Is it Legal to Require Certification to an ISO Standard?

Contract, requirement, legal, standard

Q: Can a contract include a requirement stating that the manufacturer of the materials to be installed as part of the job must be ISO 9001 and ISO 14000 listed? My question is in reference to a contract I received that is requiring this.

A: In general, contracts between business entities are enforceable unless they violate laws or are contrary to public policy. Private businesses entering into commercial contracts have a great deal of freedom in establishing contract terms.

One of the common uses of ISO standards is to clearly delineate requirements in commercial contracts.   This can, and often does, include requirements for third-party certification of suppliers to ISO 9001-2008: Quality management systems–Requirements and/or ISO 14001-2004: Environmental management systems – Requirements with guidance for use.

This requirement is usually met by providing a copy of the certificate issued by a third-party certification body (registrar) that lists the name of the organization certified and the scope of the certification.

Based on the information provided along with your question, it appears that the question actually relates to a material specification that was included as part of a request for proposal (RFP) from a governmental entity. Note: the contract has not been included with this post to protect the anonymity of the questioner and the governmental entity.

The authority of governmental contracting officers is more limited.  They must comply with applicable purchasing statutes and regulations.  Whether or not a requirement for certification to ISO 9001 and/or ISO 14001 is permissible would be determined by reviewing these contracting rules.  These rules also often provide mechanisms for contesting the award of a contract if it is believed to be unfair.

There are often opportunities to request clarification of information included in a government-issued RFP. This may be something to consider in this situation since the requirements in this RFP appear to be unclear, such as:

  •  There is no comprehensive “list” of certified companies so there is no mechanism for a manufacturer to be listed.
  • There is no ISO 14000 standard.  There are over 20 different standards in the ISO 14000 family – each with a different number.  I assume the RFP is referring to ISO 14001.
  • It is not clear which of the materials specified in the contract must be manufactured by an organization that is certified to the ISO 9001 and ISO 14001 standards.

(Note: the contract has not been included with this post to protect the anonymity of the questioner and the governmental entity).

I hope this helps.

Thea Dunmire, JD, CIH, CSP
Chair, ASC Z1-Audit Subcommittee
ENLAR Compliance Services, Inc.
Largo, FL
www.enlar.com

Related resources:

Explore the content below or find more in the ASQ Knowledge Center.

“Quality Improvement through Proactive Contracting: Contracts Are Too Important to Be Left to Lawyers!”

by Helena Haapio Annika Varjonen, paper presented at the World Conference on Quality and Improvement (ASQ members only content)

Preventive law is the concept that legal opportunities must be identified early to take proper advantage and that legal problems must be detected early so that there are no negative surprises. Contracts can be used as preventive tools that avoid most such surprises. A vital contractual tool is the contract review, which the ISO 9000 standards identify as a device for ensuring that a supplier has the knowledge and capability for meeting a customer’s requirements. Read more.

Managing Contract Quality Requirements

by C. Robert Pennella, ASQ Quality Press

This book is for anyone who prepares contract quality requirements for a supplier, is a supplier, or is affected in any way by a contract. Readers will learn how to establish and implement contract requirements effectively; identify and resolve actual and potential contractual problems; preclude overlapping of administrative efforts; reduce unanticipated costs associated with errors of omission; and be better prepared for the administrative application and final outcome of contract quality requirements. Read more.

Career Corner: Has Information About Quality Become a Liability?

by Diane Kulisek, Quality Progress (open access)

In this career corner column, the author provides recommendations for approaching quality issue resolution in today’s complex legal landscape. Read more.

Explore the ASQ Knowledge Center for more case studies, articles, benchmarking reports, and more.

Browse open access content from ASQ magazines and journals here.

Modifying Programmable Logic Controllers (PLCs)

PLCs, programmable logic controllers

Q: I am seeking a standard to monitor, control and communicate existing Programmable Logic Controller (PLC) program changes.

We have a team of 15 electricians. They have access to various machinery and their PLCs. They can make modifications to majority of PLC programs.

The changes are under communicated and the current process in not monitored. We do capture log in/log out and some changes, but this is not sufficient.

Bud Salsbury’s take:

A: If these are Ethernet IP equipped PLCs that support remote login and can be network attached at all times, it isn’t an issue. It becomes an IT admin thing. For example, Allen Bradley’s PLCs can have their programs placed out on the network and treated like an FTP site. The PLCs can pull their programs at each start up from their predefined folders.

If we are talking about standalone PLCs, with no network,  it becomes a whole different animal. It is then more of a procedural thing. You must again place the master copy of the program on a network location, but it is up to each programmer to follow a routine, pull the program from the network, update, upload to the PLC, test/verify, and if good–replace the master copy. Now, if any step is missed, you’re up that well known waterway without any visible means of locomotion.

Ethernet IP is your friend. Note: they have to be newer/smarter PLCs to play nice.

Now if you are making changes to the program (whether it is a robot, or an NC machine, or a molding press), then these changes would probably affect the overall production process. Also, if the changes could affect the quality of the product in any way (either good or bad), then, at the very least, there should be a type of “deviation” procedure where the quality level of the product is verified after the process deviation has been implemented and prior to releasing any new parts produced off of this deviated process.  Also, there should be record of the before and after settings.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Thea Dunmire’s take:

A: There are a number of significant risks associated with making modifications to PLCs used to control industrial equipment.  When you are modifying PLCs, you are making changes to “the brains” of your operations.  These changes can result in equipment that does not function properly, production lines that completely shut down or critical infrastructure that stops operating (e.g. water pumping stations that stop working). Thousands, or even millions, of dollars can be lost because of the modification or malfunction of a single PLC. These malfunctions can be caused by lack of ongoing maintenance, ill-conceived “trial-and-error” modifications, or even the insertion of malicious code by external hackers or disgruntled employees.

Organizations should have control processes in place that address all PLC modifications. Control processes are clearly required for PLCs that are used for safety-related applications or high-hazard process operations. For organizations that are certified to OHSAS 18001:2007 Occupational health and safety management systems — Requirements, management-of-change procedures must be established to assess the potential hazards of PLC modifications prior to any changes being made. After the fact validation is not acceptable.

There are a number of potentially applicable regulations and standards – whether they are actually applicable to your operations depends on the nature of the processes and equipment being controlled. It is important for organizations to carefully assess which requirements need to be met and institute the processes needed for conformance. In addition, organizations should periodically evaluate the robustness of the established systems to ensure the ongoing integrity of all PLC controlled operations.

Examples of potentially applicable regulations and standards include:

  • IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems defines the requirements for programmable electronic systems used in the safety-related parts of controls systems.
  •  U.S. regulations, including 29 CFR 1910.147 (Lockout/tagout requirements), 29 CFR 1910.119 (OSHA Process Safety) and 40 CFR 68 (EPA Risk Management Plan)
  • NFPA 79 – Electrical Standard for Industrial Machinery
  • ANSI B11.1 and EN 692 – safety requirements standards for mechanical presses
  • ANSI/RIA 15.06 – standard for industrial robots and robot systems

This is a complex area that requires input from individuals with specific training and competence in working with PLC controlled equipment.  It is not an area to for improvisation – the risks are too high.

Thea Dunmire, JD, CIH, CSP
Chair, ASC Z1-Audit Subcommittee
ENLAR Compliance Services, Inc.
Largo, FL
www.enlar.com

Related Content:

Webcast: You’re Closer Than You Think to EMS and OHSAS Registration

This webinar is developed for ISO 9001 registered companies that have a structured management system already in place and want to improve their business by incorporating Environmental or Occupational Health & Safety processes into their existing system. Listen in.

Case Study: Regional Team Approach Helps Energy Company Enhance Safety, Avoid Costs

Cross-functional teams identified root causes of injuries and reduced accidents by 48 percent in one year while saving an estimated $714,000 in cost avoidance over a 24-month period. Read more.

Scope of ISO 19011:2011

ISO documentation practices, requirements

Q: During a quick review of a recently revised standard, ISO 19011:2011– Guidelines for auditing management systems, we noticed that it is shorter than ANSI/ISO/ASQ 19011S:2008.

Also, we are wondering why there are no references to auditing the requirements in ANSI/ISO/ASQ Q9001-2008 Quality management systems.

Could someone please address our concerns?

A: With the expansion in scope of ISO 19011:2011 to cover all management system audits, the intent of the ISO 19011 standard is to provide guidance that is applicable to every management system discipline – not just quality management system audits.

One of the problems with the more general scope of ISO 19011:2011 is that it less helpful for addressing specific issues – such as internal audits of an organization’s quality monitoring and measuring processes.  This is why the ASC Z1-auditing subcommittee has initiated the process of developing supplemental guidance documents for internal audits and supply chain audits.  If there are specific issues or questions that you are interested in, you can ask that it be included in this supplemental guidance document (email standards@asq.org).

As to the difference in length –  with the U.S. adoption of ISO 19011:2011, the 2008 U.S. Supplement was made obsolete. What the Z1-auditing subcommittee is planning to do is to capture whatever guidance in that document is still important in the new supplemental guidance documents being drafted.

Thea Dunmire, JD, CIH, CSP
Chair, ASC Z1-Audit Subcommittee
ENLAR Compliance Services, Inc.
www.enlar.com/
Largo, FL

Related Content:

Read more open access content from ASQ about auditing:

Explore more using ASQ Knowledge Center search.

Restructuring an Internal Auditing Program

Reporting, best practices, non-compliance reporting

Q: For the last 15 years, my company has employed a small cadre of full-time, dedicated safety management system auditors.

A current proposal in our company is to recast those auditors as HES Superintendents under the supervision of an operations or safety manager who has significant management responsibility within the safety management system.  This change will give HES Superintendents (persons performing audits) additional, non-audit tasks for performance on the premises of the auditee immediately before, during or after the audits.  Those non-audit tasks could include workforce training, management mentoring and evaluation, facility inspection, etc. In addition, this change will reduce about 50% of the number of audits performed per person in a given time period.

My concerns are as follows:

•  Supervision of the HES Superintendents (especially assignment, evaluation and compensation determination) by an operations manager, safety manager, or someone under their supervision, could constitute auditee control of the audit program, and a thwarting of the principle of auditor independence.

•  The addition of non-audit tasks to auditors’ work seems to open possibilities for audit conflicts of interest. Since HES Superintendents will participate materially in the ongoing safety management of the company, their independence and impartiality as safety management system auditors would be subject to question.

•  The 50% reduction in number of audits per auditor would result in dilution of auditors’ audit experience and therefore their expertise, leading to attenuation of the company’s capability to audit expertly.

In terms of the principles of management system auditing, are my concerns valid?

Do you know of other instances of this part-time-auditor approach being used in high-risk industries?

Any comment on the wisdom of this proposal?

Occasionally, mutiple experts offer their expertise and viewpoints to assist quality practicioners. Add your voice by commenting on posts!

Bill Aston’s take:

A: You’ve mentioned valid concerns that should be assessed by top management prior to restructuring their organization’s audit program.  As I understand your concerns, they include two primary items:

1.    To ensure that the restructure of the audit program continues to provide auditors with independence, objectivity and impartiality from the processes and process owners to be audited.

2.    Potential result of a 50% reduction of the number of audits conducted per auditor diluting auditor experience and expertise.

With regard to the first item, this is a matter that top management should thoroughly evaluate to ensure that the requirements of ISO 9001:2008 — Quality management systems — Requirements, clause 8.2.2b internal audit, continue to be met.  This clause requires that The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.  Auditors shall not audit their own work.

In addition, although the requirements in ISO 19011:2011– Guidelines for auditing management systems are not auditable requirements, section 3.1, Terms and Definitions, (note 1), does mention the need for ensuring internal auditor independence.

The key point is that your organization’s registrar will most likely look very closely at how the audit program has been restructured to ensure that auditor independence, objectivity and impartiality have been maintained.

Regarding item number two, although maintaining an auditor’s level of expertise and experience are important, the primary purpose of internal audits is to assess the effectiveness and continual improvement of the quality management system and its processes.  If maintaining auditor expertise and experience becomes an issue due to the reduction in the number of available audit assignments, management should consider adjusting the number of auditors needed to meet the actual workload.

As you’re aware, ISO 9001:2008 requires internal audits to be conducted at planned intervals, but it does not prescribe any frequency for performing audits.  So this area is strictly a decision that must be made by each organization to meet their own specific requirements to ensure the continual improvement of the quality management system (QMS).

In summary, ISO 9001:2008, clause 5.4.2b Quality management system planning, requires top management to ensure that the integrity of the quality management system is maintained when changes are planned and implemented.  This includes the restructuring of processes such as the audit program.  Internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement of their quality management system.   Therefore, it’s essential that the personnel performing these audits are trained, experienced and independent of the area being audited.

It has been my experience that there are few organizations that maintain a staff of fulltime QMS auditors.  Most organizations utilize staff personnel who are familiar with the processes to be audited and have been trained and are experienced as auditors.  Although they perform audits, this is usually not their only responsibility.  However, in some cases, large organizations may have one or two fulltime auditors who function corporate-wide and are supported by trained and experienced staff personnel on an as needed basis.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Thea Dunmire’s take:

A: Given that this question involves audits of a safety management system rather than a quality management system, the more applicable standard would likely be OHSAS 18001:2007 Occupational health and safety management systems – not ISO 9001:2008.  However, OHSAS 18001 also specifically states – “Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.”  Although OHSAS 18001 does not include the statement – “Auditors should not audit their own work,” that is definitely true.   As a general rule, auditors should not audit activities for which they are responsible or accountable.

It is common for organizations to utilize individuals as internal auditors who have other staff responsibilities.  Few organizations have dedicated environmental, health and safety management system auditors.  Most internal environmental health and safety (EHS) auditors have other responsibilities.  In addition, based on surveys conducted by the Auditing Roundtable, the overall management of the EHS audit program is often located within the EHS department, not in a separate internal audit function.  This can make ensuring the independence of the EHS audit program very challenging.

The important question isn’t whether specific individuals are auditing full or part time. Instead, it is whether all of the auditors utilized within the audit program have the appropriate independence, competence and resources to conduct the audits they have been assigned.  Independence I have discussed above.  By competence, I mean the general knowledge and skills needed for management system auditing (as set out in clause 7.2.3 Possess appropriate knowledge and skills of ISO 19011) as well as technical expertise appropriate for their audit assignments.  By resources, I mean that there is sufficient support, including adequate time, to conduct the individual audits needed to meet the objectives established for the audit program.

Identifying the resources needed for the audit program is one of the key responsibilities of the person assigned the role of audit program manager (as set out in clauses 5.3.1 Perform audit program management tasks and 5.3.6 Identify program resource requirements  of ISO 19011:2011).  Lack of adequate resources is a common weakness of many internal audit programs.  Often, internal audit programs have very broad and expansively-stated objectives, but lack the resources needed to achieve these objectives.  It is the audit program manager’s responsibility to point out this disparity to top management.  The solution is for top management to either adjust the objectives of the audit program, taking into account the policy commitments made by the organization, or provide more resources for the internal audit program.

A key requirement of a safety management system is identifying the organization’s legal and other requirements to which it subscribes.   These identified requirements must be taken into account when establishing management system programs and procedures.  This includes any legal obligations associated with establishing and maintaining internal audit programs.  For example, for organizations subject to the BOEMRE regulations (offshore oil and gas), the Safety Environmental Management System  (SEMS) regulations require that auditors be qualified and independent (see 30 CFR 250.1926).  Legal requirements, as well as the commitments made by the organization in its occupational health and safety policy (or its sustainability reports), must also be taken into account when identifying the resources needed for the EHS audit program.

Internal audits are one of the important ways of assessing the effectiveness of a management system.  The audit program itself should be reviewed to determine its effectiveness in accomplishing this task.  Changes can, and should, be made to internal audit programs but the potential impacts of proposed changes need to be fully assessed in light of the organization’s policy commitments and its legal obligations.

Here is a link to the Auditing Roundtable survey results I mentioned: AR Member Survey Results – Organizational Location of the EHS Audit Program

Thea Dunmire, JD, CIH, CSP
ENLAR Compliance Services, Inc.
http://www.enlar.com/
Largo, FL

Jim Werner’s take:

A: This is indeed a unique question.  I read and re-read this question over and over, and I have come up with the same opinion – “it depends.”  I am assuming “audit” is referring to an independent review of the quality system.  Some places use the term “audit” to mean an inspection activity.  If the past audits have consistently demonstrated the effectiveness of the quality system, then it is appropriate to reduce the number and frequency of the audits.

As far as the re-organization of the staffing of the auditing function – this is a management decision.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

Read more open access content about auditing from the ASQ Knowledge Center archive:

Framework to Integrate ISO Standards and Non-ISO Standards

Reviewing confidential files, training records, human resources files

Q: I have a few questions about integrating standards for one of the experts:

1) Will registrars (in addition to BSI, who wrote it) accept a documented quality management system organized around the framework suggested in PAS 99:2006 – Specification of common management system requirements as a framework for integration, given there is adequate audit evidence that the requirements of both of the integrated standards have been addressed and have been implemented?

2) Is PAS 99 only for ISO-related standards, e.g.,  ISO 9001:2008 Quality management systems–Requirements and  ISO 14001-2004: Environmental management systems – Requirements with guidance for use, or can other combinations be made – e.g., ISO 9001 and American Institute of Steel Construction-Bridge and Highway AISCQC028?

AISCQC028 is not an ISO or ISO sector-specific standard, although the framework and structure is very similar. The AISC has its own certification body (registrar) and would insist that their auditors conduct a certification audit even though an organization has been previously ISO registered. AISC does not object to an integrated system that integrates/combines ISO 9001 with one of their certification standards as long as AISC certification requirements have been addressed.

The integration of ISO 9001 and 14001 is becoming common place and I’m fairly certain that PAS 99 is an acceptable format in those cases. I’m more interested in other industry standards and requirements not generally considered ISO-related that are being demanded by certain customer segments and integrating them in a system that must also be acceptable to ISO registrars because of other customer segments who are demanding ISO registration by their suppliers.

A: This is an excellent, and timely, question.

More and more organizations are developing integrated management systems based on multiple specification standards – such as ISO 9001, ISO 14001 and OHSAS 18001.   In addition, there are more and more management system standards being developed.  This includes both ISO standards and non-ISO standards – such as OHSAS 18001, Responsible Recycling (R2) and, based on your question, AISCQC028.

It is not even clear how many different management system specification standards there are. What one individual considers a guidance document; someone else insists is a specification standard suitable for certification.

So when you are developing documentation for an integrated management system, how should it be organized?

There are several options:

•    One option is to choose one of the standards as the primary high-level structure – say, ISO 9001:2008 – and address the requirements of the other standards within that structure.

•    PAS 99:2006 offers a different option for a high-level framework for organizing the management system documentation for an integrated management system.  (As you correctly point out in your question, PAS 99 cannot be used as a replacement specification standard for any of the discipline-specific management system standards.)

•    Another option is to establish a high-level structure that makes sense for your organization.

There is no required framework for organizing management system documentation.  You can use whichever overall structure and numbering scheme works for your organization.

ISO has recognized that having different high-level structures for its various management system standards may be problematic for organizations that are implementing integrated management systems that are intended to meet the requirements of multiple specification standards.  As a result, in February 2012, the ISO Technical Management Board (TMB) approved a guide for ISO standard writers that specifies a common structure and definitions to be used for all new and future revisions of ISO management system standards.  This was circulated as ISO Guide 83. This action by ISO highlights the primary issue with using PAS 99:2006.  It is out-of-date.

First, the normative references listed in PAS 99:2006 are not the current versions for some of the standards (notably ISO 9001 and OHSAS 18001).  Second, the high-level structure set out in PAS 99:2006 is not consistent with the common structure recently approved by ISO.

The key to establishing an integrated management is NOT the use of a particular organizing framework or high-level structure.  How you organize your management system documentation needs to fit the needs of your organization – not the desires of a particular registration auditor.

What is important is being able to clearly explain how your management system meets the requirements of each of the specification standards to which you want to become certified.  This requires clearly written documentation that defines the links to the requirements you are addressing within your management system.  It may also require discussion with your registrar and/or the use of reference tables – similar to those set out in the Annexes of ISO 9001, ISO 14001, OHSAS 18001 – and PAS 99:2006.

Thea Dunmire, JD, CIH, CSP
ENLAR Compliance Services, Inc.
Thea’s Blogs:
www.OHSAS18001expert.com
www.managementsystemexpert.com