SaferPak: Food Packaging Safety, Food Safety, Business Improvement and Quality Management

Eager to be legal! - Management systems and legislation
By David Powley - DNV Certification

"Ignorance of the law excuses no man - not that all men know the law"
John Selden (1584 - 1654)

An intended attribute of risk-based management systems (MS) is compliance with any appropriate regulatory framework. David Powley of DNV Certification explains this and offers basic advice on how the management system can be used to full effect as well as withstand an independent certification audit.

A management system can be regarded as a device to manage risks facing an organisation - one such risk is that of falling foul of the law. Certification to the various specifications for Quality, Environment and Safety & Health (QESH) requires or assumes a capability to understand any legal requirements and thereafter deliver relevant regulatory compliance.

The specifications ISO 9001:2000, ISO 14001:1996 and OHSAS 18001:1999 all have suitable wording to support this. Apart from being within the Scope of each, their clauses tend to weigh in with the need to appreciate and meet the governing regulatory framework (see Table 1). In all three specifications there is the need to understand the governing legislation and feed its requirements into the setting of objectives, the adoption of suitable procedures and the carrying out of design and development processes, depending on whichever specification is considered. However, ISO 14001 and OHSAS 18001 have a clear demand to periodically monitor compliance with legislation. The explicit requirement to do this for ISO 9001:2000 is curiously absent, but if one accepts that the fundamental rider 'to demonstrate conformity of the product… ' (Ref. clause 8.1) strongly implies it, then doing so would be sensible. After all, many customers assume (sometimes without basis) that someone in the supplying organisation is self-monitoring compliance with the quality-related law associated with the product or service being delivered.

Table 1. Clauses in the three specifications that refer to the regulatory framework

| | ISO 9001:2000 | ISO 14001:1996 | OHSAS 18001:1999 |
|---|---|---|---|
| Policy commitment | 5.1 insists that 'Top management shall provide evidence of its commitment by…communicating to the organisation the importance of meeting customer as well as statutory and regulatory requirements' | 4.2 demands a policy commitment 'to comply with relevant environmental legislation and regulations…' | 4.2 requires the policy to 'include a commitment to at least comply with current applicable OH&S (occupational health & safety) legislation…' |
| Identifying requirements | 7.2.1 wants an organisation to 'determine statutory and regulatory requirements related to the product…' | 4.3.2 requires a procedure 'to identify and have access to legal and other requirements….' | 4.3.2 wants an organisation to 'establish and maintain a procedure for identifying and accessing the legal ……requirements that are applicable to it' |
| Objectives and design | 7.3.1 requires that design and development inputs include 'applicable statutory and regulatory requirements' | 4.3.3 says that 'When establishing and reviewing its objectives, an organisation shall consider the legal and other requirements…' | 4.3.3 demands that 'When establishing and reviewing its objectives, an organisation shall consider its legal and other requirements…' |
| Monitoring compliance | (no explicit requirement) | 4.5.1 requires an organisation to 'establish and maintain a documented procedure for periodically evaluating compliance with relevant environmental legislation and regulations'. | 4.5.1 requires monitoring of compliance with 'applicable legislation and regulatory requirements'. |

So what do we have so far? Well, it would appear that when looking at the meaning within all of the Standard-speak there are essentially two main demands on an organisation. These are:

1. Understand and react to the governing regulatory framework and
2. Periodically check compliance with it.

1. Understanding and reacting to the regulatory framework
This process is one of gathering and reacting to information and comprises a number of sub-processes which have similarities to those which intelligence agencies and well-managed marketing functions adopt. The sub-processes are collection/collation, interpretation, dissemination and reaction (summarised in Fig. 1).

Fig. 1. Understanding and reacting to the regulatory framework: collection/collation, interpretation, dissemination and reaction.

a) Collection/collation - 'getting it and putting it all together'
Currently there are masses of opportunities to access legal information via the Internet, journals, regular subscription to information sources and so on. Membership of trade associations and involvement with industry or profession-based technical committees also offer opportunities to access the knowledge. Too much rather than too little information can be the problem, and most organisations suffer from overload. Some organisations keep copies of the regulations as well as using a 'register' to show that they have carried out the collection/collation sub-process. An example of this 'registration' is arranging the database (paper or electronic) of regulations such that they are conveniently linked to the relevant QESH hazards/risks/aspects. Some examples are:

For environment, the legislation meant to protect watercourses may appear in a register under 'discharges to the aquatic environment'.

For safety & health, the legislation intended to control the risk of occupational noise-induced hearing loss may conveniently fall in with 'energy hazards'.

For a quality MS it could be the case that legislation is grouped according to quality-critical aspects, but this may not be convenient. The tendency therefore would be to group all under 'product quality'. This may not be such a bad thing; after all, industry sectors that are product-quality regulated do tend to have a specific or confined product regulatory framework, e.g. food, pharmaceuticals, water, medical devices, toys etc.

A point worth noting here is that quality of information is more important than quantity: it is not a good idea to include statutory instruments that are obviously not applicable. Third-party auditors will tend to question capability in these instances.
Another point worth noting is that some organisations may want to include legislation governing their 'supply side' (i.e. supplying industries, sub-contractors etc.) and 'customer side' for good strategic reasons. A third-party audit (TPA) generally reveals that most organisations with quality, environment or safety & health management systems handle this sub-process very well, but having access to the information, or copies of the regulations or registers, is not the end game!

b) Interpretation - 'what does it all mean to us?'
At some stage the organisation, through its appointed personnel, must decide on the meaning and applicability (to the organisation) of the legislation, as well as considering the implications of amendments. Also, as above with regard to suppliers and customers, the interpreters may care to consider the existing and developing regulatory framework of these parties, again for good business reasons.

This interpretation sub-process requires some expertise, which an auditor will always look for during a TPA. This can be assessed through evaluation of the experience or training of the person(s) responsible, and by actually considering whether a sample piece of legislation was interpreted in the correct manner. However, it is all very well understanding and interpreting legal information, but what is done with it?

c) Dissemination - 'communicating it to those who need to know'
This is where many organisations can fall short. It does not mean handing over copies of statutory instruments to operational personnel or quoting directly from legal documents, which of course have their own idiom that baffles most normal people! The appropriate content of the legislation should be communicated in a comprehensible form to the personnel most affected. The approaches to communication may differ for different levels of employee, not because of capability to comprehend but because of the differing ways in which they may be affected.

The main requirements of the trade effluent discharge consent (e.g. limits, volumes etc.) should be understood by the supervision or management of the site's effluent treatment process. The main points of legislation governing the risks associated with the occupational use of hazardous substances should be communicated in a user-friendly way and within the context of the particular hazardous substances being used and those at risk. Similarly, in the water supply industry the main appropriate elements of legislation governing the quality of water destined for human consumption may be communicated in different ways depending on whether the audience is management, technical or operational. Doling out pieces of paper in the hope that they will be read hardly satisfies. A communication job can be regarded as successful only when it is certain that the recipients understand. A TPA will always evaluate whether there has indeed been communication to those who need to know.

d) Reaction - 'doing something about it'
This means complying with the applicable regulatory framework. What counts here is setting and working towards improvement objectives wherever there is evidence of non-compliance or, alternatively, maintaining the use of appropriate procedures in order to ensure that existing compliance continues.

For improvement objectives the TPA auditor will check that there is a high degree of intention and commitment that achieves or would achieve that improvement. In the case of management by use of appropriate procedures, the auditor will check compliance with these procedures (e.g. the operating instructions of the effluent treatment plant, written schemes for pressure systems etc.).

2. Periodically checking compliance with legislation
The most efficient way of checking compliance with legislation is via the internal or first-party audit. For example, there is nothing more powerful or revealing than a line-by-line compliance audit of the requirements set out in licence conditions such as Discharge Consents, Process Authorisations, Site Licences and other statutory conditions. Similarly, compliance with safety & health legislation can be checked by auditing against the legislation itself or, better still, any approved codes of practice associated with it. Legislation governing the quality of critical materials such as food, water and pharmaceuticals usually specifies the approved testing and analytical methods. This can be internally audited not only to check that the correct methods are being used but also to establish the level of compliance with them.

The internal audit is ideally suited to checking regulatory compliance, and it is somewhat mysterious when it is not used in these circumstances. Any deviations (or non-conformances) found at audit would then be the subject of corrective action. In some cases it may be assumed that certain deviations are acceptable. At the TPA, be prepared to justify these, preferably by prior approval from regulators. Why? Certification of environmental and safety & health management systems, at least, is granted on the basis of 'a capability to deliver regulatory compliance'. Third-party auditors home in on this by also auditing compliance with regulatory conditions such as the items already mentioned. It is their way of deciding whether there is indeed a capability to deliver regulatory compliance.

Apart from the internal audit there may be other preferred ways of checking compliance, but whatever method is used, the TPA will want to see that some form of meaningful self-evaluation is carried out by the organisation.

An organisation does not need prompting from management system specifications to meet legal requirements. The main motivation will come from the need to protect the 'holy trinity' of QESH integrated management, i.e. people, prosperity and reputation. Nevertheless, the specifications and the management systems derived from them do offer convenient vehicles to enable this. The above is merely a brief and simplistic account of a subject deserving more detailed explanation. However, it is hoped that readers will realise that the relationship between management systems and legislative compliance represents something more useful than accumulating information that is not reacted to. It means enabling an organisation to actually comply with the law.


David Powley is a well recognised and highly experienced integrated management systems Auditor and Trainer with DNV Certification. He is the author of numerous articles on management systems for quality, environment and health and safety. DNV Certification is one of the world’s leading certification bodies/registrars offering the latest in management systems certification services. With more than 49,000 certificates issued worldwide, our name evokes a strong commitment to safety, quality, and concern for the environment. DNV recently launched Risk Based Certification™, a fresh approach to auditing. For further information on Risk Based Certification or any other service DNV offer please visit www.dnv.co.uk/certification or call 020 7716 6543.

© 2006 SaferPak Ltd.