hygiene zone
quality tools
quality techniques
human issues
quality awards
quality extra
visitor tools


Stay Informed
Sign up below to receive our Occasional Newsletter.

We Respect Your Privacy!

Web SaferPak
SaferPak: Food Packaging Safety, Food Safety, Business Improvement and Quality Management
       Home     About     Contact

Is ISO 9001:2000 green and safe?
By David Powley DNV Certification Ltd

Is ISO 9001:2000 green and safe?

To put the question more sensibly, albeit soberly and verbosely, ‘To what degree can a management system that is based on ISO 9001:2000 be integrated or harmonised with those based on the standard ISO 14001:1996 (for environmental management) and the quasi-standard OHSAS 18001:1999 (for health & safety management)’? In this sense, is the 2000 version more appropriate than its 1994 predecessor?

The short answer is that the wording of ISO 9000:2000 facilitates this integration and more so than its predecessor. However there are three issues (relating to management systems and their standards) that should be appreciated by an organisation before providing a breakdown to this answer. These are (i) the organisational structure and responsibilities, (ii) the approaches to identifying, managing and monitoring the quality, environmental and safety & health (QESH) risks and (iii) recognising the associated relevant interested parties of the company.

(Note: QESH risks can be taken to mean quality critical aspects, significant environmental aspects and significant health & safety hazards and risks).

Prior to discussing these three issues it is worth considering the meaning of the term ‘integration’. Within the context of management systems, integration can be taken to mean a combining of all descriptions, mechanisms and regimes into one management system to an extent where a degree of efficiency of effort is achieved.

i) The organisational responsibilities of an entity have influence on the ease of integration. Too often the discussion on integration has been only at the level of the way in which the system and its planned arrangements (e.g. manual, documented procedures etc) are described – in other words the ‘paper’ aspects of the management system. The need for an integrated system description is significant but, more importantly, experience has shown that if the company is not ‘integrated’ a less efficient situation will ensue. Just one classic example symptom of this can be found in cases where representatives for the management of quality, environment and health & safety are different people in different reporting lines and do not communicate adequately with each other. Again based on experience, the better possibilities for QESH integration are found where the responsibility for the co-ordination of the management of quality, environment and health & safety ‘comes together’ or coincides at a management level (with supporting expertise) reporting to the chief executive officer of the organisational entity. To expect a junior employee, with little or no authority, to bring about the integration of a QESH management system is very ambitious and unrealistic. This subject is important and deserves more consideration than is possible within this article.
ii) The approaches to identifying, managing and monitoring QESH risks need to be sound and rational in order not only to demonstrate adequacy at a third party audit but far more importantly to show a due diligence with respect to relevant interested parties (see below). Logical gathering of data and evidence represents this due diligence related to the QESH risks together with appropriate decision-making and responses to this data and evidence.
iii) The relevant interested parties can vary depending upon the QESH risks. For environmental management the directly important parties are regulators and the environment itself, whereas for quality the ‘customer is king’ although there is a sound argument for including the potential customer base. For health & safety management the employees and any persons effected by the organisation’s activities would be the logical direct and relevant interested parties. The pertinent regulator would also figure as a relevant interested party for a health & safety management system. An overriding intention of an integrated management system of an organisation could be to manage and enhance the relationships with the relevant interested parties such that the organisation’s people, reputation and prosperity are not adversely affected.

With these issues appreciated, the potential for integration of systems based on ISO 9001: 2000, ISO 14001:1996 and OHSAS 18001:1999 can be discussed with respect to a few management system elements.

a) Identification of risks and quality critical aspects
The specifications for environmental and health & safety management have their well known respective stages (sub-clause 4.3.1) for maintaining procedures for identification (and understanding) of hazard/risks/aspects. This is essentially asking for a process that logically identifies risks both on a potential and an evidence-basis. But where is the corresponding and equivalent opportunity for a similar process in ISO 9001:2000? Although there is no single defined stage, the need to perform this for quality aspects is abundantly present in the document. Consider the following relevant requirements:

Clause 4.1 wants the organisation to ‘identify the processes needed for the quality management system….’
Clause 5.2 (Customer focus – an important phrase) has it that ‘Top management shall ensure that customer requirements are determined…’.
Sub-clause 5.6.2 (Management review – Review input) requires a consideration of a range of data sources related to quality criticality such as customer feedback, process performance, changes etc.
Clause 7.2 has a raft of equivalent (to risk identification) actions in ‘Customer-related processes’.
Probably the subtlest area of ISO 9001 requiring a kind of quality critical risk assessment is sub-clause 8.5.3 (Preventive action) where ‘The organisation shall determine action to eliminate the causes of potential non-conformities in order to prevent their occurrence’. In other words an incident or condition need not have occurred yet the organisation is asked to be pre-emptive and pro-active about likely causes.

For the purposes of integration, an organisation may use similar principles and methodology for risk/aspects identification whilst always of course keeping in mind the differing decision-making criteria and relevant interested parties. The requirement to understand quality critical situations was only implicit in the 1994 version. There is enough to suggest that this is made more explicit in ISO 9001:2000.

b) Regulatory framework

The specifications for environment and health & safety, at their respective sub-clause 4.3.2, require a process for gaining information on the regulatory framework. This is obviously necessary – the understanding of the regulatory framework is the first step to minimising the risk of a legal breach. There are many instances where quality of product or service is inextricably linked to regulatory compliance, which in turn has linkage with customer requirements – the food, medical devices and water management industries are just some of the many.

ISO 9001:2000 at sub-clause 7.2.1 (Determination of requirements related to the product) demands the organisation to ‘…determine statutory and regulatory requirements related to the product…’.

It is true that any sensible organisation providing a product within a legal framework would have provision for this and that this stated requirement in the ISO 9001 standard was almost superfluous. However such processes for keeping up-to-date with quality-related legal knowledge have hitherto been considered to be outside of the domain or control of the quality management system. The efficiency of integration can mean that similar processes to those used for health, safety and environment (HSE) management can be formalised and embraced by the integrated system.

c) Objectives, targets and continual improvement
ISO 14001 and OHSAS 18001 at clause 4.3.3 require an organisation to set objectives and targets and the associated supporting guidance uses terms such as ‘measurable’ targets and ‘quantifiable’ objectives. The objectives and targets are set, of course, after consideration of the risks to legal position as well as significant environmental aspects and health & safety hazards and risks. As such these HSE standards are regarded as being ‘dynamic’ with recognition that there should always be an opportunity for continual improvement.

ISO 9001/2:1994 barely mentioned objectives and neither did it give any indication of what form they should take or what considerations should be made when setting them. It gave the impression of being a ‘static’ standard without any accommodation of continual improvement.

This is not the case with ISO 9001:2000. The concept of continual improvement is apparent at many points.

Clause 5.3 (Quality policy) demands a policy that ‘provides a framework for establishing and reviewing objectives’ and a commitment to ‘…continually improve the effectiveness of the quality management system’.
Clause 5.4.1 (Quality objectives) requires that quality objectives be set and that they be measurable.
Clause 5.4.2 (Quality management system planning) wants the top management to ensure that ‘the planning of the quality management system is carried out in order to meet…the quality objectives….’. The management review at clause 5.6.2 wants ‘recommendations for improvement’ and at 5.6.3 ‘improvement of product related to customer requirements…’.
Clause 8.5.1 (Continual improvement) looks for improvement in ‘the effectiveness of the quality management system through the use of …quality objectives…’.

The processes for setting objectives and targets for all three current standards for QESH may have a resemblance to each other whilst bearing in mind that each standard associates with different relevant interested parties. However it is interesting to note the level of convergence in some instances. For example, in the management systems of organisations in environment front-line sectors such as environmental consultancy and wastes management, the same objectives may satisfy the requirements of both ISO 14001:1996 and ISO 9001:2000 simply because the concerns of the relevant interested parties tend to merge.

d) Assurance of people capability
A most welcome development within ISO 9001:2000 is acceptance that training and possession of training records is only part of the process of assurance of people capability for the provision of product quality. The text in the standard is an improvement on that which was in the 1994 version which tended to encourage a belief, especially for auditors, that the availability of training records was the sole evidential device for capability assurance.

ISO 9001:2000 recognises that people capability represents more than this. Consider sub-clause 6.2.1 (a general section of clause 6.2 Human resources) where it has it that ‘Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training skills and experience’. In addition sub-clause 6.2.2 (Competence, awareness and training – the terms used are significant!) has a requirement for the organisation to ‘…determine the necessary competence for personnel performing work affecting product quality…’. More evidence of this recognition can be found in the guidance note 2 at clause 4.2 (Documentation requirements) where it claims that the ‘extent of the quality management system documentation can differ from one organisation to another due to …the competence of personnel’.

It should be appreciated that competence in a discipline can go a long way to ensuring QESH risk management. A capable chemical or civil engineer having maintained awareness and competence within the respective discipline is less likely to create adverse QESH risks and consequences and so specific quality, environmental or health and safety training may not be necessary.

Auditors (external or otherwise) of management systems intended to meet ISO 9001:2000 are therefore now expected to make judgement on the competence of personnel, if this was not the case before.
Auditors of systems meeting ISO 14001 and OHSAS 18001 would not find this unfamiliar. The HSE management system is expected to ensure that personnel (whose tasks may impact on occupational safety & health in the workplace or can cause significant environmental impacts) are competent with respect to training, education and/or experience.

e) Documentation needs
It was indicated earlier that the documentary angle was not the most important issue when discussing integration of management systems - nevertheless it does have its place.
ISO 14001 and OHSAS 18001 specify only some instances where it is obligatory to have documented procedures. This is also the case with ISO 9002:2000 which is consistent with its stance on more reliance on competence (see earlier) and is quite a departure from its 1994 predecessor which unnecessarily insisted on a documentary approach to just about every sub-clause. So now, with the exception of mandatory situations, the need for a written procedure is left to discretion, which is how it should be.

However this discretion should be exercised well before enthusiastically heading for the shredder or selecting the delete option! A documented procedure is usually necessary when the absence of it is likely to present a risk. There are several examples where written prescriptions tend to offset risks. Consistency (which is aided by written description) of certain operations may go some way to maintenance of product quality or performing an activity in a certain allowed fashion may reduce the risk of a HSE legal breach etc.

There is another good reason for the documenting of a procedure and that is to facilitate the auditing of that procedure. It is true that an expert auditor does not always need to be facing a written description of a procedure in order to perform even a compliance-type audit on it. It is equally true to say that it is likely to take longer to perform a competent audit of a procedure without a written description of it.

The above important system elements are just some where the wording of the standards ISO 9001:2000 and ISO 14001:1996 and the quasi-standard OHSAS 18001 have commonality. There are others but successful and true integration of management systems that are intended to meet them is facilitated with appreciation of other issues. These being the organisational structure of the company, its quality, environmental and health & safety risks and the associated relevant interested parties. However the alignment of the themes and text of the standard for quality and those for health, safety and environment should be welcomed by those who seek the efficiency and holistic approach that is brought about by the integration of management systems.


David Powley is a Principal Lead Integrated Management Systems Auditor for DNV Certification Ltd. He is a Chartered Chemist and Member of the Royal Society of Chemistry, Member of the Institution of Occupational Safety and Health, a Principal Environmental Auditor with the Institute of Environmental Management & Assessment, a registered Lead Auditor with the International Register for Certificated Auditors scheme for quality management systems and Lead Verifier for EMAS. David has produced many published articles on management systems for quality, environment and health & safety and their integration, being regarded as a pioneer on the subject of integration. He is currently finalising an experienced-based book on the subject of integrated management systems. David can be contacted on dave.powley@dnv.com







Back to previous page









top of page


home :: about :: contact :: terms

© 2006 SaferPak Ltd.