Requirements for Site Inspections for Legal Compliance

[mjr511]

Hi,

We maintain a management system certified to 9001 and 14001.

The scope of our system is the “Management and design of Projects and Tasks including highways, bridges, drainage, coastal protection works and Road Safety Initiatives to meet the requirements of Customers and Stakeholders, whilst maintaining regard to this organisation's recognised environmental responsibilities.”

Basically our department (the system is for a department within a local government authority) handles the project management of civil engineering schemes, so it's the design and project management. With respect to the site we project manage (eg keep control of cost, time, and quality) but we employ external contractors from different organisations to do the work.

What is the view of the community on where our legal responsibilities end? Currently our system requires project managers to carry out regular site inspections (which cover quality, environmental and health & safety elements) on all schemes, and our audit team do the same (on the specific projects they audit).

Should the PM and the auditor (as we do now) be checking that the contractor is complying with legal requirements? Or should the auditor simply be checking that the PM is following the instruction to do site inspections? Does the PM need to do site inspections at all? (not that we would stop doing them but I'm interested in the views of the community)

Two of our audit team have different views on where they need to stop auditing. One suggests that carrying out a quick check that the contractor is complying with legal requirements is sufficient, whilst the other is of the opinion that they need to go into more depth than this.

We've also had differing views from our certifying body - some of their auditors seem to expect us to go quite indepth with the contractors compliance with the law, whilst the latest one we had just checked that we had carried out site inspections in line with our instruction under our management system and moved on.

Opinions on where our responsibilities under 9001/14001 start and end are welcomed.

Regards, Mike

 

[Jen Kirley]

Welcome to the Cove Mike!

From "across the pond" it is difficult to give specifics, but I can vouch for my own audit experience with 9001, TS 16949 and 14001.

In this experience the decision for extent of monitoring it comes down to liability. A specific example is handling of hazardous waste. While the transporter of hazardous waste is responsible to maintain the vehicle, licensing and logs according to Department of Transportation, legally m employer still "owned" the waste and as such we were responsible for its safe transport to its destination. So, based on that liability our people performed methodical inspection of the vehicle, logs, licenses and then the loading and securing of the material.

So, based on that I think the best advice I can give you is to investigate where your contractors' liability ends and yours begins. Maybe there is some overlap which add to the confusion, still liability is in place as in the example I described. If you need a legal expert's help, your local government may be able to direct you to an agency to help. I do support reasonable audit activities to verify the contractor's activities are performed legally, based on Note 3 of 4.1 in ISO 9001:2008:

Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as

a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements,
b) the degree to which the control for the process is shared,
c) the capability of achieving the necessary control through the application of 7.4.

 

[somashekar]

What is the view of the community on where our legal responsibilities end?

It does not end as you stand accountable, while the contractor executes tasks for you and will perhaps have some responsibilities.

whilst the other is of the opinion that they need to go into more depth than this.

This opinion is logical as you remain accountable.

Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements.

When you read this quote, the above opinion makes more sense also.
In fact a lot goes into evaluation and selection of the contractors with considerations about his capabilities to meet your legal requirements. On going evaluation and compliance to legal stuff must be handled as closely and thoroughly AS IF you are managing them.

We've also had differing views from our certifying body - some of their auditors seem to expect us to go quite indepth with the contractors compliance with the law, whilst the latest one we had just checked that we had carried out site inspections in line with our instruction under our management system and moved on.

Please do not do anything from the view point of CB. Know that accountability is on you and ISO14K is also about commitment to identify and meet applicable legal requirements.

 

[mjr511]

Thanks for your responses, you've both been very helpful, thank you.

Just to clarify on one point, our Project Managers currently undertake site inspections of our contractors to ensure the contractors are adhering with legal requirements. When I audit a project that is being managed by one of our Project Managers, do you think I should be carrying out a site inspection of the contractors site in the same detail as the Project Manager, or am I auditing to ensure that the Project Manager has undertaken their site inspections in line with our management system instruction (which details how and when they should do site inspections) - quite happy to go either way, but it affects the approach all of our auditors need to take and what training they need.

The reason this stands out is because for the rest of the management system our audit essentially is to check that the PM has followed the management system, but the site inspection seems to go beyond this level, with the auditor essentially repeating one of the activities that the PM is instructed to do by the management system.

As an example, as auditors we check that the PM has produced their Project Initiation Document, and followed the various approval checks in the management system. But we don't check the design of the project, except to ensure that drawings are numbered in line with the management system, we rely on the PM to be responsible for the design. So shouldn't we (as auditors) rely on the PM to be responsible for carrying out site inspections?

Regards, Mike

 

[Jen Kirley]

There are a number of ways to verify processes are being completed - and performing site audits for contractors' legal compliance, as you and I both described, is a process.

Evidence is probably available in the form of records; for your legal protection such records might be required, so their review might be very important to you.

There is also examination of conditions in place when you visit the site. It stands to reason that if enforcement of compliance is being performed by your project manager, requirements are being met on a routine basis. You would need to know enough about these requirements to perform this review, or else bring a subject matter expert and/or documentation that can serve as a resource.

Lastly it can make sense to time your visit for one of these audits, which I was able to do for the inspection of hazardous waste transportation services. The project manager can walk you through the process used for the audits he performs. This might provide the added benefit of an opportunity to evaluate this person's competence in auditing. So I find this kind of visit ideal, but I reiterate that a review of records should be included in your audit of the process.

 

[somashekar]

Thanks for your responses, you've both been very helpful, thank you. <snip>

The auditor must have a good grip about the legal requirements.
The review of the previous legal compliance audit and open items if any, and how they have been addressed will form a part.
Please also look at new legal requirements and changes in legal requirements that stands applicable and how they have been identified and brought into the legal compliance.
Keep in mind that like all other processes the legal also falls into the PDCA cycle. Some legal compliance returns / submissions are date based and missing on them is a violation. Audit if these have been brought into the plan and likewise done.

 

[IMS REN]

We recently had a minor non conformance that read like this:

Nonconformity
Requirements for the evaluation of compliance have not been completed since 2008.
Procedures do not identify the “periodic” evaluation of compliance.

Requirement
The organization shall evaluate compliance with other requirements to which it subscribes. The organization may wish to combine this evaluation with the evaluation of legal compliance referred to in 4.5.2.1 or to establish a separate procedure(s).

The organization shall keep records of the results of the periodic evaluations.

Evidence
There is no evidence the site has conducted a full assessment to evaluate compliance to either the environmental and OHS requirements.

Note: There was a Stage 1 Environmental Site assessment completed in 2008 but it does not cover all requirements including “other”

Risk
Not assessing risks in a timely or effective manner could leave the organization exposed to penalties and fines or increased risk of injury to employees.

I asked our third party consultant to come in and assist in answering this minor. We conducted a current impacts and aspects analysis and also a current risk analysis. I also asked the third party to write me a letter of compliance and we defined periodic as annually. We had the follow up visit a few months later and this was the finding:

March 28, 2014
Compliance Evaluation was conducted on Jan 8, 2014 and 2-14-14 for EMS and SMS but was not comprehensive and did not cover compliance to management of hazardous and universal wastes.
The evaluation did not provide a statement of compliance and was not signed by the company representative.
The evaluation could not be associated with the legal and other requirements listed on the organizations aspect/legal registry.
The procedure PCP-02 does not define the frequency “periodic” of compliance evaluations for either EMS or SMS.

Status: Open
Will review at the next assessment to determine the resolution.

So, my first step is to get this third party back in and have them do this right this time. Questions are:
1. What is the best way to evaluate for legal compliance? By using my risk analysis and impacts and aspects records?
2. When asking for a signed statement from a third party stating we are in compliance with all regualtions, is there a format to follow?

Thanks

 

[kgott]

Opinions on where our responsibilities under 9001/14001 start and end are welcomed.

I would have thought this would all be spelt out in a contract, project execution plan or scope of work which was quoted on in the beginning.

I would also imagine its influenced by a risk assessment taking in account extent of control and by applicable legislation.