THE DOXONOMY BLOG

Risk Assessing Your Hazards

24/12/2016

Hazard Risk Assessment
Not every individual hazard needs to be assessed, as most organisations address risk assessment at two levels, generic and specific.

Generic risk assessments cover hazards or activities that are common throughout the workplace, while specific assessments address particular hazards related to specific tasks, procedures, equipment, locations, etc.

Once a hazard has been identified, risk assessment should generally be carried out in four steps:
  1. Decide who might be harmed and how.
  2. Evaluate the risks and decide whether existing precautions are adequate or more needs to be done. 
  3. Record your findings.
  4. Review your assessment and revise it if necessary.

In assessing risks, you should consider all types of staff including apprentices, trainees, young workers, new and expectant mothers and also those who may not be directly affected by the process. This may include domestic or security staff, contractors or members of the public.

Risk evaluation
Evaluate the risks to which individuals might be exposed and classify them as Low/Medium/High based on consistent criteria appropriate to your activities. This classification will be an indication of the priority with which the risk needs to be addressed. Where risks are already controlled, monitor the effectiveness of the controls to decide whether they are sufficient. Where the risk to individuals is thought to be medium or high, additional control measures must always be considered. 

To achieve consistency, it is best to adopt a standardised approach; for example, see this general risk assessment template and guidance.

While a standard template can be used for almost any risk, it greatly helps if you have access to specific templates and guidance, such as those provided by the Doxonomy toolkit, covering particular hazards, such as:
  • Compressed Gas Cylinders
  • Control of Substances Hazardous to Health (COSHH)
  • Dangerous Substances and Explosive Atmospheres (DSEAR)
  • Display Screen Equipment Self-Assessment
  • Fieldwork
  • General Purpose Risk Assessment Template (Risk Matrix)
  • Hand-Arm Vibration
  • Lone Working
  • Manual Handling
  • New and Expectant Mothers
  • Noise
  • PPE Assessment 
  • Slips Trips and Falls 
  • Stress at Work - Risk Assessment by a Manager
  • Working at Home Safely
  • Young Persons

Risk control

Having evaluated the risk, decide what controls are necessary to reduce the risks to individuals and to comply with any statutory requirements (compliance with statutory requirements is a minimum level of control). It is often useful to seek out best practice advice, perhaps from your trade association or the appropriate regulator.

In controlling risks you should follow a hierarchical approach, starting with avoiding the hazard if at all possible:
  1. Avoid the hazard - can the hazard be avoided or altered to reduce the likelihood or risk?  Substitute or replace the hazard.
  2. Procedural controls – can the procedure be altered to avoid or reduce the risk? Can the individual be removed / distanced from the risk? Could the activity be carried out at a time that would have a lesser impact on others? 
  3. Engineering / mechanical controls – can engineering or mechanical aids be used to avoid or reduce the risk?
  4. Personal Protective Equipment (PPE) – where the above measures do not fully remove the risk, PPE should be considered. Identify the specific type of PPE necessary. 
  5. Emergency procedures – set procedures to follow in the event of things going wrong, e.g. an accident or incident.
  6. Health surveillance – where one cannot be 100% confident in the control measures put in place, should individuals’ health be monitored?
  7. Where engineering controls are used e.g. local exhaust ventilation (LEV), guarding, interlocks, safety valves etc. ensure that they are adequately utilised and maintained. Many will require specific checks as described in legislation, HSE Guidance or British Standards publications. 
Once the risk controls have been identified, consider what information should be made available, how this will be communicated to those at risk, and what training / supervision will be required. Routinely monitor the control measures you have instigated to ensure that they are effective and implemented correctly.

Record your findings
Record the significant hazards and conclusions and any Safe System of Working (SSW) derived from the Risk Assessment.

Review your assessment
The assessment should be reviewed periodically to ensure it remains relevant and effective, and also if there are any significant changes to the activity i.e. new procedures, substances, machinery, or if there are changes in legislation or an accident, incident or near-miss is reported.


Working Safely at Height

24/12/2016

The Risks of Working at Height
Not surprisingly, working at height remains one of the biggest causes of fatalities and major injuries. Most often, injuries arise from falls from ladders and through fragile surfaces. ‘Work at height’ means work in any place where, if there were no precautions in place, a person could fall a distance liable to cause personal injury (for example a fall through a fragile roof).

In addition to the danger of people falling, objects falling onto people below are a serious hazard. Both may occur as a result, for example, of inadequate edge protection, or from objects in storage being poorly secured.

Workers in maintenance and construction, and many other people in a variety of jobs, could be at risk of falling from height at work, for example roofers, painters, decorators and window cleaners, and those who undertake one-off jobs without proper training, planning or equipment.

Assessing Risks From Working at Height

If work at height cannot be avoided, a risk assessment should be carried out before any work at height is undertaken. The assessment should highlight the measures that must be taken to ensure people are not at risk of falling from height or of being struck by objects falling from height.

Factors to weigh up include the height of the task, its duration and frequency, and the condition of the surface being worked on.
Before working at height, work through these simple steps:
  • avoid work at height where it's reasonably practicable - this means balancing the level of risk against the measures needed to control the real risk in terms of money, time or trouble
  • where work at height cannot be easily avoided, prevent falls using either an existing place of work that is already safe or the right type of equipment
  • minimise the distance and consequences of a fall, by using the right type of equipment where the risk cannot be eliminated
However, it is not necessary to take action if it would be grossly disproportionate to the level of risk.

For each step, always consider measures that protect everyone at risk (such as permanent or temporary guardrails, scissor lifts and tower scaffolds, which do not require the person working at height to act for them to be effective) before measures that only protect the individual (such as putting on a safety harness correctly and connecting it, with an energy-absorbing lanyard, to a suitable anchor point).

Some Do's and Don’ts of Working at Height
Do…
  • as much work as possible from the ground
  • ensure workers can get safely to and from where they work at height
  • ensure equipment is suitable, stable and strong enough for the job, maintained and checked regularly
  • take precautions when working on or near fragile surfaces
  • provide protection from falling objects
  • consider emergency evacuation and rescue procedures
Don’t…
  • overload ladders – consider the equipment or materials workers are carrying before working at height - check the pictogram or label on the ladder for information
  • overreach on ladders or stepladders
  • rest a ladder against weak upper surfaces, e.g. glazing or plastic gutters
  • use ladders or stepladders for strenuous or heavy tasks; only use them for light work of short duration (a maximum of 30 minutes at a time)
  • let anyone who is not competent (who doesn’t have the skills, knowledge and experience to do the job) work at height

And Some Good Practice Advice

Ladders
Ladders are acceptable only for access or work of short duration and should be:
  • erected at the correct angle (4 up to 1 out)
  • secured (preferably at top) or footed
  • positioned close to the work to avoid over-reaching
  • sufficiently protected at the base of any ladder or access equipment to prevent pedestrians or vehicles bumping into them
​
Stepladders
  • always spread them to their full extent and lock them off
  • do not work on the top platform
  • do not use the top tread, tool shelf or rear part of the steps as a foot support
  • only one person should be on the ladder at any one time
  • the ladder must be appropriate and of the correct grade for the intended use
​
Access equipment
  • any hired equipment must be fit for the purpose. Hire contractors must provide information about the risks involved.
  • all access equipment must be properly maintained and regularly inspected
  • those erecting and using access equipment must be competent to do so, and training should be provided where necessary
  • precautions must be taken to prevent the fall of objects or persons
  • do not increase reach by placing ladders on access equipment

Mobile elevated platforms
  • use the platform only on level, firm ground
  • only use the equipment with outriggers and stabilisers
  • work with a trained operator at ground level
  • safety harnesses must be worn while on the platform
  • keep the platform within safe working limits and radius, taking account of wind speeds

Scaffold towers
  • must be erected by a competent person
  • have a height to base dimension ratio not exceeding 3 to 1 indoors, or 2.5 to 1 outdoors
  • have stabilisers deployed as necessary to meet the correct height to base ratio
  • use outriggers or stabilisers if above 2.5 m high
  • have all casters firmly locked before use
  • have ladder access to the working platform
  • never be moved while the tower is occupied
  • be regularly inspected and maintained
​
Safety lines, harnesses and nets
  • Fall restraint and arrest equipment such as nets, airbags and harnesses, etc. should only be considered as a last resort when no other means are reasonably practicable
  • if used, should be erected by trained operatives and tested and inspected regularly
​

Information Classification and ISO 27001

24/12/2016

Information Classification and ISO 27001
Classification of Information lies at the core of any information security system, be it a formal ISO 27001 system or otherwise.

Because most organisations already classify their information, many assume they can import their existing system into ISO 27001 without change. However, existing systems are probably old, often pre-dating computer records, so it is often better to start from scratch and think through what you want to achieve, and how it will work in the context of ISO 27001, before you settle on a system to meet both your and ISO 27001’s requirements.
​
Although classification can be made according to many criteria, the focus of this article is on confidentiality, the most commonly used criterion. To meet the good practice requirements of ISO 27001, information should be entered into an Inventory of Assets (A.8.1.1), classified (A.8.2.1), labeled (A.8.2.2), and finally handled in a secure manner (A.8.2.3).

You may wish to incorporate secondary criteria, such as speed of access.


Classifying Your Information
ISO 27001 does not prescribe a classification policy nor suggest levels of classification, and so rightly leaves it to you to develop your own. Contrary to what you might expect, it does not follow that the bigger and more complex your organisation, the more levels of confidentiality you will have or require. Indeed, the simpler the better, without compromising your information.

However, the needs of government and the private sector can be rather different and in the former case central government may make rules for all government related information users, both public and private sector.

Many organisations use the following classes, with three confidential levels and one public level:
  • Confidential (top confidentiality level)
  • Restricted (medium confidentiality level)
  • Internal use (lowest level of confidentiality)
  • Public (everyone can see the information)

The boundaries of each class are normally determined through risk assessment, where the higher the value of information (that is the higher the consequence of breaching the confidentiality), the higher the classification level should be.

Once the boundaries have been established, organisations usually create ‘rules’ which asset owners within, and without, the organisation are required to follow in classifying the information they own, for example:

Confidential - Information that has significant value and whose unauthorized disclosure or dissemination could result in severe financial or reputational damage, including fines, the revocation of contracts and the failure to win future contracts. Sensitive personal data falls into this category. Only those who explicitly need access must be granted it, and only to the least degree necessary to do their work (the ‘need to know’ and ‘least privilege’ principles).

Restricted - Information that is subject to controls on access, such as only allowing valid logons from a small group of staff. Information defined as Personal Data falls into this category. Disclosure or dissemination of this information is not intended, and may incur some negative publicity, but is unlikely to cause severe financial or reputational damage. Note that larger databases (>1000 records) of Restricted information should be classified as Confidential.

Internal use - Information that can be disclosed or disseminated by its owner to appropriate members of our organisation, partners and other individuals, as the information owner sees fit, without any restrictions on content or time of publication.

Public - Information that can be disclosed or disseminated without any restrictions on content, audience or time of publication. Disclosure or dissemination of the information must not violate any applicable laws or regulations, such as privacy rules. Modification must be restricted to individuals who have been explicitly approved by information owners to modify that information.

Sometimes, organisations may have more than one system where they work for a client, particularly government, who expect their protocols to be followed where government owned information is concerned. For example, the UK Government uses three classifications (note that none are public!):
  • TOP SECRET
  • SECRET
  • OFFICIAL

Useful Links:
  • UK Government - information security classifications
  • Protect and control your key information assets through information classification (Microsoft Whitepaper)
  • A Literature Review of Information Classification Issues, University of Skövde, Sweden
  • Information Classification Standard, London School of Economics

What Makes a Good Auditor?

24/12/2016

Good Auditors Are Key!
Selecting and training good auditors is one of the key tasks in successfully implementing and getting the best from your management system. Any failure to ensure that your business is subject to effective and rigorous auditing leads to no end of problems and costs, and can reduce the management system to no more than just that, a system. To continually improve and get the best value from your implementation, good internal auditing is a must!

So What Makes A Good Auditor? 
Let’s start with “what makes a bad auditor”!

Who hasn’t been frustrated by a pedantic auditor who homes in on unimportant details and misses the bigger picture? Equally depressing is the auditor who comes to you with a big smile on their face, to report how clever they have been in ‘catching you out’ (usually the trait of an external auditor, but not always!). Perhaps you accept it because “well, I suppose they feel they must find something, I suppose it may as well be this”? However, when an auditor fails to acknowledge the positive, and instead highlights a pile of negatives, they leave a trail of "gloom and despondency" in their wake.

Some of you will have encountered auditors who simply don’t listen, and refuse to accept your input. Others actually steer away from difficult areas and don't ask the necessary, and often vital, questions. Such auditors may either hate the prospect of confrontation and will avoid it at all costs, or they are simply not that interested in finding things out and want a quiet life; either way, this attitude is not helpful!

Finally, you may have felt that the auditor is not so much undertaking an Audit, but rather that they are redesigning your system, because, after all, they know what’s most appropriate for your organisation!  

With all of these negatives in mind, let’s start to assemble the positive characteristics of a good auditor:
  • Empathetic; understands the impact of their auditing on the organisation
  • People-person; flexible and intuitive enough to adapt to your style; builds a productive relationship with you by celebrating good practices and collaboratively addressing important problems
  • Strategic; able to utilise the information gained as evidence to support important conclusions; mindful of external forces that impact operations (e.g., evolving technology, legal and regulatory matters, changing economic conditions) and considers them during internal risk assessment.
  • Flexible; the auditor may be expected to show up at the office of a CTO one day in suit and tie, and don a hardhat and steel toe boots on the factory floor the next. Hours and location of work shift from client to client. A good auditor should never expect to show up to the same desk and office day after day.
  • Observant; pays attention to details, and identifies patterns, trends, and errors - whether that be observing the same hashtag repeatedly while reviewing a dozen different router configuration files, or just being an amazing proof reader of reports.
  • Good listener; willing to re-consider their conclusions in light of additional information and explanations provided - however, they will not alter their conclusions to pacify you, but will readily acknowledge any mistakes that they have made.
  • Naturally inquisitive; a good auditor is a polymath and lifelong learner. For example, consider all the areas of expertise an information systems auditor is required to touch upon; this individual will be expected to be familiar not only with Information Systems, but also SDLC processes, Accounting Principles, Legal and Regulatory Matters, Human Resources management and more. 
  • But stays focused; they will understand that they are not the consultant helping to create, and that rather, their role is to rigorously assess the effectiveness of the system to meet the requirements of the relevant standard, and to determine the extent to which the system is being properly implemented.
  • Excellent writer; whilst an auditor’s basic toolkit comprises questioning, listening, making observations, and evaluating evidence, it is very important that the auditor is able to capture their conclusions in a sufficiently detailed report to enable management to understand and accept the findings and conclusions of the audit. Therefore, very good writing skills are indispensable for a good auditor.
If the auditor displays these qualities and characteristics, then you are more likely to engage constructively in an exercise that you know is intended to assist the business. Information can then flow between the two of you, from which an accurate picture of the business can be assembled.

So, if you’re involved in devising/influencing the selection method for new auditors, consider if they display these qualities before hiring them or sending them off on a training course!

The Institute of Internal Auditors has also published a guide to finding the best auditor for your business: 
The 7 Attributes of Highly Effective Internal Auditors

Lastly, Some Insight Into External Auditors:
There are important differences between the roles and behaviours of internal and external auditors; one source of difference is the rules under which external auditors operate. An example of those rules, which often leads to a degree of unnecessary friction, is the reluctance of external auditors to help you ‘fix things’.

The auditor is not being difficult, nor is it an admission that they don’t know how to fix your problem! It is simply that they are not permitted, under their rules, to provide advice. While this may seem curious, the reasons, once you think about it, are obvious:

  • a conflict of interest is created, with you expecting them to agree that the non-conformity is fixed, even if it may not be, and
  • auditors see many problems and many solutions and if they tell you of a novel solution they have gleaned from elsewhere, they would be in breach of their commitment to commercial confidentiality


Getting to the Root Cause of a Non-Conformity

23/12/2016

How do I Get to the Root Cause of a Non-conformity?
Sometimes the root cause of a non-conformity is obvious, but often it isn't. Even if you think it is obvious, there may be something lurking in the shadows! So questions often arise, such as: How do I eliminate possible causes? Am I seeing a symptom of something worse or an outcome? Is there one cause or multiple causes? To uncover the root cause systematically and reliably, and to be certain of the root cause, you need to formally undertake what is commonly termed a 'Root Cause Analysis'.

As with most things there is no 'one size fits all' technique for getting to the root cause, but there are several commonly employed approaches that you can choose from, as the rest of this article explains.

What is a Root Cause Analysis?
A 'Root Cause Analysis' is a means to get to the bottom of a problem or unexpected event. Root cause analyses are important to undertake when your project or product is not what was expected. Root cause analyses aim at improving products or processes and they must be undertaken in systematic ways in order to be effective. The general steps for undertaking a root cause analysis are:
  1. Describe the problem you are looking at
  2. Gather data associated with the problem
  3. Identify potential causes for the problem
  4. Identify which causes you will remove or change in order to prevent repeat problems
  5. Identify solutions that will be effective in preventing repeat problems
  6. Implement changes
  7. Observe the effect of changes to ensure that they have effectively eliminated the problem
There are many techniques that can be used to get to a root cause. You may already be familiar with the "Five Whys Analysis", but the story doesn't end there: there are several other types of root cause analysis - read on and find out about them all!

Five Whys Analysis
This might sound like the technique of a five-year-old wanting to get out of tidying up, but the five whys analysis is a useful and straightforward technique for getting to the underlying causes of a problem. By identifying the problem, and then asking "why" five times - getting progressively deeper into the problem, the root cause can be strategically identified and tackled.


Failure Mode and Effects Analysis (FMEA)
Failure mode and effects analysis (FMEA) is a technique for finding the various modes of failure within a system. Many manufacturing companies utilise this technique. FMEA requires several steps to execute:
  1. All failure modes (the way in which an observed failure occurs) must be determined.
  2. How many times does a cause of failure occur?
  3. What actions are implemented to prevent this cause from occurring again?
  4. Are the actions effective and efficient?
FMEA is often performed and updated any time a new product or process is generated, when changes are made to current conditions, or to the design, when new regulations occur, or when there is a problem determined through customer feedback.


Pareto Analysis
Pareto analysis operates using the Pareto principle (20% of the work creates 80% of the results). You will probably want to use a Pareto analysis whenever there are multiple potential causes to a problem. In order to perform a Pareto analysis, you create a Pareto Chart using Excel or some other program. To create a Pareto Chart, you list potential causes in a bar graph across the bottom - from the most important cause on the left to the least important cause on the right. Then, you will track the cumulative percentage in a line graph to the top of the table. The causes reflected on the table should account for at least eighty percent of those involved in the problem.


Fault Tree Analysis
Fault Tree Analysis (FTA) is another method of getting to the root cause of a problem. An FTA uses Boolean logic to determine the root causes of an undesirable event. This technique is often used in risk analysis and safety analysis. At the top of the fault tree, the undesirable result is listed. From this event, all potential causes cascade down from it. Each potential cause is listed on the diagram in the shape of an upside down tree.


Current Reality Tree (CRT)
The current reality tree analyses an entire system in one go. It is used when many problems exist and you want to get to the root causes of all of the problems. The first step in creating a current reality tree is listing all of the undesirables or problems. For example, you may have the following problems with your computer:
  • the computer keeps crashing when using a particular program
  • the computer often runs slowly
  • the computer sometimes randomly turns off
  • items you save aren't where you expect them to be
Now, what you do next is to begin a chart starting with each of those problems using causal language (if...and...then). The tree will depict each potential cause for a problem. Eventually, the tree will show one cause that is linked to all four problems.


Fishbone or Ishikawa or Cause-and-Effect Diagrams

No matter what descriptor you use for the fishbone diagram, it is a useful technique that will help you in your root cause analysis. A fishbone diagram will group causes into categories including:
  • people
  • measurements
  • methods
  • materials
  • environment
  • machines
Depending on the industry you work in, you may use different categories such as The 4 M's (manufacturing), The 4 S's (service) or the 8 P's (also service). The diagram gets its name from the fact that it looks like a fishbone, with categorised causes and their sub-causes visualised.

Kepner-Tregoe or Rational Process Technique
The Kepner-Tregoe technique, also known as "Rational Process", is intended to break a problem down to its root cause. This process begins with an appraisal of the situation - what are the priorities and orders for concerns for specific issues? Next, a problem analysis is undertaken to get to the cause of undesired events. Then a decision analysis is undertaken, outlining various decisions that must be made. Finally, a potential problem analysis is undertaken to ensure that the actions decided upon are sustainable.

Rapid Problem Resolution (RPR)
One more technique used in root cause analyses is "Rapid Problem Resolution" and it deals with diagnosing the causes of recurrent problems. This process has three phases:
  1. Discover - team members gather data and analyse their findings.
  2. Investigate - a diagnostic plan is created and the root cause is identified through careful analysis of the diagnostic data.
  3. Fix - the problem is fixed and monitored to ensure that the proper root cause was identified.


“Life Cycle Perspective” and ISO 14001

22/12/2016

Lifecycle Perspective (LCP)
The use of the term “Life Cycle Perspective” (LCP) in ISO 14001:2015 is one of the bigger changes in the most recent revision. ISO have included the requirement to consider environmental impacts from a 'Lifecycle Perspective' because:

“A systematic approach to environmental management can provide top management with information to build success over the long term and create options for contributing to sustainable development by controlling or influencing the way the organization's products and services are designed, manufactured, distributed, consumed and disposed by using a life cycle perspective that can prevent environmental impacts from being unintentionally shifted elsewhere within the life cycle.”

So, the purpose of taking a lifecycle perspective, at least in part, is to prevent the unintentional transfer of environmental impacts to elsewhere in the supply chain. 

Lifecycle Perspective vs Lifecycle Assessment
The definition of life cycle given in ISO 14001 is:

“Consecutive and interlinked stages of a product (or service) system, from raw material acquisition or generation from natural resources to final disposal. Life cycle stages include acquisition of raw materials, design, production, transportation/delivery, use, end-of-life treatment and final disposal.”

If you have a background in environmental management you may be thinking "Oh no, not a lifecycle assessment!", but don't worry, that is a whole other topic as ISO make clear in A6.1.2:

“When determining environmental aspects, the organization considers a life cycle perspective. This does not require a detailed life cycle assessment; thinking carefully about the life cycle stages that can be controlled or influenced by the organization is sufficient. Typical stages of a product life cycle include raw material acquisition, design, production, transportation/delivery, use, end-of-life treatment and final disposal. The life cycle stages that are applicable will vary depending on the activity, product or service.”

While a full lifecycle assessment (taking as an example the case of a manufactured product, a lifecycle assessment involves making detailed measurements during the manufacture of the product, from the mining of the raw materials used in its production and distribution, through to its use, possible re-use or recycling, and its eventual disposal) isn't required - relief all round! - ISO does expect you to adopt a lifecycle perspective because:

“Some of the organization’s significant environmental impacts can occur during the transport, delivery, use, end-of-life treatment or final disposal of its product or service. By providing information, an organization can potentially prevent or mitigate adverse environmental impacts during these life cycle stages. The organization considers the extent of control or influence that it can exert over activities, products and services considering a life cycle perspective.”

And ISO 14004 provides some additional background:

"A life cycle perspective includes consideration of the environmental aspects of an organization’s activities, products, and services that it can control or influence. Stages in a life cycle include acquisition of raw materials, design, production, transportation/delivery, use, end of life treatment, and final disposal.

When applying a life cycle perspective to its products and services, the organization should consider the following:
  • the stage in the life cycle of the product or service,
  • the degree of control it has over the life cycle stages, e.g. a product designer may be responsible for raw material selection, whereas a manufacturer may only be responsible for reducing raw material use and minimizing process waste and the user may only be responsible for use and disposal of the product,
  • the degree of influence it has over the life cycle, e.g. the designer may only influence the manufacturer's production methods, whereas the manufacturer may also influence the design and the way the product is used or its method of disposal,
  • the life of the product,
  • the organization’s influence on the supply chain,
  • the length of the supply chain, and
  • the technological complexity of the product.
The organization can consider those stages in the life cycle over which it has the greatest control or influence as these may offer the greatest opportunity to reduce resource use and minimize pollution or waste.”

What ISO 14001 Requires
ISO 14001 requires that a life cycle perspective be taken, in two places in the standard:

"6.1.2 Environmental aspects
Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective."

“8.1 Operational Planning and Control 
Consistent with a life cycle perspective, the organization shall:
  1. establish controls as appropriate to ensure that its environmental requirement(s) are addressed in the design and development process for the product or service, considering each stage of its life cycle;
  2. determine its environmental requirement(s) for the procurement of products and services as appropriate;
  3. communicate its relevant environmental requirement(s) to external providers, including contractors;
  4. consider the need to provide information about potential significant environmental impacts associated with the transportation or delivery, use, end-of-life treatment and final disposal of its products and services.”

Integrating 'Lifecycle Perspective' into your EMS
The actual requirements in ISO 14001:2015 are short, but can have a big influence on how you identify environmental aspects and how you control those aspects.

To meet these requirements, you need to expand your view of the impacts derived from your products and services beyond your own boundary. You need to look down your supply chain to understand the environmental impacts caused by your suppliers and those supplying your suppliers. In doing so, you may be able to identify environmental impacts of which you had previously not been aware. Similarly, you will need to look up your supply chain to identify environmental impacts that derive from the use of your products or services by your customers or end users.

Armed with this new information you can then consider what, if any, control or influence you have over these supply chain environmental impacts. Once these up chain and down chain impacts have been identified, ISO 14001 expects you, where practicable, to endeavor to address the environmental aspects that are causing these impacts. How you choose to address these life cycle aspects will depend on several factors including:
  • the level of risk the aspect presents to the organisation
  • the level of risk the aspect presents to the environment
  • the degree of influence or control that you have over the environmental aspect
The amount of control or influence that you have over life cycle aspects depends on:
  • how far the aspect is up or down the supply chain
  • how a design change might affect the performance or cost of the product
  • who controls the design of the product or service
You are also expected to use a life cycle perspective when you are reviewing the potential environmental impacts and aspects from outsourced processes that are performed by other organisations on your behalf.

This change in perspective can change what you do to reduce impacts, and in a good way!


Risk Based Thinking and ISO 9001

22/12/2016

The Need for Risk Assessment
Risk management is a tool that helps you measure levels of risk in an operational context. It is repeatable and objective, allowing you to replace an otherwise subjective “gut sense” with a more analytical decision-making approach. Furthermore, it’s easy to understand for people who aren’t directly involved in the process. Risk assessment helps drive change. It enables you to build alerts for critical events and develop guidelines and solutions for risk levels that are unacceptable.

However, it’s important to note that risk assessment is a tool, not a solution and that context is critically important. For example, someone on the shop floor might consider something a critical risk, whereas the senior management team might take a more sanguine view in the larger context of operations. So it’s a good idea to have a broad team in place to vet your risk assessment process to ensure you’re achieving the right results and to keep an open mind, so that as your operations change, or as more data accumulates, you adjust your levels of acceptable risks accordingly.

ISO 9001:2015 and Risk Based Thinking
ISO 9001:2015 includes a component of risk-based thinking that involves both the operatives and the leaders within your organisation, and it focuses on a companywide commitment to quality that is championed and brought about by leaders. How can that be done using a centralized system, and where does risk fit in? There are two sections where risk appears in the standard, leadership and planning.

Leadership
ISO 9001:2015 is designed to create a companywide approach to quality, and expects leaders to be directly involved.

Although some leaders might not “speak quality,” they definitely “speak risk”. That’s why the standard encourages the concept of “risk-based thinking.” This refers to a coordinated set of activities and methods that organisations use to manage and control the many risks that affect their ability to achieve objectives. Risk-based thinking replaces what an earlier version of the standard called preventive action.

Planning
This section is where preventive action used to be and is now replaced with managing risks and opportunities. It’s important to note that ISO 9001:2015’s take on risk is simple and doesn't amount to a directive to go out and build an all-embracing enterprise risk management program, or change all of your processes to comply with the requirements.

The standard directs organisations to “promote” risk-based thinking, which is fairly broad and open to interpretation. Every organisation should evaluate its own processes in light of the risks specific to its situation.

In a nutshell, the planning section simply promotes an approach whereby risk management is an objective process that can be repeated and standardised. To implement this approach you first identify the risks in your operations, then determine how you’re going to measure those risks. Once you are clear which risks can be avoided and those that need further control, you can work out treatment options for those risks, implement actions and controls to address each risk and then monitor the outcomes to ensure that the controls that you have put in place are effective and sustainable.


'Work Instructions' - What are they, and when do you need them?

22/12/2016

What is a 'Work Instruction'?
While Doxonomy provides the top level Management System Manual and its associated Procedures, every organisation will have 'tasks' that are specific to them, and which underpin the management system procedures to ensure that they are undertaken properly and reliably. Those tasks, by their very nature, will typically need to be documented by the people who perform the actual work.

Those documented tasks are typically called 'Work Instructions' in manufacturing. But other terminology is also used, such as 'Operating Procedure' (a term used in some ISO Management System Standards, which we find confusing!) and 'Management Instruction'.

Work Instructions are not even mentioned in ISO 9001:2015. Nonetheless there are few management system tools that are either simpler or more effective in reducing non-conformities and preventing human error.


When are Work Instructions Required?
It is a common misconception that every task in an organisation needs to be documented in a work instruction. Work instructions are only required where there is not enough information at the Procedure level to ensure the management system is effective or where training is not sufficient to ensure the operator has enough knowledge to do their job consistently and correctly.

However, where you do add work instructions to your management system, then they become controlled documents and must be maintained and managed as such!

Work Instructions can come in many forms: flowcharts, checklists, text procedures, diagrams, photographs etc.

Here are some criteria that might help you decide if/when/where work instructions are necessary:
  • infrequent tasks – if a job is performed very infrequently, it is possible that staff will require work instructions
  • important tasks – if a job is very important or high risk, it may need to be defined in a work instruction
  • complicated tasks – if a job requires many or complicated steps it may require a work instruction
  • tasks where any of the following characteristics are present would probably benefit from a work instruction:
      - staff are unsure
      - errors are frequent
      - regular inspection is required
      - novices could not do the work
      - consistency is important
      - supervision is required
      - mistakes are time consuming and difficult to fix
      - specialised training is required

However, complexity in itself is not an indicator of the need for a work instruction. Bear in mind that:
  • low complexity - baking a cake where every box of cake mix has the recipe (work instructions) printed on it
  • medium complexity - driving a car where there are no work instructions, but instead rules and training
  • high complexity - brain surgery where you would not want to hear your doctor ask for work instructions as you were going under anaesthetic, but instead want a highly trained individual who can think through any problems rather than looking to a manual!
