30 years in the Quality field including experience as QA Manager for a Fortune 100 company and as a Quality System Certification auditor for the top Registrars in the field - plus over 10 years of Information Technology Management in dual roles.
Specialties: ISO 9001 Quality, ISO 14001 Environmental, OHSAS 18001 Safety, ISO/IEC 27001 Information Security, RAB QSA Certified Assessor
Are you in the midst of implementing 9001? Are we ever not in the midst of it?
I’d like to begin a series of posts on implementing 9001 – or any management system, from scratch. It will be focused on 9001, based on the draft of the next version of it in fact, but it should be well applicable to any management system; quality, environmental or information security – pick your flavor.
Where should one begin? Document control? Internal audits? The bones of a nice corrective action system? So many choices…
I audit these systems on a daily basis, finding the folly alongside the fabulous. I’ll do what I can to make it a worthwhile read.
If you’re a current implementor, please – let us know any challenges you are having.
I should probably make apologies to Stephen Covey for using his book title (but it does provide me an opportunity to plug a very good resource – click it!).
During a recent audit, it happened that a lapse within an organization’s OSHA compliance was observed. When I say “observed”, I don’t mean to imply it was an observation – it became a non-conformance.
This is a particularly good company, by the way – they do better than most with much of their process. But I’m here with the requirements of ISO 9001 in one hand, and the snapshot of what is happening in their company at that moment in the other.
OSHA does a fair amount of enforcement themselves – they audit companies too. So, where does the management system auditor come in?
And quickly, particularly for those of you in other countries, OSHA is short for “Occupational Safety & Health Administration”. The meat of their mission is to assure safe working conditions by setting and enforcing standards.
An OSHA finding by an ISO 9001 Auditor??
And that’s the question. It often takes the client by surprise when I spring the HazCom card on them, and nobody likes surprises – particularly not I. It isn’t good for business – and it isn’t nice.
“How can you write me up for OSHA in 9001? This isn’t 18001! I just had my OSHA guy in last week and he found nothing.”
It’s an emotional activity sometimes; this business of poking holes in someone else’s presumably good pie. We all take pride in what we do.
Two Hooks
First, what’s the requirement? How exactly do you find the OSHA in 9001? That’s a two-parter; one is the OSHA regulation and the other is the ISO clause that hooks into it.
OSHA CFR
OSHA has its Code of Federal Regulation and it is, in a word, beastly. It is divided into 50 titles that represent broad areas subject to federal regulation. It is close to 180,000 pages, including a 1,000-plus page index. For comparison, all the books in Game of Thrones total just over 4200 pages – though I think more people die in Game of Thrones.
Except for some exceptions that will rarely apply, it parses to:
“…the employer shall ensure that each container of hazardous chemicals in the workplace is labeled, tagged or marked with the following information:
(i) Identity of the hazardous chemical(s) contained therein; and,
(ii) Appropriate hazard warnings, or alternatively, words, pictures, symbols, or combination thereof, which provide at least general information regarding the hazards of the chemicals, and which, in conjunction with the other information immediately available to employees under the hazard communication program, will provide employees with the specific information regarding the physical and health hazards of the hazardous chemical…”
Secondary Containers
The real issue is usually around “secondary containers”. These are not the containers that a chemical comes in – those are often correctly labeled from the manufacturer – it is the container that is used either to transport the chemical to the point of use, or the container it is temporarily stored in, or refilled into, that wasn’t originally used to store the chemical.
What kinds of chemicals are we talking about? Well, everything from water to cleaning agents to MEK (methyl ethyl ketone – unpleasant stuff). In most facilities I find various oils, alcohols of all kinds, acetone occasionally, solder flux, coolants.
Usually the more dangerous items have been taken care of – though lack of diligence or awareness in one area can bleed into others.
Globally Harmonized System (GHS)
Because it was recently implemented as a change to how chemicals are labeled, I will cover it here. When OSHA adopted the Globally Harmonized System (GHS) in 2012, it wasn’t immediately clear how changes to labeling rules would affect the workplace.
The latest guidance from OSHA shows that the general requirements for workplace labeling have not changed. When it comes to secondary container labeling, OSHA said organizations can proceed as usual as long as they are adequately informing employees about hazardous chemicals.
“If an employer has an in-plant or workplace system of labeling that meets the requirements of HazCom 1994, the employer may continue to use this system in the workplace as long as this system, in conjunction with other information immediately available to the employees, provides the employees with the information on all of the health and physical hazards of the hazardous chemical,”
Clarence is a Secondary Container for cat food.
What Labeling is Acceptable?
According to OSHA, as long as employees have immediate access to all information about the hazards of the chemical, and as long as secondary container labels do not conflict or confuse GHS pictograms or signal words, employers can use a workplace labeling system that includes any of the following labeling methods:
Signs
Placards
Process sheets
Batch tickets
Operating procedures
Other written materials to identify hazardous materials
The generally accepted approach to this is the HazCom label, but some combination of the above works as well. Let the resident expert tell you what they do to satisfy the regulation – if there is one (there should be).
The placard option is one I’ve seen that works well in many organizations. Essentially a largish laminated HazCom label hung in the area where the containers would be found, possibly also attached to a work surface. This is going to be more effective when the chemicals are of low risk (oils, for example).
This is really up to the company to define, but it has to be established – and that brings us to the 9001:2008 requirement.
The OSHA within 9001
OSHA requirements fall into the category of “statutory and regulatory requirements”, which are referenced in several places (feel free to skip to “The Best Place…” below for my take on it):
1.1 General
This International Standard specifies requirements for a quality management system where an organization a) needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements, and b) aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
1.2 Application
… Where exclusions are made, claims of conformity to this International Standard are not acceptable unless these exclusions are limited to requirements within Clause 7, and such exclusions do not affect the organization’s ability, or responsibility, to provide product that meets customer and applicable statutory and regulatory requirements.
Translation: You can’t exclude yourself from an OSHA Requirement in your Scope of Registration on your Certificate.
5.1 Management commitment
Top management shall provide evidence of its commitment to the development and implementation of the quality management system and continually improving its effectiveness by
a) communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements…
7.2.1 Determination of requirements related to the product
The organization shall determine … c) statutory and regulatory requirements applicable to the product…
7.3.2 Design and development inputs
Inputs relating to product requirements shall be determined and records maintained (see 4.2.4). These inputs shall include … b) applicable statutory and regulatory requirements…
The Best Place (ymmv) to find OSHA within 9001
For myself, the “go to” clause to find OSHA within 9001 is the one in 5.1, specifically “communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements”. And that is a responsibility of management.
The salient point being that if the requirement were effectively communicated, then it would not be an issue. By placing it there I believe it addresses the likely root cause and can help an organization solve the entire problem; helping them look at all of their applicable statutory and legal requirements and how those are implemented in the workplace.
One of the other clauses above may in some cases work better, particularly the one with regard to design input, but frankly, this pre-supposes a familiarity with the product that an auditor can’t be expected to have.
The Last Word(s)
The OSHA requirements, the common ones and some of the not-so-common ones, have almost certainly been seen in many different organizations, particularly by an auditor with some seasoning.
HazCom as described above is the most common place to find OSHA within 9001. Occasionally there is also forklift or Powered Industrial Truck (PIT) safety. The regulation for that is fairly complicated as well. I may cover that in another post but basically, there is a law that all PITs be given a safety inspection every day, and before each shift. Typically this means forklifts, but there are other powered hand-carts that fall into this category.
This often is done in a company, but no records are kept of it because the OSHA requirement for record keeping is less clear. For 9001, since the action stems from a specified requirement – there needs to be a record of it.
The auditor is cautioned, however, not to “second guess” any local authority on the subject. You are being paid for your management system auditing expertise, not your OSHA compliance acumen. If they have a system in place, and someone with the proper credentials (see the requirements in 6.2), then hear them out – you may learn something.
Last How To’sday we introduced the topic of metrics and half of the Why of it – namely, “because it makes sense”.
This week, the other Why, “because it’s required” is covered – it means putting a little more focus on Objectives, but metrics are at the core of that.
Lastly, we’ll make a good start at examples of metrics by looking at a typical suite of HR measurables.
Where are the Requirements?
Within 9001:2008
Let’s start with ISO 9001:2008 as it is representative of the requirement within several other standards. Mainly, there’s this:
4.2 Documentation requirements
4.2.1 General
The quality management system documentation shall include
a) documented statements of a quality policy and quality objectives,
b) a quality manual…
This section requires that objectives be documented, and by documented this means according to the methods described in 4.2.3 Control of documents.
So, objectives are in the same documentation category as your Quality Manual, the Quality Policy and all of the required procedures as stated in the standard.
I thought we were talking about metrics? As covered in the last installment, metrics are the method by which performance to an objective is measured. Can’t discuss objectives without touching metrics.
5.4.1 Quality objectives
Top management shall ensure that quality objectives, including those needed to meet requirements for product…, are established at relevant functions and levels within the organization. The quality objectives shall be measurable and consistent with the quality policy.
One key point here is, “established at relevant functions and levels within the organization”. So, if a function doesn’t have at least one objective, an organization would have to make the claim that the function isn’t relevant. If it isn’t relevant – why is it there?
And to underscore the point of what a metric is, the section also contains, “The quality objectives shall be measurable”.
I do realize that may present a slight contradiction to what is stated in ISO 9000:2005 (Definitions) as it says, under the term (3.5.1) distinguishing feature (a component of an objective), “A characteristic can be qualitative or quantitative.”
We’ll have to assume that a qualitative characteristic is measurable. I guess that’s what adjectives are for. Don’t worry, that potential disconnect is the least of your worries.
Objectives are built into PDCA
Also, within 9001:2008 is a discussion of the Plan-Do-Check-Act (PDCA) process. In the description of “Plan” it states:
“establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization’s policies.”
And for “Check”, it adds:
“monitor and measure processes and product against policies, objectives and requirements for the product and report the results.”
Clearly, for an organization to be compliant with ISO 9001:2008, it must conform to the model presented by PDCA – a major component of the current version. Establishing objectives and monitoring performance against them via metrics is then a key management system component.
Annex SL
For the future, it’s wise to look toward Annex SL as a guide as this will cover many sectors – and it is built into the next version of ISO 9001.
Where it says “XXX” it means “Insert management system nomenclature of choice here” – such as “Environmental” or “Quality” or “Safety”, etc.
6.2 XXX objectives and planning to achieve them
The organization shall establish XXX objectives at relevant functions and levels. The XXX objectives shall
be consistent with the XXX policy
be measurable (if practicable)
take into account applicable requirements
be monitored
be communicated, and
be updated as appropriate.
Nearly the same as 9001:2008, right? Those bullets are, with the exception of the last, accounted for within the current text in several places.
There are a few helpful Notes further down the section as well:
NOTE 1 to entry: An objective can be strategic, tactical, or operational.
NOTE 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (3.12)).
NOTE 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an XXX objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Some Actual Metrics
Here’s a look at the possibilities. Not all of these are suitable for all organizations and the list isn’t exhaustive.
And, just like more rivets won’t make an airplane stronger, the full collection isn’t something to “strive for”. Some of these may even be mutually exclusive.
In no particular order – Here we go!
Human Resources
Timing related
Days to orientation training: Assumes it must be done within X days.
Other required training completed on-time
Reviews done: (percentage)
Reviews late
Training Related
Percentage of required training completed: Forces a clearer definition of training requirements
Pass/Fail rate for verification of effectiveness: Are some methods better than others; can they be made better? Should everyone pass every time?
Trainer/Training satisfaction indexes: Are some trainings better than others… Ask the students.
Recruitment related
Interviews to offers ratio: Provides a measure of how efficient recruitment is. Track by manager to get data across departments, and which managers might need help.
Referral rates by department: Part of the new hiring process or even the exit interview (in some cases) – “Would you recommend [your company] to a friend?” Better to make it a scale from 1-5, for example.
Percentage of hires by source: For your business, is Monster better than LinkedIn? And so on.
Retention related
Retention rate by type of employee: What are the mission critical roles, or the day-to-day “getting it done”, or the “can find this role anywhere” types? Are you better at retaining some levels over others?
Resignation rates by department: Not necessarily a reflection of a bad manager, there may be other factors at work.
Overall Monthly Turnover Rate: The standard calculation goes: (number of departures during month divided by the average number of employees during month) x 100 to get the rate.
Performance Related
Revenue per Employee: Simply total revenue divided by total number of employees.
Human Capital Cost: (Pay + Benefits + Contingent Labor Cost) / Full Time associates.
HR to Staff Ratio: Employees / Human Resources Team Members. Essential if you ever want to justify departmental expansion.
Promotion Rate: Promotions / Headcount.
Overtime per Individual Contributor Headcount: Overtime Hours/Individual Contributor Headcount.
Employee Absence Rate: Number of days in month / (average number of employees during month x number of days).
Demographic Related
Hires that meet certain demographic characteristics can reflect a broad spectrum of requirements, policies and philosophies. These metrics are not a means toward discrimination, but a tool to determine progress toward a goal or objective.
Percentage [Females, Military Service, Race] by Management Level: Can be essential when bidding some government contracts and to fortify positions with a given quality policy.
Average Age of Employees: Consider breaking this down by department, management level – or both.
Until Next Week!
I hope you were able to find something useful in the HR list of metrics. And, with some luck, you’ve gained a broader understanding of why we need metrics at all.
Next week we’ll look at the other main departments within a typical organization – along with additional rationale behind their implementation.