e-Newsletter


Whittington Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma
December 2008
In this Issue
  1. EPCRA Amendments
  2. Move to ISO 9001:2008
  3. AS9100 OASIS
  4. ISO Certificate Survey
  5. Multi-Site Certification
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, ISO 22000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

EPCRA Amendments

The Emergency Planning and Community Right-to-Know Act (EPCRA) establishes requirements for federal, state, and local governments, Indian tribes, and industry, regarding emergency planning and "Community Right-to-Know" reporting on hazardous and toxic chemicals.

The Environmental Protection Agency (EPA) recently finalized several changes to the EPCRA reporting requirements. These changes include clarification on how to report hazardous chemicals in mixtures, and changes to the Tier I and Tier II forms. Additionally, the rules now use a question and answer format. Facilities subject to EPCRA reporting should become familiar with the new regulation.

The focus of EPCRA is to protect public health and the environment. It affects almost all facilities that manufacture, use, or store hazardous chemicals. EPCRA has three non-emergency chemical reporting components: hazardous chemicals reporting, annual hazardous chemical inventory reporting, and annual toxic chemical release inventory reporting. Nearly every state has its own community right-to-know rules, along with separate reporting forms.

The Community Right-to-Know provisions help increase the public's knowledge and access to information on chemicals at individual facilities, their uses, and releases into the environment. States and communities, working with facilities, can use the information to improve chemical safety and protect public health and the environment.

For more information, see this EPA web page.

Move to ISO 9001:2008

Will you be ready for your transition audit to ISO 9001:2008? Although it was announced as not containing any new requirements, you still need to examine it to see how it might affect your quality management system.

Since ISO 9001:2008 provides clarified requirements and new notes, these changes might cause your organization to interpret the requirements differently. Your certification body will expect to see evidence during the transition audit that you have carefully considered these differences and revised your quality management system as appropriate.

For example, in clause:

4.1 Quality Management System (General Requirements) - Have you examined Note 2 to see if the new explanation of an outsourced process will cause you to identify more outsourced processes? Will the new Note 3 cause you to alter the type and extent of control over your outsourced processes?

5.5.2 Management Representative - Will this clarified requirement cause you to appoint a new management representative; one that is a member of your organization's own management?

6.2.1 Human Resources (General) - Did the new Note for this clause expand your view of the personnel expected to be competent based on their direct or indirect effect on conformity to product requirements?

6.3 Infrastructure - Has the new example of supporting services caused you to add information systems to your internal audit schedule?

6.4 Work Environment - Did the new Note for this clause result in you considering more conditions that might affect the work environment?

7.2.1 Determination of Requirements Related to the Product - Did the new Note for this clause expand your view of what should be considered as a post-delivery activity?

7.3.3 Design and Development Outputs - Did the new Note for this clause result in product preservation requirements, e.g., packaging, being considered as part of your design and development output?

7.5.4 Customer Property - Did the revised Note for this clause cause you to expand the category of customer property to include personal data?

7.6 Control of Monitoring and Measuring Equipment - Has the new Note for this clause clarified how to confirm the ability of computer software for the intended application?

8.2.1 Customer Satisfaction - Has the new Note for this clause identified more input sources for monitoring the customer's perception as to how well you are meeting their requirements?

8.2.2 Internal Audit - Has the revised requirement to ensure any necessary "corrections and corrective actions" are taken caused you to re-examine your audit procedure?

8.2.3 Monitoring and Measurement of Processes - Has the new Note for this clause resulted in a consideration of the impact of your monitoring and measurement methods on conformity to product requirements and the effectiveness of the quality management system?

8.5.2 Corrective Action - Has the revised requirement to review the effectiveness of the action taken caused you to update your corrective action process?

8.5.3 Preventive Action - Has the revised requirement to review the effectiveness of the action taken caused you to update your preventive action process?

Evidence

What would be credible evidence to share with an auditor as proof that you have considered all the differences between ISO 9001:2000 and ISO 9001:2008? For starters, do you have a copy of the new standard? See its Annex B for a table that identifies all the text changes from the 3rd edition to the new 4th edition.

Have you reviewed the differences and modified your quality management system as appropriate? The changes to the clauses discussed above may affect your organization. Planned changes should be addressed at your Management Reviews and captured in the meeting minutes.

Some changes are simple. For example, two of the ISO 9001:2008 clause titles were modified (6.2.2 and 7.6). If your quality manual uses the clause structure of the standard, you may want to revise those section titles to show your consideration of the changes.

And, did you reflect the changes as appropriate in your documented procedures? Have you gone over the differences with your internal auditors? Do you have proof of this training?

Resources

For an explanation of all the ISO 9001:2008 differences, see this PDF file at my web site.

ISO has developed an introduction and support package of documents that provide guidance on ISO 9001:2008.

Guidance on ISO 9001:2000 sub-clause 1.2 "Application"

Guidance on the documentation requirements of ISO 9001:2008

Guide to the Terminology used in ISO 9001 and ISO 9004

Guidance on the concept and use of the process approach for management systems

Guidance on 'Outsourced processes'

Implementation guidance for ISO 9001:2008

Frequently Asked Questions (FAQs)


Transition Schedule

ISO and IAF announce schedule for implementation of certification to ISO 9001:2008

AS9100 OASIS

The International Aerospace Quality Group (IAQG) wants to ensure continual improvement in the aerospace supply chain by focusing on:

1. Details and appropriateness of nonconformities identified during an audit.

2. Depth and adequacy of the root cause analysis and related corrective action plan.

This IAQG activity was initiated because of the perception of poor root-cause analysis by AS9100 certified organizations, and the soft grading of findings by third party auditors.

As a result, IAQG now requires certification bodies to enter additional information into the Online Aerospace Supplier Information System (OASIS), including:

  • The audit report
  • One corrective action report for each finding written during an audit
  • Corrective action plan with root cause analysis for each finding

So, if your AS9100 certification body didn't in the past, it will now require a root-cause analysis and corrective action plan to be submitted for each nonconformity reported in an audit. The certification body will review your responses before the next audit and provide feedback on any inadequate root cause analysis or corrective action plan.

The certification body will upload the audit nonconformities and corrective action plans into the OASIS database. Since organizations control their own data in OASIS, they can determine who will have reviewing rights to this data.

OASIS Resources

To view the Supplier Chain Management Handbook, go to this IAQG Projects Web Page.

To view a list of published AS9100 family of standards, go to this IAQG Standards Web Page.

ISO Certificate Survey

The recently issued ISO Survey - 2007 reveals that ISO management system certificates are held in 175 countries, demonstrating that the international standards have become essential tools of the world economy. The principal findings of the survey are described below:

ISO 9001:2000 (Quality Management):

By the end of 2007, at least 951,486 ISO 9001:2000 certificates had been issued in 175 countries. The 2007 total represents an increase of 54,557, or a 6% increase over 2006. The Service sectors accounted for 32% of the certificates issued.

The increase in 2007 was much smaller than the 16% increase in 2006. According to the survey, several factors may have combined to produce this result:

  • The 2007 survey data collection methodology was strongly re-focused on obtaining figures from primary sources (the certification bodies that actually issue certificates) to reduce the increased possibility of error inherent in obtaining data from the secondary sources (accreditation bodies and databases). This resulted in the totals for several countries being revised downwards.
  • Certification activity slowed down in anticipation of the forthcoming new edition of ISO 9001:2008, with organizations adopting a "wait and see" attitude, as many did in the run-up to the 2000 edition.
  • The market for certification is maturing in certain countries where this activity began early on.
  • The continuing growth of sector- or activity-specific editions of ISO 9001 reduces the number of certifications to the generic standard.
  • The trend for organizations to replace multiple-site certificates by one certificate covering all sites continues, although its extent is difficult to quantify, which reduces the number of certificates.

Top 10 Countries for ISO 9001:2000 Certificates

1. China: 210,773
2. Italy: 115,359
3. Japan: 73,176
4. Spain: 65,112
5. India: 46,091
6. Germany: 45,195
7. USA: 36,192
8. United Kingdom: 35,117
9. France: 22,981
10. Netherlands: 18,922

ISO 14001:2004 (Environmental Management)

At the end of 2007, at least 154,572 certificates had been issued in 148 countries. The 2007 total represents an increase of 26,361 (+21%) over 2006. The Service sectors accounted for 29% of certificates issued.

Top 10 Countries for ISO 14001:2004 Certificates

1. China: 30,489
2. Japan: 27,955
3. Spain: 13,852
4. Italy: 12,057
5. United Kingdom: 7,323
6. South Korea: 6,392
7. USA: 5,462
8. Germany: 4,877
9. Sweden: 3,800
10. France: 3,476

ISO/TS 16949:2002 (Quality Management for Automotive Suppliers)

By the end of 2007, at least 35,198 ISO/TS 16949:2002 certificates had been issued in 81 countries. The 2007 total represents an increase of 7,199 (+26%) over 2006.

Top 10 Countries for ISO/TS 16949:2002 Certificates

1. China: 7,732
2. USA: 4,288
3. South Korea: 3,453
4. Germany: 3,068
5. India: 2,008
6. France: 1,165
7. Japan: 1,106
8. Italy: 1,024
9. Brazil: 972
10. Mexico: 947

ISO 13485:2003 (Quality Management for Medical Devices)

Up to the end of 2007, at least 12,985 ISO 13485:2003 certificates had been issued in 84 countries. The 2007 total represents an increase of 4,959 (+62%) over 2006.

Top 10 Countries for ISO 13485:2003 Certificates

1. Germany: 2,204
2. USA: 2,186
3. Italy: 1,482
4. China: 1,329
5. France: 709
6. Switzerland: 608
7. United Kingdom: 589
8. Japan: 456
9. Canada: 406
10. Israel; South Korea: 255

ISO 27001:2005 (Information Security Management)

By the end of 2007, at least 7,732 ISO 27001:2005 certificates had been issued in 70 countries. The 2007 total represents an increase of 1,935 (+33%) over 2006. Service sector organizations accounted for 90% of the certificates issued.

Top 10 Countries for ISO 27001:2005 Certificates

1. Japan: 4,896
2. United Kingdom: 519
3. India: 508
4. Taipei: 256
5. Italy: 148
6. China: 146
7. Germany: 135
8. USA: 94
9. Spain: 93
10. Hungary: 81

You can download the full 27 page Survey Principal Findings PDF file at this ISO Web Page.

Multi-Site Certification

Some organizations end up with separate management system certificates across their multiple sites due to business demands, site readiness, process variations, or company mergers. Individual certificates might have been the best solution at the time, but if these organizations qualify, they should consider merging their multiple certificates into a single scope of certification.

If the activities across the multiple sites are carried out in a similar manner, under the organization's authority and control, the organization may qualify for a single multi-site certificate with these benefits:

  • Single audit of shared services
  • Sampling plan for remote sites
  • Reduced audit visits and costs
  • More uniform system over time

Of course, the remote sites might fear the loss of their autonomy. The central site may be concerned about the weakest link placing the single certification at risk.

Multi-Site Certification

The criteria for multi-site certification are explained in the International Accreditation Forum (IAF) Mandatory Document for the Certification of Multiple Sites Based on Sampling.

A multi-site organization is defined as one with an identified central function at which certain activities are planned, controlled, or managed, along with a network of local offices or branches (sites) at which such activities are fully or partially carried out. The eligibility requirements for site sampling include:
  • Sites have a contractual or legal link with the central office
  • Sites are subject to a common management system
  • Processes at the sites are substantially of the same kind
  • Sites operate to similar methods and procedures
  • Sites are under surveillance and internal audit by the central office
  • Central office has the right to require site corrective actions
  • Central office has authority to initiate organizational changes

Organizations that conduct their business through linked processes in different locations may also be eligible for multi-site certification. For example, fabrication in one location and assembly of those components in another location of the same company would qualify as linked processes.

Examples of possible multi-site organizations are:
  • Company that operates franchises
  • Manufacturing company with network of sales offices (multi-site is the network)
  • Service company with multiple sites offering a similar service
  • Company with multiple branches

Sampling Method

According to ISO 17021:2006, where multi-site sampling is used for the audit of a client's management system covering the same activity in various locations, the certification body must develop a sampling program to ensure proper audit of the management system.

Not all multi-site organizations are eligible for sampling. The certification body makes that determination based on site sizes and process variations.

At least 25% of the sample must be selected at random. The remainder of the sample is selected based on factors such as:
  • Internal audit results
  • Variation in size and shifts
  • Customer complaints
  • Differences in procedures
  • Changes since prior audit
  • Differences in language
  • Geographic dispersion

The central site must be audited during the initial certification and recertification audits, and at least annually during the surveillance audits. The sample selection can be postponed until after the central audit. Sampling is for the remote sites.

Sample Size

The initial certification audit sample of remote sites is the square root of the number of remote sites, rounded up. For example:
  • For 3 remote sites, it would be 2 of 3, with 1 random
  • For 4 remote sites, it would be 2 of 4, with 1 random
  • For 5 remote sites, it would be 3 of 5, with 1 random
  • For 10 remote sites, it would be 4 of 10, with 1 random
  • For 25 remote sites, it would be 5 of 25, with 2 random
  • For 50 remote sites, it would be 8 of 50, with 2 random
  • For 1000 remote sites, it would be 32 of 1000, with 8 random

For surveillance audits at remote sites, it is 0.6 times the square root, rounded up.
  • For 3 remote sites, it would be 2 of 3 each year, with 1 random
  • For 4 remote sites, it would be 2 of 4 each year, with 1 random
  • For 5 remote sites, it would be 2 of 5 each year, with 1 random
  • For 10 remote sites, it would be 3 of 10 each year, with 1 random
  • For 25 remote sites, it would be 3 of 25 each year, with 1 random
  • For 50 remote sites, it would be 5 of 50 each year, with 2 random
  • For 1000 remote sites, it would be 19 of 1000 each year, with 5 random

For recertification audits, the sample size should be the same as for the initial audit. However, if the management system has proven to be effective over the three years, the sample size could be reduced by a factor of 0.8, or 0.8 times the square root of the number of remote sites, rounded up.
  • For 3 remote sites, it would be 2 of 3, with 1 random
  • For 4 remote sites, it would be 2 of 4, with 1 random
  • For 5 remote sites, it would be 2 of 5, with 1 random
  • For 10 remote sites, it would be 3 of 10, with 1 random
  • For 25 remote sites, it would be 4 of 25, with 2 random
  • For 50 remote sites, it would be 6 of 50, with 2 random
  • For 1000 remote sites, it would be 26 of 1000, with 7 random

The guidance states the cumulative days for a multi-site certificate must at least equal the number of days if the functions were all part of a single organization at the same site.

Single Certificate

The single multi-site certificate is issued with the central office name and address. The remote sites are listed on that certificate or an attachment. The scope will clearly state that the certified activities are performed by the listed network of sites. If desired, sub-certificates can be issued for the remote site, with a sub-scope and reference to the main certificate.

For more information on multi-site certification, see the MD1:2007 document at the IAF web site. Select "Publications" on the left-hand menu at the home page and then select the entry titled "Mandatory Documents (MD Series)".

Class Schedule

Root Cause Analysis

ISO 9001:2008
Understanding ISO 9001:2008
Implementing ISO 9001:2008
Quality System Documentation
ISO 9001:2008 Internal Auditor
ISO 9001:2008 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001 / ISO 17799
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 22000
Understanding ISO 22000
ISO 22000 Internal Auditor
Understanding HACCP
Implementing SQF Systems
Advanced HACCP

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2008 Whittington & Associates, LLC

