From the-concourse-on-high Mon Sep 28 13:07:18 1998 Date: Tue, 25 Aug 1998 09:45:51 -0400 (EDT) Reply-To: iso14000@quality.org To: iso14000-digest@quality.org Subject: iso14000-digest V2 #40 iso14000-digest Tuesday, August 25 1998 Volume 02 : Number 040 ---------------------------------------------------------------------- Date: 18 Aug 98 08:16:06 +0100 From: Jack Blackmer Subject: ISO 14000 Services Announcement ENVIRONMENTAL RESOURCE CENTER AND COMPETITIVE EDGE ANNOUNCE ISO 14000 SERVICES AGREEMENT Environmental Resource Center has entered into an agreement with Competitive Edge to provide ISO 14000 implementation and training services. According to Brian Karnofsky, President of Environmental Resource Center, ^ÓCompetitive Edge brings Registration Accreditation Board (RAB) certified expertise and extensive experience in ISO 14001 implementation, auditing and training to complement our environmental management and compliance services.^Ô The executive staff at Competitive Edge was actively involved in the development of the ISO 14001 environmental management standard and has provided services since the inception of the standard. This agreement between Environmental Resource Center and Competitive Edge will focus on providing a full range of ISO 14000 services including: ISO 14000 awareness training, ISO 14001 Gap Analysis, initial environmental reviews, ISO 14001 environmental management system implementation and training, third party auditing, Internal Auditor and Lead Auditor training. Many organizations have realized significant cost savings and environmental benefits from implementation of ISO 14001 by reducing raw materials, energy, labor, and waste disposal identified through the implementation process. ^ÓThis agreement brings together the strength of a recognized national leader in environmental training and consulting with our extensive experience in providing bottom-line solutions to organizations striving to improve profitability and market competitiveness,^Ô says Bill Smith, President of Competitive Edge. Environmental Resource Center and Competitive Edge have also announced an ANSI-RAB accredited ISO14001 Lead Auditor Training course. Classes are scheduled for November 9-13 in Dayton, OH and November 30 - December 3 in Charlotte, NC, and many more sites will be announced for 1999. For more information on ISO 14000 services, please contact Jack Blackmer at 1-800-537-2372, extension 229 or e-mail at jblackmer@ercweb.com. ------------------------------ Date: Tue, 18 Aug 1998 15:34:36 +0200 From: "Ross Campbell" Subject: Re:business considerations and significant impacts Dear list members With some reference to Peter Matthew's and John Pepper's recent remarks, I'd appreciate any comment on the following: Using the valuation methods of environmental economics, it is possible to estimate the "total" cost of an environmental aspect. The valuation could, depending on the nature of the aspect, include the cost of preventing or minimising impacts, or the costs of rehabilitation of environmental impacts, AND an estimate of the costs to society of associated impacts . (Estimated as the costs of possible health problems associated with an impact, or the effects on property value (hedonic pricing), or interested parties' perceptions of the value or cost to them of an impact(contingent valuation)). The total cost (or benefit) to the organization and society would give a good indication of the relative significance of an aspect. Expressing an impact's significance in money terms could prove useful in communicating with people who are not environmental specialists. Regards, Ross Campbell Environmental Consultant Iscor Steel Pretoria South Africa rossc@hq.iscorltd.co.za (+27 12) 307 7273 Reqired Legal Disclaimer: The views expressed above are not necessarily those of Iscor Ltd. ------------------------------ Date: Tue, 18 Aug 98 21:37:29 +0100 From: Subject: Re ISO 14000 Services Announcement STUNNING ENVIRONMENTAL NEWS DELIVERY AGREEMENT SIGNED IN UK! Frey Environmental Associates is just thrilled to announce the signature of a corporate agreement for environmental news perusal with Jackson's Tabacconists and Newsagents, the well-known media source in Derby's Littleover village. The strategic agreement, estimated to be worth over seventy-five US cents a day, relates to daily review of 'The Guardian' newspaper, and will be delivered by an non-recyclable paperboy on an ecologically-friendly bicycle. ISO 14001 is a particulary hot topic in the UK at the moment! On an ever so slightly jarring note, Brian Karnofsky, President of Environmental Resource Center, said later "This is just the sort of inappropriate and self-aggrandising publicity stunt that the ISO 14001 discussion group should not have to put up with. It's a discussion group, innit?" (Seriously, folks, let's keep this an advertising-free zone.) Richard Frey Frey Environmental Associates Ltd. http://www.frey.demon.co.uk - -----PGP PASSWORD AVAILABLE----- PGPfreeware 5.5.3i for non-commercial use ------------------------------ Date: Thu, 20 Aug 1998 13:44:00 -0400 From: "Bursley, Juanita M" Subject: RE: business considerations and significant impacts Dear Peter, John & the rest of ISO-14000 list members who are interested, While I have a personal opinion on the current debate regarding the appropriateness of considering economic factors in determining whether an environmental aspect is significant or not, I believe there is a much bigger issue at risk here that deserves our attention. I, too, just returned from an ISO-14001 seminar and there were several similar debates over what should or should not be included/considered in meeting numerous criteria required in the standards. I was particularly troubled with the consistent use of personal opinions of what "should be" when there was a question of interpretation of what "must be" to meet the standard. There was no consistent reference to the specific language and definitions given in the standard, and the additional information given in both the ISO-14001 annex and ISO-14004 guidance document for the "right answer". Repeatedly, the participants with ISO-9000 certification experience expressed their obvious frustration with the ISO certification process and, in essence, told the rest of the participants that we might as well plan on doing more than the standard specifically requires (i.e. only the "shall" and "must" language) if we wanted to "pass" the certification process. Pleasing the auditor seemed to be a central theme in these discussions. I was even more disturbed when the instructor (who has, by the way, very impressive qualifications) indicated that all written documents developed for the EMS had to be included in the document control program. The standard very specifically identifies only certain procedures "shall" be documented and specifically states in 4.6 that a document control procedure "shall" be implemented for "documents required by this standard". It does NOT state it's required for ALL written EMS documents. I believe it is clear that if the standard does not specifically require a documented procedure, then the use of document control for any other EMS documents is discretionary. The information given in the guidances also appears to support this interpretation. Yes, it is my personal opinion that document control for every procedure we choose to put in writing may be an overkill and not necessarily "value added" work. And yes, it was certainly the instructor's opinion that document control procedures should be used for all EMS-related documents. But the real point, I believe, is that a large designated team with multi-talents, representing multi-national and multi-functional interests (e.g. business, regulators, academia) reached consensus and decided on the specific MINIMUM requirements to be included in this standard and, by design, left a lot to the personal choice of the individual organization. Flexibility was designed into the standard for a very specific reason -- so that the "one size" standard could truly "fit all" and allow every entity to choose an individual EMS that best fits its specific organization and environmental policy. If this were not the case, I believe the standard would be too prescriptive for many companies which would, therefore, significantly deter many that might otherwise be interested in getting their EMS program certified. This would certainly be contrary to the intent and interests of the ISO organization. I am very concerned with the integrity of the ISO certification program if the success of my multi-national company in becoming certified largely depends on the individual opinion of my third party auditor, and is NOT based solely on the consensus of the international team that originally developed the standard and some STANDARD INTERPRETATION of the MINIMUM REQUIREMENTS. Therefore, concerning the on-going debate, I would suggest the "right" answer is EXACTLY what the standard or guidance states, whether or not it seems "reasonable" or "logical" to everyone else. Apparently the ISO team believed that a site seeking certification under the ISO-14001 standard should decide for itself whether to consider economic factors in its significant environmental aspect determination process. I admit I'm relatively new to this ISO standard stuff, so if I've somehow missed something in the ISO standards and am obviously wrong, PLEASE SHOW ME THE LIGHT! I would appreciate, however, the reference to the specific citation in the standard and/or associated guidance documents so that I can study them myself and not rely solely on everyone's personal opinion. I mean no offense to any individual or the ISO organization, and respect that everyone is entitled to their personal opinions. However, I believe that this issue of standard application is critical to the worldwide success of the ISO-14000 program. Thanks for your input and sorry for being so long-winded! Juanita Bursley (Juanita.Bursley@UCAR.com) ______________________________ Reply Separator _________________________________ Subject: RE: business considerations and significant impacts Author: ,Pepper, John [SMTP:John.Pepper@dnv.com] at WWWEB Date: 8/10/98 3:57 PM Dear Peter In brief, I would agree with LRQA. However, economic factors could play a role in certain, limited cases. When it comes to certification, the certification bodies are basically looking to see how the significant aspects are managed by the organisation. This will be through a combination of objectives/targets, investigation and ongoing operational control. What you do about a significant aspect is up to the implementing organisation. In this case, I would agree with LRQA - the fact that the aspect is going to cost a fortune to fix is not something that should be used to decide whether its significant or not, but it would have an important role in deciding your objectives. I agree with you that the 14004 comments on the "difficulty of changing the impact" and the "cost of changing the impact" as possible criteria are, in my opinion, not logical at all. These criteria surely have nothing to do with the scale and nature of the impact. At DNVQA we have not seen economic criteria used in such a manner in any certification to date. Where economic factors could play a role are, I believe, with resource-use based aspects. For example "We spend only 2% of our procurement budget on substance X" or "Less than 5% of our energy budget is spent on gas". In this case, cost could be a sensible way of eliminating "trivial" issues. I have to add that I have never seen this in the real world either. Strangely, this topic also came up at a recent workshop I gave at the ERP Eco Management and Auditing Conference held in Sheffield in July. Some consultants in the audience were clear that economic grounds could be used in evaluation, but had no actual examples to demonstrate a logical approach. If anybody in the group has such examples, from a 14001 certified organisation, I would be very interested to learn of them. John Pepper Lead EMS Auditor Det Norske Veritas Quality Assurance Ltd Palace House 3 Cathedral Street London SE1 9DE United Kingdom Tel + 44 (0) 171 357 6080 (Main Switchboard) (E-mail) john.pepper@dnv.com - -----Original Message----- From: Peter Matthews [SMTP:pete@p-matthews.prestel.co.uk] Sent: Sunday, August 09, 1998 1:13 PM To: iso14000@quality.org Subject: business considerations and significant impacts Dear Subscribers, I recently attended an Institute of Environmental Management (www.iem.org.uk) workshop on the implementation of ISO 14001 here in Edinburgh (Scotland). Part of the discussion related to business considerations and environmental aspects. A representative of LRQA (an accredited certifier of ISO 14001) suggested that a business consderation such as cost could affect the *priority* given to a significant environmental impact. For example, it may be possible to postpone the purchase of abatement equipment (to deal with a significant impact) in certain circumstances, on grounds of cost, until some time in the future. This approach seems perfectly reasonable to me. After the workshop I re-read the ISO 14004 guidance document. This seems to state that business considerations such as cost can be used to *evaluate* the significance of an environmental impact (rather than just affecting the priority given to previously identified significant impacts). This seems less logical to me. Does anyone have any views on this? (if it makes sense!) Regards, Pete Matthews (Consultant and postgrad student at Aberystwyth University) E-mail: pete@p-matthews.prestel.co.uk ------------------------------ Date: Thu, 20 Aug 1998 23:33:42 -0400 From: Diana Baldi Subject: RE: business considerations and significant impacts Juanita, To simply restate my understanding of requirements is that if the company chooses to show the auditor documents in order to demonstrate conformance to a 14001 requirement, that document needs to be under document control since it is being used as part of the 14001-EMS. If you can demonstrate conformance with the requirement thru records and other such means (consistent verbal replies, etc.), then you do not need to have document control since there is no associated "document". However, it is non-value added to have documented procedures that address 14001 requirements and insist that since the standard doesn't say "documented procedure", it can exist without being controlled. If you need the document, then control it. If you don't need it for your EMS, then don't have it at all. It is the resistance to document control itself that seemed to be controversial in the course. The larger organizations find it harder to demonstrate conformance without documented procedures and are tending to write more than the minimum in the standard. I work with small companies and we have few procedures but lots of records. I hope this helps clarify my "position". I look forward to other answers from the group. Diana Baldi ------------------------------ Date: Thu, 20 Aug 1998 23:43:55 -0400 From: Diana Baldi Subject: RE: business considerations and significant impacts Juanita, I forgot to say....if anyone were to ask me what the most common "error" in implementation of 14001 is (i.e., having a beaurocratic, non-value adding EMS), I would say.....OVERDOCUMENTATION. One of the first steps for a company as large as yours, is to sort out all the stuff that's been written over the years and decide what is actually needed. For those documents that are needed for your style and size of business, then format them as simply as possible (process or flow diagrams) then control them. Diana Baldi ------------------------------ Date: Fri, 21 Aug 1998 00:33:24 -0400 From: Diana Baldi Subject: Request for DNV insights To any 14001 registrar, I am working with several clients for ISO 9001 that are implementing 14001. I am interested in getting acquainted with any key interpretations that registrar's have developed during the early implementation phases. Some of these clients have very mature EMSs and have fully integrated EH&S. They are migrating to a QEH&S system. As you know, this approach can be better for the business but can be quite a challenge to actually do well. Especially if their 9001 system is burdening in its documentation. Here are a couple specific questions: 1. Since the EMS is mature--with very different numbering than 14001, do you agree that as long as we index requirements to where you'll find them that we can call "things" what we want? For example aspects and impacts could be called hazards and risks since they also include safety and health in the process. 2. Even with the EH&S being integrated, would any nonconformance that was noted pertained to H&S, not be one for 14001 (granted, that there was a reasonable delineation--not trying to shroud a valid E nonconformance). The company would want to know, but not have a 14001 registration "blackmark". 3. For multi-site registrations, what do you expect for the level of consistency in the procedure for aspects and impact identification and methodology for determining significance? This was not one of the categories that has been stated by one registrar to be required to be coordinated at the highest level (like audits, management review, and evaluation of corrective action effectiveness). Does this mean, flexibility is acceptable for each site in the scope of registration? 4. What do you recommend for adding sites into the larger scope? What approaches have been a nightmare to manage from the registrar's side? Some clients want to be able to add onesies and twosies and some want to have a pilot site or two then register the rest all at once. I'd like to be able to assist them chose what will be more workable from both your side and theirs. I know you can't "consult", but if you have any factual info that would help us decide what to request of you in the quote, it would help us. 5. As a follow-on to question 4, have you experienced any "learnings" in trying to do integrated, sequential, or concurrent audits for 14001 and 9001? A question keeps coming up about trying to adjust the 14001 implementation schedule to coincide with 9001 periodic audits and/or the 3 year full reassessment. Any comments?? Since these clients are global, it would be helpful to me if your reply included the accreditations your Registration Service holds. Thank you. Diana Baldi . ------------------------------ Date: Fri, 21 Aug 1998 08:36:31 -0400 From: "Steve Ruddell" Subject: Re: business considerations and significant impacts Good morning, I would agree with Diana's response. There are only 3 places where "documented procedures" are required; under 4.4.6 a) Operational control, and under 4.5.1 Monitoring and measurement (paragraphs 1 and 3). Under 4.4.5 Document Control outlines the procedures for ensuring conformance. Any procedures that an organization has created to use beyond "documented procedures", if referred to in their EMS, can be used as evidence of conformance. It is up to the auditor to find this evidence through interviews, etc. It appears to me that the reason for this is to make these standards practical for all sizes of organizations. The larger the company, the greater the internal needs to have written procedures that are documented. Steve Ruddell Michigan State University Department of Forestry 126 Natural Resources Building East Lansing, MI 48824 (616) 866-0073 (home) (517) 355-0092 (office) (517) 432-1143 (FAX) ruddells@pilot.msu.edu - ---------- > From: Diana Baldi > To: Bursley, Juanita M ; ,Pepper, John ; ,'Peter Matthews' ; ,'iso14000@quality.org' > Subject: RE: business considerations and significant impacts > Date: Thursday, August 20, 1998 11:33 PM > > Juanita, > > To simply restate my understanding of requirements is that if the company > chooses to show the auditor documents in order to demonstrate conformance > to a 14001 requirement, that document needs to be under document control > since it is being used as part of the 14001-EMS. > > If you can demonstrate conformance with the requirement thru records and > other such means (consistent verbal replies, etc.), then you do not need to > have document control since there is no associated "document". However, > it is non-value added to have documented procedures that address 14001 > requirements and insist that since the standard doesn't say "documented > procedure", it can exist without being controlled. If you need the > document, then control it. If you don't need it for your EMS, then don't > have it at all. > > It is the resistance to document control itself that seemed to be > controversial in the course. The larger organizations find it harder to > demonstrate conformance without documented procedures and are tending to > write more than the minimum in the standard. I work with small companies > and we have few procedures but lots of records. > > I hope this helps clarify my "position". I look forward to other answers > from the group. > > Diana Baldi ------------------------------ Date: Fri, 21 Aug 1998 15:29:37 -0400 From: "Connie G. Ritzert" Subject: Juanita Bursley's comments Juanita, You opened a bear of a subject - why can't we create, and then audit an ISO 14001 EMS according to what the standard says, rather than various "opinions" ? I agree with you that ISO 14001 is intentionally specific on some points and intentionally flexible on others. It should not be the role of the Registrar or auditor to expand the mandatory provisions. It is understandably a challenge for auditors, since they must verify conformance by means that are sometimes less direct than simply examining documentation. It will benefit all involved parties, however, if we concentrate on facilitating understanding of the standard and means of verification rather than on expanding the requirements. The flexibility is there to enable different types of organizations to implement a system that works for them while still meeting key criteria. Regarding documentation in particular, I have heard various versions, also. I think we all can differentiate records (data, evidence of actions, meting minutes, etc.) from the type of information that defines policy, procedures, goals, etc. and to which the term "documentation" applies. The standard obviously allows for both documented and undocumented procedures and both documented and undocumented information of other types. For example, it requires documented objectives, but it does not call for documented "legal and other requirements" . Therefore, it distinguishes information from documented information. This and the wording of the Document Control clause indicate that EMS information which is "documented" must be controlled. Not all information that is written or in electronic format is necessarily "documented" in this sense. This may be a semantic argument, but semantics are basic to a specification. The standard allows an organization to choose the level of documentation it needs, within boundaries. One may have a procedure that is not documented, but if one has a documented ISO 14001 procedure, it needs to be controlled. I believe these are "facts" - i.e., what the standard says - but others may believe these are opinions. I even tried to stay away from my memory of "intent" during the drafting of ISO 14001 and deal only with the words on paper, since that is what the user of the standard must do. Juanita, your comments were intriguing, but I'm not sure I thank you - I am trying to resist the temptation to write such list responses. Regards, Connie Glover Ritzert Meredith-EMC environmental management consulting ------------------------------ Date: Mon, 24 Aug 1998 14:19:57 +0200 From: "Goodman, Sally" Subject: Legal compliance - to audit or not to audit? Dear Colleagues, There seem to be geographical differences arising in the way that legal compliance is audited for ISO 14001 certification. Most people would, I hope, find the following interpretation familiar: * The environmental policy must contain a commitment to comply with legal requirements * The system must contain a overview of the actual legal requirements, (commonly as list of references etc.) This must be kept updated. * There must be evidence that the organisation has investigated whether or not there is compliance to the legal requirements and, for areas where constant surveillance is needed, a programme to assure compliance and non-compliance reporting should be present. * If a company is not in compliance to some parameter in the environmental legal requirements, a programme to bring the organisation into compliance should be implemented (and agreed with relevant authorities if appropriate). I was recently made aware that in some countries (the US was given as a specific example), it is not acceptable for the auditor to check specifically for evidence of legal compliance. This apparent difference in practice has the potential for undermining the credibility of ISO 14001. Does anyone on the list have experience or knowledge of variances in the auditing of legal compliance within the ISO 14001 context, or any comments on this subject? Also, does anyone know of contries other than the US where the situation I have described is occurring? With kind regards, Sally L Goodman Service Responsible, Accredited Environmental Systems Certification Section for Certification (DTP 325) Det Norske Veritas Tel: +47 67 57 8213 Fax: +47 67 57 9705 Email: sally.goodman@dnv.com http://www.dnv.com ------------------------------ Date: Mon, 24 Aug 1998 09:08:35 -0400 From: Diana Baldi Subject: Legal compliance - to audit or not to audit? Sally, This is a great topic to gather input from many perspectives. So far, I see lots of different ways and different levels of detail in your 2nd bullet (identifying legal requirements). I don't believe it would be acceptable to require a "list" in the US. Many companies have developed one. Some lists are generic (air, water, land) and some have been very detailed (e.g., specifying details to be included in records such as time of sample collection). Where it is a tedious rationale to justify an exclusion to regulations, some companies are documenting the exclusion. This would help them if there is a process change that negates the exclusion; they will know the regulation applies at the time of the change. I would say this approach is somewhat rare--for the proactive company operating within laws without straightforward language where several interpretations are possible. As far as your point about whether the auditor can or cannot ask for evidence of their current level of compliance, you may need more information in your question. For companies that have this type of documentation under "attorney-client priviledge", they lose this priviledge when the document is shown to a third party--like a registrar auditor. For companies "substantially" in compliance, sometimes the internal legal counsel still will not allow documents associated with this compliance evaluation to be shown to third parties. The auditors need to be able to verify this type of evaluation takes place at some periodic intervals, that management is informed, and that corrective action is initiated. How they present this evidence to the auditors may be a subset or high level summary of the priviledged documents or perhaps a "verifiable" verbal description of the process. I would love to hear from other auditors or registrars who can share practical examples of what has worked and what has been a problem for them, especially in the US. Diana Baldi ------------------------------ Date: Mon, 24 Aug 1998 20:29:28 -0300 From: "Dan Wurster " Subject: Re: Legal compliance - to audit or not to audit? It seems to me that we have lost sight of why we are auditing when we stop checking for compliance because a lawyer told us that it was wrong. I always thought that lawyers were around to offer advice, when asked, and not to run things. Of course with contingency fees, too many lawyers, loss of morality ( fostered by lawyers, who else gains by it ) perhaps we should stop and think about why we are doing the audit in the first place. Isn't the objective to maintain and improve the environment? For those who have gone thru QS9000, there were sections in there which asked what you have in place to ensure compliance with legislative standards. Lets not skip daintily around the question of whether a facility is in compliance or not. And lets not have the regulators insist that they have the right to seize our audit documents. Two wrongs do not make a right. YES, audit, and YES, check for compliance. Companies being audited have to agree, before the audit to act on non-compliance, immediately. And regulators have to foster audits because its helping them do their jobs, and its the right thing to do. And lets keep the lawyers where they belong, arguing with Wolf Blitzer about someones sex life. Dan Wurster, MICHELIN Box 1883 Stellarton, NS, B0K 1S0 wurstd@north.nsis.com The usual disclaimers, esp. for my typing! ------------------------------ Date: Tue, 25 Aug 1998 11:10:19 +0200 From: "Pepper, John" Subject: RE: Juanita Bursley's comments Dear All Regarding the specific point in Connie's response of whether you need documentation regarding your identified legal requirements, I would draw your attention to 4.5.3 that requires "records ....to demonstrate conformance to the requirements of this standard" . Take this together with 4.3.2 and you would have to document (record) what the legal requirements are to your organisation. Just in case you think this is a DNVQA opinion, I would draw your attention to the CEN bridging document from 14001 to EMAS which has a very similar opinion. In other words, on an audit I would raise a nonconformance if the organisation did not record its legal requirements, or more commonly, if it has missed something out. Hope this helps in what is proving an interesting discussion! John Pepper Lead EMS Auditor Det Norske Veritas Quality Assurance Ltd Palace House 3 Cathedral Street London SE1 9DE United Kingdom Tel + 44 (0) 171 357 6080 (Main Switchboard) (E-mail) john.pepper@dnv.com - -----Original Message----- From: Connie G. Ritzert [SMTP:critzert@fyi.net] Sent: Friday, August 21, 1998 8:30 PM To: 'iso14000@quality.org' Subject: Juanita Bursley's comments Juanita, You opened a bear of a subject - why can't we create, and then audit an ISO 14001 EMS according to what the standard says, rather than various "opinions" ? I agree with you that ISO 14001 is intentionally specific on some points and intentionally flexible on others. It should not be the role of the Registrar or auditor to expand the mandatory provisions. It is understandably a challenge for auditors, since they must verify conformance by means that are sometimes less direct than simply examining documentation. It will benefit all involved parties, however, if we concentrate on facilitating understanding of the standard and means of verification rather than on expanding the requirements. The flexibility is there to enable different types of organizations to implement a system that works for them while still meeting key criteria. Regarding documentation in particular, I have heard various versions, also. I think we all can differentiate records (data, evidence of actions, meting minutes, etc.) from the type of information that defines policy, procedures, goals, etc. and to which the term "documentation" applies. The standard obviously allows for both documented and undocumented procedures and both documented and undocumented information of other types. For example, it requires documented objectives, but it does not call for documented "legal and other requirements" . Therefore, it distinguishes information from documented information. This and the wording of the Document Control clause indicate that EMS information which is "documented" must be controlled. Not all information that is written or in electronic format is necessarily "documented" in this sense. This may be a semantic argument, but semantics are basic to a specification. The standard allows an organization to choose the level of documentation it needs, within boundaries. One may have a procedure that is not documented, but if one has a documented ISO 14001 procedure, it needs to be controlled. I believe these are "facts" - i.e., what the standard says - but others may believe these are opinions. I even tried to stay away from my memory of "intent" during the drafting of ISO 14001 and deal only with the words on paper, since that is what the user of the standard must do. Juanita, your comments were intriguing, but I'm not sure I thank you - I am trying to resist the temptation to write such list responses. Regards, Connie Glover Ritzert Meredith-EMC environmental management consulting ------------------------------ Date: Tue, 25 Aug 1998 09:44:14 -0400 From: "Connie G. Ritzert" Subject: Reply to John Pepper on Requirements Records Dear John & All: The point you raise regarding the relationship of the records requirement in clause 4.5.3 to issues of documentation is an interesting one. I'm afraid this will be long-winded, but here goes: My original point on "Legal Requirements" and "Documentation" was that ISO 14001 does not specifically require a documented list of all the legal requirements that apply to an organization. What Clause 4.3.2 does require is that the organization "establish and maintain a procedure to identify and have access to " such requirements. Since "establish" means develop (or select) and implement, and "maintain" means apply over time and ensure continuing effectiveness, the organization must not only have such a procedure, it must be employing that procedure for its intended purpose. Neither the procedure, nor any "list" of requirements must be "documented" to conform with ISO 14001. As you point out, Clause 4.5.3 requires that records be "maintained, as appropriate to the system and to the organization, to demonstrate conformance to the requirements of (ISO 14001)". As we know, records that demonstrate conformance are not the same thing as documentation of the system. The qualifying phrase "as appropriate to the system and to the organization " points out that the standard is not dictating the nature of the records that must be kept, but is asking the organization to make those decisions and create records that demonstrate conformance. If we look at how to demonstrate conformance to clause 4.3.2, we see that we need to demonstrate: 1. That we have a procedure to identify legal & other requirements (related to our environmental aspects) 2. That this procedure (or a separate one) provides access to this information (current information to those who need it) 3. That we have implemented this procedure(s) 4. That the procedure(s) is fulfilling its intended function (i.e., that we have and are identifying requirements and providing access) 5. That we are maintaining the procedure on an on-going basis ( keeping up-to-date, etc.) The questions, then, is what records could demonstrate conformance? There could be many ways to approach this, but here are a few examples that come to mind: - Minutes of meetings in which development or approval of the procedures was discussed, including information on why the procedure is believed to be comprehensive and effective. - Transmittal memo authorizing use of the procedures - Information on the procedures in training programs - Reports on file discussing development or evaluation of the procedures - Records created specifically to verify that the procedure was implemented on specific dates - Records of distribution of the information generating by using the procedure ( e.g., distribution of information on regulatory requirements) - Records of periodic review of the procedure - Records of use of the distributed information, e.g. memo's or reports instituting changes in operating procedures based on information received on regulatory requirements - - Records of consideration of legal requirements in development of . objectives and targets, monitoring procedures, etc. - - Records of information transfer on where detailed legal requirements are stored ( e.g., memo on how to access electronic files on regulatory requirements) - - Records indicating how compliance to regulations was evaluated ( under clause 4.5.1) There are many other possibilities, including generating a list of all legal requirements, which some may choose to do. Others may choose to compartmentalize or store this information in some form other than a list. The user of the information must be able to access it and act on it. The auditor must be able to verify that this happens. Having a list does not assure either the organization or the auditor that the requirements of the standard have been met. The challenge for the organization is to have a systematic way of understanding all of its legal obligations and then using that information to achieve compliance. The challenge for the auditor is to verify that this is being done in the context of the language of the standard and the EMS as designed by the organization. I could comment on why some organizations don't like "lists", but I have already gone on too long. I am interested in hearing any comments you have, John - or others. Connie G. Ritzert critzert@fyi.net Meredith-EMC environmental management consulting Mars, Pennsylvania - -----Original Message----- From: Pepper, John [SMTP:John.Pepper@dnv.com] Sent: Tuesday, August 25, 1998 5:10 AM To: 'iso14000@quality.org' Subject: RE: Juanita Bursley's comments Dear All Regarding the specific point in Connie's response of whether you need documentation regarding your identified legal requirements, I would draw your attention to 4.5.3 that requires "records ....to demonstrate conformance to the requirements of this standard" . Take this together with 4.3.2 and you would have to document (record) what the legal requirements are to your organisation. Just in case you think this is a DNVQA opinion, I would draw your attention to the CEN bridging document from 14001 to EMAS which has a very similar opinion. In other words, on an audit I would raise a nonconformance if the organisation did not record its legal requirements, or more commonly, if it has missed something out. Hope this helps in what is proving an interesting discussion! John Pepper Lead EMS Auditor Det Norske Veritas Quality Assurance Ltd Palace House 3 Cathedral Street London SE1 9DE United Kingdom Tel + 44 (0) 171 357 6080 (Main Switchboard) (E-mail) john.pepper@dnv.com ------------------------------ End of iso14000-digest V2 #40 *****************************