ISO14001 -An Overview

First of all, let me explain a little about the requirements of ISO 14001:2004.

It helps if you understand the basis of the standard. In the same way that ISO9001 is entirely concerned with meeting customer requirements, ISO14001 is entirely concerned with meeting environmentally-related requirements. In particular, requirements relating to prevention and control of pollution.

So, in the UK, the mother of such legislation is the Control of Pollution Act. From this, many hundreds of regulations, powers and associated acts have arisen. All organizations are required (by law, not just by ISO14001) to be aware of the relevant legislation and to comply with the requirements. ISO14001 merely provides the structure to do this in a systematic way.

In addition, ISO14001 requires that your organization considers the significant impacts that its activities may have on the environment. Where it is possible, feasible and economic to make a meaningful improvement to those activities, your organization should set itself targets for improvement with associated plans.

• 1. Scope
• 2. Normative References
• 3. Terms & Definitions
• 4. Environmental Management System Requirements

The good news is that clauses 1 to 3 contain nothing against which your organization will be assessed. Hooray!

This explains that the standard is concerned with the requirements for an environmental management system, It does not tell any organization how to do anything. It merely requires that suitable control mechanisms are in place. 

This is a waste of a clause, since it states that there are no normative references involved. (A normative reference is another standard or set of requirements that can affect this standard). So, moving right along...

This clause explains what the standard means when it uses various terms. As usual for these standards, the terms defined are mainly the incredibly obvious ones. e.g. "Auditor" is "person with competence to conduct an audit". Well, doh!

It does completely avoid the terms that could be usefully defined. e.g. what is the difference between "identify", "define", "determine", "document/ed", etc? 

Don't expect to find any golden gems here.

is concerned with stating the general requirements for the system. Amongst other things, it requires that the scope of the system is defined and documented.

is concerned with the requirements for the environmental policy that the organization must define. 

It is very similar to the ISO9001 equivalent for a quality policy, but is targeted environmentally, of course.

Clause 4.3.1 - Environmental Aspects

requires that there is a procedure to identify the environmental aspects (within the scope defined under clause 4.1) that the organization can control.

It also requires that the organization must determine the aspects that can have a significant impact on the environment. Note: throughout the rest of the standard, these are referred to as the "significant environmental aspects". Defining these correctly can make a huge difference to your system.

Clause 4.3.2 - Legal and other requirements

requires that there is a procedure to identify and access applicable requirements (laws, codes of practice, customer requirements and so on) and to determine how these apply. Stating the obvious (hey, it's a standard!) it requires that the requirements are taken into account within the system.

Clause 4.3.3 - Objectives, Targets & Programmes

requires that environmental objectives and targets are documented at relevant functions. Where practicable, they should be measurable. There should be action plans (programmes) in place to achieve these objectives and targets. 

These plans should include the responsibilities of the persons concerned and the means and time frames for achieving them. The plans could be in any format. The standard is not specific. So perhaps the minutes of your management reviews (see clause 4.6) could include this information.

Clause 4.4.1 - Resources, Roles, Responsibilities and Authority

is very similar to its ISO9001 equivalent, but is a rolling together of much of clause 5 and 6 of ISO9001.

It requires that Management make sufficient resources available to implement, maintain and operate the environmental management system (people, infrastructure, skills, finances and so on). It also requires that a specific person or persons are appointed to ensure that the system is implemented and operated effectively and to report back to top management on the performance of the system.

Clause 4.4.2 - Competence, Training & Awareness

is concerned with persons "performing tasks for it or on its behalf" that could cause a significant environmental impact (I told you this would come back to haunt you!).

Those persons must be competent on the basis of education, training, experience etc. The organization must keep records that demonstrate this. 

Note: "Persons performing work for it or on its behalf" should probably include any contractors appointed to work for you.

Your organization needs to consider what the training needs are (with respect to the environmental impacts and for your system) and then provide the relevant training.

In addition, your organization must have a procedure/s that ensure that same group of people are made aware of

• the importance of meeting the requirements of the system (policies, procedures etc)
• any significant environmental impacts (those words again!) that could arise from their activities
• their role in achieving the aims, targets, objectives etc within the system
• the potential problems arising if they fail to follow your procedures

Clause 4.4.3 - Communication

requires that there is a procedure (or more) covering 

• internal communication within the organization
• receiving, documenting and responding to "relevant" communication from external interested parties

It also requires that your organization must decide whether to let the outside world know about the significant environmental impacts (those words again). It must document this decision (e.g. record it as a decision during the management review process - see 4.6) and have a method for doing so (in other words, if it decides to do it, it must actually do it)

Clause 4.4.4 - Documentation

This clause covers the range of things that must be documented. e.g. the environmental policy, scope of the system and so on.

Clause 4.4.5 - Control of Documents

This is virtually identical to the requirements of Clause 4.2.3 of ISO9001, except it is concerned with the documents within the environmental management system, rather than of the quality management system. (see ISO9000 Explanation)

Clause 4.4.6 - Operational Control

requires that operations associated with the significant environmental impacts (those words again) are suitably controlled. It requires that there are procedures where the lack of them would lead to a deviation from the policy and targets and objectives. (So if your organization makes sure that people are aware of what they need to do, there may be little or no need for written procedures).

It also requires that there are procedures relating to any significant environmental aspects (those words again) of goods and services used by the organization and that those procedures and requirements are communicated to "suppliers, including contractors".

Clause 4.4.7 - Emergency Preparedness & Response

requires that there are procedures concerned with how to identify potential incidents that could have a significant impact on the environment and how to deal with it to limit or prevent the environmental damage and deal with the effects.

The effectiveness of the procedures needs to be periodically reviewed, especially after any accidents have occurred.

Where practicable, the procedures should be periodically tested to confirm their suitability. (but don't cause major pollution just to check your procedures, please!)

Clause 4.5.1 - Monitoring & Measurement

requires that your organization has procedures to monitor and measure the key characteristics of its operations that can have have a significant environmental impact (those words again).

The monitoring and measuring equipment used must be calibrated (or verified as suitable for the purpose) with records kept (compare with clause 7.6 of ISO9001).

Clause 4.5.2  - Evaluation of Compliance is further divided into sub-sub-sub clauses! Although similar, they have slight differences in wording that make them very different in operational terms.

Clause 4.5.2.1

requires that your organization has procedures for periodically evaluating compliance with applicable legal requirements. Note the use of the term "legal". It does not require this for other requirements!

It also requires that records are kept of the evaluations.

Clause 4.5.2.2

requires that your organization periodically evaluates compliance with other requirements. Note that no procedures are required for this evaluation.

It does require that records are kept of the evaluations.

Clause 4.5.3 - Nonconformity, Corrective Action & Preventive Action

requires that your organization has procedures for dealing with "actual and potential nonconformities", and for taking the appropriate corrective actions (to modify the system to prevent recurrence) and preventive action (to stop nonconformities from happening in the first place).

Think of this as similar to clauses 8.3 and 8.5 of ISO9001 rolled together.

Clause 4.5.4 - Control of Records

requires that your organization has procedures for controlling the records required by ISO14001 and needed to demonstrate conformity to its requirements.

This is identical to Clause 4.2.4 of ISO9001 (see clause 4 of ISO9001).

Clause 4.5.5 - Internal Audit

requires that audits are conducted to determine if the system conforms to the requirements of ISO14001 and the organization's own requirements and to provide information to management.

It requires a procedure or procedures "that address" the responsibilities and requirements for planning & conducting the audits and reporting the results and keeping relevant records, etc. That procedure should also address the determination of the audit criteria, scope, frequency etc.

requires that the organization's management must review the system at "planned intervals" to ensure it remains suitable for the purpose. It specifies a list of topics to be considered. Some of them have been described above, but others include:

• follow-up actions from previous meetings
• results of audits 
• evaluations of compliance with legal and other requirements
• communications from interested (external parties). This should include complaints that relate to the environmental performance of the organization
• the achievement (or not) of the organization's objectives and targets
• status of corrective and preventive actions (e.g. the action plans described at the start of this page, actions related to any significant incidents, actions arising from audits and so on).
• any changes in circumstances that relate to the environmental aspects (changes in law, new products and services, etc)
• recommendations for improvement

The outputs of the meeting should include decisions arising related to changes in the policy, objectives, targets etc, relating to continual improvement.

Records of the reviews must be maintained.

clearly states that it is "strictly informative " and it "is intended to prevent misinterpretation of the requirements contained in Clause 4". It further goes on to say "it is not intended to add to, subtract from, or in any way modify those requirements".

So, read it for information's sake. But if your auditor tries to raise nonconformances against the contents of the clause (and I have seen a number of Certification Bodies try to), then read them the first sentence of section A.1.