ISO 14001 - Clause 4.4.5 - Record Retention Periods - How do I determine?
matthew evans 11th December 2000, 10:26 AM Clause 4.4.5 of ISO 14001 makes reference to documents "Retained for a specific period".
Can anyone help me to determine retention periods for the various documents? Everything seems to make reference to specified regulation retention times.
Randy 11th December 2000, 02:03 PM In my opinion "Specific period" would refer to either that which is stipulated by an organization's internal procedures and/or those periods stipulated by regulatory requirements. Some customer requirements may also contain periods they may want documents maintained.
Whatever the case, as an auditor I would look for conformancy to what you stipulate within your organizational procedures and not what I would presume or think I know.
Remember, it is the organization (auditee) that determines how it is to conduct business, not the auditor.
Randy Daily
EMS-LA #E052340
[This message has been edited by Randy (edited 11 December 2000).]
Jim Triller 11th December 2000, 05:35 PM I concur with Randy.
Also, wherever the retention times are defined it can be helpful (to avoid a finding from an overly picky auditor) to state that the records are maintained for "at least" five years or whatever the specified time is. Otherwise, if there is a record that is on hand for five years and a day there is, technically, a nonconformance.
jashaver 11th December 2000, 06:36 PM It may be OK from a "systems" viewpoint to audit against what the organization specifies, but retaining records for an incorrect (i.e. too short) period would be a regulatory noncompliance in many cases and, I believe, the EMS auditor should be expected to know this. It may also cause a QMS nonconformance for not meeting customer reqts, but that's a different story.
Randy 11th December 2000, 07:01 PM I understand what you are saying, but the bottom line is....you audit against conformance to the standard and not what you think there should be in place.
If an Auditee's procedure states that documentation will only be kept for 1 year and you know 5 years is required, as long as the Auditee keeps the documentation for 1 year conformance is satisfied.
An "Observation" may be in line or noted under this clause, but that's about it.
------------------
Randy Daily
EMS-LA #E052340
Jon Shaver 11th December 2000, 07:17 PM If regulations require a (minimum) time for specific records to be kept there is nonconformance in not meeting commitment to comply with regulatory reqts.
Randy 11th December 2000, 07:35 PM I agree, if the requirement has been previously stipulated "by the Auditee" as applying "to the Auditee" and not by what the auditor thinks or knows.
Yes, the standard requires compliance to regulatory requirements, but it is the Auditee who determines how that compliance is to be accomplished...not the auditor.
The auditor is charged with auditing to conformance to the standard and not compliance to the law. I personally do not agree with taking that stance, but I feel I have no choice. It is hard to talk of them as separate issues, but they are.
Remember...as long as conformance to the standard is achieved there is no problem with a concrete lifesaver.
[This message has been edited by Randy (edited 11 December 2000).]
Jon Shaver 12th December 2000, 03:35 AM Randy - The "concrete preserver" analogy may work for a QMS, but it's quite different for an EMS. The company must be aware of "applicable" regs - not just those it wants to comply with. If it didn't keep records required by law there is likely a system breakdown in how they obtain reg'y info and/or how they apply corrective actions, let alone not meeting their policy. Unless it was intentional, in which case there's a much bigger issue involved (getting a lot of attention these days). Either way, I'm not about to sign off on the system!
Randy 12th December 2000, 09:53 AM Jon,
Are you some kind of night owl or vampire being up at 2:30AM? I thought I kept crappy hours.
....I have always said that if a company were audited that was surrounded by stinkin' water, brown grass, 2-headed ducks and 1-eyed fish and their procedures/documentation stated that they did not have any processes that would contribute to the previously mentioned significant impacts, how could I not find them doing business as "they say" they should be.
I carry some other credentials behind my name (1 from the Cal/EPA, a rather "friendly" organization) and I know what should or should not be. But if an auditee says it will do "A-B-C" and I can verify that they do that to the letter, how can I show a non-conformancy to the Standard?
The burden of identifying which laws to comply with and in what way that is to be accomplished is on the auditee not the auditor. An auditor can only determine that the conduct of business meets that which is specified by the auditee.
As I stated earlier...a note or Observation of suspected error on the part of the auditee is what I would have to recommend in this case.
Daniel Valdivia 5th February 2001, 11:05 PM Sorry Randy, but don't comply with laws and regulatory requirements it's a nonconformance respect of the environmental policy.
Randy 6th February 2001, 12:55 AM Whose environmental policy?
An auditor has no environmental policy.
If I'm hired to perform an audit, and to determine conformance to ISO 14001, it doesn't matter what I as an Auditor think or believe in the way of compliance to regulatory requirements.
If the "Auditee" has stipulated that compliance to regulations 1, 2 & 3 are required and being accomplished, and I am provided objective evidence supporting that claim, conformance is met.
Nothing is prohibiting me from identifying potential regulatory violations as observations. But my job as an Auditor is not "Compliance" to regulations....it is "Conformance" to the standard being audited against.
Realistically from what I have been able to find out, many EMS Lead Auditors being used by Registrars came from the Quality arena and wouldn't know a RCRA, SARA, or CWA violation if they were hit in the head with one.
I am not one of those.........I was an environmental management/compliance professional before I was an EMS Auditor. I can however differentiate between "Compliance" and "Conformance".
Now ponder this thought....Clause 4.4.7 requires "Emergency Preparedness and Response". In the United States the only way to legally accomplish this is to have in place a viable and regulatory conforming Safety Program governed by OSHA. Clause 4.4.7 is telling us here in the states to have in place a program based upon 29CFR 1910.120 also called HAZWOPER. HAZWOPER contains within it other elements found under 29CFR. These other elements are 29CFR 1910.1200 (Hazard Communication), 29CFR 1910.132-139 (Personal Protective Equipment) and others.
Now if an organization has the most fantastic environmental regulatory compliance program ever developed and it can be verified, but its Emergency Preparedness & Response just states that the Fire Department will be called, is conformance met? Calling the Fire Department may seem to be adequate and acceptable but is it under the law?
Think on it.......
[This message has been edited by Randy (edited 06 February 2001).]
Jon Shaver 6th February 2001, 09:29 AM Randy - I believe the issue is "conformance" to the organization's environmental policy, which must have a commitment to regulatory "compliance". If the organization knowingly doesn't comply with an applicable regulation & doesn't do anything to correct that condition, then it surely is not meeting its environmental policy & is therefore not in conformance with the standard.
Hazwoper deals with responding to uncontrolled releases of hazardous substances. It requires an "Emergency Response Plan" (plus a bunch of other stuff). A plan of "call the Fire Dept & run like hell" would comply, but this may not be an appropriate way to mitigate the impacts, so the organization probably would not conform to its policy or objectives and other parts of the standard.
Randy 6th February 2001, 12:39 PM Bull fritters........
The original question concerned retention of records......the gist of the answers that I have given is that it is incumbent upon the "Auditee" to make the determination on which laws it must comply with, and how that compliance is to be accomplished. All an auditor is required to do is verify, through "Objective Evidence" that what the "Auditee" says it will do is actually being done.
Now if as an Auditor, I am expected/required to also show compliance to laws not specified by the Auditee, then I can guarantee no one I audit will ever make the grade. Just let me throw in the environmental and occupational safety stuff, top it off with some ADA, workers comp, and other stuff that could be determined to be related but not specified, and I could rip anyone's knickers to shreds. It's what I do for a real living. But as an EMS Auditor I do not think it is my job.
Regulatory compliance and conformance to the standard are not and cannot be the same.
As a credentialed Safety & Environmental professional I have had to learn to separate conformance and compliance. Most people are not able to differentiate the two.
I'm not disputing you Jon...far from it. I am just saying unless "Conformance" and "Compliance" are kept in their own place by auditors, Pandora's Box can be opened.
Jon Shaver 6th February 2001, 02:12 PM Randy - I don't post much any more (too busy earning a meagre living) & others, like you, are better at handling the questions. But I do enjoy your posts & our back & forth discussions. You do a good job of challenging our thought processes.
I recently did a large audit of a major company that used the words "conformance" and "compliance" almost interchangeably. In fact, the Registrar (a large, well respected company) used compliance almost exclusively when referring to management system "issues". No amount of convincing could get them to change their terminology. So it's confusing to even the supposed authorities.
But I agree with you 100% - compliance and conformance are not the same & noncompliance does not automatically mean nonconformance. It's basically the "impact" of the noncompliance that determines whether the system works.
Roger Eastin 13th February 2001, 09:34 AM I do some internal here at my company for ISO14001 and so have followed Jon's and Randy's disagreement on the need to check for regulatory compliance in an EMS audit. I noticed in the "RAB News & Notes" that the second paragraph on the front page talks about the need for auditors to check for regulatory compliance during audits! (They said that not to do so would violate the intent of ISO14001.) They must have been listening to you two!!
Randy 13th February 2001, 10:10 AM I'll check News and Notes Roger.
I remember it being stressed when I took my LA course that we were not to play the compliance game. We spent about 10 minutes on regulatory issues and that's it.
I'm hoping that the reference meant to look at those compliance issues stipulated by the auditee and not in general. If they want a general compliance inspection from me I can almost guarantee failure of the system.
I was recently informed by a Registrar that my background in environmental compliance was not as important as my not being a degreed engineer (I have a degree in Safety w/a minor in Environmental Management). This Registrar is currently advertising for EMS-LA's in So. California. I'm an EMS-LA in So. Cal and answered the ad. I possess professional credentials from the Cal/EPA and have over 10 years experience in environmental compliance in California, one of the strictest areas in the nation. But the important thing to this Registrar is an engineering degree.
This tells me 2 things.
1) The Registrar doesn't give a crap about environmental compliance, and
2) The Registrar's program is as narrow as a .5mm pencil lead.
The intent of ISO 14000 as I see it is "Prevention of Pollution" which starts at the front of the pipe and not at the discharge end.
[This message has been edited by Randy (edited 13 February 2001).]
Jon Shaver 13th February 2001, 12:42 PM Randy - Think it's more than just Prev of Pollution. Also need commitment to Reg'y Compliance & Continual Improvement.
Hey, I'm an engineer, so how about I apply & get the job then hire you to do all the work. Wadda ya think?
Randy 14th February 2001, 01:53 AM I meant the total document refers to Prev of Pollution. Specific portions address compliance and improvement and all that stuff which support the prevention effort.
About your question...sure I'll go for it, and to get away from here I'll go cheap. I'm beginning to hate this place real bad
Jon Shaver 14th February 2001, 02:46 PM Randy - I may have something for you in the San Fran area (serious). A friend of mine is looking for some help in reg compliance / insurance liability. E-mail me at jshaver@axs2000.net & we can discuss privately if you're interested.