National Security Inspectorate Sentinel House, 5 Reform Road Maidenhead SL6 8BY Website: nsi.org.uk Page 1 of 24 © NSI 2017 Quality Schedule FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Certification Scheme Issue 4.0 April 2017 FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 2 of 24 April 2017 © NSI 2017 NSI Life Safety Fire Risk Assessment (LSFRA) Gold, is an approval scheme combining Quality Management System (QMS) Certification and Product Certification (PC). The NSI LSFRA Gold Scheme holds Accreditation from the United Kingdom Accreditation Service (UKAS) for both QMS and PC. The QMS element of the LSFRA Gold scheme calls for compliance with BS EN ISO 9001, the British, European, International Standard for QMS. The ISO 9001 Standard can be applied to any organization, whether they are manufacturing a product or supplying a service, and is mandatory for any UKAS Accredited Certification of QMS. The PC element of the LSFRA Gold scheme calls for compliance with the BAFE Fire Protection Industry document SP205-1 for Life Safety Fire Risk Assessment and satisfies the BAFE requirement that certification bodies operating a fire risk assessment scheme must demonstrate and maintain a specific UKAS PC Accreditation for BAFE SP205-1. The BAFE SP205 scheme has been developed for organizations that provide fire risk assessment services in respect of life safety. The BAFE document, together with the NSI requirements, are designed to give confidence in the quality and relevance of the services being provided and to give assurance that fire risk assessments are carried out in accordance with BAFE SP205-1. This requires certificated organizations to employ risk assessors who are competent and, where required, security screened to a minimum standard such as BS 7858. This Issue 4 edition of the Quality Schedule reflects changes that have taken place with the introduction of BS EN ISO 9001:2015 and provides guidance and clarification on the application of BS EN ISO 9001:2015 in relation to BAFE SP205-1. Compliance with BS EN ISO 9001:2015, this Quality Schedule, and BAFE SP205-1 is a condition of any NSI LSFRA Gold approval. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 3 of 24 April 2017 © NSI 2017 1 Introduction 1.1 Quality Schedules are designed for particular sectors of industry and are used to amplify the requirements of the QMS Standard (BS EN ISO 9001) and to provide an agreed basis for audit. 1.2 The 2015 standard is based on the quality management principles described in ISO 9000, which are customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making and relationship management. There is now a stronger focus on leadership and commitment to the quality management system (see BS EN ISO 9001:2015 Clause 5). 1.3 The concept of risk-based thinking has been implicit in previous editions of ISO 9001. However the risk-based thinking applied to the 2015 edition has enabled greater flexibility to be applied to the requirements for processes, documented information and organizational responsibilities. The requirement to maintain six documented procedures has been removed and is replaced with a requirement to maintain documented information required by the Standard and documented information determined to be necessary to ensure the effectiveness of the quality management system (see BS EN ISO 9001:2015 Clause 7.5). 1.4 The terms ‘documented procedure’ and ‘record’ have been replaced throughout by the term, ‘documented information’. Where B S EN ISO 9001:2008 would have referred to ‘documented procedures’ to define control or support a process, this is now expressed as the requirement to ‘maintain’ documented information. Where BS EN ISO 9001:2008 would have referred to ‘records’ this is now expressed as the requirement to ‘retain’ documented information. Documented information required by the 2015 standard includes: (1) the scope of the of the quality management system, (2) information necessary to support the operation of processes, which will probably require maintained information (documented procedures) and retained information (records), (3) the quality policy and (4) where appropriate organizational knowledge. More detailed information on the structure, terminology and concepts can be found in BS EN ISO 9001:2015 Annex A. 1.5 Use of a NSI LSFRA Gold approved company (called “you” or “organization” in this Quality Schedule) provides a high level of assurance that: FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 4 of 24 April 2017 © NSI 2017 a) all commissioned Life Safety Fire Risk Assessments will be carried out by competent fire risk assessors on behalf of an organization that has been assessed as compliant with the requirements within the BAFE document SP205-1. b) there is a commitment to customer satisfaction and continual business improvement derived from the implementation of a QMS designed specifically to meet the needs of the fire safety industry, such needs having been agreed in consultation with insurers, fire and rescue services, building control, installers, trade associations and professional institutions. 1.6 The scope of the organization’s approval is detailed on the NSI Certificate of Ap proval, and is referenced to this Quality Schedule. 2 Scope 2.1 Compliance with this Quality Schedule is a condition of NSI LSFRA Gold approval. 2.2 This Quality Schedule sets out the criteria for auditing the QMS of organizations engaged in carrying out fire risk assessments for the purpose of life safety and does not in any way diminish the NSI Regulations or the defined Scheme Criteria. The NSI LSFRA approval scheme does not include risk assessment for the purposes of property protection or business continuity. 2.3 In common with previous practice, this Quality Schedule retains alignment with the main clause numbers of the BS EN ISO 9001 Standard. Where special application of the Standard is considered necessary, this is stated. 2.4 The requirements of this Quality Schedule you must satisfy are shown in normal text and are further emphasised by the u se of “shall” or “must” . Additional guidance is reproduced in italics and is often further emphasised by the use of “may” or “can” within the text. 3 Definitions In addition to the definitions in BS EN ISO 9000, the following definitions also apply: 3.1 complaint means an expression of dissatisfaction made to an organization, related to its product or service, or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected 3.2 security screened means having been adjudged suitable for working in the fire risk assessment industry following completion of security screening See BS 7858 regarding completion of limited security screening, pending completion of full security screening. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 5 of 24 April 2017 © NSI 2017 3.3 sub-contractor means an individual or company external to the organization that enters into an agreement or contract with the organization to supply processes, products and/or services This definition applies, irrespective of the contractual arrangements or parties involved, to all individuals performing work for your organization who are not staff personnel. BS EN ISO 9001:2015, clause 8.4, uses the term “external provider” and this includes “sub – contractors ”. 3.4 Staff personnel means the managing partners of the organization, the sole-proprietor of the organization, or (in the case of a limited company) the directors of the organization and employees from whose remuneration the organization deducts Income Tax and National Insurance contributions. 4 Context of the organization 4.1 Understanding the organization and its context No additional requirements apply to this clause of BS EN ISO 9001:2015. 4.2 Understanding the needs and expectations of interested parties No additional requirements apply to this clause of BS EN ISO 9001:2015. 4.3 Determining the scope of the quality management system Whilst there is no requirement in BS EN ISO 9001:2015 to hold a quality manual there is a requirement to maintain documented information that describes the scope of the QMS. When determining the scope you must consider the following: a) the internal and external issues affecting the QMS (clause 4.1), Issues to consider are for example, changes in technology, the introduction of new standards, or changes to standards, new legislation and personnel changes, b) the requirements of any relevant interested parties affecting the QMS (clause 4.2), Interested parties may include shareholders, trade bodies, certification bodies, fire & rescue services and insurers, and c) the organization ’ s products and services affected by the QMS, plus FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 6 of 24 April 2017 © NSI 2017 d) any justifications where the organization has determined that requirements of the standard are not applicable to the scope of the QMS (clause 4.3). BS EN ISO 9001:2008 permitted organizations to apply exclusions to parts of clause 7.3 (Design and development) if the requirements could not be applied to the organization’s QMS due to the nature of the product or service. Therefore previous issues of FRAQS 123 accepted the exclusion of the development aspects of clause 7.3, but not the design aspects. Under BS EN ISO 9001:2015, organizations may omit any requirement not applicable to the determined scope of the QMS and not affecting the organiz ation’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction. Where you determine that a specific requirement does not apply to the scope of the QMS you must include the justification within the scope of the QMS. 4.4 Quality management system and its processes No additional requirements apply to this clause of BS EN ISO 9001:2015. 5 Leadership 5.1 Leadership and commitment 5.1.1 General No additional requirements apply to this clause of BS EN ISO 9001:2015. 5.1.2 Customer focus No additional requirements apply to this clause of BS EN ISO 9001:2015. 5.2 Policy 5.2.1 Establishing the quality policy In addition to the requirements of this clause of BS EN ISO 9001:2015, the Quality Policy must include a commitment to comply with this Quality Schedule, industry agreed Codes of Practice, any relevant Product Standards, and applicable legal and/or statutory requirements. For any management systems certification Accredited Certification Bodies (CBs) must comply with UKAS requirements to withhold or withdraw approval from organizations if any breaches of applicable legislation are found. This is reflected in BS EN ISO 9001:2015 where an organization is required to identify and comply with all relevant statutory requirements applicable to product(s) and/or service(s) provided (also expressed as legal requirements). FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 7 of 24 April 2017 © NSI 2017 As a UKAS Accredited CB, NSI does not recommend approval (or continued approval) to BS EN ISO 9001 if there are known breaches of legal requirements that relate directly to the product or service provided. You must include a commitment in your Quality Policy that it is your intention to comply with applicable legal requirements and periodically to evaluate compliance with the same as an input to management review. Appropriate management must also demonstrate they are generally aware of the prime legislation that impinges on their area of responsibility and authority. 5.2.2 Communicating the quality policy No additional requirements apply to this clause of BS EN ISO 9001:2015. 5.3 Organizational roles, responsibilities and authorities As detailed within the ISO 9001 Standard, you must define and communicate responsibilities and authorities within your organization. The size and complexity of an organization has a bearing on how such responsibilities and authorities are defined. In a large organization with various departmental interfaces, responsibilities and authorities can be defined through documented job descriptions, a schedule of key personal responsibilities in the quality manual and/or inclusion within the documented procedures. In a very small family run organization, provided management and staff can demonstrate on interview a common understanding of everyone’s prime responsibilities and authorities, it may not be necessary to have them fully documented. BS EN ISO 9001:2008 required that an individual from within the organiz ation’s management team be nominated to act as the Quality Management Representative (QMR). The 2015 Standard does not make the appointment of a QMR a specific requirement. However there remains a need for top management to assign the responsibility and authority for maintaining the QMS. Whilst this does not forbid the organization from appointing a sub-contracted quality consultant into this role, top management within the organization should consider the potential risks associated with managing the appointment in this way and identify the means to ensure the QMS is maintained and operated to the requirements of the organization. Notwithstanding the above, responsibilities and authorities of “Validators” must be clearly assigned, as defined within the BAFE SP205 Scheme. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 8 of 24 April 2017 © NSI 2017 A “Validator” is a person having the authority to sign-off life safety fire risk assessments on behalf of the organization. A “Validator” must authorise e very life safety fire risk assessment your organization issues. 6 Planning 6.1 Actions to address risks and opportunities No additional requirements apply to this clause of BS EN ISO 9001:2015. 6.2 Quality objectives and planning to achieve them No additional requirements apply to this clause of BS EN ISO 9001:2015. 6.3 Planning of changes No additional requirements apply to this clause of BS EN ISO 9001:2015. However the following are examples of situations where changes to the quality management system should be considered: acquisitions and joint ventures introduction of new technologies organizational restructuring use of sub-contractors changes within legislation introduction of new government guidance 7 Support 7.1 Resources 7.1.1 General Whilst you must maintain adequate and competent resources to achieve the requirements, you may not always be able to provide a complete service using your own staff personnel and you may have to use sub-contractors (see also 8.4.1). 7.1.2 People You must adopt a documented policy statement in relation to the security screening of personnel who visit customers ’ premises for the purpose of carrying out life safety fire risk assessments. The documented policy statement must cover staff personnel and also sub-contract personnel. A copy must be available to customers and prospective customers on request. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 9 of 24 April 2017 © NSI 2017 NSI LSFRA Gold is not prescriptive as to the content of the policy statement. However, you must be clear to your customers whether or not you ensure all personnel visiting customers’ site s, or having access to confidential information, are security screened in accordance with BS 7858 or to another security screening standard as may be required under contractual obligations. Your internal procedures and practices must ensure that any contractual obligations regarding use of security screened personnel are met. Identity cards All staff, including sub-contractors, coming into contact with customers and their representatives must carry an identity card or other equivalent means of identification. Such identity cards must as a minimum include a current photograph of the individual, the name of the organization represented and a contact telephone number for verification purposes. You must have evidence of control in respect of issue, control and withdrawal of identity cards. Dependent upon the client base and the type of sites visited you may also need to consider incorporating additional information on the identity cards, for example issue and expiry dates, signature and so on, and have clearly defined procedures to recover identity cards from leavers. If you permit another company to issue identity cards for the sub-contractors they are supplying to your organization, you must ensure (for example through written agreement with the other company and subsequent audit) that identity cards are properly issued, controlled and withdrawn. 7.1.3 Infrastructure No additional requirements apply to this clause of BS EN ISO 9001:2015. 7.1.4 Environment for the operation of processes No additional requirements apply to this clause of BS EN ISO 9001:2015. However we draw your attention to the following note in the standard: The environment for the operation of processes can include physical, social, psychological, environmental and other factors (such as temperature, humidity, ergonomics and cleanliness). Specific aspects of legislation may apply in some cases and NSI approval will not normally be granted if there are any areas of nonconformity with regard to applicable legislation. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 10 of 24 April 2017 © NSI 2017 7.1.5 Monitoring and measuring resource You must maintain a register of all instruments and equipment used for measurement, inspection and testing purposes and where relevant you must retain up-to-date records of calibration. Whilst it is not usual for life safety fire risk assessments to require the use of measuring equipment, a client specification may, for example, require the determination of fire alarm sound pressure levels throughout the premises. 7.1.6 Organizational knowledge No additional requirements apply to this clause of BS EN ISO 9001:2015. 7.2 Competence In accordance with clause 7.2 of BS EN ISO 9001:2015, you must determine the necessary competence of persons doing work under your control that affects the performance and effectiveness of the QMS and you must ensure these persons are competent on the basis of appropriate education, training and experience. Where applicable, you must take actions to enable people to acquire the necessary competence and you must evaluate the effectiveness of the actions taken. You must retain appropriate documented information as evidence of competence. The fact that someone receives training does not guarantee they will be competent in carrying out their duties and therefore there has to be a system for confirming competency. We suggest you should consider a probationary period for all new people and review their competency formally before granting confirmed employment. The objective here is to identify and address any areas where competency is not immediately indicated and which could indicate a need for further training/development. Thereafter, you should have a process for verifying on-going competency which could include feedback from internal and external audit, formal staff appraisal/evaluation and so on. You must establish: (a) A person specification for fire risk assessors and Validators that identifies the knowledge and skills required. The person specification must identify the minimum competency requirements appropriate to the fire risk assessments to be carried out. (b) Procedure(s) and processes to ensure that the fire risk assessors and Validators are competent and remain competent. You must monitor these processes regularly through a robust and documented process of internal audit. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 11 of 24 April 2017 © NSI 2017 In determining and being able to demonstrate the availability of the necessary competence within your organization it will be relevant to establish a training programme that includes, where relevant: fire risk assessment refresher training and continuing professional development quality procedures and/or documentation appropriate to the business processes company standards for quality and control over requirements internal auditing skills Training records must normally include the signature of the trainer and trainee* and include evidence to substantiate that staff have the necessary fire risk assessment competence with respect to the scope of the assessments they are expected to carry out. * where training records are held electronically and do not include actual signatures to confirm attendance, you must be able to demonstrate clearly by alternative means that the individuals did attend the referenced training session(s), for example diary entries, invitations to attend at certain times and dates, rostering records, timesheets, issue of certificates of attendance and so on. Evidence of competence should include: experience in the practice of fire safety training records listing on a national recognised register of fire risk assessors or completion of a nationally recognised training course evidence of successful application of knowledge such as NVQ documented continual professional development You should refer to the ‘Guide to Choosing a Competent Fire Risk Assessor’, Version 2, published on 9 October 2014 by the Fire Risk Assessment Competency Council, which is available on the BAFE website as part of the BAFE SP205 Scheme. Sub-contractors The SP205 scheme recognises that some fire risk assessors may be employed on a part time, temporary, or sub-contracted basis. For the avoidance of doubt, a sub-contractor does not have to be registered with the BAFE SP205 scheme but must comply with the requirements of the scheme through a formal agreement with your organization as the main contractor (who will be registered to BAFE SP205). You must use sub-contractors only as permitted by the BAFE SP205 scheme and only where the individuals involved are adequately skilled, experienced, trained, briefed, organised, supervised and monitored. If you engage one or more sub-contractors FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 12 of 24 April 2017 © NSI 2017 directly, or you engage an individual or other company to supply sub-contractors, you must ensure there are suitable and adequate procedures and controls in place within the QMS to ensure adequate skill, experience, training and so on. You must have written agreements with the sub-contractors covering confidentiality of information, training and assignment to agreed tasks. You must retain sufficient in-house expertise to verify an acceptable service has been provided and have evidence to show the adequacy of sub- contractors’ work is validated periodically. By adequacy we mean compliance with all the relevant Product Standards such as BAFE SP205-1 and with all your organization’s procedures and requirements. 7.3 Awareness No additional requirements apply to this clause of BS EN ISO 9001:2015. 7.4 Communication No additional requirements apply to this clause of BS EN ISO 9001:2015. 7.5 Documented information 7.5.1 General You must have the documented procedures required by BAFE SP205-1. 7.5.2 Creating and updating No additional requirements apply to this clause of BS EN ISO 9001:2015. 7.5.3 Control of documented information Within the general practices of controlling documented information: a) You must make provision to list the issue status of external documents including those called up in the NSI Regulations and Scheme Criteria, relevant Fire Safety Legislation, relevant Government Guides and other applicable Standards, Regulations, Codes of Practice and so on. b) You must make provision to list the issue status of internal documents pertinent to your QMS, including procedures, process maps and so on. c) If documented information is held electronically, you must observe the following safeguards and protocols: (1) Where a document includes a customer signature, the document must be held electronically as a facsimile copy, including a facsimile copy of the signature. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 13 of 24 April 2017 © NSI 2017 Alternatively, traceability from a customer signature on a hard copy to an electronically held document will be acceptable. Where documents held electronically require authorisation (say customer specification) then issue status must be allocated and access rights controlled by password entry at appropriate levels of authorisation. If you introduce other arrangements, you must demonstrate that the above principles of authorisation and agreement are upheld. It is your responsibility to determine whether specific contractual documents are required to be held as originals for legal purposes. (2) You must have robust and secure backup arrangements and you must keep to these arrangements. (3) You must hold backups of retained information securely (preferably in a fire-resistant container or at a secure off-site location). We draw your attention to the Data Protection Act (DPA) and to the Information Commissioner’s Office (ICO) guidance on the use of cloud computing services in relation to compliance with the DPA. (4) You must have ready access to all documentation and records for the purposes of receiving NSI LSFRA Gold audits and so on. Control of retained documents You must include information security policies for the protection of retained information held on portable electronic devices (such as laptops, tablets, memory sticks) and you must ensure your personnel, including any sub-contractors, keep to these policies. For example devices should be password protected and/or have their hard drives encrypted. Also there should be restrictions on leaving devices unattended in vehicles and/or in premises that are not alarmed. Contract information You must retain documented information in respect of fire risk assessments (including quotations, reviews, site notes, site drawings and site photographs) for a minimum of 5 years from the date of the fire risk assessment. Complaint information You must retain documented information in respect of complaints for a minimum of 2 years after the date the fire risk assessment was carried out. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 14 of 24 April 2017 © NSI 2017 Training information See BS EN ISO 9001:2015 clause 7.2 for training information. Security screening information For security screening information see clause 7.1.2 of this schedule. 8 Operation 8.1 Operational planning and control You must develop processes as required by the BAFE SP205-1 scheme document for the provision of life safety fire risk assessments to take into account the possibility that clients are not always clear what a fire risk assessment involves beyond the legal requirement to have one. Where a client does not provide a specification you must propose a specification prior to accepting t he client’s instruction. All life safety fire risk assessments must include, as a minimum, the information detailed in Appendix D of the current version of BAFE SP205-1. The specification should make clear the methodology such as the application of accepted guidance, using codes of practice or using mathematical modelling techniques, and should be suitable and sufficient for compliance with the relevant legislation. The processes should ensure that: contractual obligations are agreed and understood by all parties the specification upon which the fire risk assessment is conducted and the information recorded is explained and agreed. Guidance and a recommended methodology for fire risk assessments is given in BSI Publicly Available Specification PAS 79 the competencies of the risk assessors allocated to carry out the fire risk assessments are suitable adequate planning and monitoring of the execution of the project from the enquiry through to the delivery of the risk assessment is in place to ensure the c lient’s expectations can be met 8.2 Requirements for products and services 8.2.1 Customer communications The following requirements apply in addition to the requirements of this clause of BS EN ISO 9001:2015. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 15 of 24 April 2017 © NSI 2017 Management of complaints You must deal promptly with all complaints and in an appropriate manner including sending the complainant an acknowledgment the matter is receiving timely attention. You must have a suitable register of complaints, which must include the date of receipt, complainant details, summary of the complaint, and a complaint reference number or code. You must register all complaints promptly and then investigate and action them at an appropriate level of seniority. You must find the root causes of complaints so that corrective actions are effective in preventing further occurrences. The decision on the appropriate course of action (or actions) must be documented. When all reasonable steps have been taken to restore confidence, complaints must be closed down by entering a date of closure in the complaint register. Complaints must be included in the review of nonconformities (see 9.3.2) and consequently clauses 10.1 and 10.2 of BS EN ISO 9001:2015. We draw your attention to the guidelines in BS ISO 10002:2014 – Quality management – Customer satisfaction – Guidelines for complaints handling in organizations, including guidance for small businesses given in Annex A of BS ISO 10002:2014. BS ISO 10002 defines “complaint” as “expression of dissatisfaction made to an organization, related to its products, or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected”. Such expressions of dissatisfaction could be made in a number of different ways for example in writing, including email, or orally on the telephone. We draw your attention to the guiding principles given in clause 4 of BS ISO 10002:2014, which are recommended for effective handling of complaints: visibility (well publicised information about where to complain) accessibility (easily accessible to all complainants) responsiveness (immediate acknowledgement and addressed promptly) objectivity (equitable, objective and unbiased) charges (free of charge) confidentiality (protected from disclosure except where consented) FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 16 of 24 April 2017 © NSI 2017 customer-focused approach (open to feedback and commitment to resolve) accountability (for and reporting on the organiz ation’s actions and decisions) continual improvement (permanent objective of the organization) 8.2.2 Determining the requirements related to products and services No additional requirements apply to this clause of BS EN ISO 9001:2015. 8.2.3 Review of requirements related to products and services The formal contract review process is set out below. Associated practices in respect of a risk assessment design specification are set out in clause 8.3. a) General The identity of the persons allocated responsibility and authority to carry out contract reviews must be clearly defined and communicated within the organization (clause 5.3 of BS EN ISO 9001:2015 refers). b) Review Reviews must be undertaken: (1) Before submission of any tender or quotation, to confirm the requirements are adequately defined and documented and your organization has the capability and resources to meet the requirements including any statutory and regulatory requirements. (2) After receipt of the customer’s reply to any tender or quotation, or on receipt of purchase order; to ensure any changes requested by the customer are resolved. There must be evidence, by means such as stamp, signature or electronic authorisation, of all reviews. You must make clear in appropriate documentation whether or not your organization accepts oral confirmation of orders and, if so, your policy must require you to send a written statement to the customer stating your understanding of the agreement and confirming this will be taken as the agreement unless the customer notifies otherwise in writing. c) Amendment to contract On completion of the life safety fire risk assessment, your procedures must ensure all amendments are agreed, recorded and authorized and the requirements of the contract are completed. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 17 of 24 April 2017 © NSI 2017 d) Documented information You must retain documented evidence of contract reviews for a minimum of two (2) years after the fire risk assessment was carried out. Certain contract information may need to be held for a longer period to satisfy HM Revenue and Customs and VAT requirements and so on. e) Customer liaison You must maintain effective customer liaison through the life of the contract. Clause 8.2.2 of BS EN ISO 9001:2015 makes it clear that statutory and regulatory requirements shall be determined and a new NOTE in the Standard references that supplementary services such as recycling or final disposal are post-delivery activities and must also be considered. With any accredited management system certification there is increasing recognition that certification ought to give a level of assurance that the approved organization is aware of relevant legislation and is essentially compliant. The reference to recycling or final disposal is a useful pointer to the increasing amount of environmental legislation that applies to organizations whether or not they choose to implement an Environmental Management System. For example electronic and electrical equipment can no longer be sent to landfill (the WEEE Regulations apply) and manufacturers of certain types of equipment are obliged to have or participate in a take back scheme for the old equipment. We recommend you should maintain a consolidated list of the legislation you believe is relevant to your organization (see also clause 7.5.1). 8.2.4 Changes to requirements for products and services No additional requirements apply to this clause of BS EN ISO 9001:2015. 8.3 Design and development of products and services We accept that clause 8.3 of BS EN ISO 9001:2015 does not normally apply to companies solely providing fire risk assessments for life safety. Either the customer will specify the design of the risk assessment or a design which uses, or is similar to, the publically agreed specification PAS 79 will usually be suitable and sufficient. Compliance with the remaining clauses of BS EN ISO 9001:2015 should provide adequate assurance that the organization has the appropriate processes in place to carry out an effective contract and specification review in order to plan, execute and maintain an effective service in accordance with the specified requirements. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 18 of 24 April 2017 © NSI 2017 8.4 Control of externally provided processes, products and services 8.4.1 General You must establish criteria for selection, evaluation and re-evaluation of suppliers and keep records of the results including any necessary actions arising from evaluation and re-evaluation. You must evaluate and select suppliers (including sub-contractors and companies who provide sub-contractors) based on their ability to supply product or service in accordance with your requirements, the requirements of this Quality Schedule, and the requirements of BAFE SP205-1. If you sub-contract any of the work to provide life safety fire risks assessments you must retain sufficient in-house expertise to verify that all assessments, and all subsequent assessments, meet the relevant standards, in particular BAFE SP205-1. 8.4.2 Type and extent of control You may use sub-contractors only as permitted by the relevant BAFE SP205 scheme documents. You must: a) Maintain a register of all sub-contractors, which must clearly show the services they can supply; b) Record clearly the basis of selection of all sub-contractors; c) Conclude formal agreements that adequately cover the services to be provided and make it clear services can only be delivered by named individual sub- contractors who have been security screened (where required) and whose competency is demonstrated; d) Audit and monitor sub-contractors on the same basis as staff personnel; e) Brief sub- contractors on the organization’s policies, procedures , work instructions and records to be completed to verify completion of assigned tasks or service delivery; f) Retain overall responsibility for all sub-contracted services even if extensive use is made of sub-contractors; g) Allow us to have the right to audit the work carried out by sub-contractors and interview such sub-contractors to confirm their competence; 8.4.3 Information for external providers No additional requirements apply to this clause of BS EN ISO 9001:2015. 8.5 Production and service provision 8.5.1 Control of production and service provision FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 19 of 24 April 2017 © NSI 2017 In addition to the requirements of BS EN ISO 9001:2015, you must have a defined process to ensure that a Validator authorises each life safety fire risk assessment before it is issued to a customer. 8.5.2 Identification and traceability You must maintain a system for uniquely identifying each risk assessment, associated enquiries, contractual documentation, notes, photographs, observations and evidence gathered through third parties. You must minimise the potential for mis-filing and ensure documentation in relation to each contract and the QMS can be readily achieved. 8.5.3 Property belonging to customers or external providers In addition to the requirements of the standard, you must hold an a ppropriate “Sc ope of Approval” in respect of the BAFE SP205 Scheme before a NSI/BAFE certificate of approval can be issued. The BAFE SP205 Scheme requirements need to be read and understood. A note in BS EN ISO 9001 reminds organizations that “customer property can incl ude intellectual property and personal data”. 8.5.4 Preservation No additional requirements apply to this clause of BS EN ISO 9001:2015. 8.5.5 Post-delivery activities No additional requirements apply to this clause of BS EN ISO 9001:2015. 8.5.6 Control of changes No additional requirements apply to this clause of BS EN ISO 9001:2015. 8.6 Release of products and services No additional requirements apply to this clause of BS EN ISO 9001:2015. 8.7 Control of nonconforming outputs Your retained documentation for control of nonconforming output must provide for potential failure to: (a) D etermine the client’s requirements accurately at the enquiry stage. (b) Deliver a life safety risk assessment that is suitable and sufficient in all respects. (c) Deal with nonconforming outputs identified through the internal audit process. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 20 of 24 April 2017 © NSI 2017 You must be able to show how non-conformance is controlled and who has responsibility to deal with each situation. It must be possible to identify the available options, in each situation, to assist in determining the correct course of action. 9 Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation 9.1.1 General You must have a process for the management of complaints (see clause 8.2.1). This process must cover all complaints whether they are from directly contracted customers or from other parties. This process (or a separate one) must also cover situations where we contact you about a complaint made to us about your organization. The process for management of complaints can be included in the process (or processes) for the control of nonconforming product (see 8.7) or can be a stand-alone process. 9.1.2 Customer satisfaction You must monitor customer perceptions of the degree to which requirements have been met. Sources of information on customer perception could include: the outcome of customer satisfaction surveys the number of risk assessments arising from recommendations letters of commendation received from satisfied customers retention of contracts complaints against your organization other sources as determined by you The maintenance of good relationships with customers is a significant factor affecting the success and growth of any business. Concern for the customer should be part of the overall business strategy. You should set out to avoid complaints. When complaints do occur, the objective should be to come out of each situation, wherever possible, with a strengthened relationship with whoever is complaining. 9.1.3 Analysis and evaluation Your analysis of data must include provision of information relating to: customer satisfaction (see clause 9.1.2) FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 21 of 24 April 2017 © NSI 2017 suppliers of products (including services) (see clause 8.4) core business processes such as the time taken to provide the customer with the completed risk assessment from the time the initial contract to carry out the assessment was accepted Timescales may well be incorporated into the contract in which case they can be used as the benchmark when analysing data. In relation to customer satisfaction, you must analyse the causes of complaints. The analysis must form part of the input to management review (see clause 9.3.2). The main purpose of the analysis is to assist you in deciding on appropriate corrective action with a view to improving customer satisfaction and reducing future incidence of complaints. The following analysis of rectified complaints by cause code is suggested: a) unsatisfactory life safety risk assessments b) failure to meet contract conditions c) disputed charges d) lack of timely response to enquiries and complaints e) behaviour of staff personnel f) behaviour of sub-contractors (if used) g) other (use text) You must examine causes of complaints at appropriate intervals and make (and record) suitable decisions or recommendations regarding corrective action (for example in relation to common causes of complaint). 9.2 Internal audit You must plan, establish, implement and maintain an internal audit programme, which must include a statement (or statements) of the frequency at which audits of fire risk assessors and Validators shall be undertaken and the person(s) nominated by the organization to undertake the audits. You must also define the steps to be taken if the risk assessments selected fail to meet the specified criteria and you must include a reference to possible training needs and/or an increase in the frequency and number of audits. The requirements are as specified within BS EN ISO 9001:2015, with the clarification that the audit programme must include auditing of each fire risk assessor using appropriate audit checklists which make reference to the relevant: FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 22 of 24 April 2017 © NSI 2017 i. legislation ii. building regulations iii. local government guidance documents iv. assessment specification Your capability to monitor standards of life safety fire risk assessment provision is an auditable element of NSI LSFRA Gold and you must be able to demonstrate you are capable of identifying all your own nonconformities. Selection, auditing and review of sub-contractors In accordance with BS EN ISO 9001:2015, you must have thorough and effective procedures for the selection, auditing and periodic review of sub-contractors. The level of auditing of sub-contracted work must not be less than the level of auditing that is applied to work undertaken by the organization’s own staff personnel. Where the auditing of the work of sub-contractors is undertaken by a sub-contractor company by, through or under which the sub-contractor is engaged, you must inspect the audit records and carry out audits of risk assessments to verify the standard of the sub-contracted audits. Periodically you must accompany the sub- contractor’s auditor on witnessed audits. You must maintain records of the audits and checks you carry out. 9.3 Management review 9.3.1 General The general requirements set out in clause 9.3.1 of BS EN ISO 9001:2015 apply. We recognise there are different views as to the top management personnel who should carry out the management review. Each case has to be considered on its own merit, particularly in large multi-layered organizati ons such as PLC’s. For example, it may not be practical or necessary for all Directors of the organization to be present at the management review meetings if, when interviewed on actual audit, they can demonstrate awareness of all the significant issues raised at the meetings. 9.3.2 Management review inputs Top management must review the organiz ation’s QMS , which must include, but not be limited to, the following areas as appropriate to the scope of the fire risk assessments carried out: the status of actions from previous management reviews new legislation or government guidance (when appropriate) information on the performance and effectiveness of the quality management system, including trends in: FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 23 of 24 April 2017 © NSI 2017 customer satisfaction and feedback from relevant interested parties (including the analysis of complaints) the extent to which quality objectives have been met process performance and conformity of products and services (including performance and trend analysis for routine maintenance, response to emergency call outs and false alarms(where applicable) non-conformities and corrective actions monitoring and measurement results results of internal and external audit the performance of external providers (including suppliers and sub- contractors) effectiveness of continual improvement initiatives adequacy of resources (including human, equipment and facilities) the effectiveness of actions taken to address risks and opportunities planned changes that could affect the business opportunities for improvement (including assessment of new software and hardware) review adequacy of Quality Policy and Quality Objectives competency evaluation and training needs including continuing professional development infrastructure (when appropriate) new technology with respect to active and passive fire protection systems and products (when appropriate) evaluation of legal compliance 9.3.3 Management review outputs No additional requirements apply to this clause of BS EN ISO 9001:2015. 10 Improvement 10.1 General No additional requirements apply to this clause of BS EN ISO 9001:2015. FRAQS 123 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to the NSI Life Safety Fire Risk Assessment Gold Scheme Issue 4.0 Page 24 of 24 April 2017 © NSI 2017 10.2 Nonconformity and corrective action Clause 10.2 of BS EN ISO 9001:2015 makes clear the need to take action to eliminate the causes of nonconformities in order to prevent recurrence and that nonconformities include customer complaints. You must have an effective process (or processes) for the development and implementation of appropriate corrective actions where a nonconformity is discovered in order to prevent a recurrence of the nonconformity. Nonconformities include substandard fire risk assessments, poor service performance and justifiable customer complaints. You must carry out root cause analysis to find the causes of nonconformities in order to support the corrective actions taken in response to nonconformities. You must retain sufficient documentation to provide evidence of the nature of any nonconformities identified and subsequent corrective actions and you must retain evidence of the results of this corrective action. As a minimum this retained information must include evidence of the review of audit results and customer complaints. 10.3 Continual improvement No additional requirements apply to this clause of BS EN ISO 9001:2015. Measures in 10.2 and 10.3 are not exhaustive. Corrective actions and opportunities for continual improvement may apply to other areas of the QMS.