The organisation shall Establish, Implement & Maintain a Procedure(s)? ISO 14001

[samsung]

Re: Establish, Implement & Maintain ?

Here is an example at your request. Let's assume that there is no documented procedure for this, threfore as an auditor I would ask a responsible function about the process steps then I would 'walk' the process to understand and verify the procedure. The potential verification methods are listed in parenthesis.

Example 1: Receiving process (or procedure, if you wish) at a company X:
1. Evaluate the condition of shipment before unloading. If no damages, then unload shipment, else take pictures of shipment and refuse delivery. (observation, interview)
2. Retrieve shipping paperwork (pack list, BOL, etc) and verify that shipment matches paperwork. If OK continue, else note discrepancies then continue. (observation, interview, records of discrepancies on receiving records)
3. Verify that item(s) was ordered against open POs in database. If ordered, check on paperwork and update database records. If quantity discrepancy, accept as is if w/n +/-5%, else contain product for review & disposition. If not ordered, contain product for review & disposition. (observation, interview, receiving records, data base updates, NC product records)
4. Submit product sample to QC for receiving inspection. (observation, interview, samples in QC lab)
5. QC inspects per receiving control plan. If OK then release product in database to available inventory, else reject product in database. Notify Receivign of disposition. (observation, interview, receiving inspection records, communication records)
6. Move product to stock if released, else contain for review & disposition. (observation, interview, NC product records)

During the 'walk' I would record employee names, equipment used, materials used, records retained, documents used (if any), performance indicators for the process and the product, inspection equipment, work environment conditions, etc. Now I can follow up on training, control of records, document control, goals & objectives (planning, management review, improvement actions), maintenance, safety, control of materials, etc. You can do this with any process within an organization, IMHO. Hope this helps.

Thanks for the response and example cited by you. Infact I was expecting one on an EMS related process since it was posted in ISO 14001 & Env. forum. Anyway, here are my points:

1. This appears to be a good example of how a procedure is 'followed' while the point I referred to was how a procedure is 'maintained' without documenting it.

2. How does the auditor ensure that the next time when he visits this site, another guy will be following through the same sequence.

3. How does the guy know that s/he is to proceed through step # 1 to 6 especially if s/he is new to this organization. Since 'receiving' is a complex sort of process, somewhere during the course of training, as I believe, s/he must be documenting (be it a personal note book) it, as a reminder, so as not to skip any of the steps when a responsibility is assigned to him.

4. Let's assume, it's a small organization and the one who has been looking after the job, suddenly leaves away. I don't presume that the one who is now transferred from another section to take over the charge, is competent enough to do the job effortlessly right for the first time.

5. And if it's a large organization with moderate level of staff turn around (which is not uncommon), is it possible to run the process(es) with 'consistent outcome'.

6. I'm sure there must be many expert auditors on the Cove who, with their vast experience of auditing different organizations, will let us know if the organizations which do not maintain documented procedures are really doing as effectively as the ones who maintain 'documented' procedures atleast for the sake of consistency, avoiding ambiguous situations and the like.

 

[DrM2u]

Re: Establish, Implement & Maintain ?

Samsung, you are raising some very good points. I will try to answer to some of the points from my perspective (which does not mean it is right or wrong, just that it makes more sense to me).

1. This appears to be a good example of how a procedure is 'followed' while the point I referred to was how a procedure is 'maintained' without documenting it.

2. How does the auditor ensure that the next time when he visits this site, another guy will be following through the same sequence.

As an auditor (or consultant) I would me more concerned if the current process is effective, effcient and compliant with the requirements rather than if it is the same like a year ago. An organization can make many improvements (hence changes) within a year, some large and some small, some documented and some not. When a process is changed the procedure changes also, hence it is impossible to be 'maintained'. What should be maintained or improved are the efficiency, effectiveness and level of compliance. Therefore I would 'walk' the process just like in the past. I would look for what changed if there would be any problems with the process and probably follow another audit trail from there.

3. How does the guy know that s/he is to proceed through step # 1 to 6 especially if s/he is new to this organization. Since 'receiving' is a complex sort of process, somewhere during the course of training, as I believe, s/he must be documenting (be it a personal note book) it, as a reminder, so as not to skip any of the steps when a responsibility is assigned to him.

There are many ways to transfer knowledge (teach) to someone, some more effective than others. Procedures or work instructions (if available)are one way to teach someone a new process or task and to use as reference (compensate for lack of knowledge). On-the-job training is another form of training that is frequently employed with success (and there is nothing wrong with taking notes). One way to minimize the need for training is to hire someone with previous experience who would need to learn only the tasks particular to the organization. Any way you look at it, the need for training and training methods should be identified by the responsible functions when any employee is assigned to a new task. This is part of clause 6.2.

4. Let's assume, it's a small organization and the one who has been looking after the job, suddenly leaves away. I don't presume that the one who is now transferred from another section to take over the charge, is competent enough to do the job effortlessly right for the first time.

5. And if it's a large organization with moderate level of staff turn around (which is not uncommon), is it possible to run the process(es) with 'consistent outcome'.

One thing that I often asked auditees in the past was "who will do your job if you win the lottery tomorrow?". For some reason this question seemed like a light switch for many organizations and individuals. I believe it is just good practice and good planning (and common sense to me) to have a back-up employee who can perform a task if the regular employee is not available (temporay or permanently). Surprisingly enough, from my experiences this type of cross-training seems to be more common in smaller organizations (less than 100 employees), probably because many employees have to 'wear more than one hat'.

To clarify my position, I am not against documentation, just against over-documentation. I believe the purpose of documentation is mainly to compensate for the lack of necessary knowledge. I also believe that documentation is also a good way to capture and preserve knowledge (although a knowledge database is a little more effective IMO). Therefore it is up to each individual organization to identify its needs for documentation. Now I will defer to the other current or former auditors to address your point #6.

 

[AndyN]

Re: Establish, Implement & Maintain a Procedure(s)? ISO 14001

Samsung - straight answer? How do you know an undocumented process/procedure is maintained? I've taken this to mean that, as changes occur, in requirements, methods, equipment etc. the 'defined' process - that is what the process owner and responsible personnel say - now includes the change and there is consistency in that description.

If we use an example of an environmental system, the auditor might ask a number of people responsible for the quality of water used in a process. The organization now has the right equipment to do the H20 analysis instead of being sent to a suppliers lab. All involved should be able to describe what had happened and the new process, possibly even what has been improved etc. They should, of course, also be able to demonstrate competency in the use of the new equipment etc.

 

[Randy]

Re: Establish, Implement & Maintain ?

Can you site an example or two to show that a Procedure is being 'maintained' without the need to document it and how it is demonstrated and verified by the auditors?

Just look at the Bushmen of the Kalahari or the Australian Aborigines as examples...lots of "procedures" and not much documentation, but they all seem to be able to hunt, eat, find water and survive where you and I might not.

Do you have a documented procedure on how to turn your office light on when you start work?

There are thousands of procedures being performed everyday within organizations that aren't documented, but they are maintained...continuity of required action and achievement of desired results demonstrates that.

 

[samsung]

Re: Establish, Implement & Maintain a Procedure(s)? ISO 14001

Samsung - straight answer? How do you know an undocumented process/procedure is maintained? I've taken this to mean that, as changes occur, in requirements, methods, equipment etc. the 'defined' process - that is what the process owner and responsible personnel say - now includes the change and there is consistency in that description.

If we use an example of an environmental system, the auditor might ask a number of people responsible for the quality of water used in a process. The organization now has the right equipment to do the H20 analysis instead of being sent to a suppliers lab. All involved should be able to describe what had happened and the new process, possibly even what has been improved etc. They should, of course, also be able to demonstrate competency in the use of the new equipment etc.

Yes, I do agree with the above if the things are seen in conjunction with your previous post which suggests some excellent points which can be considered as guiding factors like :

When the organization is small enough that effective verbal communication of requirements is sufficient and/or

When the turn over of staff is minimal, so there's a lot of retained knowledge of requirements, and/or

When the requirements are stable and have not changed frequently or significantly, and/or

When the requirements are very complex and their application can be risky, and/or

In a nutshell, if any one of the above conditions exist, need to or not to document a procedure should be determined. An 'undocumented' procedure can be considered to be 'maintained' & effective as long as it meets the above criteria.

 

[samsung]

Re: Establish, Implement & Maintain ?

You have provided a reasonably good explanation to my query and I do support to your quoting:

When a process is changed the procedure changes also, hence it is impossible to be 'maintained'. What should be maintained or improved are the efficiency, effectiveness and level of compliance. Therefore I would 'walk' the process just like in the past. I would look for what changed if there would be any problems with the process and probably follow another audit trail from there.

As far as EMS, in a manufacturing environment, is concerned, it's hard to demonstrate the 'efficiency, effectiveness & level of compliance on a consistent basis without documenting the processes. I would like to cite few instances where the standard does not (directly) mandate a document, but I don't think these can be effectively managed without some sort of documentation. e.g.

1. Procedure for identifying the environmental aspects & determining their 'significance' - without documenting the criteria, people within the organization may have different interpretations of the same aspect. This may lead to inconsistency in the 'desired' process outcome.

2. Legal & other requirements - Standard doesn't require the procedure to be documented yet, IMO, it's hard to remember which law says what. Why should a system rely on people's memory which is often ephemeral.

3. Similar is the case with 'Emergency Preparedness - Responding to emergency situations & accidents and mitigating the adverse environmental impacts is a highly complex process and thus may require to be documented even if the standard doesn't say so.

4. "Audit procedure(s) shall be established, implemented and maintained that address
— the responsibilities and requirements for planning and conducting audits, reporting results and retaining associated records,
— the determination of audit criteria, scope, frequency and methods" - again no reference to 'Documentation'

5. The standard, in certain cases, has also used terms such as 'determine', 'define', stipulate', 'identify', 'revise' etc. etc. which may require some sort of documentation.

One thing that I often asked auditees in the past was "who will do your job if you win the lottery tomorrow?". For some reason this question seemed like a light switch for many organizations and individuals. I believe it is just good practice and good planning (and common sense to me) to have a back-up employee who can perform a task if the regular employee is not available (temporay or permanently). Surprisingly enough, from my experiences this type of cross-training seems to be more common in smaller organizations (less than 100 employees), probably because many employees have to 'wear more than one hat'.

As a part of the Risk Evaluation process, when the organization can think of having a backup employee (which is not a bad practice either), why shouldn't it consider 'documenting' the process as the first step towards effective management of the processes.

To clarify my position, I am not against documentation, just against over-documentation. I believe the purpose of documentation is mainly to compensate for the lack of necessary knowledge. I also believe that documentation is also a good way to capture and preserve knowledge (although a knowledge database is a little more effective IMO). Therefore it is up to each individual organization to identify its needs for documentation.

Quite appreciable. And the most important reason to document a process is 'the need to ensure that the activity is undertaken consistently,'

Now I will defer to the other current or former auditors to address your point #6.

I heartily welcome the opinions of expert auditors on it.

 

[samsung]

Re: Establish, Implement & Maintain ?

Further guidance on documentation as provided in Annex 'A' (informative) of ISO 14001:2004 -

A.4.4 Documentation
The level of detail of the documentation should be sufficient to describe the environmental management system and how its parts work together, and to provide direction on where to obtain more detailed information on the operation of specific parts of the environmental management system.
Any decision to document procedure(s) should be based on issues such as
— the consequences, including those to the environment, of not doing so,
— the need to demonstrate compliance with legal and with other requirements to which the organization subscribes,
— the need to ensure that the activity is undertaken consistently,
— the advantages of doing so, which can include easier implementation through communication and training, easier maintenance and revision, less risk of ambiguity and deviations, and demonstrability and visibility,
— the requirements of this International Standard.

 

[jerzki]

Re: Establish, Implement & Maintain a Procedure(s)? ISO 14001

Hello guys,

Good day. This thread has caught my attention since during our last IMS certification audit this has been raised as an NC but eventually been closed and the RCA/CA had been accepted, we're recommended for IMS certification by the way.
Going back to our debate (me & the auditor), the auditor insisted that a documented procedure should be established since it is stated in the standards. However, we challenge the auditor stating the fact the such requirements has been covered in our Manual and evidence of fulfillment have been given. Since we are applying for IMS, he pointed out the requirements of 4.4.5 (ISO 14001) as an example wherein it is also stated the same, "establish,implement and maintain a procedure(s)". Still we justify our stand and had provided evidence that such requirements are fulfilled (the point of argument is 4.4.3 by the way). As the auditor noted as what you have said in the previous post(s).
However, IMHO, the need for DOCUMENTED procedures depends on the organization as long as it will be justifiable and evidence can be provided. In our case, I believe it's better to have it documented to avoid further debate during the surveillance audit.
Thanks to this site and to all of you.
Have a nice day.

jerzki

 

[samsung]

Re: Establish, Implement & Maintain a Procedure(s)? ISO 14001

Going back to our debate (me & the auditor), the auditor insisted that a documented procedure should be established since it is stated in the standards. However, we challenge the auditor stating the fact the such requirements has been covered in our Manual and evidence of fulfillment have been given. Since we are applying for IMS, he pointed out the requirements of 4.4.5 (ISO 14001) as an example wherein it is also stated the same, "establish,implement and maintain a procedure(s)". Still we justify our stand and had provided evidence that such requirements are fulfilled (the point of argument is 4.4.3 by the way). As the auditor noted as what you have said in the previous post(s).i

I can't precisely say why the auditor raised an NC in your case unless the exact wording of the problem are known. However, if the issue is related to 4.4.3 (communication), there are two explicit requirements that need documentation (but not to say 'documented procedure). One of them is documenting & responding to relevant communication received from the external parties. What's important is how to document & deal with the problem/concerns or information received from the external interested parties (complaints, feedback, show cause notices, directives to follow, media enquiries etc.), and who will respond & upto what extent (means delegation of authority) looking to the sensitivity of the issues, in particular, during the emergencies. Obviously such things need to be documented and should be seen concomitantly with other requirements, e.g. Responsibility & authority and Emergency Preparedness & Response.

Secondly, the standard also requires that the organization documents it's decision to (or not to) communicate externally about it's significant aspects. This is quite obvious and there shouldn't be any issue.

But I differ with your opinion that

the need for DOCUMENTED procedures depends on the organization as long as it will be justifiable and evidence can be provided.

IMO, standard has made it explicit in clause 4.1 General Requirements

The organization shall establish, document, implement, maintain and continually improve an environmental management system in accordance with the requirements of this International Standard and determine how it will fulfill these requirements.

Hence there is very little or no option for the organization but to "document the environment management system" and 'determine how the (documented) EMS fulfills the requirements of ISO 14001. It's immaterial how and where these requirements are documented; in a manual, procedure, handbook or elsewhere.

 

[db]

Also, don't forget about 4.4.4 e). If the absence of a documented procedure leads to ineffective planning, operation and control of its processes relating to significant aspects, then a procedure needs to be documented. So, if you have lapses in your EMS because there is no documented procedure (or any other level of document), then documentation is required.