providing an accurate picture of the QMS and improving
the QMS, so as to achieve increased customer satisfaction.
Management Review can be a Key Driver of Improvement
Management Review is all about reviewing the presented review inputs to make sure that sufficient
resources are available so as to have customer satisfaction and increase the efficiency of the QMS and
to increase the quality of product. This is done to confirm that resources are producing the right
outputs.

How Do Auditors Verify Management Reviews During an Audit?


External and internal auditors will try to verify the requirements of ISO 9001:2015, which are almost
the same as those of ISO 9001:2008, with a few changes.
The auditors will check how the management review inputs are prepared for the review. The auditor
will try to establish evidence that the organization has conducted a review on the inputs of
management review. They will also check the outputs of the management review.

ISO 9001:2015 Transition

• Auditors are being counselled to ensure that planned management reviews are establishing that
the management system is aligned with the organization's strategic themes. The
particular requirements added in the latest version of ISO are concerned with the context in which
the organization operates and the related actions to address risks, which will also be checked by
the auditor as management review inputs.

• The bigger emphasis in the 2015 edition of ISO is on top management’s involvement with the
management system. This will certainly lead to the amplified inspection of the management
review process, which will authenticate its incorporation into an organization's business
processes.

• The auditor can also verify the depth of review, suitably scheduled frequency of reviews,
timeliness of conducting reviews, suitable attendance and results worked on. The auditor can verify
these elements of management review by checking records and interviewing the top
management.

Changes Between the Old and New Version of Standard


Whereas ISO 9001:2008 called for the evaluation of the quality objectives and their appropriateness to
the quality management system in the management review, ISO 9001:2015 entails an evaluation
of changes in the industrial environment and how these elements of change might disturb the
strategy of the business.
ISO 9001:2008 asks, in simple terms:
• Kindly demonstrate changes and improvements that have happened

• How they associate with the Quality Management System

• How the management reacts to changes


ISO 9001:2015 wants organizations to demonstrate the following:
• Please show evaluation (in management reviews) of business strategy to attain organizational quality
objectives in the environment where your business operates

• Please show how changes in this business environment are evaluated in management reviews

• Please show evaluation in reviews regarding these changes impacting the QMS

• And, if changes impact the QMS, what actions are taken in management reviews
Now, how the standard is applied depends on how strong or old-standard oriented the external auditor
is; if he is tenacious and up to date, he might need to evaluate the business environment, how the
company’s strategy is relevant to it, and its association with the QMS.

Management Review Relation with PDCA


Performance Evaluation is a necessary part of ISO 9001:2015. The “Check” phase of the PDCA cycle
relates to Performance Evaluation. Performance Evaluation comprises management review,
internal audits, and monitoring, measurement and analysis.
Queries about Management Reviews
Why Carry Out Management Reviews?

Management reviews are carried out in order to ensure that the requirements of the management
system and its effectiveness are evaluated. The reviews need to evaluate present management
performance statistics and make sure that improvement opportunities have been identified and taken
care of.
How Frequently Should an Organization Hold Management Reviews?

The standard requires that reviews should be carried out at “planned intervals”. This can be
once a month, every three months or once a year. It is strongly recommended that these be conducted
as per a defined plan on a regular basis. The schedule also needs to be shared with relevant
stakeholders in order to hold management reviews appropriately.
Who Takes Part in Management Reviews?

The person appointed to manage management reviews is usually known as the management
representative. He should chair the meeting with concerned senior managers, line managers and top
management representatives, like the CEO or members of the board of directors. Sometimes,
vendors are also invited to take part in review sessions regarding the performance of external
providers.

Records for Management Reviews


Records of management reviews can be kept in various forms. As the standard says to maintain
documented information, the requirements of the standard can be met with the help of any
format that has provisions to address the standard's requirements.
Normally, management review records are available in the following forms, which can also be
maintained to fulfill the standard's requirements:
Management Review Meeting Minutes

Summarized notes of the conversations or review proceedings, as well as action managers and
proposed action due dates for completion.
Management Review Outputs

Minutes can also contain the review output form. However, it can be managed separately as well.
Outputs of the management review are founded on judgments and proceedings concerning:
• Enhancement of the business / operations
• Enhancement of the usefulness of the overall quality management system
• Enhancement of product associated with customer requirements
• Issuance of appropriate corrective actions, when needed
• Decisions on resource addition as per needs identified in the review
Three Steps to More Effective Management Reviews
Following are the three steps required for the effectiveness of management reviews:

• Top management involvement

• Speak in their terms

• Distribute the responsibility


Top Management Involvement
The top management (chief operating officer, chief executive officer, managing director, general
manager and chief financial officer) are all concerned about the organizational financial and
accounting management system and all believe that the performance of the financial system is vital
for the company’s growth and success.
Similarly, the quality management system should also be taken in the same spirit, where all of
the top management believe that quality is an integral part of organizational success. This
belief will drive the top management involvement which is needed to accelerate the business
processes.
In the same way, top management must understand and behave as though quality is an essential
element in the organization’s victory. Furthermore, they must believe that every single manager and
member of the organization has a role in the success of quality management systems.

Therefore, quality should be taken as a critical business activity. Management reviews are imperative to
meet the goals of an organization, and all participants from top management must show
ownership and engagement in the system to make it effective.

Speak in their terms


One of the best methods for getting top management enthusiastically involved in management
reviews is to speak in their terms, that is, in the language of business. It means convincing them that
a bad management system can increase the cost of running the business and that an effective quality
management system can prevent internal inaccuracies in the processes, which can result in profitability
of the business.
What has the quality management system contributed to the organization beyond audits,
inspections, and system certificates placed on the wall? Quality managers and management
representatives must speak in the language understood by top management, similar to that of finance
and accounting managers when discussing the company’s monetary achievements.
Top management should be provided with eyes to see how the organization’s economic activity and
the effectiveness of its management systems are connected. The management review is an ideal
method for validating the business value that quality management systems have given to the
organization.
For example, if the organization has improved its market share following the application of its quality
management system, it is reasonable to attribute this success to the quality management system. This
attribution follows the cause-and-effect principle.
For example: before the quality management system was applied, the business had “X” of the market
share, but three years after its implementation, the company has expanded to “1.5 X” percent of
the market share. This means that the company has grown in three years and the implementation of
the quality management system is one of the key reasons for this expansion.



Distribute the Responsibility
It is common for the quality manager to have the impression that they alone are accountable for
the company’s management systems. However, quality is the concern of every executive
and member of the organization, even if it occurs on different levels. It is agreed that the quality
manager is responsible for the whole routine operation of the quality management system,
but all executives, members and their teams are also liable for the system to be operational.
Thus it is wisely said, “quality is everyone’s responsibility”.
Quality managers must exert efforts to transfer responsibilities to the appropriate
department managers, so that responsibility can be shared.

The main points from this module are as follows:


ISO 9001:2015 introduced a new concept to the Quality Management System. The concept speaks about
the management of organizational knowledge.
The standard mandates that complying organizations must:

• recognize the knowledge areas that are necessary for the effective operation of processes and
the conformity of product/service;

• maintain this knowledge and keep it accessible where necessary;

• recognize the changing trends for knowledge and compare them with current organizational
knowledge;

• and attain the required knowledge if necessary.


The knowledge triangle involves: the collection of data, the grouping of data to create information,
the analysis of information, which then creates knowledge for the organization. Following this,
repeatedly applying knowledge to improving processes will result in wisdom.

Organizational knowledge is recorded in work instructions, checklists, training packages,
on-the-job training, and knowledge databases.
The organization uses the knowledge sources to create advantage in their processes.
Knowledge is often lost in information if information is not analyzed and worked upon.
Knowledge should be considered as an important resource. Some types of knowledge
are tacit, implicit, explicit, procedural, declarative, and strategic.
Business knowledge exists among personnel, organizational communities, and the structure
of an organization.

Processing of knowledge from organizational memory comprises knowledge addition,
retention, and retrieval.

Internal auditing is the inspection of a management system itself.

Phases of an audit comprise audit preparation, audit proceedings, audit reporting, and
audit follow-up and closure.
An audit is done by a first party (internal audits), a second party (customer audits) or a third
party (external certification audits).
Types of audit are product audit, process audit and management system audit. An internal
audit against ISO 9001:2015 is a management system audit.
Following the revision of ISO 9001, internal audits will now be conducted to assess risk
management systems, context of organization, and organizational knowledge.
Module 6: Fundamentals of Environmental Management Systems (EMS)
After completing this module you will be able to:

• Explain the need for Environmental Management Systems (EMS)

• Discuss the fundamental concepts and terminologies used in EMS

• Follow the fundamental systems used in EMS

• Identify who is responsible for developing the ISO 14001 standard

• Trace the timeline of ISO 14001 development

• Assess the compatibility of ISO 14001 with other standards

• Explain the timeline for transition to ISO 14001

• List the benefits of ISO 14001 for organizations

• Outline the benefits of ISO 14001 for stakeholders

Introduction to EMS
What is an EMS?
An Environmental Management System (EMS) is a collaborative and systematic approach to
effectively managing environmental risks.
EMS helps companies to improve their environmental performance continually. In addition, EMS
provides a framework for companies to comply with environmental ordinances, regulations,
state laws and compliance obligations.
DIRECTIONS
EMS systems direct organizations in the following ways:
1. Identify environmental aspects and impacts
2. Examine the risks associated with aspects and impacts
3. Establish controls to minimize environmental impacts
4. Define goals for the achievement of environmental performance
5. Create a plan to achieve goals
6. Monitor performance against goals and targets
7. Report results
8. Review results and continually improve
EMAS
About

One of the best known environmental management systems other than ISO 14001 is EMAS.
EMAS is a "premium eco management system" developed in the
EU by the European Commission. EMAS is an acronym for Eco-
Management and Audit Scheme. The requirements of EMAS
help companies to assess, report and improve their
environmental performance.
EMAS can be applied to any organization looking to improve its
environmental performance. It covers all financial and service sectors and is practicable
worldwide.

Benefits
EMAS helps organizations in the following ways:
PERFORMANCE: EMAS helps organizations to identify the correct tools to improve their
environmental performance. It encourages organizations to willingly commit to both assessing
and minimizing their environmental impact.
CREDIBILITY: Third party verification from EMAS confirms and authorizes the credibility of the
organization, as it is seen as unbiased and independent from the organization.
TRANSPARENCY: Offering information on an organization’s environmental performance to the
public is an important contribution of EMAS. Organizations attain "superior transparency",
externally from the environmental statement and internally through employees' active
participation.

Summary:
Through EMAS, an organization can minimize its environmental impacts,
reinforce its legal compliance and employee participation and protect
resources and money.
Legacy Standards
ISO 14001:2004

ISO 14001:2004 is the second edition of ISO 14001 and is compatible with ISO
9001:2000. ISO 14001:2004 states the requirements to help an organization to
develop and implement a policy and objectives regarding EMS.
This must take into consideration legal and other requirements, to which the
organization contributes. It also includes information about significant environmental effects.
ISO 14001:2004 helps an organization to identify environmental aspects it can manage and those
it can influence. This standard does not dictate any specific environmental performance criteria.
However the PDCA (Plan, Do, Check and Act) model is given importance in the standard.

ISO 14001:1996

ISO 14001:1996 is the first edition of ISO 14001 and is compatible with ISO
9001:1994. It helps an organization, by offering requirements, to develop a
policy and objectives for an EMS.

As with ISO 14001:2004, this takes into account legislative requirements and
incorporates information about significant environmental impacts.

Study Group
AGENDA
In 2010, the Study Group on Future Challenges for Environmental Management Systems
delivered a report detailing eleven agenda items that were pertinent for the future of
environmental management systems. These can be summarized as follows:
• Working on sustainability and social responsibility
• Improvement of environmental performance
• Easing application in small organizations
• Considering the environmental impacts in the value/supply chain
• Engaging stakeholders
• Managing parallel or sub-systems (greenhouse gas, energy)
• Replicating external communications (including product information)
• Inclusion with national and international policy agendas
• Compliance with legal and external requirements
• Strategic business management
• Conformity assessment
PARALLELS

From these eleven agenda items, a set of recommendations arose and a revision of
ISO 14001 was developed.
Experts claim that the development of the latest EMS standard was well timed in
September 2015. ISO 14001:2015 matches the structure of the newly revised
ISO 9001:2015 Quality Management System standard.
It is claimed that the common requirements shared by the three most important EMS (ISO 9001,
ISO 45001 and ISO 14001) should empower organizations to incorporate them more easily into
their organizational processes.

Committee
The ISO 14001 revision proposal was initially presented in 2011. The
committee responsible for the revision of ISO 14001 is known as ISO/TC
207/SC 1. ISO 14001:2015 was published on 15 September 2015.

ISO Comparisons
ISO 14001:2004 was adopted by many companies, and it was observed operating in different
countries around the world.
What are the major differences between ISO 14001:2004 and ISO 14001:2015?
The primary difference is that ISO 14001:2015 focuses on the interface of an organization with its
business environment. ISO 14001:2004 concentrated on managing environmental impacts and
other internal issues.
See the table below for further differences:
ISO 14001:2015 | ISO 14001:2004
Process-based approach | Procedure-based approach
Incorporates both risk and opportunities | Considers risk exclusively
Incorporates the views of interested parties | Does not include the views of interested parties

PDCA
ISO 14001:2015 incorporates the Plan-Do-Check-Act (PDCA) model. This offers a mechanism for
organizations to plan what they require to mitigate the probability of incidental environmental
damage.
PLAN

Planned measures should reflect concerns regarding emissions and negative
environmental impacts in the long run. Measures should address factors
that lead to environmental incidents.
For example, a release of harmful chemicals into the environment may
violate compliance obligations.
Measures regarding the prevention of harmful releases into the environment, environmental
policy, objectives, action plans and impact analysis are examples of the 'Plan' part of PDCA.

DO

ISO 14001:2015 guides top management in its legal obligations regarding
environmental impacts. Top management must provide commitment through
leadership and ensure that workers have sufficient knowledge, skills and
expertise to operate functions relating to an effective EMS.
This would include operating equipment relating to waste management and
carrying out operations that lower the organization's "carbon footprint", i.e. the
amount of carbon it releases into the environment.
Top management should put in place effective controls in the 'Do' phase. These are known as
operational controls. These operational controls are outcomes of the 'Plan' stage.

Check

This is the part where measurement and monitoring are done. The 'Check' part
lists all the main constituents that should be resolved to make sure that the
EMS is operational. This includes identifying opportunities for improvement
and enhancement in the 'Act' phase.

Act
The 'Act' part is the improvement part and is referred to in the standard as
'Continual Improvement'. It is the recurring activity that is implemented in order to
enhance environmental performance.

Problems and Solutions


DAMAGE

The planet Earth is facing many environmental challenges today.
Environmental damage includes: global warming, ozone layer depletion, acid
rain, urban sprawl, waste disposal, air pollution, water pollution and climate
change. Moreover, this affects people, animals and other living organisms on
the earth.
The mistreatment of the environment has risen at a fast rate over the past
century, due mainly to industrialization and consumerism. Human activities have not been in
support of safeguarding the earth.
We have observed many natural disasters recently, in the form of flash floods, tsunamis,
earthquakes and hurricanes. Industry and production techniques have contributed to damage
to the environment. Businesses tend to exploit natural resources, which can have harmful
impacts on people and the environment.
SUSTAINABILITY
Various environmental groups and government bodies are now concerning
themselves with "protecting the environment for future generations". The term
'sustainable development' is proclaimed as a way forward. It is argued that the world
needs development, but development that is "sustainable", without damaging the
environment.

STANDARDS
ISO 14001:2015 is a system for businesses, designed to help them to manage
and improve their environmental performance. It has been continually revised,
considering the challenges businesses face in terms of legal requirements,
business contexts and changing conditions.

Applying the Standard


TRANSITION
Companies need to upgrade from ISO 14001:2004 to ISO 14001:2015. As
part of the transition, numerous steps must be followed. The following
sequence is recommended:
1) Analyze interested parties (individuals or organizations that can
influence the organization’s activities). Analyze internal and external
factors that may influence the organization’s EMS. Check how various risks
can be managed with the help of the EMS.
2) Identify the scope of the EMS, while reflecting on what the management system should
deliver.
3) Utilize information relating to both standards to influence the organization’s processes.
Include risk evaluation and assessment. Develop key performance indicators (KPIs) for activities
relating to the environment.
FOCUS
The focus is the environment. The ISO 14001:2015 standard does not deal with
products or product quality, nor how they should be utilized or sustained.
The focal point is workplace performance relating to environmental impacts. There
is a requirement to list the aspects and impacts of all work-related activities, so as to eradicate or
mitigate risks that are significant.
PROACTIVE
In a rapidly evolving world, there is a requirement in the standard for organizations to
be proactive rather than reactive.
They should "foresee actions", instead of waiting for regulations and codes of practice to be
enforced.

SIZE
Most organizations are small or medium sized enterprises. ISO 14001:2015 is just as applicable to
them, as it is to large enterprises.
The simple, risk-oriented approach in ISO 14001:2015, should be easily-implementable for SMEs,
as it is well-matched with the approach used in EMAS.

Q&A
What will be new in ISO 14001:2015, compared with other environmental (EMS)
standards? How will the transition influence small and medium-sized enterprises
(SMEs)?
A preventive approach is upgraded to "risk-based thinking" in ISO 14001:2015.

Benefits of Participation
CERTIFICATION
It is expected that a large number of organizations will employ ISO 14001:2015 to
build an effective EMS. Significant numbers will want the recognition that comes with
certification from ISO. Certification demonstrates to external parties that an organization has
attained compliance with a particular standard.

Advantages
Adherence to the standard ensures compliance with current legislation. The activities
recommended by ISO 14001:2015 can help to develop an organization’s reputation as
"friendly to the environment" and this can accrue advantages.

Summary

Implementing ISO 14001:2015 can provide advantages for organizations, such as:
• Increase resource efficiency
• Decrease waste
• Lower expenses
• Offer guarantee that environmental impact is being measured
• Competitive advantage
• New business opportunities
• Compliance with legal obligations
• Increase stakeholder and customer trust
• Manage environmental obligations with consistency

Continual Improvement
The standard mandates that environmental risks be addressed and managed. For the risk
management approach to be effective, it is important that the system is continually improved, to
address ever-changing objectives.

Environmental Inputs
INTERESTED PARTIES

The term "Interested Party" is defined in the standard as "a person or
organization that can affect, be affected by, or perceives to be affected by
a decision or activity."
'Interested party' is an important inclusion in the latest ISO 14001
standard. It was not well-considered in previous ISO 14001 standards. The term is defined in
clause 3.2 of the latest standard. It is sometimes referred to as "stakeholder", in lieu of
'Interested party'.
Examples of Interested parties are: neighbors, communities, pressure groups, employees,
management and shareholders, external parties, contractors and service providers,
manufacturing partners, government or legislative bodies and trade unions.
ENVIRONMENT

Environment is defined in the standard as "surroundings in which an organization
operates, including air, water, land, natural resources, flora, fauna, humans and their
interrelationships."
Surroundings can extend from within an organization to the local, regional and
global system. Surroundings can be described in terms of biodiversity, ecosystems, climate or
characteristics.

GRAPHIC
Complexity
Environmental issues can be complex and incorporate the inter-relationships of
multiple environmental inputs, as depicted in the GRAPHIC tab. This makes the
responsibility of people and organizations even more important.

Environmental Aspects & Impacts


Environmental Aspect

'Environmental Aspect' is defined in clause 3.2.2 of the ISO 14001:2015 standard as:
"elements of an organization’s activities, products or services, that interact with or can
interact with the environment".
An environmental aspect can cause environmental impacts. A significant
environmental aspect is one that has or can have, one or more significant
environmental impacts.

Environmental Impact
'Environmental Impact' is defined in clause 3.2.4 as: "change to the environment, whether
adverse or beneficial, wholly or partially resulting from an organization’s environmental aspects".

Activity | Aspect | Impact
Boiler Operation | Stack Emission | Air Pollution
Product Design | Reduction in volume | Conservation of raw material
Vehicle Maintenance | Disposal of used oil | Soil Contamination

Activity
Examine the pictures and identify them as environmental aspects or environmental impacts.
Answers are on the NEXT slide.

Activity Answers
1. Environmental Impact

2. Environmental Impact

3. Environmental Aspect

4. Environmental Aspect

5. Environmental Aspect

Environmental Conditions
Definition
'Environmental condition' is defined in Clause 3.2.3 as "[the] state or characteristics of the
environment, as determined at a certain point in time".
In several places, the phrase "changing environmental conditions" replaces the deleted
term "climate change".
Conditions
Examples of environmental conditions:
POLLUTION - An undesirable condition of the natural environment, which is being contaminated
with harmful substances, as a consequence of human activities.
EROSION - An environmental condition in which the earth's surface is worn away by the actions
of water and wind.
DEFORESTATION - A condition in the environment, where the environment is deprived of trees.
DEPOPULATION - The environmental condition of having a reduced number of inhabitants or no
inhabitants at all.
GLACIATION - The environmental condition of land being covered with glaciers or masses of ice.
INHOSPITABLE - An environmental condition in a region, that lacks a favorable climate or
suitable terrain for life or growth.

Pollution
Prevention
Prevention of pollution is defined in clause 3.2.7 of the standard as:
"The use of processes, practices, techniques, materials, products, services or
energy, to avoid, reduce or control (separately or in combination) the creation,
emission or discharge of any type of pollutant or waste, in order to reduce adverse
environmental impacts".

Actions
Prevention of pollution can include the following actions:
• Source reduction or elimination
• Process, product or service changes
• Efficient use of resources
• Material and energy substitution
• Re-use
• Recovery
• Recycling
• Reclamation
• Treatment

Life Cycle
Definition
Life Cycle is defined in clause 3.3.3 of the standard as:
"consecutive and interlinked stages of a product (or service) system, from raw material
acquisition or generation from natural resources, to final disposal".

Stages

The life cycle stages include:
• Acquisition of raw materials
• Design
• Production
• Transportation/delivery
• Use
• End-of-life
• Treatment
• Final disposal
Objectives & Performance

Environmental Performance

Environmental Performance is defined in clause 3.4.11 of ISO 14001:2015
as "performance related to the management of environmental aspects".
The results of an organization's EMS can be measured against the organization’s
environmental policy, environmental objectives and other criteria,
using indicators.

Indicator
Indicator is a term defined in 3.4.7 of the standard as a "measurable
representation of the condition or status of operations, management or
conditions".
For manufacturing industries, releases and air emissions have
environmental indicators. For example, SOx (sulphur oxide) and NOx
(nitrogen oxide) particulate matter values are indicators of the level of
emissions.

Objectives

Targets are set in the form of objectives; objectives are consistent
with the EMS policy. Objectives are set so that specific results can be
achieved by the activities taken to fulfill the objectives.
Objectives are usually founded on "SMART" principles, i.e. specific,
measurable, achievable, realistic and time-bound. If objectives are
made using SMART principles, it is likely that an organization will
achieve its targets; it will be easier for people to follow and complete the various activities that
are defined within the objectives.

Examples
Examples of EMS objectives include:
• Zero acid spillage
• Maintaining air emissions within the range of legal compliance
• Maintaining adequate levels of BOD (Biochemical Oxygen Demand) and COD (Chemical Oxygen
Demand) in waste water as per legal requirements
• Shifting to renewable sources of energy

Environmental Objective
Environmental Objective is defined in clause 3.2.6 of the standard as "[an]
objective set by the organization [that is] consistent with its environmental policy".

Risk
Definition
ISO 14001:2015 defines risk as "the effect of uncertainty". The standard further
explains that the effect is a "deviation from the expected".
This effect can be positive or negative.
Uncertainty (even partial), is the state of deficiency of information relating to
understanding or knowledge of an event, its consequence, or its likelihood.

Character

Risk is often characterized with reference to potential events and consequences, or a
combination of these.
Risk is often expressed in terms of a combination of the severity and consequences of
an event (including changes in realities) and the likelihood of occurrence.
Therefore risk is conceptualized as the product of severity and occurrence (Risk =
Severity x Occurrence).

EMS Functions
The functions of Environmental Management Systems are listed in clause 3.1.2 of the
standard and include: managing environmental aspects; fulfilling compliance
obligations; addressing risks and opportunities.
Introduction
ISO 14001:2015 is envisioned to provide a sustainable and environmentally friendly way for
businesses to operate.
In addition, this EMS offers a vigorous and effective set of processes for improving
environmental performance in global supply chains.
Moreover, the standard is designed to help organizations of all sizes, in all industries.
This EMS standard, once implemented, is expected to reduce negative environmental impacts
globally.

Environmental Damage
Concerns
Environmental damage can involve serious cases of water pollution, land contamination
and damage to biodiversity. These problems are supposed to be dealt with by a country's
environmental regulations.
The Executive Director of the United Nations Environment Programme, Achim Steiner has
said:
“If current trends continue and the world fails to enact solutions that improve current
patterns of production and consumption, if we fail to use natural resources sustainably, then the
state of the world’s environment will continue to decline. It is essential that we understand the
pace of environmental change that is upon us and that we start to work with nature instead of
against it, to tackle the array of environmental threats that face us.”
Greenhouse Gas
The GEO-6 report on Latin America and the Caribbean states that greenhouse gas
emissions have increased as a result of urbanization, economic growth, energy
consumption, land use changes and other factors.
Agriculture has had a significant impact on the releases of nitrous oxide and carbon
dioxide. Nitrous oxide emissions from soils, leaching, runoff, direct emissions and
animal manure have increased by approximately twenty-nine percent between 2000 and
2010. The abundance of beef and dairy cattle across regions has amplified methane
releases, which rose by nineteen percent between 2000 and 2010.

Particulates
Most metropolitan areas for which data is obtainable have concentrations of particulate matter
(PM) above World Health Organization (WHO) recommended levels.
In Mexico for example, concentrations of PM2.5 (atmospheric PM that has a
diameter of less than 2.5 micrometers) have been recorded at 85.9, well above the
WHO recommended limit of 20.
Glaciers
Andean glaciers, which offer vital water supplies for millions of people, are
shrinking and a rise in the intensity and occurrence of extreme weather
conditions is a disturbing trend.

Source
https://www.un.org/sustainabledevelopment/blog/2016/05/rate-of-environmental-damage-increasing-across-planet-but-still-time-to-reverse-worst-impacts/

International Solution
Solution?
Is ISO 14001 the answer to the serious problem of environmental pollution around the world?
ISO 14001 is expected to change the situation, by empowering companies to perform better.
In addition, it offers legislative and regulatory bodies and other interested parties,
resources for verifying the activities and output of equipment manufacturers,
contractual partners and production houses.
This management system can help in achieving an environmentally friendly
workplace, irrespective of industrial and regional differences.

International

What makes ISO 14001 internationally important? International standards experts and writers
have worked together to produce the standard. It is the result of collaboration by contributors
from most countries in the world.

It aims to offer a framework for the workplace, that focuses on protecting the environment.
Moreover, people in any job, sector and industry can avail of the benefits of the standard.

It has been produced by the ISO committee ISO/TC 207/SC 1, which was responsible for
standardizing the system. The British Standards Institute (BSI), served as the committee’s
secretariat for the development of the standard.

EMAS and ISO


Effective

Which is a more effective EMS, ISO 14001 or EMAS?
There is no definitive answer, as each organization is unique. The effectiveness of
the EMS depends on how the company applies the requirements and how it is
implemented.
How effective either system is depends on the company’s commitment to
improving its environmental performance.

Regional

EMAS certification may be problematic for organizations outside the EU. In contrast, ISO
14001:2015 certification is available in most countries.
However, if a company has a legal or other requirement to use EMAS specifically, then
the choice will not be there.

Questions
QUESTIONS TO CONSIDER:
• Does the company require a highly formalized initial environmental review and a declared
environmental statement, as part of their EMS planning? If this is the case, this can be done as
part of ISO 14001:2015. On the other hand, EMAS supplies what is needed to perform these
activities.
• Does the company need to follow strict auditing practices, such as with EMAS?
• Will the company gain more benefits by using the EMAS logo or the ISO 14001:2015 logo, in
their particular region?
• Does the company want to be a part of the public register, that is required by EMAS? If so, then
EMAS may be more beneficial.
Audits
When it comes to checking and evaluating an EMS, there are minor differences.
ISO 14001:2015 audits are carried out by certification bodies that are recognized
by various national accreditation bodies, that follow ISO auditing standards and
IAF (International Accreditation Forum) rules.
However, they are not government controlled. On the other hand, EMAS
involves environmental verifiers (also auditors) that are approved by government bodies.
Certification body auditors employ ISO standards to govern how they plan and conduct their
audits. EMAS audits are carried out according to regulation and involve fixed verification
intervals.
EMAS also comprises an accessible register of companies, which is not offered by ISO
14001:2015.
EMS Transition
Steps
Transition plans for ISO 14001:2004 compliant and certified organizations:
If an organization is currently implementing the ISO 14001:2004 standard, it will be easier to
implement ISO 14001:2015, as many of the requirements are equivalent or analogous.
Guide
Guide to existing ISO 14001:2004 users:

• Obtain a copy of the new standard from the BSI Store
(https://shop.bsigroup.com/ProductDetail?pid=000000000030281203) or from your local ISO
representative.
• Examine the changes in the new standard, or use the comparison matrix that accompanies this
course (see course resources in the menu).
• Conduct a gap analysis by comparing ISO 14001:2015 with your current EMS.
• Start to apply the planning and actions necessary to upgrade your EMS.

Responsibility
Considerations
Internal and external issues concerning the organization need to be addressed, as per Clause 4.1;
this is actually a business context analysis, with an occupational, environmental perspective. This
mandates the company to systematically recognize and study the issues which affect their
numerous business operations, as well as the management system.
Clause 4.2 emphasizes the needs and expectations of "other interested parties", concerning
environmental issues. The company is required to consider issues relating to these parties, that
are addressed through the EMS. Clause 4.3 concerns scope and, unlike in ISO 14001:2004, can
only be defined when clauses 4.1 and 4.2 have been analyzed properly.

Accountable
Similar to ISO 9001, there is a stress in ISO 14001:2015 on the responsibility of top
management in the area of improvement of environmental performance and
ensuring the effectiveness of the EMS.
As per clause 5.2, there is an increased requirement for effective communication
and participation with stakeholders. Top management i.e. leadership, will be
accountable for developing organizational environmental policy, which will be in
coordination with the company’s processes and obligations.
Planning
When planning the EMS, the organization shall consider:
a) Internal and external issues
b) The needs and expectations of interested parties
c) The scope of the EMS
Management
As per clause 5.3, all roles, responsibilities and authority must be properly
defined, communicated and documented. However, the accountability of
top management for the overall system can never be delegated.

Standard Clauses

Aspects


Compliance
The organization will meet its compliance obligations by:
• Determining how compliance obligations apply to the organization
• Considering compliance obligations when establishing, implementing, maintaining and
continually improving the EMS
Clause 6.2 deals with objectives as incentives for improvement (6.2.1 and 6.2.2) and
performance evaluation is covered in clause 9.1.1.
Objectives should support policy aspects and reflect the strategic direction of the organization.
Understanding the context of the organization will help in identifying the relevant objectives to
pursue.

Communication
Clauses 7.1 to 7.5 deal with various support functions, including: the availability of
resources; the competency of workers to perform work safely; health and safety
communication; the safety awareness of employees, visitors and contractors; the
requirements for documented information.
Support requirements:
• Actions relating to communications shall be evaluated for their effectiveness.
• Awareness includes: policies; the role of employees and contractors in
environmental performance; the awareness of staff, to remove themselves from
actions considered to be a "serious environmental risk".

Documentation

The concept of 'documented information' is similar to ISO 9001. It
encompasses how an organization opts to create, maintain and retain
information seen as compulsory for the EMS.
The organization is required to decide which documented information
(internal and external) should be controlled. This includes documented
procedures.

Additional Requirements
Controls

Clauses 8.1 to 8.2 deal with operations planning and controls. In the case of
failures or an emergency situation, what is the preparedness plan developed by
the organization?
Planning is concerned with controlling identified risk and hazards. Aspects and
impacts should be addressed within a hierarchy of controls.
What would be the impact to your organizational reputation, if one of your
subcontracted providers, suppliers or contractors caused a major environmental incident? ISO
14001 asks you to analyze such risks associated with the organization’s reputation.

Outsourcing

ISO 14001:2015 deals with procurement and outsourcing. It requires companies to
scrutinize their purchased goods and services, to see if they adhere to environmental
protection.
In addition, there is a requirement for adequate communication and controls
regarding contractors; attention must be given to the environmental performance of external
providers.

Performance
Clause 9 deals with performance evaluation. It enhances and extends the
performance evaluation criteria in ISO 14001:2004. Compliance evaluation has
been enhanced to include the means and regularity of evaluation.
The management review clause improves upon the earlier requirements and
inputs of EMAS and ISO 14001:2004. It adds communication, improvement, risks
and opportunities, EMS effectiveness and the issues of interested parties.

Risk
Clause 10 of ISO 14001:2015 removes the reference to "preventive action" that was part of ISO
14001:2004, as it is already covered in the risk management phase.
An organization must deal with incidents; they must investigate the root cause and take
corrective action. Corrective action is then evaluated to verify its effectiveness with regard to
environmental performance.

Criteria
The organization is required to show that it has implemented procedures
concerning risk management and continual improvement, through for
example, root cause investigation, risk analysis and operation controls. In
addition, the organization must be able to prove that they are using outputs
that have arisen from performance analysis and evaluation and that they
have recognized and resolved gaps and opportunities.

The main points from this module are as follows:

• An Environmental Management System (EMS) is a collaborative and systematic approach to
effectively managing environmental risks.

• There have been two previous editions of ISO 14001, before ISO 14001:2015. These are: ISO
14001:2004 and ISO 14001:1996.

• One of the best known environmental management systems other than ISO 14001 is EMAS.
EMAS is an acronym for Eco-Management and Audit Scheme.

• ISO 14001:1996 is the first edition of ISO 14001 and is compatible with ISO 9001:1994. It
offers requirements for an environmental management system, to help an organization to
develop a policy and objectives taking into account legislative requirements and information
about significant environmental impacts.

• The primary difference between ISO 14001:2004 and ISO 14001:2015 is that ISO
14001:2015 focuses on the interface of an organization with its business environment, and
ISO 14001:2004 concentrates on managing environmental impacts and other internal
issues.

• The committee responsible for the revision of ISO 14001 is known as ISO/TC 207/SC 1. ISO
14001:2015 was first published on 15 September 2015.

• ISO 14001:2015 incorporates the Plan-Do-Check-Act (PDCA) model. This offers a mechanism
for organizations to plan what they require, to mitigate the probability of incidental
environmental damage.

• Environmental damage includes: global warming, ozone layer depletion, acid rain, urban
sprawl, waste disposal, air pollution, water pollution and climate change.

• The mistreatment of the environment has risen at a fast rate over the past century, due
mainly to industrialization and consumerism.

• Companies need to upgrade from ISO 14001:2004 to ISO 14001:2015.

• The ISO 14001:2015 standard does not deal with products or product quality, nor how they
should be utilized or sustained. The focal point is workplace performance, relating to
environmental impacts.

• Most organizations are small or medium sized enterprises. ISO 14001:2015 is just as
applicable to them as it is to large enterprises.

• Implementing ISO 14001:2015 can provide advantages for organizations, such as: Increased
resource efficiency; Decreased waste; Lower expenses etc.

• The term "Interested Party" is defined in the standard as "a person or organization that can
affect, be affected by, or perceives to be affected by a decision or activity." Examples of
Interested parties are: neighbors, communities, pressure groups, employees, etc.

• Environment is defined in the standard as "surroundings in which an organization operates,
including air, water, land, natural resources, flora, fauna, humans and their
interrelationships".

• 'Environmental Aspect' is defined in clause 3.2.2 of the ISO 14001:2015 standard as:
"elements of an organization’s activities, products or services, that interact with or can
interact with the environment".

• 'Environmental Impact' is defined in clause 3.2.4 as: "change to the environment, whether
adverse or beneficial, wholly or partially resulting from an organization’s environmental
aspects".

• 'Environmental condition' is defined in Clause 3.2.3 as "[the] state or characteristics of the
environment, as determined at a certain point in time".

• Life Cycle is defined in clause 3.3.3 of the standard as "consecutive and interlinked stages of
a product (or service) system, from raw material acquisition or generation from natural
resources, to final disposal".

• Environmental Performance is defined in clause 3.4.11 of ISO 14001:2015 as "performance
related to the management of environmental aspects".

• Environmental Objective is defined in clause 3.2.6 of the standard as "[an] objective set by
the organization [that is] consistent with its environmental policy".

• Examples of EMS objectives include: Zero acid spillage; Maintaining air emissions within the
range of legal compliance; Maintaining adequate levels of BOD (Biochemical Oxygen
Demand) and COD (Chemical Oxygen Demand) etc.

• Risk is often expressed in terms of a combination of the severity and consequences of an
event (including changes in realities) and the likelihood of occurrence. Therefore risk is
conceptualized as a multiple of severity and occurrence (Risk = Severity x Occurrence).

• 'Indicator' is a term defined in 3.4.7 of the standard as a "measurable representation of the
condition or status of operations, management or conditions".

• Agriculture has had a significant impact on the releases of nitrous oxide and carbon dioxide.
Nitrous oxide emissions from soils, leaching, runoff, direct emissions and animal manure
have increased by approx. twenty nine percent, between 2000 and 2010.

• If an organization is currently implementing the ISO 14001:2004 standard, it will be easier to
implement ISO 14001:2015, as many of the requirements are equivalent or analogous.

• Clauses 8.1 to 8.2 deal with operations planning and controls; in the case of failures or an
emergency situation, what is the preparedness plan developed by the organization?

• Planning is concerned with controlling identified risk and hazards. Aspects and impacts
should be addressed within a hierarchy of controls.

• Clause 9 deals with performance evaluation. It enhances and extends the performance
evaluation criteria in ISO 14001:2004.

• Clause 10 of ISO 14001:2015 removes the reference to "preventive action" that was part of
ISO 14001:2004, as it is already covered in the risk management phase.
Module 7: Requirements on Organizational Management for an EMS
After completing this module you will be able to:

• Summarize what is expected from top management
• Explain why the context of an organization is important
• Outline how to manage environmental risks
• Describe the role of support functions
• Define operational controls
• Discuss how organizations enforce operational controls
• Explain how organizations can deal with emergency situations

Responsibilities of Leadership
Leadership A.
What does the standard say about leadership? Top management must assume a
leadership role and demonstrate commitment to the EMS by:
a) Owning responsibility and accountability.
b) Making sure the environment policy and objectives, following the strategy of the
company, are identified.
c) Integrating the EMS requirements into the business processes of the organization.
d) Ensuring the availability of the resources required to develop, apply, sustain and
enhance the EMS.
e) Communicating the significance of the EMS and its compliance to the standard.
Leadership B.
Top management must assume a leadership role and demonstrate commitment to the EMS by:
f) Making sure the EMS attains its planned results.
g) Directing and supporting persons to contribute to the effectiveness of the EMS.
h) Ensuring continual improvement.
i) Empowering other managers to prove their leadership in the areas they lead.
j) Establishing, leading and encouraging an organizational culture that helps to achieve the desired
results of the EMS.
k) Empowering the development and operation of committees.
Environmental Policy
Policy A.

Who is responsible for establishing, implementing and maintaining the EMS policy? Top
management i.e. the leadership of the organization must develop, apply and maintain
an environmental policy. This policy should contain the following:
a) Commitment to protecting the environment. The commitment should ensure that
the organization remains environmentally friendly. It must be relevant to the objectives,
size, business context and the particular nature of the environmental risks and
opportunities.
b) A framework for setting environmental and health and safety (H&S) objectives.
c) Commitment to meeting legal and other requirements.
d) Commitment to eradicating or minimizing environmental impacts; the policy should demonstrate
commitment to eliminating harmful aspects and impacts.

Policy B.
Top management i.e. the leadership of the organization must develop, apply and maintain an
environmental policy. This policy should contain the following:
e) Commitment to continual improvement; the policy should demonstrate
commitment towards continual improvement of the EMS.
f) Commitment to environmental protection: sustainable resources; mitigation and
adaptation; protection of ecosystems and biodiversity.
EMS Policy
Policy Tips

Useful tips for creating an EMS Policy:


• Relate the environmental policy to the products, services and activities of
the organization and the environmental impacts
• Incorporate the commitment to continual improvement, prevention of
pollution and compliance with the relevant legislation
• Keep it simple and understandable
• If applicable, integrate it with quality and health and safety policies

Recommendations

Consider addressing the following issues, where practical:


o The integration of "green" practices and procedures into the design phases
o Commitment to minimizing pollution, waste and resource consumption
o Commitment to recovery, recycling and reuse waste management
o Sharing of environmental knowledge with others
o Encourage suppliers and contractors to implement "greener" policies

Policy Components

Environmental policy should include the following:


• Should be applicable and suitable
• Documented information control
• Communication across all levels of the organization
• Available to interested parties

Organizational Leadership
Authority
Roles, responsibilities and authority in the EMS system:
• Leadership must ensure that the responsibility and authority of positions within
the EMS, are allocated and communicated at the relevant levels.
• Roles, responsibility and authority are documented.
Food for thought: Responsibility can be delegated, but accountability for the overall
system remains with top management.
Top management must delegate responsibility and authority for:
a) Ensuring the EMS fulfills the requirements of the standard
b) Reporting on the outcomes of the EMS to top management

Organization
The organization shall determine the (internal and external) issues that affect its ability to achieve the
intended outcomes of the EMS. Such issues include environmental conditions that are affected by, or
capable of being affected by, the organization.
Understanding the needs and expectations of interested parties (Clause 4.2); the organization shall
determine:
a) Which interested parties are relevant to the EMS
b) The relevant needs and expectations (requirements) of the interested parties
c) Which of these needs and expectations are part of compliance obligations?
Context

Business Context (Clause 4.1)


• Understanding the company and its context
• Management must identify internal and external issues that are applicable to its
business
• Certain issues may affect the ability to attain the planned results of the EMS

Internal Issues
The internal issues of the organization constitute its internal context. Internal issues are
actions, products or services that may affect the organization’s environmental performance.

EMS in Context
Broader Picture

Collaboration between businesses has altered in the last decade, with the advancement of
the internet and 'business without borders'.
Professionals can examine why defining the business context has now become a
fundamental component of ISO standards. Management has broader issues to consider
when planning the EMS.
Other factors
When analyzing the business context, some internal issues must be considered:
• The competence of the organization’s workforce in ensuring the
effectiveness of the EMS
• The commitment of workers regarding the environment
• The readiness to collaborate and remain within the declared
specifications of the EMS
• The organization’s communication channels regarding the EMS
and its significance

External Factors
Factors A.

External factors are issues that are outside the organization, but that influence the organization’s
business operations. These may include legal, economic, social, or political issues that affect an
organization’s environmental performance.
Some of these common external factors are discussed below:
Economic and Political Situations: Both economic and political conditions in the environment in
which the organization operates impact on business processes. Therefore organizations should
adapt and respond to such changes within the political and economic space. This adaptability should
be addressed in the organization's policy objectives and programs.
Trade Union Expectations: This is a factor that may have to be considered when analyzing the
business context. For example, a union may expect a higher performance level for safeguarding
the environment or workers.
Factors B.

Stakeholders and Shareholders: Whether placed in internal or external factors, their
expectations must be considered within the context of environmental performance.

National and International Agencies: These are external bodies but can impact organizations.
Business parameters may need to be restructured in light of the environment. For example the EPA in
the United States bans the use, sales and distribution of ozone depleting CFC gases.

Factors C.

• Documenting the analysis of the business context is recommended, as
this evidence can be presented to auditors and other stakeholders.
• A consistent review of business and environmental parameters should
be performed, to address legal, global and other changes.
• Compliance with relevant laws and regulations is an advantage of
implementing the standard, which will likely safeguard businesses from
legal and financial penalties.

Environmentally Friendly
It must be remembered that the well-being of the environment and making sure that business
operations are safe for the environment, is the primary objective of the standard.
Organizations should be aware of the latest knowledge and research into contemporary
environmental issues, so they can operate their systems in an environmentally friendly manner.
Such environmental issues include: deforestation, desertification, pesticide misuse, soil
erosion, air pollution, water pollution, noise pollution, climate change and natural disasters.

Discussing Stakeholders
STAKEHOLDERS A.
The main stakeholders (interested parties) concerned with an organization’s
environmental performance and its EMS include: community, neighbors,
contractual partners and shareholders.
NEIGHBORS: If there are potential environmental impacts, such as chemical spills
or noise pollution, then the people (neighbors) working/residing in the affected
area are "interested parties" and need to be considered in the EMS. If business
processes emit air pollution that could blow farther afield, the neighbors
downwind of the location may also be affected.
COMMUNITY: The "neighborhood" refers to the surrounding or adjoining area of
a business activity. The "community" refers to groups of people living in a particular area or district
which may be affected by an organization’s activities. These too need to be considered in the
organization's EMS.
STAKEHOLDERS B.

MANAGEMENT AND SHAREHOLDERS: They are connected to the strategic business decisions of the
organization and are concerned about the success of the business.
EXTERNAL PARTIES (Providers, Contractors, Service partners etc.): These third party vendors and
external suppliers are treated as an "interested party".
MANUFACTURING AND BUSINESS PARTNERS: Partners who maintain an important interest in the
management's decisions regarding environmental performance.
GOVERNMENT/REGULATORY/LEGISLATIVE BODIES: When legal requirements must be fulfilled, these
parties become interested parties with authority over organizations.
PRESSURE GROUPS: May be very much involved in watching business interactions with the
environment and the impacts of activities.

EMS Scope
Top management must identify the boundaries and applicability of the EMS when developing its
scope. They must:
a) Consider the internal and external issues
b) Consider the needs and expectations of interested parties
c) Consider the products, services and activities
d) Organize units, functions and physical boundaries
e) Consider compliance obligations
NOTE: The scope must be produced as documented information.

Planning and Risk


Planning

Actions to address risks and opportunities (Clause 6.1):


When planning for the EMS, management must consider the issues and requirements
highlighted in the business context analysis; from interested parties and according to the
scope.
When identifying risks and opportunities for the EMS, management must:
a) Provide confirmation that the EMS can attain the planned results
b) Avoid or minimize environmental impacts
c) Implement a continual improvement process
Risk
When identifying risks and opportunities for the EMS, management must analyze:
- Aspects and impacts
- Environmental risks
- Environmental opportunities
- Legal and other requirements

Documentation
Within the scope of the EMS, the organization shall determine potential
emergency situations, including those that can have an environmental impact.
The organization shall maintain documented information of its risk and
opportunities.

Environmental Aspects
Environmental Aspects
Environmental Aspects (Clause 6.1.2): Within the defined scope of the EMS, the
organization shall determine the environmental aspects of its activities, products and
services; factors it can control; those it can influence; their associated environmental
impacts; considering a life-cycle perspective.
When determining environmental aspects, the organization should consider:
a) Change - including planned or new developments, new or modified activities and
products and services.
b) Abnormal conditions and reasonably foreseeable emergency situations.
Organization
The organization shall determine those aspects that have or can have, a significant environmental
impact, i.e. significant environmental aspects, by using established criteria.
The organization shall communicate the significant environmental aspects among the various levels
and functions, as appropriate, in the organization.
The organization shall maintain documented information regarding environmental aspects and
impacts, and the criteria used to determine same. See the sample work flow for identifying significant
aspects below:

Sample workflow

Compliance
Compliance obligations (Clause 6.1.3) - The organization shall perform the following, with regard to
its compliance obligations:
a) Determine and have access to the compliance obligations related to its environmental aspects.
b) Determine how the compliance obligations apply to the organization.
c) Take the compliance obligations into account when establishing, implementing, maintaining and
continually improving the EMS.

Documentation
The organization shall maintain documented information regarding its
compliance obligations. Compliance obligations can result in risks and
opportunities for the organization.
Aspects and Impacts
Impacts

It is important to identify all the possible environmental aspects and impacts an organization is
responsible for. Certain aspects can have different environmental impacts. Potential impacts must
also be identified.
Environmental Impact is any change to the environment, whether adverse or beneficial (in whole or
in part), resulting from an organization's activities, products or services.
Significance

What is a significant impact? An activity, product or service that results in environmental
damage. This may represent a substantial breach of statutory regulations.
A thorough knowledge of the environmental aspects and impacts (potential and actual),
as a consequence of business operations, is therefore required.

Aspects

The 20-80 rule is used to evaluate environmental aspects. Companies do not need to
control all environmental aspects, only the ones that are considered significant.
Significant environmental aspects should be the focal point of the organization’s EMS.
There are numerous methods available to determine and assess the significance of
environmental aspects.

Assessment

In assessing the significance of aspects, the following should be considered:


• Type of natural surroundings
• Potential for environmental harm
• Size and frequency of the aspect
• Importance to the stakeholders of the organization
• Requirements of relevant environmental legislation
Aspects and Impacts - Examples A

Aspects and Impacts - Examples B


Below, are listed a number of environmental aspects and their consequent impacts:

Planning and Controls


Controls
Each organization must formulate its own criteria of 'significance', based on a
review of the environmental aspects and impacts.
Organizations can manage their significant aspects, by using some or all of the
following controls:
o Human resources allocation
o Training
o Developing procedures and the enforcement of checklists
o Maintenance programs
o Equipment installation

Routine
The level of control should be suitable for the nature and risk of the significant
aspect. Controls can become a part of everyday work routines.
Planning and Legal Issues
Legal Issues
Compliance Obligations (Clause 6.1.3) - Management must develop, apply
and carry out multiple processes to:
• Subscribe to the latest legal and other requirements, relevant to its
environmental aspects and EMS
• Identify which legal requirements need to be communicated, and to
whom
• Produce and retain documented information on legal and other
compliance issues, and incorporate this into the EMS

Planning

Planning (Clause 6.1.4) - Management must plan actions with regard to:
• Significant environmental aspects
• Compliance obligations
• Integrating and applying counter measures into the EMS and operational
processes
• Assessing the effectiveness of measures taken
When planning, management must take into account best practices, technological
alternatives and economical, functional and business needs.

Management Actions
Objectives

Environment objectives (Clause 6.2.1) - Management must develop environmental objectives and
appropriate operational functions, to continually improve its
environmental performance (see also clause 10.3).
Environmental objectives must:
o Be consistent with environmental policy
o Be quantifiable (if possible) and available for evaluation
o Consider legal and other requirements
o Allow for the assessment of risks and opportunities
o Be checked
o Be communicated
o Be upgraded where necessary
Plans

Planning actions to attain environmental objectives (Clause 6.2.2) - Management must:
• Identify what will be worked on
• Identify what resources are required
• Identify who will be delegated
• Foresee/plan for when it will be finished
• Identify how outcomes will be assessed, including points of monitoring
• Identify the measures required to attain environmental objectives and assimilate this into business
processes

Resources

Support Functions - Organizational Resources (Clause 7.1): Management must identify and render the
resources required for the establishment, application, maintenance and continual enhancement of
the EMS.
Competence

Competence (Clause 7.2) - Management must:


- Identify the level of employee competence that can influence or impact environmental
performance
- Ensure that employees are competent (including the ability to recognize aspects) with the
help of suitable experience, education and training
- Where relevant, take actions to attain employee competence and evaluate effectiveness
- Retain documented information as proof of competence

Documentation
Management must produce and retain documented information on environmental objectives and
their plans to achieve them.

Communications and Awareness


Awareness

Awareness (Clause 7.3) - Employees must be made aware of the following:


• The environmental policy and its objectives
• The significant environmental aspects and impacts relating to their work
• How their contribution can enhance the effectiveness of the EMS
• The implications and potential environmental outcomes of not having an effective EMS
Food for thought: Relevant actions can involve: mentoring, training, re-allocation of staff;
hiring/outsourcing competent persons.
Communication

ISO 14001:2015 deals with procurement and outsourcing. It requires companies to
scrutinize their purchased goods and services, to see if they adhere to environmental
protection.
In addition, there is a requirement for adequate communication and controls
regarding contractors; attention must be given to the environmental performance of
external providers.
Diversity
The methodology of communication should take into account diversity issues, for example:
Gender; Language; Culture; Literacy; Disability.

Internal and External Communications


External Parties
Management must ensure that the opinions of external interested parties are considered, when
developing the communications process. Management must:
• Take into consideration legal and other requirements
• Make sure that environmental information can be trusted and is consistent with the
information produced in the EMS
• React to appropriate communications in the EMS
• Keep documented information as proof of its communications

Internal clause
Internal communications (clause 7.4.2) - Management must:
- Communicate information regarding the EMS, including modifications
- Ensure the communications process allows employees to add inputs towards continual
improvement

External clause
External communication (Clause 7.4.3) - Management must:
Communicate information regarding the EMS, including modifications, taking into consideration its
compliance obligations.
Documentation
Documented information (Clause 7.5) - The EMS must include:
• Documented information required by ISO 14001
• Documented information identified by management, as being mandatory for the effectiveness of
the EMS
Documentation
Criterion

The amount of documented information in an EMS, can vary from company to company, due to:
• The kind of products, activities and services it offers
• The requirement to show compliance, legal and other requirements
• The complexity of processes and their interfaces
• The competence of employees

Component

Developing and updating documents (Clause 7.5.2) - When developing and updating documented
information, the following should be included (where appropriate):
o Identification and description
o Title, Date, Author
o Reference Number
o Format and Language
o Software Version
o Graphics and Media

Requirements

Control of documented information (clause 7.5.3) - Documented information should:


• Be accessible and relevant for utilization
• Be sufficiently protected from loss of confidentiality, improper use and loss of integrity.
• Be available for sharing, right to use, retrieval and utilization.
• Be legible, stored and conserved.
• Contain version and revision control
• Be retained and disposed of where applicable.

Change Management
Planning
Operational planning and control (Clause 8.1) - Management must plan, apply, control and carry out
the processes needed to meet the requirements of the EMS by:
1. Developing criteria for the processes
2. Applying control of the processes in accordance with the criteria
3. Producing and retaining documented information demonstrating that processes have
been carried out as planned
4. Adapting work to employees
5. Coordinating the relevant parts of the EMS with other organizations where necessary
Controls
Management must develop, apply and carry out processes for the eradication of hazards and the
minimization of environmental risks, by utilizing the following hierarchy of controls:
a) Remove or eliminate the aspect
b) Work management using (engineering) controls
c) Using administrative procedures such as training and visual controls
Changes

Controls can be used individually or in combination. Management must control short and
long term changes that impact environmental performance, including:
1. Modifications to products, services, processes, work area sites, the neighborhood and
machinery
2. Changes to legal and other requirements
3. Modifications in knowledge or facts regarding aspects and impacts
4. The upgrade of knowledge and technology

Unplanned Changes
Management must analyze the outcomes of unplanned changes, taking measures to decrease
the impact of adverse effects and review the consequences of changes. The review should be
followed by actions to mitigate any adverse effects.

Service Protocols

Products and Services


The organization must establish controls for the acquisition of products and services, and
outsource processes that use a life-cycle perspective, to ensure EMS compliance.
An organization should do the following, during the design and development stages of products
and services:
A) Determine the environmental requirements for the procurement of products and services.
B) Communicate environmental requirements to external providers, including contractors
where necessary.
C) Consider the need to provide information about potential significant environmental impacts
associated with, for example, transportation or delivery, use, end-of-life treatment and disposal.
Outsourcing
Management must ensure that subcontracted jobs and processes are monitored and
supervised. They must make sure that outsourcing operations adhere to legal and other
requirements, while achieving the planned results of the EMS. The nature and extent of control
exerted on jobs and processes, must be explicated in the EMS.

Emergency Preparedness
Emergencies A.

Emergency preparedness and response (Clause 8.2) - The organization must
develop, apply and carry out processes to respond to probable emergency
situations. This should include the following:
A) Developing planned reaction and readiness to emergency conditions, to mitigate
environmental impacts.
B) React when emergency situations occur; take measures to minimize harmful
effects and the magnitude of actions.
C) Offer training for responses.
D) Test emergency procedures at defined intervals.
E) Assess performance; changes in planned reactions; lessons learned.
F) Offering and distributing useful information to all employees during such events.
Emergencies B.

G) Sending appropriate information to visitors, contractors, emergency response units, government
authorities and the community, if required.
H) Take into consideration the requirements and abilities of all interested parties, ensuring their
involvement in the design and delivery of planned responses.
Case Study

WHEN EMERGENCY RESPONSE FAILS: British Petroleum published its internal investigation into the
tragic case (emergency) of the Deepwater Horizon oil spill, in the Gulf of Mexico, on 20 April 2010.
The investigation found that no single factor had caused the Macondo Well incident. Rather, a
sequence of failures involving a number of different parties led to an explosion and fire which killed
11 people and caused widespread pollution in the Gulf of Mexico.
VIDEO: https://www.youtube.com/watch?v=zE_uHq36DLU [ Deepwater Horizon Accident
Investigation Report -Credits: British Petroleum ]

Records
Management must carry out and retain documented information on the processes and plans for
reacting to (probable) emergency situations.

The main points from this module are as follows:

• Top management must assume a leadership role and demonstrate commitment to the EMS.
• The leadership of an organization must develop, apply and maintain the environmental policy.
• The leadership ensures that authority and responsibility for the Environmental Management
System (EMS) is allocated, and communicated to the relevant levels in the organization.
• The internal issues of the organization constitute the internal context. Internal issues are actions,
products and services that may affect the organization’s environmental performance.
• External factors are issues that are outside the organization's control, but that influence the
organization’s business and operations.
• Entities concerned with an organization’s environmental performance include: community,
neighbors, contractual partners and shareholders; these qualify as 'interested parties' in the
EMS.
• Top management must identify the boundaries and applicability of the EMS to develop its scope.
• When planning for the EMS, management must consider the issues and requirements
highlighted in the business context analysis, and from interested parties.
• As part of the scope of the EMS, the organization shall determine potential emergency situations,
including those that can have an environmental impact.
• The organization shall determine those aspects that have, or can have, a significant
environmental impact.
• Significant environmental aspects can involve risks and opportunities, associated with either
adverse (threats) or beneficial (opportunities) environmental impacts.
• Companies do not need to control all environmental aspects; only the ones that are considered
'significant'.
• When planning actions, management must take into account best practices, technological
alternatives and economical, functional and business needs.
• Management must use the appropriate functions to develop environmental objectives and
continually improve the EMS and environmental performance.
• Management must take into account the 'diversity' of audiences (e.g. age and language) when
considering its communication requirements.
• Management must react to relevant communications, as part of the EMS.
• At multi-employer workplaces, management must coordinate the various factors and operations
into the EMS.
• Management must develop, apply and carry out processes for the eradication of hazards and the
minimization of environmental risks, utilizing a hierarchy of controls.
• Management must control short and long term changes that impact on environmental
performance.
• The organization must establish controls for the acquisition of products and services and
processes for outsourcing that consider a life cycle perspective, to make sure the EMS is
compliant.
• The organization must develop, apply and carry out processes to prepare for responding to
possible emergency conditions.

Module 8: EMS Performance Evaluation and Continual Improvement

After completing this module you will be able to:

• Explain performance evaluation in relation to environmental management systems
• Appreciate various measurement functions
• Describe the role of monitoring and analysis
• Outline the benefits of internal auditing
• Summarize the steps involved in management reviews
• Discuss how continual enhancement can be achieved
• List the 'check' and 'act' parts in an EMS

Monitoring and Measurement


Evaluation

Performance evaluation (Clause 9) - This clause provides the requirements for assessing the performance of the EMS.
The main areas of evaluation are:
• Monitoring, measurement and analysis
• Evaluation of compliance
• Internal audit
• Management reviews

Monitoring
Monitoring, measurement and analysis (Clause 9.1) - The organization must develop, apply and carry out processes
for monitoring, measurement and analysis of the EMS.
Monitoring and measurement involves the following:
1. Ensuring legal and other requirements are complied with
2. Recognizing aspects, associated risks and opportunities
3. Improvements towards the attainment of EMS objectives
4. Impacts and the efficiency of operational and other controls
Why Monitoring?

Monitoring is done to verify compliance or non-compliance. It can involve: testing results related to the
environment; the assessment of documented information; consumption of electrical energy;
identifying alarm status. In this way deviation from performance levels can be recognized.

Measurement and Analysis


Measurement involves the allocation of numbers to performance events or objects. It is
related to performance evaluation and can be obtained from the use of calibrated
equipment, for example emission gas analyzers that measure SOx and NOx in air emissions.
Analysis uses data to discover patterns, relationships and trends. It is related to
measuring events.

Assessment Criteria
Criterion
Management uses criteria to measure performance. Examples include the performance of other
companies, developed codes, acknowledged standards, the company’s own codes, the
organization’s objectives and historical environmental statistics. The outcomes of measuring
and monitoring are analyzed, assessed and then communicated.

Assessment
The organization must assess its environmental performance and identify the efficiency
level of the EMS. It must make sure that any monitoring and measuring equipment is
relevant, calibrated, verified and used as appropriate.
Food for thought: There may be legal or other requirements from, e.g. national or
international standards and regulatory bodies, concerning gas emissions, waste water
discharges etc.

Documentation
Management must keep relevant documented information:
• As proof of the results of measurement, monitoring and performance analysis
• Regarding the verification and validity of measurement instruments

Evaluation Mechanisms
Compliance

Evaluation of compliance (Clause 9.1.2) - Management must develop, apply and carry out
processes for evaluating compliance with legal and other requirements. They must:
A. Identify compliance (occurrence, procedures and evaluation)
B. Take any necessary compliance measures
C. Document compliance evaluation information

Measuring and Monitoring

The first part of clause 9.1 explains the meaning of "measuring and monitoring" and provides examples of what can
be measured to fulfill the standard. This includes:
1) Measurement against objectives
2) Progress on continual improvement processes
3) The monitoring of emissions and water discharges
4) Energy consumption data
5) Trends analysis
6) Overall performance of the EMS

Requirements
The standard explains what must be measured and monitored to ensure legal compliance; discontinuities must be
recognized, solved and documented. This is an important part of the EMS. Legal requirements are not the only
factors taken into account; other requirements include:
1. Corporate policies and agreements
2. Union and company agreements
3. General regulations and rules

Competence
The term "competence" is discussed in the standard; the ability of workers and management to
cooperate will have an impact on the environmental performance. Competence also involves the
recognition of significant aspects and impact mitigation measures.

Evaluation and Bench-marking


Evaluation
Legal and other requirements are just some of the examples that need to be measured,
in order for evaluation of the EMS to take place.
Evaluation of legal requirements and other factors of performance, can be challenging
and the standard provides some examples.

Bench-marking
Reviewing an organization’s (and management's) performance against other organizations
is 'bench-marking'.
Matching the performance of organizations of the same size, in the same industry, offers a
more precise picture.

Considerations and Standards


Standards
Management standards: these may be particular to certain sectors. For example, financial management may be
bound by certain financial codes of conduct; electronics manufacturers may be directed by electronics codes and
standards.

System
The organization should have a systematic method for monitoring and measuring its environmental performance on
a recurrent basis, and this must be a component of the EMS.
Moreover, the organization’s objectives, code and stated rules, must be in agreement with
the company's vision statement and with stakeholders.

Considerations
Certain measurement, compliance and legal factors need to be considered, such as:
1. Relevant environmental legislation
2. Mutual agreements
3. Standards and codes
4. Insurance Needs
6. Processes concerned with significant aspects and impacts
7. Progress in the attainment of environmental objectives
8. The efficiency of operational controls

Achieving Results
Indicators

Performance measurement involves the identification of 'indicators', against which the
organization’s environmental performance is assessed. Criteria are what the organization uses to
check its performance. Bench-marking sets environmental performance against other
organizations and practices.
Performance indicators are used to quantify environmental criteria. For example, if the criterion is
a comparison of past and current performance, this performance may be set against the approved
limits of regulatory bodies.

Criterion

1) The organization must choose suitable techniques for measurement, monitoring, analysis
and performance evaluation, to ensure the correct results.
2) A timeframe has to be established, for when measurement and monitoring will be
performed.
3) The outcomes of measurement and monitoring must be analyzed, assessed and presented.
Equipment

The organization must ensure that suitable equipment is used for measuring and monitoring.
This may include: sampling pumps, toxic gas detection equipment, noise monitors etc.
The equipment and the measurement instruments must be properly verified and calibrated, to
ensure the results are legitimate.

Proactive and Reactive Measures


Proactive

The organization should use responsive and preemptive measures concerning performance. However, they should
primarily focus on proactive activities, so that environmental performance is improved.
Examples of proactive measures include:
• The evaluation of compliance with legal and other requirements
• The measures used to assess significant aspects and impacts
• The effectiveness of environmental training
• Fulfillment of statutory, legal and other inspections
• The extent to which environmental programs have been applied
• The extent to which environmental objectives have been achieved

Reactive

Examples of reactive measures include:


1) Responding to emergency situations, such as oil spills and contaminated water discharges
2) Responding to a non-conformity
3) Responding to complaints regarding negative environmental performance, from neighbors and the
community
4) Actions required following assessments by regulatory bodies, such as the EPA in the United States

Compliance and Evaluation


Compliance

The organization must develop, apply and carry out processes, to evaluate its compliance
with legal and other requirements, that are relevant to environmental risks.
The organization can decide to combine evaluations or implement separate processes.
This complements clause 6.1.3, regarding the determination of legal compliance.
The organization must:
• Identify the frequency and techniques used for the assessment of compliance
• Assess compliance and take measures when necessary
• Assess the organization’s compliance with legal and other requirements

Evaluation
A compliance evaluation program can cover single or multiple environmental legislative requirements.
Evaluation can be influenced by historic compliance issues, or the point at which legislation is adopted or
changed.
Compliance evaluation plans can be joined with other evaluation activities. This can consist of management system
audits, such as environmental audits or quality management system assessments.
It should be remembered that legal compliance is the minimum requirement of the standard, in evaluating the
implementation of the EMS. This means organizations must comply with all legal requirements. However, the extent
to which they choose to be environmentally-friendly (at the higher level) is up to the organization itself.

Reasons for Audits


Purpose
Internal Audits (9.2) - ISO 14001:2015 outlines the process of management conducting internal audits in
the organization.
The standard expects that the internal audit adheres to the functions and purpose of the EMS, and that the
outputs are presented to top management and to relevant personnel.
The internal audit plan must be well-scheduled and developed with a thorough understanding of the system's
scope. The plan should take into account the outcomes of aspect/impact analysis and former audit reporting.

Justification
The internal audit should be conducted more vigilantly than in the comparable ISO 9001 (quality management
system) standard.
The justification for serious internal auditing is simple: non-productive internal audits of
an organization's EMS can threaten the organization’s reputation and can lead to serious
penalties (including bans) by regulatory bodies.

Performing Audits
How can we ensure that the internal audit is effective and that the resultant
actions safeguard the environment and the workforce? You can learn how to
carry out management system audits in this free online course:
https://alison.com/course/iso-management-system-audit-techniques-and-best-practices.

Responsibility and Functions


Responsibilities
Top management (or their designated personnel) must:

• Plan, develop, apply and carry out an audit programme that takes into account
the results of former audits
• Analyze relevant rates of occurrence, techniques and responsibilities
• Outline the criteria of the audit and its scope
• Ensure the objectivity and non-bias of auditors and the auditing process
• Ensure that the results of audits are presented to the relevant managers
• Ensure that audit results are reported to the relevant employees and other interested parties
• Take measures to remove non-conformities and continually improve environmental performance
• Keep documentation as proof of the audit process and results

Functions

Management should refer to internal audits, when conducting management reviews.


Food for thought: The outcomes of aspect/impact analysis, stakeholder input, community complaints and
risks and opportunities, should be utilized at the beginning of the internal audit process.
The internal audit should be performed at "scheduled intervals", or when it would be particularly
beneficial to the EMS.
Audit Quality
Auditor

The standard recommends that the choice of auditor should ensure "impartiality and neutrality". Moreover, the
auditor must have recognized training, knowledge and work experience relevant to
environmental policy. Many organizations will seek expert advice from external
professionals.
The internal auditor must have access to all of the relevant details and processes.
Information regarding aspect/impact analysis, environmental performance results,
stakeholder inputs and environmental objectives, will be required by the auditor.

Authenticity

Why conduct EMS internal audits? Besides being a requirement of ISO 14001:2015, the internal audit should be
considered as a key tool in the continual improvement process. It also serves as a significant pre-emptive measure
against environmental damage.
Those involved in communicating with the auditor, should render correct and honest information during the
process. Honest assessment is a key component of "objectivity and neutrality". Audits should involve candid
evaluation and useful recommendations for enhancement, based on the facts.

Recommendations

ISO 14001:2015 advises that internal audit results be presented to
management and the leadership, who can then make choices regarding
improvement measures to be implemented.
On the other hand, it can also be helpful when the auditor makes direct
recommendations based on the audit findings. Given that the auditor should have an
intimate knowledge and awareness of issues and processes, they may be in a better
position to advise.

Taking Action
Knowledge
Following the audit, the management team should have a more comprehensive view of issues, for
example possible emergency situations, and recommendations for improving the EMS.
Documenting the auditing process, including the outcomes, results and measures, is a requirement
of the standard. The internal audit will display the ability of the organization to fulfill its
environmental objectives.

Corrections
Organizations should fulfill all the requirements of the standard, including management review, emergency response
measures and aspect/impact assessment.
Non-conformity must be communicated and corrective action must be used to correct non-conformities. Proof
of both, in addition to the reduction of risk, are crucial elements of the EMS.
Management Reviews A.
Reviews

Management Reviews (Clause 9.3) - The standard necessitates reviews of the suitability and
usefulness of the EMS, to be carried out by top management (or their delegates) at
predetermined intervals.
Management review involves systematically analyzing and gauging the performance of the EMS,
and evaluating the following:
APPROPRIATE: Is the management system suitable for the organization's processes, values and
business system?
SATISFACTORY: Is the management system applied properly?
USEFUL: Has the management system achieved the intended results?

Accountable
Management should review:
• The status of actions arising from previous reviews
• Internal and external issues that influence the EMS - e.g. risks, opportunities, requirements, expectations,
interested parties, legal requirements
• Significant environmental aspects and impacts
• The sufficiency of resources for carrying out an effective EMS
• Required dialogue with internal and external interested parties
• Prospects for continual improvement

Management Reviews B.
Developments

Areas of consideration following a management review, include:


1. The effectiveness of the EMS in achieving planned results
2. Areas identified for improvement
3. The requirement of modifications to the EMS
4. Are more resources required?
5. Are any other actions required?
6. Opportunities to enhance the integration of the EMS with various business processes, e.g. quality, health, safety
and business needs.
7. Are there any impacts on the strategic direction of the organization?

Focus

The management review process should not just assess conditions - the focus should be on
improving environmental performance, through enacting certain activities.
Also, the question must be asked, do the business activities of the organization conflict with
environmental protection issues?

Scheduling

Management reviews should be conducted on a regular basis, such as quarterly, bi-annually
or annually. Partial management reviews of environmental performance can be
carried out more regularly, e.g. weekly or monthly.

Incidents and Non-Conformities


Actions
Improvement (Clause 10) - Management must identify opportunities for improvement and apply mandatory
actions to attain the planned results of the EMS.
Nonconformity and Corrective Action (10.2) - Management must investigate and take measures,
to identify and manage incidents and non-conformities.
When an incident or nonconformity exists, management must respond in a timely way; they must:
1) Take measures to manage and correct it
2) Deal with harmful consequences

Requirements

In addition, management must assess, with the involvement of employees and the
participation of other interested parties, the requirements for corrective actions that
eradicate the root causes of non-conformities and incidents. This includes:
1) Analyzing the incident and assessing the nonconformity
2) Identifying the reasons for the nonconformity or incident

Reports
Management must retain documented information as proof of:
1) The status of the non-conformities or incidents and any measures taken
2) The outcomes of measures, corrective actions and effectiveness
Management must communicate this documented information to the relevant employees,
employee representatives and other interested parties.

Continual Improvement Measures


Continual Improvement
Continual Improvement (Clause 10.3) - Management must continually improve the effectiveness of the EMS, by:
A) Improving environmental performance
B) Enhancing the value structure that supports the EMS
C) Enhancing the participation of employees in EMS improvement activities
D) Communicating the results of EMS improvements to employees and/or employee
representatives
E) Producing and maintaining documentation, as proof of continual improvement

Measures
The organization must plan and develop opportunities for enhancement, that will
improve the results of the EMS.
The organization must consider its environmental performance, compliance and the
results of internal audits and management reviews, to enhance its performance.
Improvements can result from corrective actions, continual improvements,
technological changes, innovation and re-organization.

Cause Analysis
Root-cause Analysis

The organization should have processes in place for analyzing the root causes of non-conformities, coping with
outcomes/consequences, preparing reports and taking corrective measures.
It is important that root cause analysis is carried out, to avoid the recurrence of incidents and
non-conformities. Examples of incidents and non-conformities include: oil spills; toxic discharges into water
sources; the release of effluents exceeding permissible levels.

Collaboration

Non-conformities include: environmental equipment not working properly; the
inability to comply with legal requirements; environmental processes and guidelines
not being implemented.
Corrective actions should be developed in collaboration with employees and interested
parties. Why something occurred and what can be done to avoid it occurring again,
should be discussed and agreed upon.

Causes

In addition to investigating the apparent causes of incidents, professional investigators also
examine 'beneath the surface causes'. Incidents may occur as a result of multiple causes or factors,
often beneath the surface. 'Clusters of factors' can involve human behavior and ability, activities
and processes, equipment or dealing with people and organizations.

Investigations
Gaps
Investigations should highlight gaps that require improvement, including enhancements to
the EMS and the results of corrective actions.
The extent of the investigation of an incident is proportional to the extent of the
environmental impact.

Investigator
Who should investigate?
Investigations should be performed by an individual or party who is not reliant on the activities
being analyzed. They should also include a worker or employee representative.

Reports
Incidents should be documented and presented internally. They should also be reported externally to
regulatory bodies, where appropriate.

Issues and Corrective Actions


Corrective Actions
Examples of corrective actions, involving a hierarchy of controls, include:
1. Eradicating aspects and impacts
2. Changing or re-engineering machinery and tools
3. Establishing or applying procedures to enhance processes
4. Enhancing the capability of employees
5. Modifying the maintenance frequency of equipment

Issues
Root cause analysis of incidents and non-conformities often identifies issues such as:
1. Leaks in pipelines
2. Lack of proper communication
3. Equipment failure
4. Incompetence or inability
5. Gaps in documentation
Quick-Fix Solutions
While root cause analysis is being carried out, an organization may have to perform immediate short-term, or
'quick-fix' actions, to minimize damage.

Methods
When identifying the root cause of an incident or nonconformity, the organization should
employ methods relevant to the level of the nonconformity or incident being analyzed.

Continual Improvement Initiatives


Records

An organization should keep documentation, as proof of:


1) The type of incidents or non-conformities that have occurred
2) The measures taken to cope with incidents or non-conformities
3) The outcomes of measures taken to cope with incidents or non-conformities (including effectiveness)
4) Communication with relevant employees, unions and/or other interested parties

Measures

Measures an organization can take with respect to continual improvement, include:


I) Improving environmental performance
II) Encouraging a culture of participation in the EMS
III) Producing and communicating documentation, as proof of process improvement
IV) Incorporating the latest technology
V) Encouraging good working practices, internal and external to the organization
VI) Soliciting advice and proposals from interested parties
VII) Acquiring the latest knowledge and comprehension of environmental issues
VIII) Using better materials and/or better use of materials
IX) Improving worker competency
X) Achieving better results while using fewer resources

Timely

It is important that the reporting of incidents and root cause analysis is performed
without delay, as this will help to reduce recurrence and minimize environmental
impacts.
The main points from this module are as follows:

• Clause 9 of ISO 14001:2015 offers requirements on assessing the performance of the EMS.
• The organization must develop, apply and carry out processes for the monitoring, measurement and analysis
of its environmental performance.
• Monitoring is carried out to verify whether processes are compliant or non-compliant.
• Measurement is the allocation of numbers or values to particular performance events or criteria.
• Analysis is concerned with the discovery of patterns, relationships and trends in data.
• Criteria are what management compares its performance against. This could be the performance of other companies,
developed codes and standards, the company’s own codes, the organization’s objectives and/or historical
environmental statistics.
• An organization must ensure that its monitoring and measuring equipment is verified, calibrated and used
appropriately.
• Management must develop, apply and carry out processes for evaluating compliance with legal and other
requirements.
• An organization should use both responsive and preemptive measures regarding its environmental
performance. However, it should primarily focus on proactive activities, to minimize negative effects.
• Non-effective internal auditing threatens an organization’s reputation and can lead to penalties and punitive
measures by regulatory bodies.

Internal Audits

• Management should conduct internal audits at regular intervals, as part of the management review.
• An internal audit should consider: aspect/impact analysis, stakeholder input, community complaints and risks and
opportunities.
• The choice of the auditor must ensure "neutrality and impartiality".
• Internal audits, apart from being a requirement of the standard, should be considered a positive influence in the
continual improvement process.

Non-conformities & Management Reviews

• Non-conformities need to be recognized and communicated to stakeholders, so that adequate corrective actions
can be implemented.
• A root cause analysis of incidents and non-conformities is necessary, to implement the appropriate measures and
to avoid recurrence.
• Management reviews must be performed analytically and systematically, in order to correctly gauge EMS
performance.
• Management must identify opportunities for improvement and apply mandatory actions, to achieve results.
• Management should continually improve the relevancy, sufficiency and effectiveness of the environmental
management system.
Module 10: Fundamentals of Occupational Health and Safety Management Systems (OH&SMS)

After completing this module you will be able to:

• Explain the OH&SMS standard
• Define the fundamental concepts and terminology used in OH&SMS
• Summarize the systems involved in OH&SMS
• Explain who is responsible for developing the ISO 45001 standard
• Illustrate the timeline involved in the development of ISO 45001
• Discuss the compatibility of ISO 45001 with other standards
• Describe the timeline involved for migrating to ISO 45001
• List the benefits ISO 45001 can yield to businesses
• Outline the benefits ISO 45001 yields to managers and professionals

What is OH&SMS?
Introduction
An Occupational Health and Safety Management System (OH&SMS) is a collaborative and systematic approach
to effectively managing occupational health and safety risks.
OH&SMS helps companies to improve their occupational health and safety performance continually. Moreover,
OH&SMS provides a framework for companies to comply with health and safety ordinances, regulations, state
laws and compliance obligations.
Goals
OH&SMS systems primarily direct organizations in the following ways:
1. Identify occupational health and safety hazards.
2. Examine the risks associated with the identified hazards.
3. Establish controls to minimize the risks.
4. Define goals for health and safety performance.
5. Create a plan to achieve the goals.
6. Monitor performance against the targets and goals.
7. Report performance results.
8. Review OHSMS results and continuously improve.

Standards
National standards used for implementing OH&SMS, before the introduction of ISO 45001:2018 include:
• BS OHSAS 18001
• ANSI/AIHA Z10
• CSA Z1000

Comparing Standards

BS OHSAS 18001
BS OHSAS 18001 (Occupational Health & Safety Assessment Series) is a globally recognized British Standard for
occupational health and safety management systems. Its purpose is to assist different types of organizations who
endeavour to perform well in aspects of occupational health and safety.
Companies worldwide recognize the need to monitor and enhance their health and safety performance. To do so,
they need to implement an occupational health and safety management system (OH&SMS).
OHSAS 18001 helps companies to develop a healthy and safe working environment, by providing a framework to
achieve the following:
• Determine health and safety risks and minimize them to an acceptable level
• Minimize the likelihood of accidents
• Establish a framework to assess legal compliance
• Improve overall health and safety performance

ANSI/AIHA Z10
ANSI is the American National Standards Institute. The American Industrial Hygiene Association (AIHA) serves as its
Secretariat. The Accredited Standards Committee, Z10, approved the standard in 1999.
• The standard’s scope is “minimum requirements of occupational health and safety management systems”.
• The standard’s purpose is “[as a] Management tool to minimize the risk of illnesses, injury and fatalities in the
workplace.”
• The application of the standard includes organizations of all types and sizes, including contractors.
While making the standard, the Z10 Committee adopted inputs from OSHA, US industry, ISO Quality and
environmental systems and the International Labor Organization.

CSA Z1000-6

The Canadian Standards Association (CSA) published a standard for Occupational Health and Safety Management
Systems in 2006, known as CSA Z1000-6. This standard lays out the conditions for the creation, enforcement
and improvement of a Health and Safety Management System.
The elements are similar to those outlined in other management systems and include the following:
• Management Commitment and Participation
• Health and Safety Planning
• Implementation of Controls
• Performance Evaluation
• Management Review
• Continuous Improvement

Other Standards
Requirements
The need for a globally recognized standard for occupational health and safety management systems has
always been felt. Professionals have had the ISO 9001 quality management system and the ISO 14001
environmental management system since the early 2000s. However, different systems for occupational health and
safety were being followed in different countries.
Experts claim that the development of the new ISO 45001 OHSMS standard is well timed, because it matches the
recent publication of the newly revised ISO 9001:2015 (quality management system) and the ISO 14001:2015
(environmental management system). Both employ a risk-based structure.
The shared common requirements of the three most widely used international standards should empower
organizations to incorporate them more easily into their organizational processes.

OHSAS 18001:2007
OHSAS 18001:2007 has been the most important standard for occupational health and safety management
systems and has been adopted by many companies operating in countries other than the UK. Since it has been
employed and observed in multiple organizations, it is important to compare the two standards
(OHSAS 18001 and ISO 45001). This will serve as an aid to help organizations transition.
What are the major differences between OHSAS 18001 and ISO 45001? The primary difference is
that ISO 45001 focuses on the interface of an organization and its business environment; OHSAS
18001 concentrates on managing OH&S hazards and internal issues. However, the standards differ in
other ways.

History

ISO 45001 was initially created on 25th October 2013. The committee responsible for its development is known as
ISO/PC 283. It is estimated that a minimum of seventy countries worked on the drafting process of its
development.
Planning the standard and the drafting of issues continued until December 2015. From this period until the first
draft of its development in 2017, it failed to achieve adequate support from ISO members. In 2017, a revised
second draft was approved and this was made into the final draft. The standard was published on 12 March 2018.

Plan-Do-Check-Act
Plan
The ISO 45001 standard incorporates the Plan-Do-Check-Act (PDCA) model. This model
offers a mechanism for organizations to plan what they require, so as to mitigate the
probability of OH&S damages.
The “Plan” part of the model should reflect concerns relating to health problems in the
long term and absenteeism at work. The measures used should address the factors that
contribute to accidents at work.
For instance, many workers undergo stress, which is classed as a psycho-social risk.
Stress is considered to be one of the main problems at work in the current economy. Plans can also include
measures to deal with stress management.

Do
The ISO 45001 standard directs top management to "own" the workplace and the hazards
associated with it. Top management must prove their commitment through leadership, to make
sure that workers have sufficient skills, knowledge and expertise.
Moreover, top management should put in place effective controls in the “Do” phase of the PDCA model; these are
known as operational controls. Encouraging workers' participation and advice is necessary in order to be able to
enforce better occupational health and safety measures.

Check
The “Check” part of the PDCA model lists all of the main constituents that should be resolved to make sure that
the system is operational. This includes opportunities for enhancement and improvement in the “Act” phase.

Act
The “Act” part of the PDCA model is the improvement part of the process and is referred to, in the standard, as
“Continual Improvement”.
It is a recurring activity that needs to be maintained, in order to enhance performance.

Migration and Features

Migration
Companies need to migrate from OHSAS 18001 to ISO 45001. As part of this migration, numerous steps must be
followed, in order to upgrade the existing management system to the new standard. The following
sequence is recommended:
1) Analyze interested parties (i.e. individuals or organizations that can influence or be influenced
by your organization’s activities). Moreover, analyze internal and external factors that might
influence the organization’s business; then check how the risks can be managed with the help of the
management system.
2) Recognize the scope of the system, while reflecting what your management system is bound to deliver.
3) Utilize the data and information to: institute the organization’s processes, for risk evaluation and assessment and
to develop the key performance indicators (KPIs) for the organization’s activities.

Features
What is new in ISO 45001, compared with other Occupational Health and Safety (OHS) standards? How will its
migration influence small and medium-sized enterprises (SMEs)? The short answer is: a preventive approach is
upgraded with risk-based thinking.
Risk-based thinking, to manage health and safety risks and opportunities in ISO 45001 is not new, nor does it
contradict earlier OHS standards. However, the preventive action of the management system is
upgraded with a risk management approach.
The focus is the workplace. The standard does not interact with products or product quality, or how
they should be utilized or sustained. The focal point of the ISO 45001 standard is the workplace.
There is a requirement to list significant hazards in the workplace, in order to eradicate or mitigate
them.
Once the organization has resolved the knowledge and tools of OHSAS 18001, the organization can
re-utilize most of what it already has, in the new management system. Thus, even if the approaches
of the two management systems are different, the fundamental tools are identical.

Proactive

Organizations need to be proactive. In a rapidly growing and creative world, the
requirement is felt for organizations to be proactive rather than reactive. Organizations
should foresee actions, instead of waiting for regulations and codes of practice to be
instituted.
Most organizations are small or medium-sized enterprises and ISO 45001 is applicable
to them, just as it is to larger enterprises. The easy-to-follow risk oriented approach in ISO 45001 is highly
implementable for SMEs and is well matched with the approaches used in OHSAS 18001.

Certification and Advantages


Certification
It is expected that a large number of organizations will employ ISO 45001 to build an effective occupational health
and safety management system. In addition, significant numbers of organizations will want to receive
the recognition that comes with having ISO 45001 certification. Certification exhibits to external parties
that an organization has attained compliance with a particular standard.
The potential dividends of implementing the ISO 45001 OHSMS are enormous, if the standard is
implemented effectively. The standard mandates that Occupational Health and Safety risks in an organization be
identified and managed. For the risk management approach to be effective, it is important that the system is
continually improved, to surpass the organization’s ever-changing objectives.
The enforcement of the standard ensures compliance with current legislation. The activities envisioned by the ISO
45001 standard can help to develop an organization’s reputation as a “safe place to work”. There are many
advantages, ranging from minimizing insurance costs to elevating workers’ morale, together with the improved
ability to meet the organization’s strategic targets.

Advantages
How will the new ISO 45001 standard perform for users of, for example OHSAS 18001?
It is expected that users of OHSMS standards, such as OHSAS 18001 and the ILO-OSH
Guidelines, will easily be able to take up ISO 45001, as it does not contradict these standards.
In addition, ISO 45001 empowers organizations with the opportunity of incorporating OHSMS
into their integrated business processes.
The advantage of implementing ISO 45001, aside from the fact that it is now the accepted new international
standard by consensus, is that it will naturally integrate with earlier management approaches, especially in the
area of business risks. It will thus act as an added advantage to SMEs when opting to have more than one standard.

Illness and Injury


Global
The awaited international standard for occupational health and safety management systems (OH&SMS)
is envisioned to modify workplace practices globally.
ISO 45001:2018 OH&SMS offers a vigorous and effective set of processes for improving work safety
in global supply chains.
The standard is designed to help organizations and industries of all sizes. It is also expected to reduce
workplace injuries and illnesses globally.

Statistics
The International Labor Organization (ILO) calculated workplace injuries and fatalities in 2017. According to the
ILO data, 2.78 million fatal accidents happen at workplaces annually. In other words, seven thousand, seven
hundred people die each day because of work-related illness and injury.
Moreover, there are approx. 374 million incidents of non-fatal, work-related illness and damage each year. Most
of these incidents cause loss-of-time injuries, meaning absenteeism from work. These facts are a sober reflection
of the contemporary reality of workplace damage and illness. Moreover people and businesses run the risk of
experiencing illness and damage, as a consequence of merely doing their job to earn a living.

Global Solution
Solution

Is ISO 45001 the answer to the problem of occupational health and safety performance globally?
ISO 45001 is expected to change the situation by empowering companies to perform better. It
offers legislative and regulatory bodies, industry and other interested parties, practical
management solutions for ensuring worker safety across all industries.
The recognized ISO standardization framework can be utilized to promote better health and
safety conditions. Moreover it is a practical solution for original equipment manufacturers,
contractual partners and production houses. This management system can assist everyone to
achieve a safer workplace, irrespective of their nationality and regional dynamics.

International
What makes ISO 45001 internationally important? International experts and writers worked together to produce
the standard. It is the result of a close collaboration between contributors from more than seventy nation states.
As discussed, the ISO 45001 OH&SMS has been produced by the ISO committee ISO/PC 283. Also, the British
Standards Institution (BSI) served as the committee’s secretariat for the development of the standard.

Suitability

Why is ISO 45001 better than OHSAS 18001?


ISO 45001 was developed in collaboration with other ISO management systems.
Developers tried to ensure it is an easy-to-use framework, compatible with the latest versions of the ISO 9001
QMS and the ISO 14001 EMS. Companies who have already implemented other ISO standards, will find it easy to
implement ISO 45001.

Substituting OHSAS 18001


Substitution
ISO 45001 works as a substitute for OHSAS 18001, the world’s most widely used reference for occupational
health and safety standards.
Companies already compliant with and certified by OHSAS 18001 will have a 3-year migration period to comply
with the new ISO 45001 standard. However, certification is not a requirement of the ISO 45001 standard.

Gap Analysis
If your organization is currently using the OHSAS 18001 standard, migrating to ISO 45001:2018 is a beneficial
solution, as multiple clause requirements of ISO 45001:2018 are equivalent or analogous. Note however, that
clauses may utilize different terminology or be arranged in a different order.
Guide to existing OHSAS 18001 users:
• Get a copy of the standard from the ISO Store at: www.iso.org/iso/iso45001 or from your national ISO
representative.
• Examine the changes in the standard, or use the comparative matrix in this course as a
free resource.
• Conduct a 'gap analysis' between ISO 45001 and your current OHSAS 18001 system.
• Apply the necessary actions to fill any identified gaps.

Employee Participation
Clauses
The internal and external issues of an organization need to be addressed from a business context
analysis perspective, with occupational health and safety in mind, as per Clause 4.1 of the ISO
45001:2018 standard. This mandates the company to systematically recognize and study the
various issues which affect its business operations, as well as the management system.
Clause 4.2 focuses on the need for organizations to address workers’ needs and expectations, as
well as the needs and expectations of other affected parties, in the matter of workplace health
and safety. The company is required to address these issues through a verifiable occupational
health and safety management system. Clause 4.3 relates to scope. Unlike in OHSAS 18001,
scope should only be defined when clauses 4.1 and 4.2 have been adequately addressed.

Responsibility
As in ISO 9001 and ISO 14001, ISO 45001:2018 places strong emphasis on
the responsibility of top management to enforce consultation with, and participation from, workers,
as per clause 5.2. In addition, top management must encourage workplace safety and employee health
and monitor health and safety performance, ensuring the effectiveness of the OHSMS.
Organizational leadership is accountable for developing health and safety policy. Moreover, policy
should be agreed with the organization's labor union representatives and health and safety personnel,
where applicable. As per clause 5.3 of the standard, all roles, responsibilities and authorities must be
properly defined, communicated and documented. However, the accountability of top management for
the overall OHSMS cannot be delegated.

Participation
Clause 5.4 of the ISO 45001:2018 OH&SMS is a much improved clause, compared with OHSAS 18001.
It documents information related to assisting the participation, involvement and communication of all
workers, at every level in an organization, with the occupational health and safety management system.
Many organizations do not have a management representative or a health and safety representative. If
there is no union representative in an organization, the ISO 45001:2018 OH&SMS standard does
not mandate one. However, top management must ensure worker participation and
consultation by other means.

Additions and Improvements


Documentation

Clause 6.2 of ISO 45001:2018 deals with incentives for organizational improvement and performance evaluation
(see also clause 9.1.1). Clauses 7.1 to 7.5 deal with various organizational support functions, including: the
availability of resources; the competency of workers to perform work safely; health and safety awareness of workers,
visitors and contractors; health and safety communication; and the requirements for documenting information.
Important points relating to support requirements:
• Communications are evaluated for their effectiveness.
• Employee awareness includes: policies, hazardous risks and the role of employees and contractors regarding health
and safety performance (e.g. the awareness to remove oneself from ‘serious danger’).
• The documentation of information is similar to ISO 9001 and ISO 14001. This encompasses how an organization
creates, maintains and retains information that is compulsory for the OH&SMS.

Provisions

Clauses 8.1 to 8.2 deal with organizational operations, preparedness planning, identifying risk and hazards,
controls and emergency situations. Risks and hazards should be addressed by implementing a hierarchy of controls.
The management of change and operational modifications is described in clause 8.1.3. This includes managing
instruments, circumstances, employees, obligations, legal issues and compliance.
What would be the impact to your organizational reputation, if one of your suppliers or contractors was
involved in a major occupational health and safety incident?
ISO 45001 requires organizations to analyze risks associated with an organization’s reputation.
Procurement and outsourcing are covered in the new standard, whereby it is required to scrutinize
purchased goods and services, in relation to health and safety requirements. In addition, there is an
improved requirement relating to the health and safety of contractors, regarding the requirement to
ensure a safe and healthy work environment.

Additions

ISO 45001:2018, Clause 9, includes enhanced and extended evaluation of performance, compared with the
British OHSAS 18001 standard:
• Compliance evaluation has been extended to incorporate the means and regularity of evaluation; the organization
is required to maintain knowledge and awareness of the organization's compliance.
• Internal audit results need to be discussed with workers.
• The management review clause has improved the inputs and requirements of OHSAS 18001. It has added risks
and opportunities, improvements, communications, management system effectiveness and the issues of interested
parties.

Risk and Prevention


Prevention
ISO 45001:2018 Clause 10, removes the linguistic reference to ‘preventive’ action, as it is already covered in the
risk management phase. Organizations have to deal with incidents, correct the problem, investigate the root cause
and take corrective action. The corrective action is then evaluated to check its effectiveness.
The organization is required to show that it has implemented the values of risk management and continual
improvement through: root cause investigation, in-depth analysis, modified risk analysis and required operations.
Organizations must be able to prove that they are using the outputs from performance analysis and evaluation, to
recognize and resolve gaps and opportunities.

Risks and Opportunities
In clauses 6.1.1, 6.1.2.3 and 6.1.4, organizations need to identify significant risks and opportunities concerned with
the factors of the organization’s context, as referenced in clauses 4.1 and 4.2.
These risks and opportunities need to be identified and considered and action needs to be taken to optimize
performance. Risk management concerns not just hazards, but also internal and external issues and the needs and
expectations of interested parties.
All these factors together influence the capability of the management system to yield its intended results i.e.
improved health and safety performance at work.

Workers & Interested Parties


Interested Party
Interested Party - This term is defined as a “person or organization that can affect, be affected by, or
perceive to be affected by a [organization's] decision or activity.”
Interested party is an important inclusion in the ISO 45001:2018 standard. It was not considered as
much in OHSAS 18001:2007. The term is defined in clause 3.2. It is also referred to as "stakeholder" in
the standard.
Examples of interested parties regarding occupational health and safety management systems are: employees,
management and shareholders, external parties, contractors and service providers, manufacturing partners,
government and legislative bodies, pressure groups, neighbors, trade unions, company insurers.

Workers
Worker - The ISO 45001 standard defines the term “worker” (clause 3.3), as a “person performing work or
work-related activities, that are under the control of the organization”.
The concept of 'worker' in the standard, is different to that which is perceived in certain industries. The term
worker, in the standard, includes top management, managerial and non-managerial staff. This term incorporates
the following:
1. Workers from external providers
2. Contractors
3. Individuals
4. Agency workers
5. Other persons involved in work-related activities

Consultation and Participation


Consultation

Consultation is defined in clause 3.5 of the ISO 45001 standard as “Seeking views
before making a decision”. Consultation includes engaging with health and safety
committees and workers’ representatives in the decision-making process and the
consideration of workers’ views.
It is related to the terminology of participation, but is limited to obtaining the
views of workers, before making decisions. It is not necessary that workers' views
become the major factor in the decision-making process; however they should
have merit. In the participation part of the standard, workers are an integral part of the decision-making process.
Consultation is also a style of management - a consultative style of management, in which there is less liberty and
involvement of stakeholders, compared to a democratic style. However the consultative style offers more liberty
than the autocratic style of management, in which top management directs what is to be done, without consulting
others. A consultative style of management is considered a more "balanced approach" by many experts, compared
with the autocratic and democratic styles of management.


Participation

Participation is a term defined in clause 3.4 of the ISO 45001 standard as “involvement in decision making”,
regarding the occupational health and safety management system. It includes the involvement of health and safety
committees and workers’ representatives, or of other parties in the organization.
The involvement of workers and staff in decisions, is part of the ownership of the health and safety management
system. Participation is different from consultation. In the former, workers are part of the decision-making process;
in the latter workers' views are welcomed and considered but are not necessarily a deciding factor. In consultation,
management considers workers' views on the basis of their merit.
Participation is a democratic style of management, where opinions are directly involved in the decision-making
process. This means a more empowered role for workers in the management system, giving workers an increased
level of ownership and involvement.

Contractors and Contracts
Contractors
ISO 45001:2018 defines contractor in clause 3.7 as “[an] external organization providing services in accordance
with agreed specifications, terms and conditions”. The standard further says that services also include
activities related to construction. A contractor is also an interested party in the organization’s
management system.
There are two types of 'organizational circles', with regard to an organization's control over contractors -
a 'circle of control' and a 'circle of influence'. In a circle of control, all contractors’ work is the responsibility
of the organization. In a circle of influence, the organization influences contractors to work safely and
according to certain protocols.

Contract
A contractor working at the premises of an organization has to follow all health and safety related operational
controls, as developed by the organization. However, a contractor doing work outside an organization's premises will
be influenced to take certain measures, in order to control the health and safety levels at another
location.
The selection process for contractors should consider their health and safety performance record, in
addition to the quality of services they provide. It is also pertinent that the terms relating to an
organization's health and safety management system should be incorporated into the terms and
conditions of the contract made with contractors. This will create a contractual binding for compliance.

Hazards and the Workplace


Workplace
Workplace is defined in the ISO 45001:2018 standard as “[a] place under the control of the
organization, where a person needs to be, or to go, for work purposes.”
Workplace is a physical entity with a defined periphery. Large organizations with large workplaces,
usually employ area managers who have responsibility for certain areas. The scope of an organization's
occupational health and safety management system, is validated by site visits to the workplace.
The organization's responsibility for the workplace, is dependent on the level of control that the
organization has. If the management area of an organization has direct control, then the workplace is
under the control of the organization. If the workplace is at a contractor's premises, then the
organization can influence the workplace, but it cannot control it.

HIRA
ISO 45001 defines the term hazard, as a “source with a potential to cause injury and ill
health”. Hazards can include sources with the potential to cause harm, or hazardous situations.
They can also include circumstances that have the potential of exposure, leading to injury and
ill health. Hazards exist, due to unsafe work conditions and unsafe work practices.
Unsafe conditions pose a direct source of potential harm. An unsafe act also creates a situation
where injury or damage is possible. ISO 45001 mandates that organizations carry out hazard
identification and risk analysis of the workplace. Together, the process is known as hazard
identification and risk assessment (HIRA).

Health, Injury and Objectives


Health & Injury

ISO 45001 defines injury and ill health as “adverse effect on the physical, mental or cognitive condition of a
person”. These adverse effects include occupational disease, illness and death. When we say occupational
disease or occupational illness, it means that the illness or disease is related to, or a consequence of work-
related activity.
The term “injury and ill health”, implies the presence of injury or ill health, either separately or in
combination. The occupational health and safety management system's main focus, is to prevent injury and
ill health at work. Recording incidents of injury and ill health at work, is part of the performance monitoring
criteria of the OH&SMS. Successful organizations aim to achieve zero occupational injury and ill health at work, as
their primary OH&S objective.

Objectives

ISO 45001 defines the term OH&S objective as “set by the organization to achieve specific results
consistent with the OH&S policy”. It means that the targets are set in the form of objectives and that
the objectives are consistent with the policies of the occupational health and safety management
system.
Objectives are made so that specific results can be obtained from the activities that are taken to
achieve them. Objectives are usually based on the S.M.A.R.T concept, i.e. specific, measurable, achievable,
realistic and time bound.
If objectives are made using SMART principles, it is likely that an organization will achieve its targets.
Also, it will be easier for people to follow the procedures and to complete activities that are defined in
the objectives. Examples of OH&S objectives include: zero accidents, reduction in loss-of-time injuries,
increase in safe working hours, decrease in the number of reports of unsafe acts and unsafe conditions.

Risk and Uncertainty
Risk
ISO 45001 defines the term risk as “the effect of uncertainty”. The standard further explains that
the effect is a deviation from the expected. This effect can be positive or negative. Uncertainty is a
state of deficiency of information relating to the understanding or knowledge of an event, its
consequences, or its likelihood. Risk is often characterized by reference to potential “events” and “consequences”, or
a combination of these.
Risk is often expressed in terms of a combination of the severity and consequences of an event (including changes in
realities) and likelihood or occurrence. Therefore, risk is commonly calculated as the product of severity and
occurrence (Risk = Severity x Occurrence). The joint terminology of “risks and opportunities” is used in ISO 45001.

OH&S Risks
ISO 45001 defines Occupational Health and Safety (OH&S) Risk, as the “combination of the
likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of
injury and ill health, that can be caused by the event(s) or exposure(s)”.
This means OH&S risk is a risk related to hazards in the workplace, as opposed to business and
financial risks. The standard specifically defines OH&S risks as the combination of probability of
occurrence and the severity of the hazard.
Occurrence is the frequency of the event that is expected. Severity is the impact of the hazard
when or if it occurs. Severity, from an OH&S perspective, can be fatal, a disability, a first aid
case, or a near miss. Organizations must bear the financial and reputation losses resulting from incidents where
they have to compensate workers for loss.

Incidents and Accidents


ISO 45001 defines the term incident as “occurrence arising out of, or in the course of, work that could or does
result in injury and ill health”. Examples of incidents are accidents and near-miss reports. An incident where injury
or ill health occurs is referred to as an accident.
Within accidents there are: fatalities, disabilities, asset damage, first aid cases and injuries etc. An incident where no
injury or ill health occurs, can be referred to as a “near-miss”, “near-hit” or “close call”. Although there may
be nonconformity related to an incident, incidents can occur where there is no nonconformity.

The main points from this module are as follows:

• Occupational Health and Safety Management Systems help companies to improve their occupational health
and safety performance continually.
• Some of the national standards for implementing OH&SMS systems, prior to ISO 45001:2018 have been: BS
OHSAS 18001; ANSI/AIHA Z10 and CSA Z1000.
• The BS OHSAS 18001, Occupational Health & Safety Assessment Series, is a globally recognized British
Standard for occupational health and safety management systems.
• ANSI stands for the American National Standards Institute. The Accredited Standards Committee “Z10”
approved the standard in 1999.
• The Canadian Standards Association (CSA), published a standard for Occupational Health and Safety
Management Systems, in 2006, known as CSA Z1000-6.
• The ISO 45001 standard matches closely with the newly revised ISO 9001:2015 quality management
system and the ISO 14001:2015 environmental management system. Both similarly employ a risk-based
structure.
• The committee responsible for the development of the ISO 45001 standard is known as ISO/PC 283.
• Experts from approximately seventy countries, collaborated on the drafting of ISO 45001.
• The British Standards Institution (BSI), served as the committee’s secretariat for the development of ISO
45001.
• ISO 45001 incorporates a Plan-Do-Check-Act (PDCA) model. This is a mechanism for organizations to plan
what they require, in order to mitigate the probability of OH&S damages.
• Companies need to migrate from OHSAS 18001 to ISO 45001 within three years after publication of ISO
45001 (March 2018).
• Brief comparison between the ISO 45001 and OHSAS 18001 standards: ISO 45001 uses a process-based
approach > OHSAS 18001 uses a procedure-based approach; ISO 45001 uses a risk-based approach >
OHSAS 18001 uses a preventive approach; ISO 45001 incorporates both risks and opportunities > OHSAS
18001 considers risk only; ISO 45001 incorporates the views of interested parties > OHSAS 18001 does not
include the views of interested parties.
• In a rapidly growing and creative world, the requirement is felt for organizations to be proactive in the area
of occupational health and safety management, rather than reactive. ISO 45001 provides such a framework.
• Most organizations are small to medium-sized enterprises. ISO 45001 is applicable to those, as well as to
larger enterprises.
• Most organizations will benefit from ISO 45001 and significant numbers will welcome the recognition that
comes with ISO 45001 certification.
• The users of existing OH&SMS, such as OHSAS 18001 and the ILO-OSH Guidelines, will easily be able to
implement ISO 45001, as it does not contradict these standards.
• The ISO 45001:2018 OH&SMS, offers a vigorous set of processes for improving workplace safety in the area
of global supply chains.
• The new ISO 45001:2018 international standard, when implemented, is expected to reduce workplace
injuries and illness significantly around the world.
• According to ILO statistics (2017), 2.78 million fatal accidents occur in the workplace each year. In addition,
there are approx. 374 million non-deadly incidents of work-related damage and illness each year. Most of
these incidents involve loss-of-time injuries, meaning absenteeism from work, loss of productivity and loss of
revenue.
• According to the ISO 45001:2018 standard, the ultimate accountability of top management for the
OH&SMS cannot be delegated.
• The support functions listed in clauses 7.1 to 7.5 of ISO 45001:2018, include: availability of sufficient
resources; competency of workers to perform work safely, the necessary awareness of workers, visitors and
contractors regarding occupational health and safety; sufficient communication; documentation of
information.
• Clauses 8.1 to 8.2, deal with operational planning and controls; emergency situations; cases of failure and the
development of preparedness plans by organizations.
• Clause 9 in ISO 45001, deals with performance evaluation, similar to that contained in the British standard
OHSAS 18001.
• The linguistic reference to ‘preventive’ action in OHSAS 18001, has been removed from clause 10 in ISO
45001, as it is already considered in the risk management phase.
• Risk should not only be managed for hazards, but also for internal and external issues, including the needs
and expectations of 'interested parties'.

Module 11: Requirements of an Occupational Health and Safety Management System (OH&SMS)
After completing this module you will be able to:
• List the expectations top management has in an OH&SMS.
• Describe how best to manage health and safety risks.
• Explain how support functions affect an organization's performance.
• Define what operational controls are.
• Summarize how organizations enforce operational controls.
• Discuss what an emergency response is and how organizations are required to plan for emergency situations.

Leadership Roles and Responsibilities


Leadership

What is a leadership role and how is it mandated in the ISO 45001:2018 standard?
Top management must demonstrate leadership and commitment towards the OH&SMS by:
a) Owning responsibility and accountability for avoiding work-based injuries and illness, and providing a safe and healthy work environment and processes.
b) Making sure that the OH&S policy objectives are identified and relate to the strategy of the company.
c) Making sure the OH&SMS integrates into the business processes of the organization.
d) Ensuring the availability of the resources required to develop, apply, sustain and enhance the OH&SMS.
e) Communicating the significance of the implementation of the OH&SMS and compliance to the standard.
f) Ensuring the OH&SMS attains its intended results.
g) Guiding and empowering workers to play their role in the sustenance of the OH&SMS.
h) Ensuring and encouraging continuous improvement.
i) Empowering other management to prove their leadership in the areas they lead.
j) Establishing, leading and encouraging an organizational culture that helps the OH&SMS achieve its desired results.
k) Safeguarding workers from retaliation or reprisals when it comes to reporting accidents, unsafe conditions, hazards, risks and areas for improvement.
l) Ensuring that the organization develops and applies processes for discussion and the participation of workers.
m) Empowering the development and operation of health and safety committees.

OH&SMS Participation
Effective
Who is responsible for establishing, implementing and maintaining the OH&SMS policy? Top management i.e. the
leadership of the organization must develop, apply and sustain this policy, which should have the following elements:
a) A commitment to offer a safe and healthy working environment. The commitment should
ensure that work-based accidents and illnesses are avoided. The policy should be relevant to the
objectives, size and business context of the organization and the nature of the particular health
and safety risks that exist.
b) A framework for setting out the health and safety objectives.
c) A commitment to meet legal and other requirements.
d) A commitment to eliminate hazards and reduce risks.
e) A commitment to the continuous improvement of the OH&SMS.
f) A commitment to consultation and participation. The policy should encourage discussion and the involvement of
workers/bodies representing workers and managers.

Components

The organization's health and safety management policy should ensure the following:
• The policy must be controlled and documented.
• It must be communicated throughout all levels of the organization.
• It should be suitable, applicable and available to all interested parties.

Worker Representation

Worker representation in the OH&SMS steering committee can be a source of participation and consultation for workers.
Hurdles and barriers to staff participation can involve the inability to address inputs and opinions, language barriers and dangers of retaliation or reprisals for "speaking up".

Training

Delivering training to staff can break major barriers to worker participation. The participation of non-managerial employees can involve the following:
1. Identifying hazards and assessing risks and opportunities.
2. Identifying the procedures for consultation and participation.
3. Identifying actions that can eliminate hazards and reduce health and safety risks.
4. Identifying training and competence requirements and evaluating training.
5. Identifying communications issues and methods.
6. Investigating incidents and non-conformities.
7. Identifying control measures and their effective applications.

Internal and External Factors


Business Context
The business context for the OH&SMS (ISO 45001:2018, clause 4.1) involves the following:
• Understanding the company and its business context.
• Management must identify internal and external issues that are applicable to the OH&SMS.
• Highlight issues that have affected, or may affect, the organization's ability to successfully implement the
OH&SMS.

Internal Issues
Collaboration between businesses has developed in the last two decades, with the advancement of the internet and business without borders. Health and safety concerns have developed too, and management has wider-reaching issues to consider when planning an OH&SMS. Some internal issues include:
• The competence and diversity of the organization’s workforce.
• The commitment of workers regarding health and safety regulations.
• The readiness to collaborate with declared specifications.
• The organization’s communication channels and their significance.

External Factors
External factors are issues that are outside an organization, but that influence its business and operations. Some of
these are summarized below:
- Legislation and regional laws.
- Economic and political situation.
- Union rules.
- National and international agencies.
Documenting the business context, for auditors and other stakeholders, with respect to external parameters, is
recommended.

Compliance and Interests


Compliance
Compliance with applicable H&S laws and regulations, protects businesses from legal and
other financial penalties.
Moreover, the well-being of an organization’s workers is the first and foremost objective.
Making sure operations are safe, improves the quality of goods and services that can be
provided.
The latest discoveries and research with regard to contemporary illness, e.g. recurring stress, strains and depression, demonstrate that adhering to OH&S legislation improves performance.

Involvement
It's important to involve the viewpoints of interested parties when formulating an OH&SMS. Some common
interested parties include:
• Employees/workers
• Management and shareholders - they are also connected to strategic business decisions
• External providers, contractors and vendors
• Manufacturing and business partners
• Government, regulatory and legislative bodies – in many cases these have authority over organizations
• Pressure groups, neighbors, trade unions – especially in the case of e.g. nuclear power/chemical/hazardous
facilities
• An organization’s insurers - an OH&SMS may significantly affect premiums

Risks and Hazards


Analysis
When planning the OH&SMS, management must consider the issues and requirements
from a business context, i.e. internal and external factors and those of interested parties. This constitutes
the scope of the OH&SMS.
Through the planning processes, management must identify and examine the risks and opportunities associated
with the OH&SMS and the structural changes involved. Management must document the information concerning
the processes and measures needed to identify and address the risks and opportunities involved. A long and short
term risk and opportunities assessment must be undertaken, before change is applied.

Hazards

Hazard identification is referred to in clause 6.1. Top management, or its delegated personnel, must develop,
apply and carry out pre-emptive and ongoing processes for hazard identification.
These processes must take into account how work is managed, considering the following factors:
Workload; Work hours; Victimization; Harassment and bullying; Leadership and culture.

Identification

Hazard identification processes must also take into account hazards that arise from routine and non-routine
activities, including the following:
• Infrastructure, machinery, supplies, physical job areas
• Design of services and products, manufacturing, assembly, erection, service distribution, maintenance, product
and waste disposal
• Work methodology

Hazard Identification and Assessment


Personnel

Hazard identification and the assessment of risks and opportunities, involves personnel in the workplace, including:
• Those with the right of entry to the workplace (employees, third-party workers, guests)
• Those in the locality of the work area, who are affected by the work
• Employees in an area that is not under the direct administration of the company

Other Factors

Hazard identification and the assessment of risks and opportunities, involves other factors in the workplace,
including:
• The layout of work areas, practices, installations, heavy machinery, standard operating procedures and job
management
• Changes with the needs and capabilities of employees
• Changed conditions in the workplace, as a result of work-related activities
• Conditions (not controlled by management) in work areas, that can result in illness or injury to individuals
• Actual or intended changes in organogram, jobs, processes, proceedings or the health and safety management
system
• Information and knowledge relating to any changes concerning hazards

Assessment

Assessment of health and safety risks (Clause 6.1.2.2). Management must develop, apply and carry out processes for
the following:
(a) Assess the health and safety risks from a list of hazards, while considering the effectiveness of current controls;
(b) Identify and assess other risks related to the establishment, application, operation and maintenance of the
overall OH&SMS.
The management’s procedures and criteria for the assessment of health and safety risks, must be defined, to ensure
they are preemptive rather than responsive and that they are utilized in a
systematic way. Documented information must be developed and retained on the assessment principles and
methodology.

Processes, Actions and the Law


Processes
Assessment of health and safety opportunities (6.1.2.3)
Management must develop, apply and carry out processes for the following:
(a) Health and safety opportunities to enhance health and safety performance, changes to management, policies,
processes or activities.
(b) Opportunities to upgrade work, management and the work environment for employees.
(c) Opportunities to eliminate hazards and reduce health and safety risks.
(d) Opportunities for improving the OH&SMS.

Legal
Legal and other requirements (6.1.3)
Management must develop, apply and carry out processes for the following:
A. Identify and subscribe to the latest legal and other requirements that are relevant to
hazards, risks and health and the OH&SMS.
B. Identify how legal and other requirements apply to management and which
requirements need to be communicated to staff.
C. Take legal and other requirements into account when developing, applying and
improving the OH&SMS.
D. Retain documented information on legal and other issues and ensure it is upgraded to
incorporate any relevant changes.

Action
Management must plan actions relating to the following:
1) Risks and opportunities
2) Legal and other requirements
3) Prepare for and react to emergency situations
4) Integrate and apply relevant counter measures to hazards and risks, through the OH&SMS
5) Assess the effectiveness of the counter measures and action plans taken
Management must take into consideration the "hierarchy of controls" (clause 8.1.2) and results from the health and
safety management system, when deciding on new actions. When planning actions, management must take into
account best practice, technological alternatives and economical, functional and business needs.

Objectives and Planning


Objectives
Health And Safety objectives (Clause 6.2.1)
Management must develop health and safety objectives at appropriate functions and levels, to carry out and
continually improve the OH&SMS and OH&S performance (clause 10.3).
Health and safety objectives must:
(a) Be consistent with the health and safety policy
(b) Be quantifiable (if possible) and available for evaluation
Health and safety objectives must take into consideration the following:
(c) Relevant requirements
(d) The outcomes resulting from the assessment of risks and opportunities
(e) The results of consultation with employees or employees’ representatives where they exist
(f) Checks, communications and upgrades

Planning
Planning to attain health and safety objectives (Clause 6.2.2)
When planning how to attain organizational health and safety objectives, management must address
the following questions:
A. What needs to be worked on?
B. What resources will be needed?
C. Who will be delegated?
D. When will it be finished?
E. How will the outcomes be assessed (including pointers for monitoring)?
F. How will the measures needed to attain health and safety objectives, be assimilated into business processes?
Management must produce and retain documented information on health and safety objectives and the plans to
achieve them.

Duties of Management
Competence

Support Functions - Organizational Resources (Clause 7.1)


Management must recognize and render the resources required for the establishment, application, maintenance and
continual enhancement of the OH&SMS.
Competence (Clause 7.2)
To achieve mandatory employee competence, management must perform the following:
1. Identify the influence of employee competence on health and safety performance
2. Ensure that employees are competent (including the capability to recognize hazards) with help of education,
experience and training
3. Take the necessary actions to achieve mandatory employee competence and be able to evaluate the effectiveness
of these measures
4. Retain documented information on proof of employee competence
NOTE: Relevant actions can involve the delivery of training, mentoring, the re-allocation of presently employed
persons and the hiring or outsourcing of competent persons.

Awareness

Awareness (Clause 7.3)


Employees must be made aware of the following:
- Health and safety policies and objectives
- The effectiveness and benefits of the OH&SMS
- The implications and potential outcomes of not conforming to OH&S requirements
- H&S incidents and the results of investigations
- Their ability to leave work situations when there is a grave danger to their life or health

Obligations

Communication (Clause 7.4)


Management must develop, apply and carry out the processes required for the internal and external
communications applicable to the OH&SMS, together with identifying the following:
• The appropriate subjects of communication
• The appropriate timing
• The appropriate recipients (including contractors and visitors to the workplace)
• The appropriate methodology of communication
The standard stipulates that management must take into account the "diversity" of the audience when considering its communications. Diversity includes:
• Gender
• Language
• Culture
• Literacy
• Disability
Management must ensure that the opinions of external interested parties are considered, when developing the
communications process. In addition, management must:
• React to appropriate communications regarding its OH&SMS
• Keep documentation, as proof of its communications

Documentation and Control


Documentation
The level of documented information required (Clause 7.5) in an OH&SMS, varies from one organization to another.
This is due mainly to the types of products and services it provides and the requirement to show legal and other
compliance.
Documentation (Clause 7.5.2) should normally include the following:
1) Identification and description
2) Title, Date and Author
3) Reference Number
4) Language and format
5) Graphics and media
6) Software Version

Control
Documentation needs to be sufficiently controlled (clause 7.5.3), to ensure:
- It is accessible and relevant for utilization where and when it is needed
- It is sufficiently protected from loss of confidentiality and improper use
- The availability of sharing, right to use and retrieval
- It is conserved and stored properly
- Version and revision control

Process Controls and Changes


Process
Management must plan, apply, control and carry out the processes needed to meet the requirements of the
OH&SMS. Applying actions is identified in Clause 6 and involves the following:
• Developing the criteria for processes
• Applying the control of processes, in accordance with the criteria
• Producing and retaining documented information, so that interested parties and observers can have
confidence that the processes have been carried out
• Adapting work to employees
• At multi-employer workplaces, management must coordinate the OH&SMS with other managers

Controls
Management must develop, apply and carry out processes for the eradication of hazards and the minimization of
health and safety risks (Clause 8.1.1), by utilizing the following hierarchy of controls:
(a) Remove or eliminate the hazard
(b) Substitute or replace health and safety hazards and risks, with less hazardous operations,
processes, supplies or machinery
(c) Use engineering controls and the management of work
(d) Use administrative controls, such as training and visual controls
(e) Use adequate protective equipment for employees
Examples include permit-to-work systems, lockout/tagout systems and access control.

Changes

Management must develop a process or processes, for the application and control of intended short term and long
term changes that impact on health and safety performance. This includes:
• Modifications to old products and services, work sites and the neighborhood
• Labor force and machinery
• Legal and other requirements
• Modifications in knowledge and facts about hazards and health and safety risks
• Upgrades of technology and related knowledge
Management must analyze the outcomes of unplanned changes and take measures to decrease the impact of
adverse effects.

Outsourcing and Emergencies


Contractors

Management must develop, apply and carry out processes to control the acquisition of products and services
(Purchasing Controls - Clause 8.1.4), to ensure compliance with the OH&SMS.
Management must organize the procurement process with contractors (Clause 8.1.4.2), list hazards
and analyze health and safety risks arising from:
• Contractor activity that influences the workplace
• Activities and functions that affect the contractors’ employees
The contractor's work and functions at a site, have an influence on the interested parties in that
area. Management must ensure that the needs of its health and safety management system are fulfilled by
contractors and their employees.
Examples include supplier evaluation on the basis of health and safety, and contractor protocols during onsite work.

Outsourcing

Management must ensure that subcontracted jobs and processes are managed. They must also ensure
that outsourcing preparations are made in accordance with legal and other requirements. The processes involved
and the extent of control, must be explained in the OH&SMS.

Emergencies

Management must develop, apply and carry out the processes required to prepare for emergency conditions,
including the following:
1. Develop readiness and planned reactions to emergency conditions, together with the prompt delivery of first aid
2. Offer training for the planned responses
3. Test emergency procedures regularly
4. Send and offer suitable information to all employees during such events
5. Assess performance
Appropriate information must be sent to visitors, contractors, emergency response units,
government authorities and the community during such events. Moreover, all interested
parties must be involved in the design and fulfillment of emergency planned responses. As
usual, management must produce and retain documented information on the processes
involved.
The main points from this module are as follows:
• An organization's policy should include a commitment to providing a safe and healthy working environment and a commitment towards continual improvement of its occupational health and safety management system (OH&SMS).
• Management must identify all "interested parties" in the system, together with employees. Interacting with the organization’s workers, contractual partners and shareholders is an important part of maintaining a list of all interested parties. If a business has a high accident rate, insurance premiums will rise. Insurers are therefore an "interested party".
• The competence of an organization’s workforce is an internal issue and is relevant to effective health and safety management.
• External factors are outside an organization's direct control. However, they influence an organization’s business and operations and consequently its OH&SMS.
• The latest discoveries and research into contemporary illness in the workplace highlight recurring stress, strains and depression (mental health). This research finds that legislation must be upgraded and business contexts need to be fully documented, if organizations are to truly alter their health and safety systems to function effectively.
• 'Scope' refers to the boundaries and applicability of an organization's OH&SMS.
• Management must take into account the "diversity" of its interested parties when formulating its health and safety communications strategy. Diversity, according to the ISO 45001:2018 standard, includes: Gender, Language, Culture, Literacy and Disability.
• Employees must be made aware of the organization's health and safety policy and its health and safety management objectives.
• Management must react to appropriate communications regarding its health and safety management system.
• The documented information relevant to the OH&SMS should include the following components: Identification and description; Format, language and reference number; Title, date and author; Software version (if relevant); References to media and graphics used.
• Documented information should be protected from: Loss of confidentiality; Improper use and Loss of integrity (damage).
• Management must develop, apply and carry out processes for the eradication of hazards and the minimization of health and safety risks, using the following 'hierarchy of controls': (a) Remove or eliminate the hazard; (b) Substitute or replace hazards and risks with less hazardous operations, processes, supplies and machinery; (c) Use engineering controls and management of work; (d) Use administrative controls such as training and visual controls; (e) Use adequate personal protective equipment.
• Where short or long term changes are applicable to work practices, a risk and opportunities assessment should be undertaken before the change is applied.
• Only top management or its delegated personnel should develop, apply and carry out the processes for hazard identification.
• Legal and other requirements relevant to health and safety constitute risks and opportunities for an organization, which management must address.
• Management must develop, apply and carry out processes to assess occupational health and safety opportunities, in order to enhance occupational health and safety performance in an organization.
• Management must develop occupational health and safety objectives relevant to different work functions and levels.
• Management must identify and provide the resources needed for the establishment, application, maintenance and continual enhancement of the OH&SMS.
• Management must send information regarding its OH&SMS and concerning legal and other requirements to any relevant external parties.
• Management must develop, apply and carry out processes to control the acquisition of products and services, to ensure their compliance with the OH&SMS.
• Management must ensure that its outsourcing activities, with respect to health and safety, are in fulfillment of legal and other requirements.
• Management must develop, apply and carry out processes to prepare for possible emergency situations.
• Management must produce and retain documentation regarding its processes and plans for reacting to potential emergency situations.


Module 12: OH&SMS Performance Evaluation and Improvement
After completing this module you will be able to:
• Describe the performance evaluation of occupational health and safety management systems (OH&SMS)
• Be able to discuss monitoring, measurements and analysis
• Describe the process involved in internal audits
• Explain what is involved in management reviews
• Define what 'continual enhancement' means
• Summarize the 'check and act' part of the OH&SMS

Performance Measurement
Performance
Performance evaluation (Clause 9) lists the requirements of assessing
the performance of the OH&SMS. This clause encompasses three areas of evaluation:
• Monitoring, measurement and analysis
• Internal auditing
• Management reviews
Management must develop, apply and carry out (Clause 9.1) different processes for
monitoring, measurement and analysis. Management must identify the following:
• The level of compliance to laws and other requirements
• The activities and processes involved in recognizing hazards, risks and opportunities
• Improvements toward the attainment of the organization's health and safety objectives
• The impact and efficiency of operational (and other) controls

Tasks
Monitoring can be based on:
• Observation of work being done
• Assessment of documented information
• Interviews with people to discuss performance levels
Measurement is the allocation of numbers or values to performance, i.e. events and objects. It
is related to performance evaluation and involves verifying equipment and actions with
respect to risks and hazards.
Analysis is the study and interpretation of data to discover patterns, relationships and trends
in workplace activities. It is closely associated with measuring events.

Criterion
Management relates its performance in the area of occupational health and safety,
according to certain criteria.
For example, the performance of other companies, accepted codes, the company’s own
codes, acknowledged standards, the organization’s objectives and historical OH&S
statistics.
Management must assess its health and safety performance and be aware of the efficiency of its OH&SMS.
Management must ensure, for example, that work equipment is relevant, calibrated, verified and used
appropriately.
NOTE: There can be legal and other requirements (national and international standards) concerning the use,
calibration and verification of equipment.

Records
Management must keep relevant documentation as proof of performance measurement, monitoring, analysis and to
demonstrate results.

Guidelines on Monitoring and Measurement


Introduction

Clause 9.1 defines the meaning of “measuring and monitoring” and offers particular instances of
what can be measured to fulfill the standard. For example:
• Measurement against objectives
• Progress on continual improvement
• The monitoring of workers health and fitness
• Recorded instances of injuries and illness
• Trends

Compliance

The ISO 45001:2018 standard states what must be measured and monitored to ensure OH&S legal compliance. Discontinuities must be recognized, solved and documented. Examples of other factors that must be taken into account are:
• Corporate policies and agreements
• Insurance requirements
• Company and union agreements
• Other rules and regulations

Guidelines

Reviewing an organization’s performance in certain areas against other organizations is referred to as 'benchmarking'. Performing this type of review with respect to OH&S offers a relatively precise picture of an organization’s performance.
However, we must bear in mind the landscape in which organizations operate. For example, financial managers may be bound by a certain financial code of conduct; electronics manufacturers may be committed to being directed by certain standards etc.
The ISO 45001 standard renders certain guidelines as key factors that can be used to quantify performance. For example, if incidents are measured by occurrence, frequency and severity, this constitutes a method of measuring performance. The measurement of the completion of a corrective action, within a certain time or at a certain rate of completion, is another form of measurement.

System Criteria and Assessment


Systematic Mechanism
An organization should have a systematic method for monitoring and measuring its health and safety performance
on a continuous basis and this should be part of its OH&SMS.
Without, hopefully, laboring the point too much, monitoring and measuring an organization's health and safety
performance, should include the following:
• All relevant health and safety legislation
• Mutual relevant agreements
• Standards and codes
• Insurance requirements
• Activities and processes concerning the recognition of risks, hazards and opportunities

Criteria and Indicators
The following is the difference between 'criteria' and 'indicators' as used in the standard:
Criteria are what organizations use to check their performance in key areas. For example, they may benchmark their health and safety performance against other organizations, best practices, standards etc.
To quantify particular OH&S criteria, key performance indicators are used. For example, if a criterion is a comparison of health and safety related incidents, an organization may check: occurrence, type, impact, incidents, statistics etc. The indicators are the results of the comparisons.

Assessment
A compliance assessment program covers all occupational exposure to legislation requirements. Evaluation can be
influenced by elements such as historic compliance, or the time at which legislation was adopted
or changed.
A compliance assessment plan can be joined to other evaluation activities. These can form part of
the management system audit, for example environmental audits or quality management system
assessments.
It should be remembered that legal compliance is the minimum requirement in the standard, for
evaluating the effective implementation of the OH&SMS. This means the organization, at a
minimum, must comply with all legal requirements. Finally, as discussed, the organization must keep
documentation of the results of its compliance evaluation.

Internal Audit Process


Internal Audit
Clause 9.2.1 in ISO 45001 outlines the execution of internal audits by management in
organizations. The internal audit must meet the criteria of the OH&SMS and the results
(outputs) must be made presentable to top management and relevant personnel.
The internal audit plan must be well-scheduled and developed, with a thorough
understanding of the OH&SMS scope. The plan should be developed on the basis of risk
assessments and former audit reporting.
The internal audit should be conducted more vigilantly than in the comparable standards of ISO 9001 (quality
management system) and ISO 14001 (environmental management system).

Purpose
The justification for conducting serious internal audits is simple: nonproductive internal audits in an
OH&S system can threaten the health and safety of an organization’s workforce.
Question: How can it be ensured that an internal audit is as effective as it should be and that the
consequent actions safeguard the health and safety of the workforce?
NOTE: Learn to carry out management system audits in the next module.

Auditing Scope
Management

Internal audit programme (Clause 9.2.1): Top management or their delegated personnel must perform the
following:
(a) Plan, develop, apply and carry out an audit programme that accounts for rate of occurrence,
techniques, responsibilities, consultation, planning needs and reporting. It must also take into
account the significance of processes and the results of former audits.
(b) Outline the criteria of the audit and its scope.
(c) Choose auditors and perform audits to ensure objectivity and non-bias in the audit process.
(d) Make sure the results of audits are presented to the relevant managers, employees, and
other interested parties.
(e) Take measures to remove any nonconformities and "continually improve health and safety performance".
(f) As always, produce documentation as proof of the audit and results.
NOTE: Management should conduct internal audits at consistent intervals, as part of their management review.

Auditor

The internal audit should be performed at “scheduled intervals,” or additionally, if it is seen as helpful to the ISO
45001 system.
WHO?: The standard states that the choice of the auditor should ensure “impartiality and neutrality.”
Also, the auditor must have knowledge, work experience, recognized training and be familiar with
health and safety policies, objectives and performance. Management should receive external advice
from professionals, for their internal audits. This shows that the internal audit is a critical process.
HOW?: The internal auditor must have all the relevant information available, as part of the “input” of
the auditing process, i.e. risk assessment, data and outcomes, health and safety performance results,
stakeholder inputs and health and safety objectives. The auditor must also have full access to all of the information
and people relevant to the performance of OH&S in the organization.

Objectivity

It is helpful, in terms of the continual improvement of the organization's OH&SMS, when the auditor makes sound
recommendations, based on the audit's findings and results.
In this manner, management will have a more objective framework to work with. Also, the internal audit fulfills the
direct requirements and scope of the standard.

Management Reviews
Criterion
The ISO 45001 standard (Clause 9.3) necessitates the review of the organization's OH&SMS appropriateness and
suitability, to be carried out by top management at scheduled intervals.
Management review enables an organization to systematically analyze and gauge the
performance of its OH&SMS, to determine if it continues to be:
APPROPRIATE - processes, values and business systems
SATISFACTORY - is the management system applied properly?
USEFUL - does the management system achieve its intended results?
Management reviews should be completed on a regular basis, for example: quarterly, bi-annually or annually.
Fractional management reviews of an organization's OH&SMS can be performed at more regular intervals, if
needed.

Features
A management review should include the following:
• The status of actions taken following previous management review(s)
• Internal and external issues that influence the OH&SMS, for example risks and opportunities, the requirements
and expectations of interested parties, legal and other requirements.
• Sufficient dialogue with internal and external interested parties
• An analysis of the resources needed for achieving an effective OH&SMS
• Prospects for continuous improvement

Performance
Reviews should include information on the organization’s OH&S performance, including developments in the
following:
1. The attainment of OH&S objectives
2. Incidents, accidents, non-conformities and corrective actions
3. Measurement and monitoring
4. The assessment of compliance with legal and other requirements
5. Internal and external audits
6. Participation, discussion and consultation with employees
7. Risks, prospects and opportunities

Evaluation
Decisions taken following a management review should relate to:
1. The ongoing sufficiency, rationality and effectiveness of the OH&SMS, with regard to the achievement of its
intended results.
2. Areas for continual improvement.
3. Requirements for modifications to the system.
4. Additional resources required.
5. Other actions required.
6. Opportunities to integrate the OH&SMS further/differently with business processes, e.g. quality, the environment,
continuity etc.
7. Impacts on the strategic direction of the organization.

Continuous Improvement Steps


Actions
Management must identify (Clause 10) opportunities for improvement and apply
mandatory actions to attain the intended results of its OH&SMS.
Management must develop (Clause 10.2), apply and carry out processes, together with
investigations, reports and measures, to identify and manage OH&S-related incidents
and nonconformities. When an incident or a nonconformity exists, management must:
• Respond in time
• Take measures to manage and correct it
• Manage any consequences

Involvement
The involvement of employees and the participation of other interested parties must be
assessed. This is a requirement for corrective action, in order to eradicate the root causes
of the nonconformity or incident and to ensure it does not occur elsewhere. This is
achieved through the following:
• Analyze the reasons for the nonconformity or incident
• Review/update existing assessments of OH&S risks (see 6.1)
• Identify and apply any actions required, involving a hierarchy of controls
• Analyze any new potential health and safety risks or modified hazards

Documentation
Management must retain documentation as proof of:
A. Nonconformities or incidents and the measures taken following them
B. The outcomes of measures and corrective actions
C. Communication with the relevant employees, employee representatives, or other
interested parties

Incident Analysis
Analysis

It is important that a 'root cause analysis' is performed following a nonconformity or incident, in
order to avoid its recurrence.
Examples of nonconformities and OH&S-related incidents:
INCIDENTS: Near misses, injuries, poor health, impacts to property or equipment that could result
in health and safety risks, body, skin, bone damage, hearing loss, eye-sight loss, asbestosis.
NON-CONFORMITIES: Safety equipment not working properly, inability to comply with legal
requirements, safety processes or guidelines not being followed; contractors working in a hazardous way on-site.

Root Cause
When a nonconformity or incident occurs, the organization must respond in a timely way. The assessment of
the requirement for corrective action(s), should be agreed with the relevant employees and interested
parties.
The goal of an incident-investigation is to identify what occurred, why it occurred and what can be done to
avoid it occurring again.
Professional investigators must account not only for immediate causes; they must also focus on root causes
and the corrective measures that need to be taken.

Factors

All incidents have causes. These can involve a cluster of factors, together with human behavior, activities, processes
and equipment.
Investigations should highlight gaps that require improvement. The extent of the investigation is
proportional to the extent of the OH&S-related incident and its impact.
The incident should be documented and presented internally and externally, where appropriate, to
regulatory bodies.

Investigations

Who investigates? The investigation of incidents and nonconformities should be performed by a party/parties who
are not reliant on the activities being analyzed and should include an employee representative. Usually there is an
investigation committee that conducts these investigations.

Corrective Actions
Modifications
Organizations are responsible for corrective actions concerning the management of change
and the hierarchy of controls. They are also responsible for making modifications to the
OH&SMS by:
A. Updating process maps
B. Revising procedures
C. Updating the risk register

Controls
Instances of corrective actions involving a hierarchy of controls:
• Eradicate hazards
• Use less dangerous materials
• Re-engineer or change machinery and tools
• Modify the rate of using equipment
• Enforce the use of personal protective equipment (PPE)

Failures and Timing


Failures
The emphasis of root cause analysis is prevention. Root cause analysis recognizes numerous contributory factors,
including the following:
• Fatigue
• Lack of communication
• Equipment failure
• Incompetence
• Gaps in signage/notices/warnings/documentation

Time
While root cause analysis is being carried out, an organization may have to
perform immediate short term actions, in order to avoid recurrence of an incident or
nonconformity.
This can be a component of the implemented corrective action. Root cause analysis and the
reporting of incidents without delay, can assist with the permanent removal of hazards.

Continuous Improvement
References
The concept of continuous improvement is referenced in other management systems (Annex
SL) as well, as we already discussed for ISO 9001 and ISO 14001.

Measures
Measures an organization can take to implement 'continuous improvement' in their OH&SMS include:
• Enhance a culture that supports OH&S
• Encourage the participation of employees (recognition and application)
• Use up-to-date training, practices, technology and equipment
• Promote good working practices
• Accept proposals and advice from interested parties
• Acquire the latest knowledge of occupational health and safety in the workplace
• Source better supplies and make better use of materials
• Promote worker competence
• Attain improved performance using minimal resources

The main points from this module are as follows:

• Three main areas of OH&SMS evaluation are: monitoring, measurement and analysis; internal audits; management reviews.
• Management must develop, apply and carry out different processes for the monitoring, measurement and analysis of its OH&SMS.
• Monitoring can be based on observation of work being done, the assessment of documented information (e.g. records) and the utilization of interviews - this helps to identify status, so that any deviation from performance can be recognized.
• 'Measurement' is the allocation of numbers to the performance of events or objects. It is related to performance evaluation. It can be extracted from the utilization of verified or calibrated equipment.
• Data analysis discovers patterns, relationships and trends in performance. It is related to the measurement of events.
• Criteria are what the management compares its performance with, for example the performance of other companies, developed codes, acknowledged standards, the organization's own codes, the organization’s objectives and its historical health and safety record (statistics).
• Management must ensure that monitoring and measuring equipment is calibrated, verified and used as appropriate.
• Management must develop, apply and carry out processes for evaluating organizational health and safety compliance with legal and other requirements.
• An organization should have a systematic method for monitoring and measuring its occupational health and safety performance, on a recurrent basis. This should be a core component of its OH&SMS.
• An organization should employ preemptive and responsive measures to OH&S gaps and should primarily focus on proactive solutions, in order to maximize its performance.
• The internal audit plan must be scheduled and developed according to the system's scope. The plan should be developed according to a risk assessment and take into account the results of former audits.
• When choosing auditors to perform audits, objectivity and the absence of bias in the process must be assured.
• Management should conduct internal audits at regular intervals, as part of conducting management reviews of their OH&S status and processes.
• The ISO 45001 OH&SMS standard mandates that the results of internal audits should be presented to all employees and interested parties.
• Documenting the internal audit, together with the outcomes, measures and results, is a requirement and a part of the OH&SMS continual improvement process.
• The management review should not only assess data and historical trends; it should aim to improve the OH&S standards and performance in the organization.
• Management review of the organization's OH&S status should be performed regularly, on a quarterly, bi-annual or annual basis.
• Management must develop, apply and carry out processes, together with investigations, reports and measures, to identify and manage OH&S-related incidents and non-conformities.
• An organization must take into account the following: the results from the evaluation and analysis of its OH&S performance; the assessment of its OH&S compliance; the lessons learned from internal audits and the lessons learned from management reviews.
• Corrective actions, continuous improvements, technological changes, innovations and re-organization can improve the organization's OH&S position.
• Incidents that lead to health and safety risks include: near misses, disabilities, injuries, ill health, damage to property and equipment.
• When a nonconformity or incident occurs, the organization must respond in a timely way; they must act to manage/contain the issue, correct it and deal with the outcomes.
• Organizations must assess the corrective actions that are required to eliminate the root causes of health and safety-related incidents and non-conformities. They must endeavor to ensure that incidents and non-conformities that occur in one part of an organization do not occur in another part of an organization.
• Required corrective actions should be planned and implemented with the participation of employees and interested parties.
• The concept of the continuous improvement of an organization's OH&SMS is referenced in management systems prior to ISO 45001:2018, for example ISO 14001 and ISO 9001.

Module 14: Foundations of Auditing
After completing this module you will be able to:
• Clear misconceptions about the nature of auditing
• Describe how ISO 19011 helps auditors
• Explain basic auditing terminology
• Justify the need to conduct management system audits
• Describe different types of audits
• Summarize the attributes of successful auditors
• Illustrate the Plan, Do, Check, Act auditing cycle
• Prove general principles of auditing
• Prepare items for an audit
• Conduct an audit

Introduction and Purpose


Introduction
ISO 19011 is an International Standard published by the International Organization for Standardization. This
standard provides assistance on auditing management systems.
The standard encompasses: the principles of auditing, making an audit program and performing
management system audits. This standard enhances the awareness and competence of professionals
involved in the auditing process.

Purpose
Dispelling misconceptions about auditing
Auditing is focused on the management system and not on the people. Auditing is not a blame
game, but rather a tool to improve systems.
Auditing is supposed to be an unbiased, impartial and systematic assessment aimed at observing
conformity and gaps within a system.

Features of Audits
Audit Evidence

An audit is defined as a:
1. Systematic process
2. Independent process
3. Documented process
Its purpose is to obtain evidence and objectively determine the extent to which certain practices and criteria are
fulfilled.
Audit evidence is defined as:
1. Records
2. Statements of fact
3. Any other useful information that is verified

Audit Criteria

Audit Criteria are reference standards against which a management system is checked. Audit
criteria are:
1. Sets of policies
2. Procedures
3. Requirements
On the basis of the criteria, audit evidence is collected and compared.
Further examples of audit criteria are:
4. Standards
5. Laws/regulations
6. SOP
7. Specifications
8. Contracts

Audit Findings

Audit Findings are the results gathered from collected evidence as measured against the audit
criteria.
Audit findings include information on:
• Conformity or nonconformity
• The identification of opportunities for improvement and/or recording of "good" practices.
In the case of legal or regulatory requirements, audit findings provide information on compliance and
non-compliance.

Conformity and Non-Conformity


Conformity
Conformity is simply explained as the fulfillment of a requirement. For example:
Requirement - There is a requirement for a competent workforce, as per the audit criteria.
Situation - The company has a robust recruitment method to hire competent staff; training
mechanisms are in place to continually improve competency.
Deduction - Since the training function and recruitment process are in place, the requirement of a
competent workforce is fulfilled. This is conformity.

Non-conformity
Non-conformity is non-fulfilment of a requirement. For example:
Requirement - The company was supposed to perform internal audits after six months,
as per corporate policy.
Situation - The company failed to do an internal audit in the last six months.
Deduction - This is a non-fulfilment of a requirement and is thus termed a
nonconformity.

Audit Types and Goals


Goals
WHY DO AN AUDIT?
An audit is done to achieve the following:
1. To assess the effectiveness of the management system.
2. To objectively report to the management regarding the performance of a system.
3. To identify opportunities for improvement.
NOTE: See the Auditing Cycle Flow Chart in the course resources section.

Audit Types
There are three types of audit, based on the auditee, auditor and client relationship:
1. First Party Audit: Audit by the internal auditing function of the company, requested by the
management itself. This function can be outsourced as well.
2. Second Party Audit: An audit of a supplier by a customer.
3. Third Party Audit: An audit by an independent auditing company/agent.

Audit Members
Audit Roles
What are the main audit roles?
An audit involves the following main roles:
1. The CLIENT, person or organization that requests the audit.
2. The AUDITOR OR TEAM that performs the audit.
3. The AUDITEE, whose work is being examined.

The Client
WHO IS THE CLIENT?
The client is the person or organization that requests the audit. The client does the
following:
• defines the audit's objectives
• outlines the audit's scope and establishes its criteria
• provides the necessary resources for performing the audit

Audit Lead
Who is a lead auditor?
The lead auditor is the head of the audit team. They do the following:
1. Plan the audit
2. Schedule the audit
3. Define the audit team size
4. Manage the workload
5. Determine who will audit which areas
6. Prepare the audit report

What is an Auditee?
The Auditee

WHO IS THE AUDITEE?


The auditee is the party being audited. The auditee does the following:
1. Establishes a professional, positive attitude about the audit, among the members of the
audited organization.
2. Participates in the audit.
3. Provides the required relevant materials and resources to the audit team.
4. Responds to the audit report.
5. Corrects or resolves deficiencies as stated by the audit team.

Auditor Attributes

NOTE: The attributes of the successful auditor are shown on the following slide.

Attributes of a Successful Auditor:

Audit Preparation
Audit preparation is based on the following steps:
• Objectives
• Scope and Criteria
• Plan
• Select Team
• Methodology
• Working Documents
• Preliminary Document Review

Pre-Audit and Objectives


Pre-Audit Activities
What are the pre-audit activities?
Pre-Audit activities are performed before the commencement of an audit. These activities involve the following
steps:
• Establish and implement systems as per the standards (verified by the auditee)
• Develop and establish an audit system and protocols (procedure, methodology)
• Develop a clear understanding of the audit requirements
• Define the audit's scope and objectives

Audit Objectives
What are the audit objectives?
A Management System audit should have defined objectives. Examples of typical
objectives are the following:
1. Determine conformance of an auditee’s management system with the audit criteria.
2. Determine whether the auditee’s management system has been properly implemented and maintained.
3. Identify areas of potential improvement in the auditee’s management system.
4. Verify that the management system conforms to all elements of the standard.
5. Verify if the management system is developed to achieve and attain performance improvement and regulatory
compliance.
6. Determine that the organization complies with its own policies and procedures.

Audit Plan, Scope and Team


Audit Scope

What is the audit scope?


The audit scope is defined as the extent and boundaries of the audit. The audit scope
generally includes the following:
1. The physical location
2. Organizational units
3. Activities and processes
4. Time period and duration
Example of an audit scope statement: "To verify the conformance of operations and manufacturing activities of ABC
steel company, at Plant-1, according to ISO 9001:2015 audit criteria, on 20th Feb 2018, from 9am to 5pm."

Audit Plan

WHAT IS AN AUDIT PLAN?


An audit plan includes the activities and arrangements of an audit. Audit plans
include:
• Audit team leader and members
• A methodology: review of documentation and records; interviews; cross-verification;
site inspections
• Working documents
• An audit schedule - allocation of proportionate time
• Communications procedures

Audit Team

How is an audit team selected for an audit?


An audit team is selected on the basis of their auditing skills, experience, sector relevancy
and availability.
Usually an audit team is composed of a lead auditor and his/her audit team members. A
lead auditor is a senior person, with experience of auditing and the necessary knowledge
and competence. Audit members have less experience and competence. They assist the lead auditor in the
completion of an audit.
For quality management systems like ISO 9001:2015, a lead auditor should be trained and certified by an
accredited body such as IRCA or RABQSA. They must have prior auditing experience in the relevant sector.

Audit Lead and Methodology


Lead Auditor Characteristics
WHO IS A LEAD AUDITOR?
A lead auditor is the captain of the audit team and steers the audit in the right direction, without being misled by
distractions. The following are characteristics of a lead auditor:
• Experienced
• Has an understanding of the audit and operating processes
• Good communicator
The following are responsibilities of a lead auditor:
• Leadership
• Plan and schedule all stages of the audit
• Distribute tasks and responsibilities
• Control the audit scope
• Communicate with the team, client and auditee
• Report critical non-conformities on the spot

Audit Methodology

What is the audit methodology?


The audit methodology is the preparation of the audit team itself and the determination of
the involvement between the auditor and the auditee.
The audit methodology relies on the audit objectives of: scope, criteria, duration and location.

Audit Preparation and Team


Preparation
What are the preparations for organizing an audit team?
Audit team preparation includes:
• Team meetings/interaction
• Role clarity and work allocation
• Individual and collective review of criteria and documentation
• Prepare and select standard checklists
• Confirm logistics
• Briefings by the lead auditor to first-time auditors

Team Work
How are auditors and auditees involved in an audit?
Auditors and auditees are involved in the following ways:
• Interviews
• Document reviews
• Onsite observations
• Sampling of products

Systems and Documentation


Documentation

How are working documents prepared?


Working documents facilitate the auditor’s investigation. These can include:
• Audit checklists and procedures used for evaluating management system
elements
• Forms for documenting supporting audit evidence and audit findings
• Meeting and interview recording forms
• Memory aids

Audit Check-lists

WHAT ARE AUDIT CHECKLISTS?


Audit checklists are the guiding documents for an auditor, to help keep the audit on
track and review and verify all checkpoints during an audit. They also help the auditor to foresee whether the audit
is going according to schedule or not.
However, audit checklists should not distract the auditor from following audit trails, before completing all
checkpoints.
Audit checklists are helpful for provisional and junior auditors. Senior auditors, due to their experience, may not
require a specific set of checkpoints. Experienced auditors will follow trails, to verify all checkpoints.

Review

What is a preliminary document review?


A preliminary document review is an initial process review, before verifying actual systems. In these cases, the
auditor needs to decide which documents will be reviewed. Examples of document reviews are:
• System manuals, procedures, programs
• Policy objectives and targets
• Complaints
• Previous audit reports
• Operations records
The preliminary document review can be done off-site, before the commencement of an audit.

Systems

Which management system information can be reviewed in a preliminary document review?
Management system information that can be reviewed:
• Policies
• Manuals
• Management organograms/responsibilities
• Management system budget
• Improvement plans
• Operating process flows
• Complaints regarding management systems

Steps and Opening Meeting


Steps
HOW IS AN AUDIT CONDUCTED?
Basically, an audit is conducted by collecting evidence and establishing findings, based on
the following activities:
• Document reviews
• Onsite visits
• Interviews
• Verification
• Evaluation

Opening Meeting
WHAT IS AN OPENING MEETING?
An opening meeting consists of the following elements:
• Team introduction
• Review of scope, objectives, schedule, criteria and audit sampling method
• Summary of audit methodology/procedures
• Confirm resources and facilities needed are available
• Confirm time and date of closing meeting
• Promote active participation of auditee
• Review procedures and office arrangements for auditors
• Ensure confidentiality
• Clarify and reassure purpose (fact and fault findings)

Gathering Evidence
Evidence Gathering

HOW TO RECORD AND OBSERVE AUDIT EVIDENCE


Audit evidence collecting is sometimes a tricky and tedious task, but with proper planning, evidence can be
gathered, to conduct an effective audit.
PROBLEM: Collection of audit evidence covering all aspects of the scope, with
sufficient depth, is a challenging task for an auditor.
SOLUTION: To collect proper audit evidence, with sufficient insight and
coverage of the audit scope, the following methods should be followed:
• Stick to the audit plan and follow the trail against procedures
• Employ audit checklists and memory aids cautiously
• Use time optimally (ensuring proper depth and audit spread)
• Record discussions with team members for consultation and verification
• Use the appropriate data collection methods listed below:
Interviews | Examination of documents | Physical observation of site activities and conditions | Follow trails; try to
trace and review linkages | Follow-up on previous audit findings

Behaviour

How should an auditor interact with the auditee, to successfully collect evidence?
For an audit to be successful, it is important the auditee cooperates with the auditor. On the other hand, if the
audit involves conflict, then obtaining audit evidence becomes hard and sometimes next to impossible.
Therefore, the auditor should consider the following points for interacting with the auditee:
• Understand the requirements of the audit criteria properly
• Consider the auditee's perspectives and explanations
• Maintain objectivity and professionalism
• Keep a cool temper at all times
• Be in listening mode most of the time
• Be friendly/polite/civil, as appropriate
• Work as a team with the auditee and any client guides

Records

How should queries be put forth initially and how should evidence be recorded?
It is important for an auditor to ask proper questions that are relevant to the scope and objectives of the audit.
From the start, the auditor should consider the following points:
• Take an open-minded approach
• Ask open-ended questions
• Ensure the scope and objectives are covered during questioning
Recording of the audit evidence is the most important part of the audit. The auditor should pay
attention to the following, when recording evidence:
• Record both conformance and non-conformance issues
• Fill in audit forms/formats, as pre-defined in the audit protocol

Auditor Approach and Document Review


Auditing Approach
What should the auditor approach be for conducting an audit?
The audit approach should be friendly, but objectivity should be maintained. The following auditor traits should be
followed:
• Be calm and polite
• Meet area representatives first
• Explain the purpose of the audit
• Never act superior
• Start with easy questions
• Speak clearly and listen carefully
• Talk personally to those performing the tasks
• Never challenge the auditee
• Record all answers

Document Review
What is a document review and how is it done?
Document review is an important part of the audit. Different management systems have different documentation
types. Normally, all management systems follow a similar triangle of documentation.
A document review can start with the top level, i.e. the policy of the management
system. This can be followed with verification of the policy elements in the
management system manual. Then the trail of manual procedures can be reviewed.
Finally, procedure records can be verified. The latest sample records, as well as older
sample records can be reviewed. There is no hard and fast rule as to the order of the
review, as long as all of the content is reviewed.

Discussing Quality Management System


Quality Management
How is a document review done on a quality management system, based on ISO
9001:2015?
The basic concept of the document triangle applies to a Quality Management System (QMS).
The top level document of the triangle is the policy; in the QMS it is the quality policy.
Therefore, quality policy should encompass the considerations of ISO 9001:2015
requirements, as well as the strategic goals of the company. Moreover, the organization is
required to consider internal and external issues related to QMS, as a context for the
organization.
Organizations should also identify interested parties related to their context and analyze risks and
opportunities. After the content of the quality policy and the context of the organization are verified, it is important
to examine how quality objectives are derived from the policy and context. Then the auditor should examine how
these quality objectives are reflected in action plans of the relevant departments.

Quality Objectives
There should also be a mechanism to review quality objectives and change or modify plans, if performance deviates
from defined targets.
Some of the examples of quality objectives are: reduction in customer complaints; reworks and
rejections to specified targets; increased customer rating in support services; increased straight
pass production.
The audit trail does not stop here however. The auditor can see: quality plans; inspection criteria
for product releases; management reviews; internal audits; measurement and monitoring devices;
records of calibration; records of non-conforming products.

Environmental and Energy System Reviews


Environmental Systems

How is a document review done on an Environment Management System, based on ISO 14001:2015?
The document review of an Environmental Management System (EMS), compliant with ISO 14001:2015, can
start from the environmental policy and the context of the Environmental Management System.
Based on that, the auditor can verify the risk and opportunities analysis of internal and external issues, as
stated in the context, and the interested parties’ needs and expectations regarding the environment. The environmental
objectives are then verified for whether or not they are derived from the Environmental Policy and the critical risks
and opportunities highlighted from the organization’s context. Examples of environmental objectives are: reduction in
paper consumption by percentage; reduction of CO2 emissions by reduction of power consumption; reduction of air
emissions.
The auditor can see: legal compliance records; legal evaluation regarding compliance; environment performance
reports; management reviews on environmental performance; aspect impact analysis and actions to address
significant impacts.

Energy Systems

How is a document review done on an Energy Management System, based on ISO 50001:2011?
Similar to QMS and EMS, the document review for an Energy Management System (EnMS), based on
ISO 50001:2011, can be started from the company’s energy management policy.
ISO 50001:2011 does not require the context analysis of EnMS. Neither does it focus on analyzing risk
and opportunities. Therefore there is no point in asking for such information from the auditee. Instead,
ISO 50001:2011 asks the implementing organization to conduct energy reviews and energy baseline
calculations, based on energy performance indicators such as: energy/unit space to heat and cool
buildings; energy/unit of materials transported; energy/unit of production of process machines etc.
Auditors can ask for the energy review record, or the energy baseline data. Then auditors can check whether
objectives and targets are aligned with the energy policy and energy baseline records. The documents used to monitor
objectives and targets against action plans can be requested and checked. The documents covering how energy-related
legal requirements are addressed, evaluated and complied with can also be checked. Then the auditor can ask about the
implementation of actions; internal audits; non-conformity reporting and management reviews.

Interview and Questioning Techniques


Interviews
WHY ARE INTERVIEWS DONE IN AN AUDIT?
Interviews are done in an audit, in order to achieve the following:
• Develop subject matter
• Stimulate interest
• Obtain a balanced view
• Provoke thought
• Get true responses
• Gather data
• Identify interviewees' knowledge and understanding
• Simplify conclusions

Interview Techniques
What are some interview techniques?
Some interview techniques are discussed below:
Who is being interviewed? Interview the right person for the right question. In order to interview the right person,
match the questions to the scale of responsibility. For example, executive officers should be asked about policy
management structures, but operators should only be asked about their jobs and related operations.
How should an interviewee be asked?
Put the interviewee at ease and pay them due respect whilst asking. Interviewees should be asked in a way that
doesn't look like an investigation or a jury inquiry, but in a simplified manner, in order to gain knowledge about a
system. Put forward an easy track of questions first, to see if the interviewee comprehends your queries.

Planning
WHAT IS A CORRECT QUESTIONING STYLE?
Some interview questioning tips are shown below:
• Use "W" and "H" questions to identify facts. These are: who, why, when, where, which, what,
how.
• Don’t do aggressive questioning.
• Don’t frighten or intimidate the interviewee.
• Don’t make the interviewee feel "wrong".
• Ask general or "funneling" questions, e.g.: "Please state examples...Please explain more..."
• Don't ask "Yes or No" questions.
While questioning, maintain professional body language. Keep eye to eye contact; look interested and remain silent
while listening.

Audit Findings and Closing


Findings
WHAT ARE THE RESULTS OF FINDINGS?
Some of the results of audit findings are:
• Supported evidence
• Accurate, clear, unambiguous, objective information
• Information with relevant clauses and procedures
• Information identified by functional areas

Finalization
How are audit findings finalized?
Audit findings are finalized in the following ways:
• Each auditor reviews findings
• The lead auditor takes an integrated review
• After checking for any additional data collection / site visits / documents
• By having factual, correct, complete and legible findings in defined formats
• When audit findings are reviewed with the auditee
• By preparing for a closing meeting (discussing processes & content)

Closing Meeting
How should a closing meeting proceed?
A closing meeting should include the following elements:
• First of all, give a thank you note to the auditees
• Present the audit findings
• Make sure the auditee and the client understand the findings
• Settle any outstanding differences
• Be open to new information given at the meeting
• Share the audit conclusion, if suitable
• Give recommendations as needed
• Talk over corrective actions and follow-up requirements
• Share the data from the final audit report
• Ensure confidentiality of the report

The main points from this module are as follows:

• ISO 19011 is an International standard published by the International Organization for Standardization. This standard provides assistance on auditing management systems.
• Audit criteria are reference standards against which a management system is checked.
• An audit is defined as a systematic, independent, documented process, established to obtain evidence regarding an organization's management and processes. This evidence is evaluated in accordance with the specific audit criteria.
• Conformity is explained as the fulfillment of a requirement.
• Audit findings are the results of the evaluation of the collected audit evidence.
• Audit evidence is defined as records, statements of fact and other useful information, relevant to the audit criteria, that can be verified.
• First Party Audit: Audit by the internal auditing function of the organization, requested by the management itself.
• Second Party Audit: Audit of a supplier by a customer.
• Third Party Audit: Audit of an organization, by an independent auditing company/agent.
• A lead auditor is the "captain" of the auditing team and steers the audit in the correct direction, without being misled by distractions.
• The auditee is the party being audited.
• The audit team is selected on the basis of their auditing skills, experience, sector relevancy and availability.
• The audit scope is defined as the extent and boundaries of the audit.
• The audit plan is described as the activities and arrangements of an audit.
• The audit methodology involves the preparation of the audit team and the determination of the involvement between the auditor and the auditee.
• The audit checklist is the guiding document for the auditor, to help keep the audit on track and to review and verify all checkpoints during the audit.
• For an audit to be successful, it is important that the auditee cooperates with the auditor. If the relationship is in conflict, obtaining evidence becomes difficult.
• It is important for the auditor to ask appropriate questions of the auditee, that are relevant to the scope and objectives of the audit.
• The collection of audit evidence and the development of the audit findings involve: document reviews, onsite visits, interviews, verification, evaluation.
• While questioning an auditee, maintain professional body language; keep eye to eye contact; look interested and remain silent while listening.
• Interview the appropriate person from the auditee organization, with the right questions. Match the interview questions to the scale of responsibility (manager, operative etc.).
• Provoke particular responses by using specific questions. Put the interviewee at ease and pay them due respect during questioning.

Module 15: Essential Elements of Auditing
After completing this module you will be able to:

• Describe the process of conducting an audit
• Discuss the starting point of an audit
• Recognize how non-conformance to requirements is reported
• Explain how audit requirements vary with different management systems
• Summarise the expectations of clients from audits
• Outline how audit findings are followed-up

Integrated Management System Policy Documents


Policy

WHAT IS POLICY?
Policy is a top level document that involves the following:
• Is defined by top management
• Is appropriate to an organization
• Involves commitment to continual improvement and the prevention of non-conformity
• Is a commitment to comply with legislation and other subscribed requirements
• Provides a framework for targets and objectives
• Is implemented and maintained at all levels of an organization
• Is available to the public
What does policy tell us about an organization?
• Risks
• Culture
• Commitment
• Focal areas of improvement

Document

How is a policy document audited?


It is checked for:
• False claims
• Continuing applicability
• Practicability
• Link to other policies

Planning and Objectives


Management System Planning

What is Management System Planning?


Management System planning includes:
• Understanding management system risks
• Understanding legal issues
• Developing a strategy for continuous improvement

Cause and Effect

Did an organization establish a procedure to identify management system issues and determine significant
consequences?
Management systems should work according to the principle: consequences are based on cause and effect. This helps
to identify the root cause of any consequence.
For example in ISO 9001:2015 we see the following relationships:
Cause - Effect
Issue - Consequence
Bad Quality - Lost Customer
In ISO 14001:2015 we see the following:
Cause - Effect
Aspect - Impact
Oil Discharge - Death of Wildlife
In ISO 45001:2018 we see the following:
Cause - Effect
Hazard - Incident
Exposed wiring on floor (Electrical Hazard) - Electric shocks to workers
In ISO 50001:2011 we see the following:
Cause - Effect
Energy Supply - Energy Loss
Energy supply in old equipment - energy loss because of old equipment

Targets and Objectives

How to audit targets and objectives


Auditors should check targets and objectives in the following ways:
• Check quantification
• Check consistency with policy and significant aspects
• Check other factors
• Check the basis of quantification and type of indicator used
• Check implementation

Auditing a Management System Program


Management System Program
How to audit a management system program
A management system program is a program developed to achieve targets and objectives, with a
defined action plan and target date.
A management system program defines what needs to be done, who will do it and when it will be
done.

Action and Verification
Action

What questions need to be asked when auditing a management system program?


The following actions should be taken by the auditor:
• Talk to responsible persons
• Check achievements/time-scales
In the case of non-achievement of a program, check for the following:
• Problems with new technology
• Problems with time-scale
• Problems with resources
• Other reasons for not reaching targets
• Follow-up

Verification
How to audit resources, roles, responsibility and authority
An auditor needs to verify the following:

• Documented roles, authorities and responsibilities
• Delegated roles of management representatives
• Resources needed to run the management system (human, technological, financial)
• Have all the necessary roles been assigned?
• Do assigned personnel have sufficient authority and resources?

Documenting Communications
Competence & Awareness

How to audit competence, training and awareness, as managed through a system


All employees should have an awareness of the organization's policies and the consequences of their actions on the
objectives of the management system.
To check the competence, training and awareness, delivered through a management system, the following should be
done:
Check each department
Check the overall system
Check each procedure

Communication

How is the communication in management systems checked?


Communication in management systems is checked by asking the following questions:
• How is internal communication on the management system done?
• How is external communication on the management system done?
• How is communication with public authorities done?
• How are top management informed of the views of interested parties?
Document Control

How is the document control function verified, in a management system audit?


An auditor verifies whether or not the organization has established procedures to ensure that documents are
controlled in a proper way, by asking the following questions:
Can it be located, reviewed and revised?
What is the current version?
Is it obsolete; has it been removed?
Is it legible and dated?
What are the dates of revision?
What is the retention period?

Measuring Performance
Performance
How are monitoring and measurement processes for management systems verified in audits?
An auditor needs to verify that a procedure is established, by doing the following:
Monitor key areas of performance
Track performance
Check legal compliance
NOTE: Performance indicators allow the organization to track their performance over time.

Recurrence

HOW ARE RECURRING PROBLEMS CHECKED IN AUDITS?
Operational logs can be reviewed to detect recurring problems.
How is non-conformity, corrective action and preventive action checked in the audit of a management system?
An auditor should verify if previous non-conformities have been addressed with corrective actions or not. An
auditor can check for non-conformities by identifying the following:
• Responsibility is defined
• Corrections to mitigate impacts are implemented (or not)
• The appropriate corrective action is taken to avoid re-occurrence

Internal/External
HOW ARE INTERNAL AUDITS CHECKED IN EXTERNAL AUDITS?
The auditor should ask for the records of internal audits. This includes examples of conformances,
observations and nonconformities.
How has a department been recorded in a previous audit and how has the department responded?
How can an auditor check the internal audit of a management system?
The auditor can audit the management representative, to check whether internal audit planning, records and
activities have been carried out in accordance with the company’s procedures. This should be done whether the
previous non-conformities and observations have been followed-up or not.

Management Review

How does the auditor verify a management review having been done in a management system?
A management review is assessed with the following checkpoints:
• Top management conducts the management review and defines the frequency of subsequent
reviews
• Management reviews document minutes, agendas, attendances and discussions

Deviation Finding
Results
WHAT IS AUDIT REPORTING AND HOW IS IT DONE?
Audit reporting is the most important part of an audit. It is the evidence that shows
the management system has been assessed with findings and conclusions based on
standard audit criteria. Auditors have to identify two types of results during the
reporting of an audit:
1. Exemplary Practice or Conformance - A practice, procedure, or instruction that
meets the requirements, or is well above the expected requirements of an operating
procedure. This is normally reported as conformance in an audit report.
2. Deviation Finding - A deviation finding is due to the reasons listed below.

Deviation Finding

A DEVIATION FINDING INVOLVES:


• Any potential or existing non-conformance or inadequacy, which results in non-conformance to a specified
requirement.
• The lack of a system or control to satisfy a customer or management system requirement.
• Any non-conformance of a procedural requirement.
• An inadequate procedure that causes the conformance of a product, practices, or activities to be unknown.

Non-Conformance
Audit Findings

HOW MANY TYPES OF AUDIT FINDINGS ARE REPORTED?


There are usually three types of audit findings reported:
Major NC (Non-Compliance) - is a total absence of a complete requirement in terms of documentation or
implementation. A number of minor deviations spreading over a larger area is also termed as Major NC.
Minor NC - is an isolated incidence or a lapse or slippage on documentation or implementation of a standard
requirement.
Observation - is a potential nonconformity or opinion regarding a condition not covered by a standard.

Non-conformance

WHAT IS NON-CONFORMANCE?
Def. 3.4.3 ISO 14001:2015: "Non-fulfillment of a requirement"
Objective evidence exists showing that:
- a requirement has not been addressed [intent]
- practice differs from the defined system [implementation]
- the practice is not effective [effectiveness]
Non-conformity reports have two main areas:
1. The evidence or finding (what is or is not)
2. The requirement (what is supposed to be)

NC Statement

WHAT IS A NON-CONFORMITY STATEMENT?


A Non-conformity statement is based on the following principles:
• Completeness
• Accuracy
• Clarity
Example of a good nonconformity statement: (Finding) "One of the critical voltmeters, # ABC-P-12, at the
manufacturing plant was not calibrated, as required by clause 7.1.5.2 of ISO 9001:2015."
Requirement:
"The clause requires that all test equipment used for monitoring quality or performance parameters shall be
calibrated."
Non-Conformance Statements
Poor NC Statements
EXAMPLES OF POOR NON-CONFORMITY STATEMENTS:
“Quality objectives were not defined.”
“Test equipment was not calibrated.”
“Training was not provided.”
“Identification of material was missing.”
“Obsolete work instruction was used.”
“The procedure for testing was wrong.”
“Job description was not available.”
Avoid Statements Blaming People - Blame The System!
A Non-Conformity statement blaming people: “An operator XGHJS did not know how to repair the machine”.
A Non-Conformity statement blaming the system: “The operator was not properly trained to repair the machine”.

Objective
NON-CONFORMANCE FINDINGS MUST BE:
• Factual • Precise • Objective • Traceable • Concise
Traceability of non-conformance in a system is important. Ask yourself when writing a non-conformance finding: Is
someone else able to trace back and find the same evidence you found, based on your report?

Audit Results
Controls
Audit Results Communication is an important part of an audit. It involves actions that include:
• Follow-up on observations and non-conformities.
• Analysis of corrective actions and their effectiveness.
• Summary of audit closure status shared for management reviews.

Major NC

WHAT IS MAJOR NON-CONFORMANCE?


Major non-conformance (Major NC) is absence of a standard requirement in the management system. It can exist
in the following forms:
• If one or more constituents of the management system have not been documented.
• If one or more requirements of the standard have not been implemented.
• When many aspects of the management system show non-conformances in documentation or implementation.
• If multiple minor non-conformances are observed against one clause of the standard or of a procedure.
• If numerous minor non-conformances are observed in specific areas or departments of the company.
• If an issue in the management system is observed as a repeated violation of any regulation or legislation.

Minor Non-Conformance
Minor NC

WHAT IS MINOR NON-CONFORMANCE?


A minor non-conformance is any shortcoming of the audited management system that fails to satisfy a written
requirement of the standard or procedure and is an isolated event. Thus, it is not treated as a major nonconformity.
Minor non-conformities (Minor NC) can be identified by the following criteria:
• Minor non-conformity indicates the issue is not significant.
• The management system is not at stake or subject to high risk.
• This is referred to as a disturbance in the system.
• An isolated instance where a standard requirement has not been met.

Observation

WHAT IS AN OBSERVATION?
Observation is applied in instances where the non-conformance cannot be related to the requirements of the
management system or the standard, but if not rectified could disturb the management system performance or
would cause "noise" in the company’s management system. Therefore it can be termed a potential
non-conformity.

Documentation

How do auditors and auditees interact with one another to address a non-conformity?
[Illustration: a simple process flow, showing how an auditor and auditee can document a non-conformity]

Quality Reporting
Reporting Mechanisms

WHAT IS REPORTING DURING AN AUDIT?


Reporting in an audit is given by communicating the outcome of the audit.
Reporting during an audit is done in many ways and is not limited to the preparation of the final written report. It
involves the following:
• Verbal and written reporting at all stages
• Report outcomes comprehensively
• Verification and confirmation of both conformances and non-conformances
• Report should add value to the management system

Quality Features
What are the quality characteristics of a report?
Contents of audit reports are based on the following quality factors:
• Informative
• Factual
• Accurate & Precise
• Complete
An audit report in document form should be:
• Concise
• Clearly structured
• Legible
• Unaltered

Style and Content of Audit Reports


Style of Audit Reports
What should the writing style be in an audit report?
Audit reports should have the following writing style:
• Simple language
• To the point
• Use of passive/reported speech, avoiding pronouns
• Do not use abbreviations

Content

What should be in the content of an audit report?


Audit reports should contain the following:
• Agreed objectives and scope of the audit
• Agreed audit criteria against which the audit is held
• The audit team and auditee’s personal details
• The audit date, time and duration
• Summary of the audit process and any problems encountered
• The audit's outcomes and findings
• A statement confirming the confidential and non-disclosure nature of the contents
• The recipient list of the report
• The overall conclusions of the audit

Corrections and Follow-up Activities


Introduction
WHAT ARE AUDIT FOLLOW-UP ACTIVITIES?
Audit follow-up activities include the following:
• Observe corrective actions and correction plans.
• Ensure implementation of actions proposed.
• After the acceptance of proposed actions, this should be formulated in an action plan.
• The plan should have a target timeline for every action point.
• The next audit date is proposed as an audit follow-up activity.
• The timing of the next audit will be agreed by the seriousness of the non-conformities.


Corrections and Responsibility


Corrective Action

WHAT IS CORRECTIVE ACTION?


Corrective action is an action that is taken to eradicate the root cause of a non-conformity, so as to avoid
recurrence in the future.
For example with a defective product, a re-work was the correction. However action needs to be taken to prevent
the defect arising again. Treatment to the production line is a corrective action. This same concept is applied in
management systems.

Target Date

Why does closure of a non-conformity require a target date?


A non-conformity cannot be left open and tolerated. The auditor and those responsible must define a target date to
address the root cause of a problem and to contain any adverse effects. Without a target date, a non-conformity
can continue to weaken a management system.
For example with a defective product, a re-work is done as a correction. However, if no root cause is analyzed and
no corrective action is taken, this is not solving the problem and improving the system.

Responsibility

Why closure of a non-conformity requires defined responsibility


For a non-conformity to be addressed, it is important to identify the person(s)
responsible to make corrections and to take corrective actions. In a management
system audit, the auditee - or a person delegated by the auditee - is responsible for
taking the required action.
In the case of a defective product, if no one has been defined as responsible by the management or by the process
auditors, i.e. only the company has been held responsible, nobody may actually take ownership of addressing the
defect. Production lines may blame it on the maintenance department; quality control may blame it on the
production line etc. In the midst of a "blame game", non-conformity remains unaddressed in the system.
Measuring Effectiveness
NC Closure

What types of follow-ups are done for closure of non-conformities?


Non-conformity closure is the status of a non-conformity, where both correction and
corrective action have been taken. In good manufacturing practice, effectiveness of the actions
taken is included in the closure.
There are two main types of closure of non-conformities, arising from an audit of a management system:
1) Documented evidence for verification of a non-conformity closure; this is done in the case of minor
non-conformities.
2) A re-verification audit for verification of a non-conformity closure; this is done in the case of major
non-conformity.
In the example of a defective product again, documented closure can be made, with evidence that corrections and
corrective action have been taken. However, the effectiveness of the actions taken must be verified in the current
production runs of the product.

Effectiveness
How to measure the effectiveness of an audit-related corrective action
Measuring the effectiveness of a corrective action, as raised by an internal or external audit, is achieved by
monitoring the relevant processes after the action has been taken. This can be done by comparing it with the details
of the non-conformity as listed in the report.
The main points from this module are as follows:

Policy is a top level document. Policy tells about an organization’s culture, commitment and focal areas of improvement. Policy is checked for false claims, continuing applicability, practicability and links to other policies.
A management system program is a program developed by a management system, to achieve objective targets, with defined action plans and target dates.
All employees should have awareness of the policies and consequences of their own tasks, as defined by the objectives of the management system.
An auditor verifies whether or not an organization has established procedures, to ensure that documents are controlled in proper ways, to address the following issues:
• Can be located, reviewed and revised
• Are the current version
• Are not obsolete or have been removed
• Are legible and dated
• Include dates of revisions where applicable
• Have a retention period
An auditor needs to verify that procedures are established, to address the following issues:
• Monitor key areas of performance
• Track performance
• Check legal compliance
An auditor should verify if previous non-conformities have been addressed, with corrections and corrective actions,
or not.
Audit reporting is the most important part of the audit. It is the evidence that shows the management system has
been assessed, with findings and conclusions based on a standard of audit criteria.
• Non-conformance is non-fulfillment of a requirement.
• Major non-conformance is a total absence of a requirement of a standard.
• Minor non-conformance is an isolated incidence or a lapse or slippage in documentation, or the implementation of a standard requirement.
• Observation is a potential nonconformity, or an opinion, regarding a condition not covered by a standard.
• A non-conformity statement needs to be based on: Completeness, Accuracy and Clarity.
• Traceability of non-conformance in a system is an important part of the audit and needs to be documented.
• A correction is an immediate measure taken to address a consequence of a non-conformity.
• A non-conformity cannot be left open and tolerated; the auditor must define those responsible and a target date to solve the root cause and contain its adverse impacts. Without a target date the non-conformity will continue to weaken the management system.
• A corrective action is an action that is taken to eradicate the root cause of a non-conformity, in order to avoid its recurrence in the future.
• Audit reports should be written in clear and simple language; they should be to-the-point; use passive/reported speech, avoid personal pronouns and do not use abbreviations.
• Each non-conformity that is raised must identify personnel whose responsibility it is to make the relevant corrections and take the appropriate corrective actions. In a management system audit, the auditee - or the person(s) delegated by the auditee - are those responsible.
• Non-conformity closure is the status of a non-conformity, where both corrections and corrective actions have been taken.
• Good manufacturing practices observe the effectiveness of corrections and corrective actions that have taken place, as per the "closure".
• The effectiveness of a corrective action, raised in an internal or external audit, is checked by the following audit and/or by a "critical self-inspection" of the process.
