Notes on the certification and surveillance of management systems for companies with subsidiaries

Transcription

1 Editor: Publisher: VdS Schadenverhütung VdS Schadenverhütung VdS-Leaflet Notes on the certification and surveillance of management systems for companies with subsidiaries VdS 2836en : Contents 1 Definitions Limitations of applicability Complexity of business areas Temporarily manned locations Notes on the certification procedure Application for certification Auditing Non-compliance / improvement measures Issue/Revocation of certificates Requirements for the head office and its subsidiaries Extension of certification to additional subsidiaries Specific notes for companies with VdS-approvals Reference

2 Notes on the certification and surveillance of of management systems for companies with subsidiaries VdS 2836en : Definitions A company with subsidiaries is defined as an organisation with a defined head office which plans, controls, monitors and performs certain activities (so-called management functions) and which supports a network of subsidiaries which fully or partly perform business processes according to a defined scope. The head office does not have to be the head office of the organisation. The head office may not be established only or predominantly in order to achieve an effort reduced group certification process. The subsidiaries may be legally independent or dependent companies which are tied to the head office and their joint quality management system (QM, OHSAS, integrated system) by contract. The entire management system must be provided, documented and permanently monitored by the head office. 2 Limitations of applicability 2.1 Complexity of business areas The nature of subsidiary business processes performed in the entire organisation must be generally equal and must be performed using similar proceedings and methods. Normally all applicable business processes must be audited at the subsidiaries. If some subsidiaries perform other or only a part of these processes, special attention must be paid to the fact that those subsidiaries performing most and/or critical processes receive a full audit. Organisations which perform their business processes in different subsidiaries by linked activities (e.g. manufacturing of electronic components and their assembly - at different subsidiaries of the organisation) may be group certified if all business processes as defined by the certification scope can be fully performed and audited within the organisation to be certified. With regard to this, special attention to each individual scope is necessary while identifying the subsidiaries belonging to the certification scheme. If multiple scopes of activity are covered by one or more subsidiaries, an individual sampling plan must be determined for each scope. 2.2 Temporarily manned locations Temporarily manned locations (e.g. on-site construction sites or planning / maintenance offices of the applicant) being part of the management system can participate in the group certification as well. If these locations are part of the certification scope, they must be flagged as such in the certificate. Temporarily manned locations will not be allowed to participate as head office of a group certification. In the following the term subsidiary will be used for temporarily manned locations and subsidiaries. 2

3 VdS 2836en : Notes on the certification and surveillance of management systems for companies with subsidiaries 3 Notes on the certification procedure 3.1 Application for certification Completed application forms according to VdS 2343 and/or VdS 3128, annex A and B must be handed in to VdS Schadenverhütung. The applications must include the head office and all related subsidiaries. Hence the applications must enclose documents which show that all subsidiaries contractually accept all administrative functions and authorities of the head office. For OHSAS certification procedures the head office must give proof of full legal (in particular with regard to labour law) and disciplinary control. The delegation of entrepreneurial duties to external parties or representatives is not permissible. Management functions are of particular importance, because not all subsidiaries will be audited each year (see para. 3.2). Due to this, prior to the audit by VdS Schadenverhütung, the head office must have completed the following activities for itself and for every related subsidiary: - Centrally held and with regard to the subsidiaries performed management review, including the establishment of company/group objectives in order to document the continuous improvement process - Documentation of the maturity check for each subsidiary and the head office - Internal audits (additionally for OHSAS, an adequate number of safety walkabouts, e.g. on construction and production sites) - Control of documents and records - Control of superior (systematic) corrective and preventive action, nonconforming product, incident investigations and other non-conformities including customer complaints and appeals 3.2 Auditing All auditing shall demonstrate that a consistent MS is effectively implemented and maintained throughout all subsidiaries. For this purpose a sampling plan will be determined and transmitted to the head office together with the audit schedules, appr. 1 to 4 weeks prior to the audit date. The minimum number of subsidiaries to be audited will be determined with regard to the total number of subsidiaries belonging to the group certification and their scope of activity, for OHSAS also with regard to the hazard class. The sampling plan for organisations, which perform their activities at different subsidiaries by linked processes, must consider at least one sample of each organisational process. As mentioned before, the nature of subsidiary business processes performed in the entire organisation must be generally equal. If multiple scopes of activity are covered by one or more subsidiaries, an individual sampling plan must be determined for each scope. While defining the sampling plan for OHSAS group certifications, the subsidiary processes and hazard classes must be equal. Due to this, increased focus shall be put on the field of activity and hazard class of each individual subsidiary. For different hazard classes the highest must be taken as a basis for the sampling plan. 3

4 Notes on the certification and surveillance of of management systems for companies with subsidiaries VdS 2836en : In the framework of a group certification various normative references as e.g. ISO 9001 and BS OHSAS can be locked into synergies. However, the sample for each certification procedure must be considered and documented individually. The sample size will be determined as follows (number of subsidiaries n > 1): Main audit: The sample (y) shall be the square root of the number of all subsidiaries (x), rounded up to the next higher integer (y = x ). Surveillance audit: The sample (y) shall be the square root of the number of all subsidiaries (x) multiplied by 0,6 and rounded up to the next higher integer (y = 0,6 x ). Re-audit: The sample (y) shall be the square root of the number of all subsidiaries (x) multiplied by 0,8 and rounded up to the next higher integer (y = 0,8 x ). The choice, frequency and number of subsidiaries to be audited may be changed with regard to the following: Extent of the company, number of employees and geographic distribution Complexity of product-/service range and of the management system Maturity level of the management system and other findings of the organisation Number of product-/service variants, shift patterns and work procedures Non-compliances/customer complaints/corrective action Changes and modifications Diversity in culture, language, law and official requirements Internal audit results, statistics For OHSAS group certifications the sampling size will be generally increased after higher numbers of accidents, special hazards, authority findings and safety walkabouts. Generally the sampling plan will be determined as a representative cross-section of the size and setup of the full organisation. At least 25% of the samples must be chosen randomly. The head office will be additionally audited at a yearly basis. All organisational units will be audited with regard to the full control of the head office and all applicable requirements of the standards ISO 9001 and/or BS OHSAS During on-site surveillance- and re-assessments business activities, projects, documents and records of the entire certification period will be audited. The audit time for each subsidiary to be audited will be individually determined and documented. Justified time reductions are permissible and must be documented as well. 4

5 VdS 2836en : Notes on the certification and surveillance of management systems for companies with subsidiaries The entire audit time to be spent at the head office and the subsidiaries may not be less than the time equivalent which would be determined for a single organisation of the same size and complexity. 3.3 Non-compliance / improvement measures If non-compliances will be raised by VdS Schadenverhütung or during internal audits, it must at first be assumed that all subsidiaries are affected (systematic error). Because of this, all non-compliances must be reviewed by the head office in order to identify the systematic or non-systematic nature of the error. This analysis must be documented. If a systematic error has been identified, corrective/preventive action must be initiated at the head office as well and at all subsidiaries. The same shall be valid also for improvement measures. If non-compliances will not be addressed at all or not in a timely manner, revocation of the certificate may result. If non-compliances or improvement measures will not be adequately implemented, future sampling plans may be extended until the procedures will be suitably re-established. Initial audit procedures and prolongations will not be concluded until all corrective action on systematic and non-systematic non-compliances will be satisfactorily completed in all subsidiaries and the head office. It is not acceptable to exclude a subsidiary, at which a non-compliance has been raised, from group certification in order to correct the non-compliance by doing so. 3.4 Issue/Revocation of certificates As a rule a multi-page certificate, which reflects the complete scope of the group certification, will be issued to the head office. In this sense the location responsible for the entire QM-system will be taken as head office. The first page of the certificate will display the complete scope of the group certification. The following pages will display the individual scope and full postal address of the head quarter and all legally independent and dependent subsidiaries. If all information can be formatted on one page, the following pages will not be issued. Generally the scope of the head office reflects the control activities of the management system. All subsidiaries receive a certificate which is dependent to the head office certificate by a corresponding note. Hence, the validity of all certificates will be published under If a single subsidiary or the head office fails to fulfil the requirements for certification, all certificates must be revoked. 4 Requirements for the head office and its subsidiaries The management system must be planned and reviewed by the head office. The review must include head office and subsidiary issues. All related subsidiaries and the head office must be internally audited at least once per year. Internal audits for all related subsidiaries and the head office must be completed before the audit by VdS Schadenverhütung. The completed internal audit report and related corrective/preventive actions for the whole organisation must be presented to the auditor during every external audit. 5

6 Notes on the certification and surveillance of of management systems for companies with subsidiaries VdS 2836en : The head office must demonstrate that all requirements of the ISO 9001 and/or BS OHSAS standard are met. The following activities must be completed by the head office: Control of documents and records Management review and derived quality objectives Follow-up of corrective action and customer complaints Planning and performance of internal audits Note: Internal audits for OHSAS may only be performed by the head office or an authorised external party. An independent internal audit performed by the subsidiary itself is not permissible due to the special obligation of the head office respectively the top management. Additional requirements for OHSAS: - Determination and monitoring of objectives and programs - Scheduling, chairing and documentation of safety committee meetings - Scheduling and performance of safety walkabouts (e.g. on construction and production sites) - Performance, examination and documentation of hazard analysis - Incident analysis (e.g. accidents, safety related incidents, fire hazards) - Examination of fulfilment of legal provisions and external requirements The following activities may be completed by the subsidiaries, while the control and surveillance of these activities lies in the responsibility of the head office: Product realisation Supplier evaluation, procurement Training, resource management Additional requirements for OHSAS: Hazard analysis and safety walkabouts on construction sites Process-related implementation of OHSAS measures Selection and supply of personal protection gear Work instructions and procedures of individual subsidiaries may give additional information with regard to specific local activities, the size of the subsidiary or the training situation of local staff. 5 Extension of certification to additional subsidiaries Additional subsidiaries may be included in the existing group during surveillanceand re-audits. A new sampling plan will be determined analogously to a main audit with regard to the number of new subsidiaries, and will be additionally audited to the already existing sampling plan. Subsidiaries, which already have been certified by another accredited certification body, may under certain circumstances be included in the existing group with reduced audit effort. 6

7 VdS 2836en : Notes on the certification and surveillance of management systems for companies with subsidiaries Off-schedule extensions of certification are possible as well. In this case the head office will also be audited to demonstrate that its administrative function and its authority with regard to corrective actions has been effectively implemented for the new subsidiaries. The extended certificates will be issued after the completion of all non-compliances (see para. 3.3). After successful certification the total number of subsidiaries will serve as a basis for future surveillance- and re-audit sampling plans. 6 Specific notes for companies with VdS-approvals A particular advantage of a single company management system certification procedure by VdS Schadenverhütung is the possibility to combine it with inspection activities for other VdS-approvals in order to reduce time and effort. These activities are in particular the following ones, which may be combined with main-, re- and surveillance audits: On-site installation inspections for installer companies of intruder alarm systems Plant visits at installer companies of intruder alarm systems Plant visits at installer companies of fire alarm systems and at companies specialised acc. to DIN Specific surveys at security companies Staff inspections at installer companies of fire extinguishing installations Performance of product surveillance activities and inspections of factory production control schemes at manufacturing companies of VdS-approved/ -certified products The combination advantages of inspection activities are limited in the framework of a group certification. The sampling procedure implies irregular visits at the subsidiaries, possibly resulting in additional effort for the applicant for separate journeys, as they are e.g. necessary to perform installation inspections or product assessments. Therefore it should be closely reviewed if any advantage in effort will result at all, in contrary to an individual certification and customer liaison and support scheme by VdS Schadenverhütung. Please balance the advantages and disadvantages carefully and contact, if desired, VdS Schadenverhütung GmbH, Mr. Edel under Reference VdS 2343en, Guidelines for the certification of quality management systems Internet: 7