INTEGRATED MANAGEMENT SYSTEM (IMS) MANUAL
siscol.in/static/dist/pdf/siscol-ims-manual.pdf Rev. No....

INTEGRATED MANAGEMENT SYSTEM (IMS) MANUAL
(QMS, EMS & OHSAS and ISMS)

Head Office: 806, Kailash Building, 26 K G Marg, New Delhi - 110 001, INDIA
Manufacturing Setup: Bhilai, Chattisgarh, INDIA
Design Office: Bangalore, INDIA

Management System: QMS, EMS & OHSAS, ISMS
Prepared by: Vinod Srinivasa (31.01.2018)
Reviewed by: V K Bansal (03.02.2018)
Approved by: V K Bansal (05.02.2018)
Authorised by: Ravi Uppal, Chairman & Managing Director (06.02.2018)

Doc. No.: SISCOL-IMS-MANUAL
Rev. No.: 00
Eff. Dt.: 6th February, 2018


Integrated Management System Page 1 of xx EFF. DT.: 1st June, 2011

REV NO: 00 DOC NO: LNTP/IMS


IMS MANUAL AMENDMENT HISTORY

Page 2 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Chapter No. 0.2 Doc. No.: SISCOL-IMS-MANUAL

UNCONTROLLED DOCUMENT IF PRINTED

AMENDMENT HISTORY

Rev. No. | Date | Remarks
A | 31.01.2018 | Issued for Review/Comments
00 | 06.02.2018 | Issued for Implementation

TABLE OF CONTENTS

Chapter No. | Content
0.1 | Cover Page
0.2 | Amendment History
0.3 | Table of Contents
0.4 | Manual Authorization
0.5 | Abbreviations
0.6 | Mapping of Clauses
1 | Introduction
2 | Administration of Manual
3 | IMS Policy
4 | Context of the Organization
5 | Leadership
6 | Planning
7 | Support
8 | Operation
9 | Performance Evaluation
10 | Improvement
Annexure A | List of Documented Information
Annexure B | Common Processes
B.1. | Control of Documented Information (LNTP-CP-01)
B.2. | Risk and Opportunity Identification, Assessment, Implementation and Reviewing effectiveness (LNTP-CP-02)
B.3. | Internal Audit (LNTP-CP-03)
B.4. | Non-Conformance & Corrective Action (LNTP-CP-04)
B.5. | Competence Development (LNTP-CP-05)
B.6. | Management Review Meeting (LNTP-CP-06)
B.7. | Objective Setting (LNTP-CP-07)
Annexure C | Terms & Definitions

IMS MANUAL AUTHORIZATION

SISCOL is engaged in the design, engineering, manufacturing, logistics, erection and project management of structural steel based solutions for varied infrastructural sectors. To meet the customer’s requirements and ensure systematic working, guidelines have been described in this manual. This Integrated Management System (IMS) Manual bears the authorization of the undersigned.

This IMS Manual describes the Quality, Environment, Occupational Health & Safety and Information Security Management Systems’ requirements adopted by SISCOL and has been formulated as per the requirements of ISO 9001:2015, ISO 14001:2015, OHSAS 18001:2007 and ISO 27001:2013.

All Directors and Functional Heads are responsible for ensuring compliance with the requirements mentioned in this manual. They have the authority to form an appropriate organization for discharging their functions and responsibilities and for resolving non-conformities within their departments.

The Chairman & Managing Director designates the Head – Quality, EHS & Training as Management Representative (MR) for IMS. The MR has the organizational freedom and responsibility to:

- Implement and maintain this manual with the objective of continual improvement and to prevent non-conformities
- Assess compliance through internal audits and identify non-conformities; initiate necessary corrective action with the involvement and support of all the relevant functions; and monitor and verify the same, to ensure improvement in organizational processes
- Provide feedback to the Management about the performance of the Integrated Management System

The Management Representative has the authority to stop any work which is not in accordance with this manual and/or the specified requirements.

New Delhi
Date: 06.02.2018

Ravi Uppal
Chairman & Managing Director

ABBREVIATIONS

Abbreviation | Expansion
4S | Systems, Spirit, Simplicity & Speed
ALARP | As Low As Reasonably Practicable
BD&M | Business Development & Marketing
BOM | Bill of Materials
CA | Corrective Action
CFT | Cross Functional Team
CMD | Chairman & Managing Director
CP | Common Process
CTQ | Critical to Quality
D&D | Design & Development
D&E | Design & Engineering
DCP | Department Control Procedure
DI | Documented Information
DRM | Department Review Meeting
EAI | Environmental Assessment Impact
EHS | Environment, Health & Safety
EMS | Environmental Management System
Ext. | External
FH | Functional Head
FQAP | Field Quality Assurance Plan
FTR | Field Trouble Report
GRN | Goods Receipt Note
H&S | Health & Safety
HIRA | Hazard Identification and Risk Assessment
HLS | High Level Structure
HOD | Head of Department
HR | Human Resource
IMS | Integrated Management System
Incl. | Including
Int. | Internal
IS | Information Security
ISMS | Information Security Management System
ISO | International Organization for Standardization
IT | Information Technology
ITP | Inspection & Test Procedure
JD | Job Description
KMS | Knowledge Management System
KPI | Key Performance Indicator
MDL | Master Document List
MoM | Minutes of Meeting
MR | Management Representative
MRM | Management Review Meeting
MS | Management Systems
MSDS | Material Safety Data Sheet
NC | Non Conformity
NCR | Non Conformity Report
OCP | Operating Control Procedure
ODC | Over Dimensional Cargo
OEM | Original Equipment Manufacturer
OFI | Opportunity for Improvement
OH&S | Occupational Health and Safety
OHSAS | Occupational Health and Safety Assessment Series
OHSMS | Occupational Health & Safety Management System
PDCA | Plan-Do-Check-Act
PMG | Project Management Group
PO | Purchase Order
PR | Purchase Requisition
PRM | Project Review Meeting
QA | Quality Assurance
QAP | Quality Assurance Plan
QC | Quality Control
QHSE | Quality Health Safety Environment
QMS | Quality Management System
RASCI | Responsible-Accountable-Support-Consult-Inform
RCA | Root Cause Analysis
Rev. No. | Revision Number
ROAM | Risk & Opportunity Assessment Model
SCM | Supply Chain Management
SDR | Site Deviation Report
SIPOC | Supplier-Input-Process-Output-Customer
SISCOL | Steel Infra Solutions Pvt. Ltd.
SoA | Statement of Applicability
SOP | Standard Operating Procedure
SPoC | Single Point of Contact
TM | Top Management
TPIA | Third Party Inspection Agency
TSA | Technical Service Agreement
UoM | Unit of Measurement
VoC | Voice of Customer
w.r.t | with respect to
WI | Work Instruction

MAPPING OF CLAUSES

Clause Description | ISO 9001:2015 | ISO 14001:2015 | OHSAS 18001:2007 | ISMS 27001:2013
Understanding the organization and its context | 4.1 | 4.1 | 4.1 | 4.1
Understanding the needs and expectations of interested parties | 4.2 | 4.2 | 4.1 | 4.2
Determining the scope of the integrated management system | 4.3 | 4.3 | 4.1 | 4.3
Integrated management system and its processes | 4.4 | 4.4 | 4.1 | 4.4
Leadership and commitment | 5.1 | 5.1 | - | 5.1
Leadership and commitment (General) | 5.1.1 | 5.1.1 | 4.1 | 5.1
Leadership and commitment (Customer focus) | 5.1.2 | 5.1.2 | 4.3.2 | 5.1
IMS Policy | 5.2 | 5.2 | 4.2 | 5.2
Establishing the IMS Policy | 5.2.1 | 5.2.1 | 4.2 | A.5
Communicating the IMS Policy | 5.2.2 | 5.2.2 | 4.2 | A.5
Organizational roles, responsibilities and authorities | 5.3 | 5.3 | 4.4.1 | 5.3
Actions to address risks and opportunities | 6.1 | 6.1 | 4.3.1 | 6.1
Environmental Assessment Impact (EAI) and HIRA | - | 6.1.2, 6.1.4 | 4.3.1 | -
Legal and other requirements | - | 6.1.3 | 4.3.2 | -
Information Security Risk Assessment | - | - | - | 6.1.2/8.2
Information security risk treatment | - | - | - | 6.1.3/8.3
Objectives, targets and programs (planning to achieve them) | 6.2 | 6.2 | 4.3.3 | 6.2
Planning of changes | 6.3 | 6.3 | 4.3.3 | -
Resources (General, People, Infrastructure, Environment for the operation of processes) | 7.1 | 7.1 | 4.4.1 | 7.1
Monitoring and measuring resources | 7.1.5 | - | - | -
General | 7.1.5.1 | 7.1 | 4.4.1 | -
Measurement traceability | 7.1.5.2 | 7.1 | 4.4.1 | -
Organizational knowledge | 7.1.6 | - | - | -
Competence | 7.2 | 7.2 | 4.4.2 | 7.2
Awareness | 7.3 | 7.3 | 4.4.2 | 7.3
Communication (General, Internal, External, Reporting etc.) | 7.4 | 7.4 | 4.4.3 | 7.4
Documented information | 7.5 | 7.5 | 4.4 | 7.5
General | 7.5.1 | 7.5.1 | 4.4.4 | 7.5.1
Creating and updating | 7.5.2 | 7.5.2 | 4.4.5 / 4.5.4 | 7.5.2
Control of documented information | 7.5.3 | 7.5.3 | 4.4.5 | 7.5.3
Operational planning and control | 8.1 | 8.1 | 4.4.6 | 8.1
Requirements for products and services | 8.2 | 4.4.6 | 4.4.6 | -
Customer communication | 8.2.1 | 7.4 | 4.4.3 | -
Determining the requirements related to products and services | 8.2.2 | 8.1 | 4.4.6 | -
Review of requirements related to products and services | 8.2.3 | 8.1 | 4.4.6 | -
Changes to requirements for products and services | 8.2.4 | 8.1 | 4.4.6 | -
Design and development of products and services | 8.3 | 8.1 | 4.4 | 8.1
General | 8.3.1 | 8.1 | 4.1 | 8.1
Design and development planning | 8.3.2 | 8.1 | 4.4.6 | 8.1
Design and development inputs | 8.3.3 | 8.1 | 4.4.6 | 8.1
Design and development controls | 8.3.4 | 8.1 | 4.4.6 | 8.1
Design and development outputs | 8.3.5 | 8.1 | 4.4.6 | 8.1
Design and development changes | 8.3.6 | 8.1 | 4.4.6 | 8.1
Control of externally provided processes, products and services | 8.4 | 8.1 | 4.4 | 8.1
General | 8.4.1 | 8.1 | 4.4.6 | 8.1
Type and extent of control (Purchasing Process and controls) | 8.4.2 | 8.1 | 4.4.6 | 8.1
Information for external providers | 8.4.3 | 8.1 | 4.4.6 | 8.1
Production and service provision | 8.5 | 8.1 | 4.4.6 | 8.1
Control of production and service provision | 8.5.1 | 8.1 | 4.4 | 8.1
Identification and traceability | 8.5.2 | - | - | -
Property belonging to customers or external providers | 8.5.3 | - | - | -
Preservation | 8.5.4 | 8.1 | 4.4.6 | -
Post-delivery activities | 8.5.5 | 8.1 | 4.4.6 | -
Control of changes | 8.5.6 | 8.1 | 4.4.6 | 7.5.3
Release of products and services | 8.6 | 8.1 | 4.4.6 / 4.5.1 | -
Control of nonconforming outputs | 8.7 | 8.1/10.1 | 4.4.7 / 4.5.3 | 10.1
Emergency Preparedness & Response | - | 8.2 | 4.4.7 | -
Monitoring, measurement, analysis and evaluation | 9.1 | 9.1 | 4.5 | 9.1
Internal Audit | 9.2 | 9.2 | 4.5.5 | 9.2
Management Review | 9.3 | 9.3 | 4.2 / 4.3.3 / 4.5.3 / 4.6 | 9.3
Improvement (General) | 10.1 | 10.1 | 4.2 / 4.3.3 / 4.6 | 10
Nonconformity and corrective action | 10.2 | 10.2 | 4.5.3 | 10.1
Incident investigation | - | - | 4.5.3.1 | -
Continual improvement | 10.3 | 10.3 | 4.2 / 4.3.3 / 4.6 | 10.2

CHAPTER - 1

INTRODUCTION

1.1 PURPOSE

This manual has been developed keeping in view the requirements of International Standards: ISO 9001:2015, ISO 14001:2015, OHSAS 18001:2007 and ISO 27001:2013 management systems. This is an Integrated Management System Manual. The objective of this manual is to map the requirements of these International Standards vis-à-vis SISCOL’s business processes. The requirements specified in this manual primarily focus on the following:

- Achieving customer satisfaction by providing all the deliverables as per their requirements
- Ensuring process approach for establishing, implementing, maintaining and continually improving above management standards
- Continually improving SISCOL’s business processes
- Endeavouring to achieve business excellence through process standardization & innovation, benchmarking and continual improvement of our people, products and services
- Establishing a systematic approach to risk management
- Designing of environmental friendly products and solutions to minimize the impact of the product/solution/service on the environment throughout their life cycle and to meet new environmental challenges through conservation of natural resources, technological innovation and continual improvement
- Complying with all the applicable legal, regulatory and other provisions related to environment, health & safety and information security
- Ensuring confidentiality, integrity and availability of business information and information processing assets
- Committed to the prevention of injury and ill health of our employees by ensuring compliance with the safe working practices and procedures established by the organization

1.2 OVERVIEW OF COMPANY

Steel Infra Solutions Pvt. Ltd. (SISCOL) is a unique firm with comprehensive capability for providing end-to-end structural steel based solutions covering the complete value chain of activities ranging from design, engineering, fabrication, installation at site and project management for diverse infrastructural projects across the globe. SISCOL’s vision is to be India’s largest supplier of steel based infrastructure solutions. More on: http://www.siscol.in

SISCOL, pioneered by a group of visionary & experienced veterans of India’s Steel and Construction industry, has entered into a Technical Service Agreement (TSA) with Yongnam of Singapore to provide state-of-the-art and complete end-to-end solutions as a part of its value proposition. A strong customer-focused approach and constant quest for top-class quality enable SISCOL to remain competitive and sustain its leadership position.

SISCOL has integrated the following as its strengths from Design to Delivery:

- Architectural & structural design
- Design & detailed engineering
- Manufacturing & logistics management
- Erection & projects management,

to offer single point responsibility under stringent delivery schedules, and is committed to demonstrating the best project management practices and environmentally friendly technologies and to ensuring the health & safety of all people.

To carry out the above functions in the most efficient manner, the following organization structure and overall process will be deployed:

SISCOL Organization Structure

[Figure: Overall Process Flow (flow chart; DOC NO: LNTP-IMS-FC-000; Rev. No. 00; Eff. Date: 30.06.2011). Recoverable box labels: Customer Requirements; Identification of business opportunity or Receipt of Tender/Enquiry/Business Information/Request for offer; Review by Marketing & Proposal; Preparation of offer; Letter of Award/Letter of Intent; Contract Review/Signing; D&D Planning, Review, V&V; Engineering; Planning & Resource allocation; Procurement Source & Receipt inspection; Product/Service/Project Realization; In-process inspection; Final inspection; Construction; Installation & Commissioning; Delivery to customers and After Sales Service; Customer Feedback; Corrective and Preventive actions; Continual Improvement; Performance monitoring/internal audits/data analysis; Risk Mgmt.; SCM; QM & EHS; Enabling Functions/Support Processes (HR, F&A, Admin, IT).]


CHAPTER - 2

ADMINISTRATION OF MANUAL


2.1 INTRODUCTION

This IMS Manual describes the Quality, Environment, Occupational Health & Safety (OH&S) and Information Security Management Systems requirements adopted by SISCOL. This manual lists down the procedures and measures stipulated for ensuring the quality of products and services through use of safe and environmental friendly work practices. This manual includes policies, processes, broad risk assessment methodology and controls for ensuring information security.

The Integrated Management System has been formulated on the basis of ISO 9001, ISO 14001, OHSAS 18001 and ISMS 27001.

This section titled “IMS Manual Administration” explains the Structure, Issue, Updating and Approval of the Integrated Management Systems Manual.

This manual and the information incorporated herein are the property of SISCOL. It must not be reproduced in whole or in part, or otherwise disclosed, without prior consent in writing from SISCOL.

2.2 STRUCTURE OF THE MANUAL

All the chapters are arranged sequentially as per the High Level Structure (HLS) of ISO. The respective requirements of QMS, EMS, OHSMS and ISMS are embedded into these clauses at relevant locations. This manual is available in English language only.

2.3 MANUAL ISSUE PROCEDURE

Head – Quality, EHS & Training has been designated as Management Representative for IMS (QMS, EMS, OHSAS and ISMS) and is authorized by the Chairman & MD to carry out the activities related to preparation, issue, deployment, maintenance and updating of this Manual.

This Manual is available as a PDF/XPS file at all the relevant locations. No hard copy of the manual is distributed unless otherwise required, as this manual becomes an uncontrolled document if printed.

Note: If this manual is revised or updated, then the older version gets superseded.

2.4 MANUAL REVISION, UPDATION & AMENDMENT PROCEDURE

The IMS Manual is reviewed by the Management Representative, in consultation with the Leadership Team and with authorization by the Chairman & MD of SISCOL, when management systems standards get revised/updated or as and when the organization needs a change to its management systems. No revision is implemented unless it has been approved and formally issued. When revisions take place, they are indicated by the revision number in the document and recorded in the Amendment History (Chapter 0.2) of this manual. As suitable, the manual may be re-issued when a sufficient number of amendments have been made to it or on account of major changes to the requirements of the standards in Quality, Environment, OH&S and ISMS Management Systems.

2.5 APPROVAL OF MANUAL

This manual is approved by the CMD designated MR of SISCOL. No part of this manual shall be reproduced in any form without the prior approval from the concerned MR.


CHAPTER - 3

IMS POLICY


CHAPTER - 4

CONTEXT OF THE ORGANIZATION


4.1 PURPOSE

To describe a system for understanding the organization and its context, along with the needs and expectations of interested parties and the identification of internal & external issues that can impact the planning of the quality management system & operations.

4.2 SCOPE

Covers all activities under the scopes of the following Management Systems:

a) Quality Management System (QMS)
b) Environment Management System (EMS)
c) Occupational Health and Safety Assessment Series (OHSAS)
d) Information Security Management System (ISMS)

4.3 OVERALL RESPONSIBILITY

- Top Management
- Management Representative
- Concerned Head of the Departments (HODs)

4.4 Context of the organization

4.4.1 Understanding the organization and its context
ISO 9001 (4.1), ISO 14001 (4.1), OHSAS 18001 (4.1) & ISO 27001 (4.1)

SISCOL shall determine, monitor and review external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s)/outcome(s) of the Integrated Management System (IMS) through:

- Annual General Body Meetings (AGMs)
- Board Meetings
- Strategic Meetings
- Objective Setting Workshops
- Periodic Reports issued by Marketing & Business Development
- Management Review Meetings
- Project Review Meets
- Sustainability/CSR Review Meets
- Investors Meet
- Statutory and Regulatory Bodies
- Customer meetings
- Employee engagement platforms & initiatives
- Business Associates meetings and feedback
- Customer Survey etc.

The issues arising from (but not limited to):

- External: legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local and
- Internal: values, culture, people, knowledge and performance of the organization;

constitute our approach.

4.4.2 Understanding the needs and expectations of interested parties
ISO 9001 (4.2), ISO 14001 (4.2), OHSAS 18001 (4.1/4.4.4) & ISO 27001 (4.2)

SISCOL continuously identifies interested parties that affect or have potential effects on its ability to consistently provide products and services that meet SISCOL’s legal, regulatory and customers’ requirements, which are:

- Customers (Internal/External)
- Shareholders/Investors
- Corporate Functions
- Lenders
- Statutory and Regulatory body
- Business Associates (incl. Suppliers, Contractors, Service Providers)
- Employees
- NGOs
- Society at large etc.

The requirements related to these interested parties are determined, monitored and reviewed during the various meetings mentioned in 4.4.1 of this manual.

4.4.3 Determining the scope of the integrated management system
ISO 9001 (4.3), ISO 14001 (4.4.4), OHSAS 18001 (4.1/4.4.4), ISO 27001 (4.3)

This manual describes the core elements of Management Systems & their interaction and provides directions to the execution of various processes. The manual includes:

a) Scope, boundaries and exclusions including justifications for the same
b) Reference to documented common processes established for the Quality, Environment, Occupational Health & Safety and Information Security Management Systems, including the interaction between the processes (List of DACPs as per Annexure-A and Common Processes as per Annexure-B and overall flow chart as per Chapter-1)

While determining the scope & boundary of the Integrated Management System in SISCOL, the organization considers the external and internal issues (referred in 4.4.1 of this manual) and the requirements of relevant interested parties (referred in 4.4.2 of this manual), for the products and services of SISCOL.

4.5 Integrated Management System and its processes (SYSTEM DESCRIPTION)

4.5.1 General Requirements
ISO 9001 (4.4), ISO 14001 (4.4), OHSAS 18001 (4.1/4.4.4) & ISO 27001 (4.4)

4.5.1.1 All the applicable major processes under the ambit of SISCOL have been identified and their interaction is depicted in the overall flow chart (Chapter - 1).

4.5.1.2 SISCOL determines the inputs required and the outputs expected, assigns responsibilities and authorities, and addresses the risks and opportunities for each of the processes (by defining SIPOC, RASCI, ROAM etc. as one of the methods) in its DCP and allied documents.

4.5.1.3 Criteria for operation & control of these processes are defined in various DACPs, Flow Charts, Operation Control Procedures, Work Instructions, Control Objectives and SOPs, as applicable at relevant stages of the processes.

4.5.1.4 During the complete life cycle of the manufacturing and project management/execution, relevant information and adequate resources are ensured, so that these processes are carried out & monitored in a controlled manner.

4.5.1.5 To ensure that all the identified processes continue to remain effective, these are monitored through regular process/project/product/system audits & reviews as per the responsibilities defined in the IMS manual, DCPs, Procedures, SOPs etc.

4.5.1.6 As per the organizational mandate and business requirements, time bound key performance indicators (KPIs) are identified and monitored for their realization.

4.4.2 Documented Information
ISO 9001 (4.4.2), ISO 14001 (7.5), OHSAS 18001:2007 (4.4.4), ISO 27001 (7.5)

3-tier documented information structure in SISCOL:

- Level-1: IMS Manual
- Level-2: Department Control Procedures - DCPs
- Level-3: SOPs, WIs, OCPs, Checklists, Formats

4.4.2.1 Integrated Management System documentation includes:

a) IMS Policy, Objectives and Deployment Programmes
b) IMS Manual
c) DCPs, SOPs, Work Instructions, Quality Plans, OCPs, KPIs, MSDS, Directives, Forms & Guidelines, Control Objectives, Risk identification, analysis and mitigation plans, on site emergency Preparedness plan, Statement of Applicability etc.
d) Common processes and Standard Operating Procedures (SOP) applicable throughout the organization are referred in the Manual
e) Documented information required to demonstrate the evidence of operation and control of processes, as per the requirements of these standards.

IMS MANUAL Doc. No.: SISCOL-IMS-MANUAL

CHAPTER - 5

LEADERSHIP

IMS MANUAL LEADERSHIP

Page 21 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Chapter No. 5 Doc. No.: SISCOL-IMS-MANUAL

UNCONTROLLED DOCUMENT IF PRINTED

5.1 PURPOSE To describe the Leadership engagement, accountability & commitment for establishing, implementing, sustaining, creating awareness & continually improving the Quality, EHS and Information Security Management Systems and integrating the requirements of the management system into core business to achieve its intended outcomes.

5.2 SCOPE

Applicable to the implemented Quality, Environment, Health & Safety and Information Security Management Systems covering various activities as per scope given in Chapter 1 of this document.

5.3 OVERALL RESPONSIBILITY

Top Management Leadership Team Concerned Head of the Departments (HODs)

5.4 SYSTEM DESCRIPTION

5.4.1 Leadership & Commitment 5.4.1.1 General ISO 9001 (5.1.1), ISO 14001 (4.1), OHSAS 18001 (4.1) & ISO27001 (5.1)

Top Management of SISCOL is committed and accountable for the development, implementation, involvement and continual improvement of the integrated management system by: a) Involvement in preparation, review, approval and authorization of IMS

Manual by Chairman & MD b) Involvement in review and approval of IMS Policy in reference to the

context and strategic direction of the organization c) Various management committees comprising of functional heads/HODs and

other senior management have been constituted to review the status of various management systems

d) Ensuring the integration of Management Systems’ requirements into the organization’s processes

e) Communicating all the employees the importance of meeting customer requirements, project requirements, EHS requirements, information security related requirements and applicable statutory & regulatory

IMS MANUAL LEADERSHIP

Page 22 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Chapter No. 5 Doc. No.: SISCOL-IMS-MANUAL

UNCONTROLLED DOCUMENT IF PRINTED

requirements through regular training programmes, emails, display of documents, in-house magazines, web sites, in-house circulars and meetings

f) Encourage and ensure that all the persons in the workplace adhere to the management systems requirements and have process & risk based approach at their work place

g) Communicating documented IMS/Corporate policy to all the stakeholders and ensuring compliance at all relevant functional levels

h) Ensuring that IMS objectives (KPIs) are established, reviewed and achieved at organizational and functional levels, relevant to delivering the process/product/services to achieve customer satisfaction

i) Ensuring the availability of resources (people, finance, infrastructure, IT, communication, transportation, canteen, etc.) to establish, implement, operate, monitor, review, maintain and continually improve IMS

j) Defining roles, allocating responsibilities & accountabilities and delegating authorities to demonstrate leadership and facilitate effective implementation of IMS in the organization

k) Deciding the criteria for accepting risks and the acceptable levels of risk & review of identified risk and its mitigation plan and ensure the risk-based approach at all levels

l) Ensure timely conduct of IMS/Management System specific internal audits and management reviews

m) Appointment of HoDs and people from senior management team as IMS representatives whose additional responsibility will be to establish, implement and maintain IMS in accordance with various International Standards requirements.

n) Ensures the implementation of Voice of Customer (VoC), customer feedback process & address the customer issues

o) The top management and leadership team is committed to encourage and release their team members for development of processes, taking improvement initiatives in day to day activities, to conduct audits (which bring forth gaps for improvement) and giving employees space and time to develop and improve existing processes. TM has ensured PDCA approach is engrained in each of the processes mapped in DCPs/SOPs.

IMS MANUAL LEADERSHIP

Page 23 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Chapter No. 5 Doc. No.: SISCOL-IMS-MANUAL

UNCONTROLLED DOCUMENT IF PRINTED

5.4.1.2 Customer Focus ISO 9001 (5.1.2), ISO14001 (5.1.2), OHSAS 18001:2007 (4.3.2), ISO 27001 (5.1) SISCOL’s Top Management is committed to customer focus and ensures that all the requirements of the customers & other interested parties are determined, understood & consistently met with respect to Quality, EHS and Information Security MS, including all the applicable legal & other requirements and these requirements are fulfilled with the aim of enhancing their satisfaction. While reviewing the requirements, the implied needs and expectations of the customer and interested parties are also identified. The same are communicated to the respective functions in the organization for ensuring their compliance and to determine how these requirements apply to system

The Marketing/Business Development/Sales/Proposal team identifies, at the time of bidding, all the requirements related to the project/product/services. These requirements may relate to the following:
a) Scope of the work including technical parameters
b) Delivery requirements including logistics
c) Applicable statutory and legal requirements
d) Quality control and assurance related requirements
e) Installation and commissioning requirements
f) Procurement or supplier requirements
g) EHS related requirements
h) Information security related requirements
i) Performance, warranty and post warranty requirements
j) Risk & opportunities which may reflect the conformity of products & services etc.

The Operations/project management/execution team ensures that the above identified requirements are met during execution of the projects, and the same is reviewed by Top Management during project review meets / department review meets etc.; the team conducts VoC (at least once a year) and surveys to determine the customer satisfaction level, and develops action plans for the areas that need improvement in order to focus on enhancing customer satisfaction.

5.4.2 Policy ISO 9001 (5.2), ISO 14001 (5.2), OHSAS 18001 (4.2), ISO27001 (5.2)

5.4.2.1 Developing-Establishing the IMS Policy ISO 9001 (5.2.1), ISO 14001 (5.2.1), OHSAS 18001 (4.2), ISO27001 (A.5)


The Chairman & MD of SISCOL has established, implemented & maintained the Integrated Management System Policy (Chapter 3 of this manual), and ensures that this Policy:
a) Is appropriate to the purpose, context, strategic goals of the organization, nature & scale of OH & S risks, environmental impacts, information security risks of the company and its activities, products or services
b) Provides the top management’s vision on Quality, EHS and ISMS for the organization
c) Includes objectives or provides the framework for setting IMS objectives
d) Includes a commitment to comply with requirements and continually improve the effectiveness and performance of the Quality, Environment, Health & Safety and Information Security Management Systems
e) Includes a commitment to prevention of pollution, prevention of injury and ill health
f) Considers legal or statutory requirements related to product; EHS and contractual security obligations
g) Provides commitment for designing products considering the Environmental aspects
h) Provides a framework for establishing and reviewing IMS objectives and targets
i) Is periodically reviewed for continuing suitability and appropriateness to the Organization during Management Review Meetings

5.4.2.2 Communicating the IMS Policy: ISO 9001 (5.2.2), ISO 14001 (5.2.2), OHSAS 18001 (4.2), ISO27001 (A.5)

Top Management ensures that the IMS Policy is made available as documented information and communicated to all concerned through the following practices:
a) Is made available to the public & other interested parties
b) The IMS policy has been displayed at strategic locations and is shared/communicated with all the stakeholders
c) Is communicated to all persons working under the control of the organization & understood at all levels of the company through posters/intranet/awareness/training programmes/awareness campaigns


5.4.3 Organizational roles, responsibilities & authorities ISO 9001 (5.3), ISO 14001 (5.3), OHSAS 18001 (4.4.1), ISO27001 (5.3)

To execute the various management systems effectively, Top Management along with HR has defined roles, responsibilities, accountabilities and authorities; these are referred to as documented information in the respective DCP/SOP and are communicated. The Organization chart of SISCOL is depicted in Chapter 1 of this manual. The management of the company has defined RASCI matrices for those personnel within the Quality, Environmental, Health & Safety and IS Management Systems whose work affects Quality, Environment, Occupational Health & Safety and Information Security. The ultimate responsibility for Quality & EHS rests with Head-Quality, EHS & Training, and responsibility for Information Security lies with IT along with all the concerned HODs.

Concerned functionaries with management responsibility demonstrate their commitment to continual improvement, ensure conformity with the management system and report on the performance of the IMS. The roles & responsibilities and authorities of key personnel in relation to the IMS have been documented. These are readily available in the respective departments as well as with HR. However, specific RASCI are defined in the applicable SOPs/DCPs, which are prepared by the respective departments under the leadership of HoDs; the DCPs & SOPs cover the necessary risks & opportunities for improvement. The team for conducting internal audits is identified by Top Management along with the MR, who conducts periodic audits of the IMS; the audit observations are then reviewed by top management in project / department / management review meetings to ensure that conformity and integrity of the IMS are maintained as planned. Issues related to customers are prioritized and tracked by top management for early resolution. If required, necessary changes are made in the system and communicated for implementation. A review mechanism is put in place to have an effective management system approach.


CHAPTER - 6

PLANNING


6.1 PURPOSE

To describe the organization’s approach to planning and implementing actions to address risks & opportunities, establishing IMS objectives and planning to achieve them. To define a system for planning and implementing changes in the IMS.

6.2 SCOPE

Applicable to the implemented Quality, Environment, Health & Safety and Information Security Management Systems covering various activities as per scope given in Chapter 1

6.3 OVERALL RESPONSIBILITY

• Leadership Team
• Concerned Head of the Departments (HODs)

6.4 SYSTEM DESCRIPTION

6.4.1 Actions to address risks & opportunities ISO 9001 (6.1), ISO 14001 (6.1), OHSAS 18001 (4.3.1) & ISO 27001 (6.1, 6.1.1)

SISCOL’s Top management is committed to implementing and promoting a culture of risk-based thinking throughout the organization, to determine and address the risks and opportunities associated with providing assurance that the IMS can achieve its intended result(s); provide conforming products and services; enhance customer satisfaction; promote desirable effects and continual improvement; and prevent, or mitigate, undesired effects. The risk management information is also used in making strategic decisions and for continual improvement. SISCOL has identified the risks and opportunities pertaining to all the processes and recorded them as documented information in DCPs, which may be revised based on necessary changes proposed or derived while executing the process. The DCP of Operations/Project Management constitutes the detailed plan and approach to identify & address the risk. However, while identifying and addressing the risks & opportunities, the following approach (as applicable) is considered:


• Identification of each potential risk
• Description of potential outcome of the risk
• Identification of potential cause(s) of risk outcome
• Rating the consequence or severity of the outcome
• Rating the likelihood of the cause occurring
• Rating the probability of early detection of the outcome
• Establishment of risk tolerance criteria
• Categorization of each risk into critical, high, medium or low based on using a combination of severity, occurrence, detection ratings and other relevant factors to establish an overall risk score to all risks listed
• Use the risk score to establish priority in addressing identified risks
• Identification and determination of the adequacy of any existing control to address the identified risk
• Determination of appropriate controls to respond to each identified risk (process control plans)
• Various tools such as cross-functional teams, flow charts, checklists, risk analysis diagrams are used to brainstorm and facilitate risk identification, analysis and evaluation

SISCOL has integrated the actions to address these risks and opportunities into its IMS processes using the PDCA cycle (SISCOL-CP-02). Based on risks identified, SISCOL is committed to address following:

• Avoiding the risk, where the only option is not to go forward with an activity or to withdraw from it
• Taking risk, where risks have desirable potential consequences
• Altering risk, to optimize potential opportunities and minimize threats
• Transferring risk by measures including insurance, contractual arrangements, partnerships and joint ventures
• Retain risk, where no worthwhile controls actions are feasible and the risk is within the organization’s risk tolerance
• Removing the source of the risk by using alternate or new methods / technologies

6.4.2 Environmental Assessment Impact (EAI) and HIRA ISO 14001 (6.1.2, 6.1.4), OHSAS 18001 (4.3.1)

The planning is done for identification of environmental aspects, OH&S risks and IS risks applicable to the company’s activities, products, projects or services that can have significant impact on Environment or H&S or Information Security performance


The procedure for Hazard Identification and Risk Assessment (HIRA) & Environment Aspect & Impact (EAI) has been developed by EHS and considers: routine & non-routine activities, including activities of all personnel having access to the work place; facilities at the work place (whether provided by the company or others); human behaviour and capabilities; infrastructure, equipment and material at the work place; changes or proposed changes in the organization, its activities or materials; modifications in the OHSMS, including temporary changes and their impacts on operations, processes and activities; and the design of work areas, processes, installations, machinery, equipment and operating procedures.

Suitable EAI, OH&S and IS risk assessment is carried out for implementation of necessary control measures. The results of these assessments, the identified significant impacts & risks, and the controls are considered in setting its IMS objectives. The information on the assessments is documented and kept updated through on-going processes of impact/risk assessment. The company’s methodology for identification of hazards & environmental aspects:

• Is defined with respect to its scope, nature and timing to ensure it is pro-active rather than reactive
• Risk assessment methodology is commensurate with OH&S hazards, Environment aspects, business information security and applicable legal & statutory requirements
• Criteria for accepting the risks and the acceptable level of risk have been established in the SOPs
• Provides for classification of risks and identification of those that are to be eliminated or controlled based on significance
• Is consistent with operating experience & the capabilities of risk control measures employed
• Provides input in determining facility requirements, identification of training needs and/or development of operational controls

6.4.3 Legal and other requirements ISO 14001 (6.1.3), OHSAS 18001 (4.3.2)

All the applicable legal and other requirements related to EHS have been identified at relevant areas by Head EHS. A Legal register has been prepared by Head EHS based on these identified requirements. The Legal register is a comprehensive document containing a brief description of the requirements to which SISCOL subscribes, required parameters, current status, responsibility, and compliance evaluation frequency and outputs.

6.4.4 Information security risk assessment: ISO 27001 (6.1.2/8.2)

• Establish the risk acceptance criteria
• Identify the risks associated with the loss of confidentiality, integrity and availability for information and assets within the scope of the ISMS and the owner of these assets
• Identify the risk owner
• Describe the threats to an asset & determine their values
• Describe the vulnerability for each threat to an asset and determine its value
• Arriving at the impact value based on the Impact Analysis Matrix
• Determine the likelihood of occurrence for each threat
• Evaluating the risk value
• Developing and establishing the appropriate risk control
• Verifying the controls
• Evaluating the residual risk level

When determining controls after risk assessment, consideration is given to reducing the risks according to the following hierarchy:

• Risk Elimination
• Risk Substitution
• Engineering Control
• Administrative control
• PPE (for EHSMS)

6.4.5 Information security risk treatment: ISO 27001 (6.1.3/8.3)

• The control objectives and controls are mentioned in Annex-A of ISO 27001.
• Appropriate control objectives and controls shall be selected from Annex-A of ISO 27001 and implemented to meet the requirements identified by the risk assessment. This selection shall take account of the criteria for accepting risks as well as legal, regulatory and contractual requirements.


• Selected controls shall reduce the risk value. This may be in terms of:
    o Increasing the security
    o Stricter controls
    o Transferring the risk
    o Procurement of new hardware/software
    o Or any other appropriate mechanism
• Obtain risk owner’s approval for risk treatment plan before implementation
• Statement of applicability (SoA) has been prepared which includes the following:
    o Control objectives and controls selected
    o The control objectives and controls currently implemented
    o The exclusion of any control objectives and controls and appropriate justification for their exclusion

6.4.6 Quality, Environment, Health & Safety and Information Security Objectives and Planning to achieve them: ISO 9001(6.2), ISO 14001 (6.2), OHSAS 18001 (4.3.3), ISO 27001 (6.2)

Top management ensures that IMS objectives and targets, including those needed to meet SISCOL’s business requirements (Products, Projects, Services and Solutions), are established at relevant functions, levels & processes within the organization. At the beginning of every financial year, a workshop/brainstorming session is organized to identify the Thrust Areas, based on the market evolution, organizational focus, SISCOL priorities, competitor analysis, the organization’s strategic goals etc., while customer satisfaction remains the core in all of these. Subsequently, based on these thrust areas, SISCOL’s Objectives are identified and communicated to stakeholders by HODs. While establishing & reviewing these objectives, the organization considers its legal & other requirements, its significant environmental aspects, its OH&S risks, its technological options, its financial, operational & business requirements, information security risks, and the views of interested parties. The objectives are measurable and consistent with the IMS policy, including the commitment to continual improvement and prevention of hazards/risks & pollution.


All functions identify their own measurable objectives based on SISCOL’s Objectives. The objectives are set and monitored for their achievement periodically. Review of the quality objectives is part of our management review meeting (MRM) process. After the review, the quality objectives are updated as appropriate. The progress on the achievement of these objectives is monitored at MRM/DRM/PRM etc. and, if required, the same is updated as appropriate.

Based on the project/organizational needs, EHS programmes are developed which include specific responsibilities/authorities, resources and the milestones with defined time frames. These programmes are reviewed at the appropriate level in safety committee, monthly meetings, management review meetings etc. Where necessary, the management programmes are amended to address changes to the activities, products, services, operating conditions or new developments/new or modified activities including project management.

For planning how to achieve the IMS objectives, the Top Management has put in place a system for defining, implementing and reviewing the objectives at various levels in the organization, which encapsulates what will be done, the resources needed, who will be responsible, when it will be completed and how the results will be evaluated.

6.3.1 Planning of changes ISO 9001 (6.3), ISO 14001 (6.3), OHSAS 18001 (4.3.3)

The continuity and effectiveness of IMS is maintained substantially in the event of significant changes in the IMS generated due to customer feedback, customer complaint, product failure, employee feedback, innovation, determined risk, determined opportunity, internal audit results, management review results, identified nonconformity etc. These changes are carefully planned so as not to disrupt ongoing capability and responsibility to effectively meet customer and regulatory requirement. In such instances, following points are considered:

• Careful planning of the nature and timeline for the changes
• Determining the impact or outcome of such changes
• Ensuring adequate resources are available to implement the change
• Top management authorization
• Change deployment and follow-up
• Allocation/re-allocation of RASCI
• Review of the IMS by top management after changes are effected

SISCOL follows well defined steps to implement changes which include following in brief:

• Defining the specifics of what is to be changed
• Planning (tasks, timeline, responsibilities, authorities, budget, resources, needed information, others)
• Engagement of other people as appropriate in the change process
• Development of communication plan (appropriate people within the organization, customers, suppliers, interested parties, etc. may need to be informed)
• Using a cross-functional team to review the plan and provide feedback related to the plan and associated risks
• Training of people
• Measurement of the effectiveness

Prior to making a change, the review committee considers unintended consequences. After making the change, the Top Management monitors the change to determine its effectiveness and to identify any additional problems that might be created. The integrity of the IMS is maintained by the MR when changes to the management systems are planned and implemented. As and when any change in any documentation is envisaged, the other concerned documents are also modified as per the procedure for Documented Information.


CHAPTER - 7

SUPPORT


7.1 PURPOSE

To describe the Leadership involvement, accountability, commitment & support for ensuring resources for establishing, implementing, sustaining, awareness & continually improving the Quality, Environment, OH&S and Information Security Management Systems.

7.2 SCOPE

Applicable to the implemented Quality, Environment, Occupational Health & Safety and Information Security Management Systems covering various activities as per scope given in Chapter 1 of this document.

7.3 OVERALL RESPONSIBILITY

• Top Management
• Leadership Team
• MR
• Concerned Head of the Departments (HODs)

7.4 RESOURCES

ISO 9001 (7.1), ISO 14001 (7.1), OHSAS 18001 (4.1) & ISO 27001 (7.1)

7.4.1 General, People ISO 9001 (7.1.1, 7.1.2), ISO 14001 (7.1), OHSAS 18001 (4.4.1), ISO 27001(7.1)

At SISCOL, top management ensures the availability of resources essential to establish, implement, operate, monitor, review, maintain and continually improve the Integrated Management Systems. Requirements of resources, essential for the implementation, control and improvement of the IMS are determined by various HODs and after approval from competent authority, provision is made in the budget. The provision includes: human resources people & specialized skills, software, hardware, technology, financial resources, infrastructure and environment for the operation of process.

SISCOL has a mechanism that evaluates/determines the capabilities/competencies/constraints of the internal resources and external providers, on regular intervals at Corporate, Project, Department levels; which will be considered while reviewing the resources for the implementation of IMS.

At the time of selection, the concerned HOD ensures that the employee’s competence level is mapped with the competency criteria defined by the organization on the basis of educational qualifications, relevant experience, training, skills & professional qualifications. It is also ensured that any person performing work that has the potential to cause a significant environmental impact, H&S risks, quality deviation or IS related risks is competent. As part of continual business improvement, as and when there are any changes in organizational processes, the competency requirements are also reviewed by HODs along with HR, and efforts are made to provide competent personnel for effective execution of these jobs. Competency Matrices of the personnel in SISCOL are mapped, driven by HR and implemented by HoDs at individual levels; this brings out the gaps and competencies/expertise for their deployment (in projects/business activities etc.) for the effective implementation of the IMS and for the operation and control of the processes.

7.4.2 Infrastructure

ISO 9001 (7.1.3), ISO 14001 (7.1), OHSAS 18001 (4.4.1)

As a part of the resource management process and to achieve conformity of products and services, the requirements for infrastructure related to office and project sites are determined & maintained by the Head-Operations and Head-Field Services along with the Industrial Infrastructure team, with the approval of the CMD. The infrastructure covers the following:

a) Building and work space (office as well as project sites)
b) Utilities such as electricity, water, fuel gases, power backup etc. at office & sites
c) Process equipment required at the manufacturing & project sites
d) Service, Logistics, Maintenance, Safety, Security, Transport, Information & Technology (IT), Communication resources required at site and offices

7.4.3 Environment for the operation of processes ISO 9001 (7.1.4), ISO 14001 (7.1), OHSAS 18001 (4.4.1)

The requirements for maintaining the environment for the operation of processes, needed to ensure the conformity of the product & services throughout the realization & subsequent processes, are determined as part of the resource management process. The environment for operation is maintained in accordance with process or project requirements/specifications. It ensures that safe, hygienic and ergonomic conditions (worker movement, fatigue, manual effort and loads, etc.), workplace location, heat, light, humidity, airflow, noise, vibration, hygiene, cleanliness, pollution, adequate facilities (lockers, lunchroom, cafeteria, washrooms etc.), health and safety regulations, cleanliness of premises and environment friendly working conditions are provided at the office, manufacturing and project sites.

As and when required, SISCOL conducts surveys to assess the satisfaction level of employees as evidence of social & psychological status and as data for further continual improvement of the people. SISCOL has a team for devising & implementing numerous Employee Engagement initiatives through Business Managers across the organization, which ensures the upkeep of employees’ morale and of human and physical factors, and creates a conducive environment for effective operations. Additionally, behavioural training programs related to emotional well-being and de-stressing are devised by HR/Head-QHSE & Training to foster a calm and composed mind-set for implementing the IMS.

7.4.4 Monitoring & measuring resources

7.4.4.1 General

ISO 9001 (7.1.5.1), ISO 14001 (7.1), OHSAS 18001 (4.4.1) & ISO 27001 (7.1)

SISCOL determines the resources needed for valid and reliable monitoring and measuring results (where monitoring or measuring is used for evidence of conformity of product & services to specified requirements), and ensures that the resources provided are:

a) Suitable for the type of monitoring and measurement activities being undertaken;
b) Maintained to ensure continued fitness for their purpose, while conducting regular audits & checks.

The calibration status of all the monitoring & measuring resources is mapped electronically to ensure compliance with the requirements. SISCOL retains appropriate documented information as evidence of continuing fitness for purpose of monitoring and measurement activities, where measurement traceability is:

a) Statutory or regulatory requirement, or
b) Customer or relevant interested party expectation; or
c) Considered by the organization to be an essential part of providing confidence in the validity of measurement results; as a minimum

7.4.4.2 Measurement traceability ISO 9001 (7.1.5.2), ISO 14001 (7.1), OHSAS 18001 (4.4.1) & ISO 27001 (7.1)

An appropriate system has been developed to ensure that all the measuring devices/gauges/templates being used at the shop floor and the project sites, including the measuring devices under the control of sub-contractors, are calibrated during their use. For all the outsourced items, during selection & evaluation of the supplier it is ensured that their monitoring & measuring devices are calibrated with traceability to National/International standards. Additionally, the monitoring & measuring devices used for measuring and monitoring the safety/environmental parameters are also covered under the calibration control system. The measuring equipment is identified based on the controls over Product & Services and process characteristics. It is ensured that the supplier or sub-supplier/contractor has prepared the master list of measuring instruments incorporating the instrument details, frequency of calibration, permissible error etc. It is ensured that the measuring devices are:

a) Calibrated or verified at specified intervals or prior to use, against measurement standards traceable to international or national measurement standards. Where no such standards exist, the basis used for calibration or verification is kept as documented information. Traceability of calibration to national/international standards is subsequently ascertained. In case no national/international measurement standards exist, the basis of calibration is defined in the respective calibration procedure.
b) Adjusted or re-adjusted if found to be out of calibration, as necessary
c) Identified to enable calibration status through status stickers or calibration documented information
d) Safeguarded from adjustments, as applicable, that would invalidate the measurement result
e) Protected from damage and deterioration during handling, maintenance
f) Storage by imparting training to the users of such devices
g) All the software being used for designing or other purposes are being validated before their use through some alternate mechanism and documented information of the same is maintained.

7.4.5 Organizational Knowledge ISO 9001 (7.1.6)

SISCOL’s top management is committed to determining the knowledge necessary for the operation of its processes and to achieve conformity of products and services. Under the Knowledge Management System (KMS), SISCOL TM has deployed a Knowledge Management Policy to make SISCOL a knowledge driven organization. Standard documented information has been put into effect for implementation of SISCOL’s Knowledge Management Policy. The Electronic/Server platform is the pivot of the Knowledge Management System and the repository of all the shared learning and the other documents listed in standard documented information. This platform serves as a single point interface for dissemination of all knowledge management documents. This platform also captures Lessons Learnt, Structured Knowledge, Good/Bad Practices, Ideas etc., which have been made accessible to all employees to capture, integrate, preserve, secure and share the latest developments in SISCOL’s quest to build the knowledge base.

The Knowledge Management System at SISCOL is envisaged to be a consolidated, comprehensive and robust system comprising a database of all project learning attained at any point of the project life cycle and captured in the KM platform. The database is readily accessible to all stakeholders in SISCOL. The objective of the KM platform is to ensure that the experiential knowledge acquired during execution/operations is captured, shared and then effectively utilized in other/new projects to further improve the systems and processes of SISCOL. Additionally, knowledge sharing sessions are organized regularly, in a time-bound manner, for team members (including those from other projects/new projects) to take cues from and implement.

HoDs have processes to manage the organizational knowledge, in association with Business Managers and HR. External trainings are also arranged to keep SISCOL updated on the latest trends in the industry. SISCOL personnel also attend various conferences, meetings and assessments to gather knowledge from customers & external providers.

7.4.6 Competence ISO 9001 (7.2), ISO 14001 (7.2), OHSAS 18001 (4.4.2) & ISO 27001 (7.2)

Depending upon the job requirements and the available competence among the employees, the gaps in the existing competence are identified by the HODs during the objective setting (SISCOL-CP-08) and performance appraisal processes. In order to fill these gaps, actions such as providing training or any other actions are initiated by Head-QHSE & Training. The various training requirements are identified by the HODs through the performance reviews, job analysis, objective settings and annual appraisal system. Training needs are identified by the employees themselves, by the departmental heads or through any other feedback mechanism. Based on the identified training needs, training planning is done by Training/HR/HoD and training is imparted as per the training calendar released. In some cases, unplanned training programmes are also conducted as per the business needs. Through the procedure on competence, awareness & training (SISCOL-CP-06), the company ensures that:

a) Necessary competence levels for personnel performing work affecting the Product & Services/ project/system quality, environment, OH&S and IS are determined


b) Training or other actions are taken to satisfy these needs

c) Effectiveness of the actions taken is evaluated

d) All personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the Quality, Environmental, H&S and IS objectives

e) Appropriate documented information of education, training, skills and experience are maintained

f) Roles, responsibilities and abilities in achieving conformity to policy, procedures, objectives, targets, control of risk/impacts including the emergency preparedness and response are well defined

7.5 AWARENESS

ISO9001 (7.3), ISO14001 (7.3), OHSAS 18001 (4.4.2), ISO27001 (7.3)

Employees are made aware of the benefits of improved quality, environment, occupational health and safety, and information security performance for the interested parties and the organization. SISCOL ensures that persons doing work under the organization’s control are made aware of:

a) the corporate / IMS policy

b) relevant IMS objectives

c) their contribution to the effectiveness of the IMS, including the benefits of improved performance

d) the implications of not conforming with the IMS requirements

in numerous avenues such as:

i. while conducting the induction to IMS

ii. HoDs ensure the IMS requirements are communicated

iii. Promotional events further deep-root the awareness amongst persons under SISCOL’s IMS control

7.6 COMMUNICATION

ISO 9001 (7.4), ISO 14001 (7.4), OHSAS 18001 (4.4.3) & ISO27001 (7.4)

SISCOL ensures that appropriate communication processes are established within & outside the organization and that communication takes place regarding the effectiveness of the IMS. Specific communication channels (email, newsletters, announcements, CMD address etc.) are established for dissemination of pertinent information on Quality, Environmental aspects, Occupational Health & Safety risks, IS risks and other information needed as per the various management systems.

The communication modes include departmental level formal or informal meetings, top management level review meetings, circulars or memos, displays on notice boards, IMS policy boards, e-mail, intercom, intranet, magazines, personal contacts, reports etc. Communication from top to bottom and vice versa is ensured for effectiveness of the implemented integrated management system. An appropriate procedure has been established to communicate to suppliers any requirement related to quality, environment, health & safety and IS. To ensure the Health & Safety of visitors to offices/manufacturing premises/project sites, a procedure has been implemented at appropriate locations. For any external communication (incl. media etc.), a protocol is already in place at organization and project level defining what, who, when, how and with whom communication is to be made.

7.7 DOCUMENTED INFORMATION

ISO 9001 (7.5), ISO 14001 (7.5), OHSAS 18001 (4.4) & ISO27001 (7.5)

7.7.1 General

ISO 9001 (7.5.1), ISO14001 (7.5.1), OHSAS 18001 (4.4.4), ISO 27001 (7.5.1)

SISCOL has the following documented information structure that caters to the requirements of QMS, EMS, OHSMS and ISMS along with any additional documented information determined by the organization as being necessary for the effectiveness of IMS.

3-tier documented information structure in SISCOL:

Level-1: IMS Manual

Level-2: Department Control Procedures - DCPs

Level-3: SOPs, WIs, OCPs, Checklists, Formats

Integrated Management System documentation includes:

a) IMS Policy, Objectives and Deployment Programmes

b) IMS Manual

c) Department’s Procedures

d) Work Instructions, Quality Plans, OCPs, KPIs, MSDS, Directives, Forms & Guidelines, Control Objectives, Risk identification, Aspect & impact register analysis and mitigation plans, on site emergency Preparedness plan, Statement of Applicability etc.

e) Common procedures and Standard Operating Procedures (SOP) applicable throughout the organization, which are referred to in the Manual

f) Documented information required to demonstrate evidence of operation and control of processes, as per the requirements of these standards

The IMS manual describes the core elements of Management Systems & their interaction and provides directions to the execution of various processes. The manual includes:

a) Scope and exclusions including justifications for the same

b) Reference to documented common procedures established for the Quality, Environment, Health & Safety and Information Security Management Systems, including the interaction between the processes (Department Processes as per Annexure A and Common Processes as per Annexure-B and overall flow chart as per Chapter - 1)

7.7.2 Creating & Updating

ISO 9001 (7.5.2), ISO 14001 (7.5.2), OHSAS 18001 (4.4.4/4.4.5), ISO27001 (7.5.2)

SISCOL ensures the following practices while creating and updating documented information:

a) Identification: documented information has titles and document numbers, which indicate its identity and are unique to the Department/Project/Customer/Function. Common documents are made by the central teams with proper identification/document numbers. A document numbering system is in place to ensure identification and description.

b) Format: An appropriate format is created for the purpose of usability and accessibility by users. The language used is, in general, English; the various software packages used are compatible with each other; and the size and scale of the document to be printed are generally mentioned on the documents, specifically for drawings.

c) SISCOL has a system to identify which documents fall under the approval category and which under the information category. Documents under the approval category have a multi-tier level of approval, which is given by the competent authority by email, initials, electronic signatures, MoM etc. Review and approval cover suitability, adequacy, traceability and security.

7.7.3 Control of Documented information

ISO 9001 (7.5.3), ISO 14001 (7.5.3), OHSAS 18001 (4.4.5), ISO27001 (7.5.3)

Documented information required as per Integrated Management system has been controlled by means of documented information (SISCOL-CP-01) which ensures:

a) Approval of documents by the designated authorities
b) Review and updating as necessary and re-approval
c) The identification of nature of changes, control and revision status
d) Distribution, access, retrieval and use
e) Availability of relevant latest versions at points of use/issue with adequate protection as and when needed for that documented information
f) Legibility, traceability and readily identifiable
g) Identification of external origin documents and their distribution control
h) Documented information retained as evidence of conformity shall be protected from unintended alterations (loss of confidentiality, improper use, or loss of integrity)
i) Prevention of unintended use of obsolete documents and their storage/preservation for future reference/use including legal obligations, if any
j) Transfer, storage and disposition of the documents in accordance with the applicable procedure, as per the classification of documents

All the process owners ensure that the documented information remains legible, retrievable, readily identifiable & traceable to the activities involved during the complete life cycle of manufacturing and project execution. The master list of documented information indicating the retention period is maintained by the concerned process owner. Relevant documented information is maintained for all Health, Safety and information security incidents. During the project closing cycle, all the important documents are archived by the PMG in electronic format so that they can be referred to if required in the future. If contractually required, the documented information is made available to the interested parties. Access matrices for the locations where documented information is placed (server, portal etc.) are defined and reviewed at periodic intervals along with the IT team, and are cross-verified during audits to ensure the effective implementation of IMS requirements.

CHAPTER - 8

OPERATIONS

8.1 PURPOSE

To describe the Leadership involvement, accountability & commitment in planning & controlling end-to-end value chain (including design) for establishing, implementing, sustaining, awareness & continually improving the Quality, Environment, H&S and Information Security Management Systems.

8.2 SCOPE

Applicable to the implemented Quality, Environment, Occupational, Health & Safety and Information Security Management Systems covering various activities as per scope given in Chapter 1 of this document.

8.3 OVERALL RESPONSIBILITY

Top Management Leadership Team MR Concerned Head of the Departments (HODs)

8.4 SYSTEM DESCRIPTION

8.4.1 Organizational Operational Planning & control

ISO 9001 (8.1), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

8.4.2 Planning of Product Realization

ISO 9001 (8.1), ISO 14001 (4.4.6), OHSAS 18001 (4.4.6), ISO 27001 (8.1)

SISCOL has put in place multi-disciplinary approach for planning the project/product/service realization. The Process Flow Charts/DCPs/SOPs/WIs/Formats have been prepared by the concerned process owners along with the control points and their acceptance criteria at the relevant points of usage. These documents also identify such characteristics/indicators for products and services which need to be constantly monitored to meet the specified objectives. These documents are developed at the system, projects and products levels during the different phases of manufacturing and project execution.

Based on the contractual requirements, critical to quality (CTQ) aspects and inputs are identified by design & engineering and subsequently these inputs are taken into consideration while developing various QA/QC requirements.

Product, process and projects’ regulatory requirements are also identified by the concerned process owners and given due consideration during the development and preparation of relevant process control documents. Resources, infrastructure, work environment and competency of required personnel are identified by the concerned HODs along with HR.

8.4.2.1 The following functions in SISCOL shall collaborate during process, product and project realization:

a) Business Strategy
b) Business Development & Marketing
c) Sales
d) Contracts
e) Operations
f) Vendor Development & Procurement
g) Production
h) Logistics & Delivery
i) Industrial Infrastructure
j) Design & Engineering
k) Field Services
l) Corporate Relations
m) Key Account Management
n) Project Planning & Monitoring, Execution and Control
o) Stores (Incoming and Final product)
p) Plant Maintenance
q) Quality Assurance
r) Environment Health & Safety
s) Training
t) Information Technology
u) Human Resource & Administration
v) Finance & Accounts

8.4.2.2 Following are considered, as appropriate, at the time of development, updating/modification for improvement in the existing process by process owners in due consultation with concerned team head:

a) Identified quality objectives and requirements for the product

b) The need to establish processes, documents, and provide resources specific to meet the requirements of the product

c) Required verification, validation, monitoring, inspection and test activities specific to the products processed at relevant stages of processes and the criteria for the product acceptance

d) Records needed to provide objective evidence that the realization processes and resulting products fulfil requirements

The output of this planning in the form of quality plan, process monitoring instructions, material arrangements, inspection arrangements, review and validation of processes are made and provided at the relevant stages of processing for its implementation.

8.4.2.3 EMS, OHSMS and ISMS Planning

Head EHS maintains the inventory of all the applicable environmental aspects and Health & Safety risks, while the list of information security related risks is maintained by Head-IT. A procedure has been established to identify and evaluate the environmental aspects/health & safety risks and IS risks. Based on the significance of these aspects/risks, control measures have been identified and are being implemented throughout the organization. It has been ensured that these significant aspects, Health & Safety risks and IS risks are considered while developing IMS at SISCOL. SISCOL has established and maintains a procedure to identify and have access to legal and other requirements to which SISCOL subscribes.

To fulfil the commitments established in the IMS Policy and achieve other organizational goals, IMS objectives, targets and programmes are established by the concerned HODs at the beginning of the year based on SISCOL annual objectives/thrust areas. The organization controls planned changes, reviews the consequences of unintended changes and takes action to mitigate any adverse effects, through the implementation of the common process: Risk and Opportunity Identification, Assessment, Implementation and Reviewing effectiveness (SISCOL-CP-02) as necessary. Teams during the execution phase also identify, review, monitor and mitigate the risks/changes at planned intervals.

Whenever there is any outsourced process that affects product conformity to the requirements, adequate controls are exercised by the relevant functions. The type and extent of control on such outsourced processes depends upon criticality of the characteristics or extent of control exercised by the supplier. All the statutory and regulatory requirements of the product/project work being outsourced are discussed with the supplier and their compliance is ensured through periodic inspections and audits.

All those activities of supplier or contractors which can be significant with respect to our environment, health and safety systems are identified by Head EHS, during environmental aspect and risk identification and are well addressed in the purchase order or purchase contract. Regular monitoring of supplier’s activities is done to ensure compliance to these requirements by QA, EHS, Operations/PMG and SCM/Procurement.

8.5 REQUIREMENTS FOR PRODUCTS & SERVICES

ISO 9001 (8.2), ISO 14001 (8.1), OHSAS 18001 (4.4.6)

8.5.1 Customer Communication

ISO 9001 (8.2.1), ISO 14001 (8.1/7.4), OHSAS 18001 (4.4.3)

Before award of the project, the Business Development/Marketing/Sales department is responsible for establishing any communication with the customers or responding to queries from customers. After award of the work, Head-Operations/Design & Engineering/Project Management Group, or as nominated by CMD, will be responsible for all communications on behalf of SISCOL. The product/project information is communicated through various means like brochures, catalogues, website, in-house magazines etc. Customer feedback, including customer complaints, is reviewed and analysed for root cause of the problems by the respective HoDs. Decisions are taken for corrective and preventive actions including further improvements in the products, processes and services. Necessary communications with regard to handling and/or controlling customer properties are taken care of at pre-order and post-order stages. Whenever required, Head-Business Development/Marketing/Sales/Operations/Design & Engineering/Project Management Group, or as nominated by CMD, will communicate to the customer the specific requirement for contingency.

8.5.2 Determination of Requirement Related to the Product, Project and Services

ISO 9001 (8.2.2), ISO 14001 (8.1), OHSAS 18001 (4.4.6)

Head Business Development & Marketing identifies the customer requirements before submitting the bid. It is ensured that financial viability, technical viability and risk assessment is completed before submission of the bid/offerings. All the customer’s requirements are considered including supplies, installation and commissioning, project management, transportation & logistics, quality, health & safety, contracts management, site management, handing over, legal/statutory & regulatory clearances, trainings, warranty, insurance etc. as per the scope of the project or services.

SISCOL has established various processes at appropriate levels to determine:

a) Requirements specified by the customer, including the requirements for environment, EHS, delivery and post-delivery activities

b) Requirements not stated by the customer but necessary for the application of product.

c) Statutory and regulatory requirements related to the product, processes & systems for environmental / OH & S performance, and

d) Implied needs and expectation or any additional requirements required by the organization

e) Contract or order requirements differing from those previously expressed

8.5.3 Review of requirements related to the Product & Services

ISO 9001 (8.2.3), ISO 14001 (8.1), OHSAS 18001 (4.4.6)

The nominated Business Development & Marketing team, along with other stakeholders like strategy, engineering, operations, manufacturing, quality, project management, EHS, insurance etc., reviews the requirements related to the product, project and services. This review is conducted prior to submission of the bid documents, to ensure that customer requirements including their product specifications, delivery schedules, packing, logistics, commissioning, installation and post commissioning requirements are clearly defined. Any specific environmental, H&S & IS performance required during project execution is also appropriately reviewed. Where the customer provides no documented requirements, the customer requirements are agreed with suitable division of responsibilities etc. Whenever it is felt that some client requirements are not met, this is communicated to the client through a deviation statement and concurrence is obtained for the same.

8.5.4 Changes to requirements for products and services

ISO 9001 (8.2.4), ISO 14001 (8.1), OHSAS 18001 (4.4.6)

During finalization of the contract, Head - Business Development & Marketing/Sales ensures that there are no differences in the bid documents vis-à-vis contract documents. In case any deviation is found the same is recorded and resolved with the client. Records of contract review and actions arising from the review are maintained by Head - Business Development & Marketing. These requirements are communicated to the Operations/Design & Engineering/Project Management or suitable function for compliance, planning and execution of the subsequent product/service realization processes. As and when any amendment to product/project requirements are received from the customers, the responsible project/operations team ensures that the same are reviewed for their ability to supply and the relevant documents are amended accordingly. These modified documents are conveyed to relevant functions by the process owner for making all stakeholders aware of the changed requirements for immediate compliance.

8.6 DESIGN & DEVELOPMENT OF PRODUCTS & SERVICES

ISO 9001 (8.3), ISO 14001 (8.1), OHSAS 18001 (4.4) & ISO 27001 (8.1)

8.6.1 General

ISO 9001 (8.3.1), ISO 14001 (8.1), OHSAS 18001 (4.1/4.4) & ISO 27001 (8.1)

SISCOL has established, implemented and maintains a design and development process that is appropriate to ensure provision of products and services.

8.6.2 Design and development planning

ISO 9001 (8.3.2), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

Planning for all the activities under the ambit of design & engineering is being done by Head-Design & Engineering. During D&D planning, the Head-Design & Engineering and nominated personnel from a specific project determine:

a) the nature, duration and complexity of the design and development activities based on the scope and technical specifications vis-à-vis organization’s capabilities

b) Design and development stages, considering all the interfaces

c) The controls (review, verification and validation) that are appropriate to each D&D stage

d) Responsibilities and authorities for design & development being spelt in DCPs and other associated documents

e) the internal and external agencies that have to be involved for the design and development of products and services

f) The level of control expected for the D&D process by customers and other relevant interested parties on a continuous basis and ensure the effective planning to manage it.

All the interfaces between various stakeholders involved in D&D process are managed adequately by the concerned Director - Operations or Project / Nominated Personnel, to ensure effective communication and clear assignment of responsibilities. As the D&D progresses, the planning outputs are updated, as appropriate. SISCOL has a structured approach to ensure the necessary documents are incorporated to demonstrate that D&D requirements have been met:

a) Periodic review with suppliers/vendors/contractors/service providers

b) Periodic review and/or meetings with customers/customers representatives/statutory bodies

c) Internal reviews and internal audits to verify the incorporation of the documented information

8.6.3 Design & Development Inputs

ISO 9001 (8.3.3), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

Before undertaking any D&D activity, all the design inputs are identified by the Head-Design & Engineering. These inputs may include:

a) Customers’ needs
b) Applicable statutory and regulatory requirements
c) Policies and objectives of the organization
d) Timeline for deliverables
e) Standards or codes of practice
f) Functional and performance requirements of the product
g) Information derived from previous designs, if applicable
h) Testing and acceptance requirements
i) Potential consequences of failure based on the review-sharing of earlier/similar project data, holding knowledge sharing initiatives, having numerous test scenarios being simulated/reviewed by CFT

These inputs are reviewed for their adequacy by the Head-Design & Engineering and any incomplete or conflicting requirements are resolved. Records of design inputs are maintained by Head-Design & Engineering.

8.6.4 Design and development controls

ISO 9001 (8.3.4), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

SISCOL applies necessary controls (reviewing/verifying/validating) to the design and development processes.

8.6.4.1 Design & Development Review

To assess the ability of the results of D&D process to meet the product/project requirements, systematic review of various design activities including the interfaces is done as per the design review plan by the Head-Design & Engineering along with internal associated stakeholders. Cross functional team for the review of D&D is nominated at the planning stage. D&D reviews are carried out in a systematic manner, in accordance with the planned arrangements:

a) To evaluate the ability of the results of design & development to meet requirements

b) And to identify any problems and propose necessary actions

Records of the results of the reviews and any necessary actions are maintained.

8.6.4.2 Design & Development Verification

D&D verification is done by Head-Design & Engineering along with the nominated operations/project team as per the D&D planning to ensure that outputs are meeting the design inputs. Records of the results of design verifications are maintained. It is ensured that all the deviations found during D&D verifications are resolved before progressing to the next stage of D&D.

8.6.4.3 Design & Development Validation

D&D validation is done as per D&D planning to ensure that resulting product is capable of meeting the requirements for the specified application or intended use. Wherever practicable, validation shall be completed prior to the delivery or implementation of the product. Validation of the product may be done in presence of the customer or at customer’s premises as per the contractual requirements. Records of D&D validation are maintained appropriately.

8.6.5 Design & Development Outputs

ISO 9001 (8.3.5), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

The D&D outputs are documented and provided in suitable form (Drawings/Technical Specifications/Calculations/Prototype/BOM/Data Sheets etc.) enabling verification against D&D inputs. The design outputs are verified, reviewed and approved before release by Design & Engineering. D&D outputs shall:

a) Meet the D&D input requirements

b) Provide appropriate information for purchasing, production, operations, manufacturing, erection, commissioning, testing and acceptance of the product/services along with adequacy for the subsequent processes

c) Contain or reference monitoring and measuring requirements and product acceptance criteria

d) Specify the characteristics of the product/services which are essential for its safe and proper use

8.6.6 Design & Development Changes

ISO 9001 (8.3.6), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

SISCOL has established procedures to identify D&D changes at all the stages of D&D. On identification of any change or request for any change in design, the same is reviewed, verified and approved before implementation by the CFT. During review of D&D changes, all the stake holders are taken into consideration including all the interfaces likely to be affected by the change including the parts already delivered. SISCOL shall retain the following documented information:

a) Design and development changes
b) The results of reviews
c) The authorization of the changes
d) The actions taken to prevent adverse impacts

8.7 CONTROL OF EXTERNALLY PROVIDED PROCESSES, PRODUCTS & SERVICES

ISO 9001 (8.4), ISO 14001 (8.1), OHSAS 18001 (4.4) & ISO 27001 (8.1)

8.7.1 General and Type & Extent of Control

ISO 9001 (8.4.1, 8.4.2), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

In SISCOL, procurement activities are managed through a dedicated function, Procurement, equipped with a specialist team of buyers for various equipment. Stringent supplier selection and evaluation criteria have been established to ensure that the output product/services delivered by the suppliers meet the customer requirements. Prior to selection of the supplier, a SISCOL team comprising Procurement/Vendor Development, Quality and Engineering/CFT/Expert may visit the supplier and complete the assessment based on a pre-defined checklist and the supplier selection procedure. The type and extent of control applied to these suppliers and the purchased product depends upon the criticality of the purchased product/services for subsequent product/service realization or the final product, including packaging of material.

Potential suppliers are assessed by Procurement/Vendor Development, and selection of suppliers is based on their ability to supply product in accordance with the organization’s requirements. Criteria for selection, evaluation and periodical re-evaluation have been established considering quality, environmental, safety and delivery rating. Records of the results of evaluations and any necessary actions arising from the evaluation at company or supplier end are maintained. Orders for long delivery/critical equipment are placed early in the project to ensure timely deliveries by suppliers.

The core activities of Logistics are handled by the Logistics team, and physical transportation activities may be outsourced to one or several freight forwarders depending on the project/operation requirements.

For ODC consignments/heavy lifts, a detailed route survey is undertaken by the Logistics team in close co-ordination with the freight forwarder.

Whenever there is any outsourced process that affects product conformity to the requirements, adequate controls are exercised by the relevant functions. The type and extent of control on such outsourced processes depends upon criticality of the characteristics or extent of control exercised by the supplier. All the statutory and regulatory requirements of the product/project work being outsourced are discussed with the supplier and their compliance is ensured through periodic inspections and audits. All those activities of supplier or contractors which can be significant with respect to our environment, health and safety systems are identified by Head EHS, during environmental aspect and risk identification and are well addressed in the purchase order or purchase contract. Regular monitoring of supplier’s activities is done to ensure compliance to these requirements by QA, EHS, Operations and Procurement/Vendor Development.

SISCOL has established procedures for source or in-coming inspection as per the applicable QAP, drawings and technical specification to ensure that the purchased products meet the specified purchase requirements, including those for environment/H&S. QA ensures that through these plans the products are verified at source and during receipt at the project site. If any deviation is found, a non-conformity is raised and communicated to the concerned party (Procurement/PMG, Operations/D&E or Supplier) for initiating root cause analysis and corrective and preventive actions, along with assessing the impact/potential impact. If required, the services of TPIAs can be utilized by QA for conducting source/receipt inspection. Procedures have been documented for selection, evaluation and re-evaluation of these TPIAs.

If contractually agreed, the company also allows its customers or their representatives to witness the manufacturing processes/purchased materials at the supplier end to ensure that product/materials conform to the specified requirements. When it is proposed to verify the purchased product at the supplier's premises by either the customer or the company’s representatives, the verification arrangements and the method of product release are specified in the purchase order.

8.7.2 Information for external providers

ISO 9001 (8.4.3), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO 27001 (8.1)

SISCOL has established criteria for detailing adequate purchasing information in the purchase documents for the products/services to be procured. To start with, the buyer/requisition department prepares the purchase requisition (PR) containing all the relevant details of the product or the services (Critical to quality parameters, delivery requirements, etc) to be procured. The purchase order (PO) being raised contains complete information related to the product like: specification, acceptance criteria, logistics, packaging, delivery time, inspection requirements, performance evaluation process/parameters, reference to QAPs, verification or validation activities by SISCOL &/or its customers, or other acceptance criteria etc. The product/service details are described in purchase documents or other means, including where applicable:

a) Requirements for approval of product, services procedures, processes, and equipment

b) Requirements for qualification/competency of personnel, and

c) Quality (ISO 9001), Environment (ISO 14001), Health & Safety (OHSAS 18001) and Information Security (ISO 27001) management system requirements

The purchase personnel review the purchase information to ensure the adequacy of specified purchase requirements prior to their communication or issue to the suppliers. Communication mechanism / protocol between SISCOL and the external providers gets defined during the ordering phase. It is ensured that for all the chemicals or hazardous substances being purchased, MSDS of the same is obtained from the supplier and necessary trainings are imparted to the end users for storage and handling of such substances.

8.8 PRODUCTION & SERVICE PROVISION

ISO 9001 (8.5), ISO 14001 (8.1), OHSAS 18001 (4.4.6) & ISO27001 (8.1)

8.8.1 Control of Production & Service Provision

ISO 9001 (8.5.1), ISO 14001 (8.1), OHSAS 18001 (4.4/4.4.6) & ISO 27001 (8.1)

SISCOL plans and carries out project and manufacturing/operations execution under controlled conditions which includes the following, as applicable (but not limited to):

a) The concerned HODs ensure that all the relevant technical requirements, including special features, are taken care of while developing the drawings, engineering specifications, SOPs, Work Instructions etc. as per the contractual requirements, which define: the characteristics of the products to be produced, the services to be provided, or the activities to be performed; and the results to be achieved

b) Quality Assurance develops the QAPs, FQAPs, ITPs & QA programme as per the customer and regulatory requirements

c) Vendor Development & Procurement coordinates for all the outsourced material and vendor approval/assessment/re-evaluation/development

d) Operations/project team develops the project planning & project execution procedures; prepares documented information and ensures the use of suitable infrastructure and environment for the operation of processes; Logistics & Delivery

e) The availability of job/work instructions at the point of use, incorporating the controls exercised for EHS/IS performance, is ensured by Head EHS and Head IT

f) It is ensured that the equipment being used is suitable for the relevant processes, including its environment friendly set up & safe performance

g) QA and D&E ensure the availability and use of appropriate monitoring and measuring devices for control of identified characteristics

h) Head EHS ensures that measuring devices used for monitoring EHS performance are being calibrated at the defined frequency

i) Monitoring and measurement of all the identified parameters with respect to quality, environment, OH&S and IS are done as per the defined frequency and methodology. In case any deviation is found, necessary corrective and preventive actions are taken by the concerned process owner

j) QA gives the despatch clearance after ensuring completion of the required operations/inspection/testing

k) QA forwards the inspection records, as applicable, to the nominated SPOC for further submission to the customer

l) Field Services ensures delivery of the product, service and solutions through erection & commissioning, to the requirements agreed upon

m) Post-delivery activities are identified with the respective stakeholders, their involvement is agreed upon during contract finalization and the actual implementation is ensured

All the special processes required for the production, project and service requirements are validated and revalidated as per the laid down guidelines. Welding, painting, brazing, heat treatment etc. have been identified as special processes whose resulting output cannot be fully verified by subsequent monitoring or measurement. Special processes have been pre-qualified for their sets of operating parameters suited to various class and types of products by QA/D&E/Operations/PMG.

The qualification records and subsequent process monitoring records are maintained by QA/D&E/Operations/PMG. The qualification considers the following issues, as applicable:

a) Defined criteria for review and approval of the processes

b) Approval of equipment and qualification of personnel

c) Use of specific control measure and procedures

d) Requirement of process monitoring records

e) Whenever there are any changes to the process equipment/new process equipment is procured or a new category/class of product is to be manufactured, these processes are re-validated as per need. Additionally, if the process results (in terms of product quality) are not found satisfactory, the relevant process may be revalidated to ensure product complying with the requirements through readjustment of qualified process control parameters

SISCOL emphasises competency building through numerous training mechanisms/drills, supported by the infrastructure facilities/environment, and puts systems in place to prevent human error. The key characteristics of the operation that can have significant environmental impacts/risks are identified in the relevant OCPs and are monitored at the defined frequency.

8.8.2 Identification & Traceability

ISO 9001 (8.5.2)

The organization has established various systems for product identification and traceability at the various stages of the project, product and service execution to ensure that the products/assemblies/sub-assemblies/components are identifiable throughout their life cycle.

Identification: Raw materials and bought out components are received by stores from suppliers along with the details of the material containing the supplier information. After receipt, the store in-charge raises the GRN and offers the received material to QC for incoming inspection. The inspection and test status of incoming bought out items is identified based on the supplier’s certificate and inspection lot. QA/nominated person inspects the material as per QAP/FQAP/relevant reference document and, if found acceptable, the material is cleared for storage at the designated location. From the store, the material is issued to the project team/manufacturing/operations divisions as per their requirements. During all the stages of the project/production execution, it is ensured that all the assemblies/sub-assemblies are identified by means of tags/stickers/locations.

The inspection and test status of items is identified through identification stickers, inspection records, identified storage space etc., as applicable. These are then stored at designated locations. Separate areas have been identified and marked for accepted and non-conforming items throughout the life cycle of the project/product.

Traceability: Whenever required (customer requirements, legal requirements, contractual requirements), traceability for the products/assemblies/sub-assemblies is maintained through drawings, receipt vouchers, inspection reports, lot numbers or any other unique number. QA indicates the status of the material, components and sub-assemblies by use of inspection tags. All the non-conforming products/assemblies/components are suitably identified through red tags, ‘Rejected’ tags, stickers, punch, marking and location, and they are quarantined to avoid the inadvertent use of these materials. Components and products at the dispatch stage are identified with respect to the dispatch documents. With these systems in place, products can be traced back to their origin.

8.8.3 Property belonging to customer or external providers

ISO 9001 (8.5.3)

Customer or external providers’ property received by the organization (drawings/specifications/materials) is suitably identified at the point of receipt as per the contractual requirements. At the time of receipt, the property is verified against our requirements; if found unsuitable, it is returned to the customer/external provider, otherwise it is adequately stored. Proper storage is provided for all the customer/external providers’ property and, in case of any loss or damage, the same is reported to the customer/external provider and records are maintained.

8.8.3.1 Preservation

ISO 9001 (8.5.4), ISO 14001 (8.1), OHSAS 18001 (4.4.6)

SISCOL has established procedures for preserving the product quality from receipt of materials through internal processing up to the handing over of the project site/product/service to the customer. Concerned HODs ensure that adequate care is taken during handling of material, components and products/outputs to avoid any damage. Though specific responsibilities are defined in the relevant DCP/SOP, every employee is responsible for safe handling of the products at various stages of operations/manufacturing/project execution. Various SOPs have been developed for preserving the product/service at various stages of the value chain. Suppliers’/OEMs’ manuals are referred to for storage of equipment at shop floor and site.

8.8.3.2 Handling and Transportation: It is ensured by the concerned HOD that the handling and transportation of products are controlled to prevent damage, deterioration or loss. When necessary, for particular items, special instructions/work instructions are issued/displayed and monitoring is carried out to check satisfactory implementation. The appropriate handling of products is followed to avoid any deterioration of quality of product and any damage during handling/transportation within the plant. Appropriate instructions are provided to the suppliers of goods and services for safe packaging, transportation and loading/unloading – as applicable.

8.8.3.3 Storage: Appropriate storage facilities are provided at production facilities and project sites for materials and products, for their safe upkeep and to prevent damage and deterioration of the product quality, including suitable preservation wherever necessary. The condition of product in the store is assessed at appropriate intervals. Receipt and issue from stores is approved by authorized personnel. All materials having limited shelf life are issued on a First In First Out (FIFO) basis, as applicable. Appropriate storage areas are provided for finished goods to prevent any damage or deterioration of these products. The stored products are periodically assessed for any deterioration or shelf life expiry. Safe handling/loading/unloading/storage instructions have been issued to the stores personnel from an environmental/H&S viewpoint.

8.8.3.4 Packaging & Despatch: Production/Operations hands over only cleared components and products to Logistics for packaging and dispatch as per the packaging list issued by D&E. Logistics/Transporter takes adequate precautions to avoid any damage or deterioration during packing and shipping. Products that have, or are envisaged to have, contamination are controlled by the EHS Team with inputs from the MSDS, vendor etc. Regular audits also ensure compliance with the controls established in this regard.

8.8.4 Post-Delivery activities

ISO 9001 (8.5.5), ISO 14001 (8.1), OHSAS 18001 (4.4.6)

Post-delivery activities are identified with the respective stakeholders, their involvement is agreed upon during contract finalization and the actual implementation is ensured. Head-Business Development & Marketing takes the necessary inputs from the customers/prospective customers related to any of the post-delivery contractual deliverables (not limited to warranty, maintenance services etc.). These requirements are passed on to the internal team/functions/business associates in SISCOL for deliberation, planning and implementation when necessitated. While ensuring the post-delivery activities, SISCOL considers (when applicable):

a) All the applicable statutory and regulatory requirements

b) Potential undesired consequences associated with its products and services

c) The nature, use and intended lifetime of its products and services

d) All the customer requirements being mutually agreed upon

e) Customer’s feedback

BD&M in consultation with Contracts reviews all the post-delivery related agreements before signing-off with Customers. The agreed post-delivery requirements are communicated to the Operations/PMG/relevant stakeholders for ensuring these requirements are met.

8.8.5 Control of changes

ISO 9001 (8.5.6), ISO 14001(8.1), OHSAS 18001 (4.4.6), ISO 27001 (7.5.3)

SISCOL has established procedures to identify changes at all the stages of production and/or service provision (if necessitated). On identification of any change, or request for any change, in production and/or service provision, the same is reviewed, verified and approved by the CFT before implementation. During review of production and/or service provision changes, all the stakeholders are taken into consideration, including all the interfaces likely to be affected by the change and the parts already delivered. Records of the production and/or service provision changes, of the authorisation of the changes and of the actions emanating from the review are maintained appropriately. Change Notes, Field Trouble Reports (FTRs), Site Deviation Reports (SDRs) etc. are a few of the ways of controlling changes in production and/or service provision. For ISMS there is a procedure to control planned changes. A Change Management Request is maintained, with appropriate approvals and with risks evaluated for planned changes.

8.9 RELEASE OF PRODUCT & SERVICES

ISO 9001 (8.6), ISO 14001 (8.1), OHSAS 18001 (4.4.6/4.5.1) & ISO 27001 (8.1)

SISCOL has defined the characteristics for the different outputs to be achieved at appropriate stages of the project realization (receipt, in-process, final inspection and despatch clearance) for meeting the customer requirements. All these characteristics are monitored and measured by responsible personnel in the respective departments in order to ensure that the product/service (output) requirements meet internal as well as external customer requirements, including all the regulatory requirements. These characteristics have been defined by the respective HODs in their DCPs, OCPs, SOPs, QAPs etc., as applicable to the relevant stages of the processes. For all identified characteristics, the acceptance criteria for the evidence of conformity have also been defined.

Source, incoming, in-process and final inspections are conducted by a SISCOL inspector or SISCOL approved TPIAs to ensure compliance and provide evidence of the same. In-process inspection and testing is carried out at various stages of manufacturing and project execution. FQAPs have been developed to monitor and measure the critical parameters during site execution. No project/product stage is allowed to proceed to further execution until it has been inspected and tested by QA/nominated representative as per QAP/TS/FQAP/applicable requirements.

SISCOL ensures that all Quality Plans/OCPs/Inspection requirements are planned & implemented and that their inspection records are maintained to verify that, at each stage of the process, the characteristics conform to the applicable instructions, procedures, inspection plans and/or specifications. The final product/service is verified for conformance to the specified requirements as per procedures/inspection standards/Quality Plan and is handed over to the customer. The relevant records, clearly indicating the conformance/non-conformance of the product and the authority for releasing the product, are maintained by QA.

All the applicable legal and other requirements related to EHS have been identified at relevant areas by Head EHS. A legal register has been prepared by Head EHS based on these identified requirements. The legal register is a comprehensive document containing a brief description of the requirements SISCOL subscribes to, required parameters, current status, responsibility, and compliance evaluation frequency and outputs.

8.10 CONTROL OF NON-CONFORMING OUTPUTS

ISO 9001 (8.7.1), ISO 14001 (8.1/10.1), OHSAS 18001 (4.5.3/4.4.7) & ISO 27001 (10.1)

8.10.1 Control of non-conforming outputs

SISCOL has established documented information (SISCOL-CP-04) to ensure that Quality, Environment, Occupational Health & Safety and Information Security related non-conformities are suitably identified and controlled throughout the life cycle of the product and project (including post-delivery). The related responsibilities and authorities, and the ways of dealing with such non-conformities, have also been defined in the relevant DCPs/SOPs, which include handling and investigation of incidents, accidents and nonconformities under normal/abnormal conditions.

The controls include prioritizing the non-conformances, analysing them and taking immediate action: correction, segregation, containment, return or suspension of provision of products and services, based on their criticality; and authorizing use, release or acceptance under concession by operation/project authorized personnel. Where applicable, the concession may also be taken from the customer. Based on the decision, the non-conformances are suitably disposed of. The final product characteristics are re-verified by QA/designated team to ensure conformance to the requirements before the product is despatched to the customer.

The records indicating the nature of non-conformities, including the concessions, if any, and the subsequent actions taken for reducing and eliminating them, are maintained by QA or another responsible function. The actions on accidents, incidents and safety non-conformances are reviewed by Head EHS through the risk assessment process prior to implementation. The trends of non-conformance are periodically reviewed to decide on continuous improvements in the product and process.

In case nonconforming products/outputs found during any stage of manufacturing or project execution are corrected (i.e. reprocessed or re-worked), the products/information are re-verified by QA/Nominated Team for the requirements in which they were found to be nonconforming, in order to demonstrate conformity to the requirements. In case a non-conformance in the product is detected after it has been delivered to the customer or its use has started, the organization examines the criticality of such characteristics. Non-conformances which are critical and major in nature are reported to the customer and, if required, the products are withdrawn from usage. The potential effects of the nonconformity are also analysed and appropriate actions are taken.

8.11 EMERGENCY PREPAREDNESS & RESPONSE / INCIDENT INVESTIGATION / INFORMATION SECURITY RISK

8.11.1 Emergency Preparedness & Response ISO 14001 (8.2)

All the potential emergencies related to EHS have been identified in the “Emergency Plans” maintained at the relevant manufacturing/project sites. The Emergency Plan is a detailed document describing the various responsibilities of the emergency coordinator, emergency communication team, emergency relief team etc. This plan describes how to respond to actual emergencies and prevent or mitigate associated environmental aspects and Health & Safety risks. In planning its emergency response, SISCOL shall take account of the needs of interested parties & neighbouring industries. The efficiency/response action of this emergency plan is demonstrated through regular mock drills (where practicable), planned by EHS twice a year with respect to EMS & OHSMS. The results of the mock drills/occurrence of emergency situations are used to review & modify the emergency preparedness plan & the planned response actions, if required. SISCOL shall provide relevant information and training related to emergency preparedness and response, as appropriate, to relevant interested parties, including persons working under its control (employees, workmen, sub-contractors working at SISCOL’s premises).

8.11.2 Incident Investigation OHSAS 18001 (4.5.3.1)

Head-EHS shall devise the incident investigation procedure that shall record, investigate and analyse H&S incidents. The corrective and risk-based thinking/actioning procedures also include a mechanism for incident investigation so that all H&S deficiencies are identified and, after root cause analysis, necessary corrective (and preventive) actions are identified, including opportunities for improvement. The results emanating from the investigations shall be documented and communicated to all the stakeholders. Head-EHS shall ensure the investigations are conducted in a time-bound manner.

8.11.3 Information security risk assessment & treatment ISO 27001 (8.2, 8.3)

Requirements and SISCOL’s approach are defined in 6.4.4 and 6.4.5 of Chapter-6 of this document.

IMS MANUAL Doc. No.: SISCOL-IMS-MANUAL

CHAPTER - 9

PERFORMANCE EVALUATION

9.1 PURPOSE

To describe the organizational process for monitoring, measurement, analysis and evaluation (incl. Internal Audits, MRMs etc.) for establishing, implementing, sustaining, awareness & continually improving the Quality, Environment, H&S and Information Security Management Systems.

9.2 SCOPE

Applicable to the implemented Quality, Environment, Health & Safety and Information Security Management Systems covering various activities as per scope given in Chapter 1 of this document.

9.3 OVERALL RESPONSIBILITY

Top Management Leadership Team MR Concerned Head of the Departments (HODs)

9.4 MONITORING, MEASUREMENT, ANALYSIS & EVALUATION

ISO 9001 (9.1), ISO 14001 (9.1), OHSAS 18001 (4.5) & ISO27001 (9.1)

9.4.1 General

ISO 9001 (9.1.1), ISO 14001 (9.1.1), OHSAS 18001 (4.5) & ISO 27001 (9.1)

SISCOL has determined who, what, how and when the processes need to be monitored, measured, analysed and evaluated, and the implementation of this, to demonstrate conformance to product & service requirements and conformity to QMS, EMS, OHSMS & ISMS and to continually improve their effectiveness. The measurement & monitoring system is based on data and its analysis, for which various analytical tools are used.

SISCOL has defined the measurable parameters for the different processes/products and services/projects to ensure meeting the customers’ and regulatory requirements. While preparing the project schedules & plans and product delivery schedules, all the processes which have to be measured are identified by the concerned process owners/HODs. These process parameters are monitored and measured, and the results are analysed & evaluated at the specified frequency as per the responsibilities defined in QAPs/FQAPs/Flow Charts/SOPs to ensure that these processes achieve the planned results. When planned results are not achieved, the non-conforming outputs (products/services/information) are corrected (repaired/reworked/re-processed) and suitable corrective actions, as applicable, are taken by the concerned HODs to ensure conformity of the products (outputs). Compliance with these identified process parameters is ensured during inspection or system audits. Appropriate documented information is maintained.

Those processes or operations having significant environmental impact/significant risks are suitably monitored by the respective process owners/HoDs in order to ensure all the customer requirements (internal & external customers) are met. OCPs/SOPs have been defined by Head EHS to control these significant environmental aspects and Health & Safety risks. Head EHS has established a procedure to monitor and measure EHS performance on a regular basis by deploying:

a) Qualitative and quantitative measures appropriate to the organizational needs

b) Monitoring of the extent to which EHS objectives are met

c) Monitoring the effectiveness of EHS controls being exercised at different manufacturing locations, offices and project sites

d) Proactive measures of performance that monitor conformance with EHS programmes, controls and operational criteria

e) Reactive measures of performance like monitoring of ill health, incidents, and other historical evidence of deficient EHS performance

f) Recording of data and results of monitoring and measurement to facilitate subsequent corrective and risk analysis.

Monitoring includes various operational parameters like water, stack/ambient air, noise levels and progress on management programmes, objectives & targets, compliances to relevant legislations & regulations, near-misses, incidents, accidents and ill health.

The Head-IT has established a procedure to:

a) Monitor and review IT related controls to promptly detect errors, identify attempted and successful breaches and incidents, enable management to determine whether the security activities delegated to people or implemented by IT are performing as expected, help detect security events and thereby prevent security incidents by the use of indicators, and determine whether the actions taken to resolve a breach of security were effective

b) Undertake regular reviews of the effectiveness of the ISMS taking into account the results of security audits, incidents, results from effectiveness measurements, suggestions and feedback from all interested parties

c) Measure the effectiveness of controls to verify that security requirements have been met. Review risk assessment at planned intervals and review the residual risks and the identified acceptable levels of risk, taking into account changes to the organization, technology, business processes, identified threats, effectiveness of the implemented controls and external events like any changes to the legal or regulatory environment, changed contractual obligations and changes in social climate

d) Undertake security plans to take into account the findings of monitoring and reviewing activities

e) Conduct internal audits and MRM as per the planned schedules

f) Maintain documented information on actions and events that could have an impact on the effectiveness or performance of ISMS

9.4.2 Customer Satisfaction

ISO 9001 (9.1.2)

SISCOL has established & implemented a system for measuring customer satisfaction (Voice of Customer - VoC) on a transactional basis. Marketing/Business Development/Sales/Business Excellence captures the voice of customers based on the project progress/product deliveries on a regular basis and forwards the output to Quality or the concerned department for analyzing the feedback. Customer feedback (incl. complaints, pain areas & their opinion) is also captured by the concerned Project Management Team during their regular interaction with the customers. For timely response to customer complaints and issues, a detailed action plan is developed, and subsequently KPIs are identified at relevant functions and monitored & reviewed regularly. Data on customer satisfaction is compiled and presented in the top management review meeting by MR, along with the effectiveness of the actions being taken by SISCOL.

9.4.3 Analysis & Evaluation

ISO 9001 (9.1.3), ISO 14001 (9.1.2), OHSAS 18001 (4.5.1) and ISO 27001 (9.1)

SISCOL determines, collects and analyses appropriate data to demonstrate the suitability and effectiveness of the IMS and evaluates it to decide on the continual improvement of these systems. The data is collected at the specified periodicity by the designated personnel. The data is compiled and trends are plotted to show the comparison and trend along with targets. This data is analysed during the review meetings to decide on further improvements, and action points are listed to address risks & opportunities. The “Analysis of Data” includes:

a) The data generated as a result of process/project monitoring and measurement-project delays, project cost, project non-conformances, customer complaints, rejections, rework, delivery issues, cost of quality etc.

b) Data on the external providers evaluation/performance

c) Customer Satisfaction Levels

d) Key Performance Indicators (KPIs) of each department

e) The achievement of the planned activities

f) Effectiveness of actions taken by functions in SISCOL to address risks and opportunities identified

g) The data collected from other relevant sources, e.g. Bench Marking Data from relevant association or from the customers.

h) Data on Environmental and OH&S and IS performance – accidents/incidents/near miss, status of EMP/OHSMP, spillage or leakages at site, mock drill data, security violations etc.

Sl No. | Indicative data to be analyzed | Responsibility
1. | Project win loss analysis | Marketing/BD
2. | Project delays, project cost, project risks | PM
3. | Non-conformance, rework | QM
4. | Customer complaints | PM/Quality
5. | Customer perception (VoC) | Mktg./BD/Quality
6. | External provider performance | Quality/SCM/MM
7. | In process non-conformance | Quality
8. | EHS Incident, near miss and accident | EHS
9. | Information security violations/incidents | IT
10. | System non-conformance | MRs
11. | Employee engagement, attrition | HR
12. | Training feedback & effectiveness | HR
13. | Process KPI monitoring | All function HODs

All the applicable legal & other requirements with respect to IMS have been identified in the legal register. These requirements are periodically reviewed for compliance by designated persons. Documented information of these reviews is maintained at appropriate levels as per the responsibilities defined in the legal register.

9.4.4 Internal Audit

ISO 9001 (9.2), ISO 14001 (9.2), OHSAS 18001 (4.5.5) and ISO 27001 (9.2)

SISCOL has established documented information (SISCOL-CP-03) to ensure that all the activities which can have an influence on quality/environment/occupational health & safety/information security, including changes affecting the organization, are subjected to internal audits bi-annually. The procedure defines the responsibilities and requirements for planning (audit programs), conducting/implementing, reporting & recording the audits.

Internal audits are planned at six monthly frequency considering the audit criteria, scope, frequency and methods. Audit criteria include international standards, IMS manual, IMS policy, applicable legal requirements, objectives, targets, management programme, department procedures, SOPs, etc. The frequency of audits can be increased depending on the severity of Quality, Environment, Occupational Health & Safety and Information Security risks and the non-conformances observed during previous audits or operations. The frequency of these internal audits can also be increased in case of customer complaints, process or product rejections and service failures.

SISCOL has well-documented information for the training of internal auditors. Auditors are trained based on education, experience, skills and their performance in the written examination. The auditors are selected in a manner that ensures objectivity and impartiality of the audit process. The annual audit plan is prepared by the respective MRs. The audit schedule is prepared based on the status and importance of the process and the results of earlier non-conformances observed. Audits are also scheduled based on results of risk assessments and changes affecting the organization. It is ensured that Auditors do not audit their own work activities.

The audit results/reports are documented information, which is shared with all the concerned stakeholders. These reports form the basis for suitable corrective actions (CA) by the concerned HODs after suitable root cause analysis (RCA). The HoDs take the required corrective action (CA) without any undue delay. Other non-conformances are prioritized and actions are started accordingly to avoid their recurrence. Follow-up activities include the verification of the corrective actions taken, either by actual verification at site or by verifying the related documentation, depending upon the criticality of the non-conformances. The results of the actions taken are reviewed and discussed in the Management Review Meeting. Apart from the scheduled audits, other audits can also be initiated based on the importance of activities and changes in processes or services.

9.4.5 Management Review ISO 9001 (9.3), ISO 14001 (9.3), OHSAS 18001 (4.6), ISO 27001 (9.3)

9.4.5.1 General

At SISCOL, management review happens at various levels:

a) Management review meeting to review the effectiveness of IMS
b) Project Review meetings/Departmental review meeting
c) Risk Review Meeting etc.

9.4.5.2 Management Review Meeting

The CMD reviews the company’s IMS at planned intervals (at least once in a year) to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization. The review meeting interval can change considering the changing business conditions. The IMS implemented at SISCOL is reviewed in the MRM, which comprises Senior Team Members under the leadership of the CMD. The review includes assessing risks & opportunities for improvement and the need for changes to the IMS, including the SISCOL policy and objectives. Documented information of management reviews, including the minutes of the Management Review Meeting (MRM), is maintained by CMD’s office/MR; for projects, by the Project Planning Team/PMG.

9.4.5.3 Review Input ISO 9001 (9.3.2), ISO 14001 (9.3), OHSAS 18001 (4.6), ISO 27001(9.3)

The input to management review, in the form of the agenda for the Management Review Meeting, includes information for the period under review on all elements of ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001. The specific agenda items relevant to each of these standards are given in the common procedure on MRM (SISCOL-CP-07). However, more focus is laid on the following:

a) Status of actions from previous management reviews
b) Changes in external and internal issues relevant to IMS, including strategic direction
c) Review the context of the organization
d) Review the needs & expectations of interested parties
e) Review the scope of IMS
f) Information on IMS’s performance, including trends and indicators for:
   o Nonconformities and corrective actions
   o Monitoring and measurement results
   o Audit results
   o Customer satisfaction
   o Feedback from relevant interested parties
   o Performance of external providers
   o Process performance and conformity of products and services
   o The extent to which IMS objectives have been met
g) Issues concerning external providers and other relevant interested parties
h) Adequacy of resources required for maintaining effective QMS
i) Process improvement and conformity of products and services
j) Effectiveness of actions taken to address risks and opportunities, result of risk assessment and status of risk treatment plan
k) New potential opportunities for continual improvement

Specifically for EHS, the review addresses the possible need for changes to policy, objectives and other elements of the environment/OH&S Management Systems in the light of EMS/OHSMS audit results, changing circumstances and the commitment to continual improvement of EHS performance.

9.4.5.4 Review Output

ISO 9001 (9.3.3), ISO 14001 (9.3), OHSAS 18001 (4.6), ISO 27001 (9.3)

The minutes of the management review meeting are recorded and maintained for a specified period. The output of the management review shall include any decisions and actions related to:

a) Opportunities for improvement
b) Need for change in IMS including resources
c) Update of the risk assessment and risk treatment plan

The outputs from MRM shall also include any decisions and actions related to possible changes to:

a) Business requirements and security requirements
b) IMS performance
c) IMS Policy and Objectives
d) Any changes in the context of the organization
e) Any changes in the needs & expectations of interested parties
f) Any changes in the scope of IMS
g) Regulatory or legal requirements and contractual obligations
h) Levels of risk and criteria for accepting risks
i) Improvement of product related to customer requirements

The output of the management review meeting is communicated by CMD’s/MR’s office to all the stakeholders for initiating time bound actions and regular follow up is maintained for completion.

CHAPTER - 10

IMPROVEMENT

10.1 PURPOSE

To establish a system for identification of improvement opportunities in the various processes identified in the documented QMS, EMS, OHSAS & ISMS, to demonstrate the reduction in undesired effects and achieve continual improvement of SISCOL business processes. It includes various processes like continual improvement, incident investigation, non-conformity & corrective action.

10.2 SCOPE

Applicable to the implemented Quality, Environment, Health & Safety and Information Security Management Systems covering various activities as per scope given in Chapter 1 of this document.

10.3 OVERALL RESPONSIBILITY

Senior Leadership team
Heads of the Departments (HODs)

10.4 SYSTEM DESCRIPTION

10.4.1 Improvement (General) ISO 9001 (10.1), ISO 14001 (10.1), OHSAS 18001 (4.2/4.3.3/4.6), ISO 27001 (10)

SISCOL leadership is committed to create, determine and select opportunities & facilitate a culture of continual improvement in the organization. The leadership team encourages the continual improvement efforts put forth, reviews the implementation of improvement plans and evaluates their effectiveness to meet customer requirements and enhance customer satisfaction. SISCOL has established the processes with the best of intentions, focusing on performing the task at hand, with the resources at hand, in the environment where they exist. A structured approach to understand the existing conditions, generate improvement ideas, and then implement the changes to see the betterment has been made part of SISCOL’s systems and processes.

Various improvement programmes are identified by the Leadership team across the value chain of operations. In addition, HODs drive various improvement initiatives, all aiming to improve products and services while meeting requirements as well as addressing future needs and expectations.

SISCOL in every process puts efforts in correcting, preventing or reducing the undesired effects associated with it; in order to improve the performance and effectiveness of the established IMS.

10.4.2 Non-conformity & corrective action ISO 9001 (10.2), ISO 14001 (10.2), OHSAS 18001 (4.5.3), ISO 27001 (10.1)

SISCOL has established documented information (SISCOL-CP-04) to react and ensure that Quality, Environment, Health & Safety and Information Security related non-conformities are suitably identified and controlled throughout the life cycle of the product & services and project. The related responsibilities and authorities and ways for dealing with such non-conformities have also been defined in the relevant DCPs/SOPs, which include handling and investigation of incidents, accidents and nonconformities under normal/abnormal conditions.

The controls include prioritizing the non-conformances, analyzing them and taking immediate action based on their criticality, and authorizing use, release or acceptance under concession by project authorized personnel; where applicable, the concession may also be taken from the customer. Based on the decision, the non-conformances are suitably disposed of. The final product & services characteristics are re-verified by QA for ensuring conformance to the requirements before being despatched to the customer. The documented information indicating the nature of non-conformities including the concessions, if any, and the subsequent actions taken for reducing and eliminating them is maintained by QA or other responsible function. The actions on accidents, incidents and safety non-conformances are reviewed through the risk assessment process, prior to implementation by Head EHS. The trends of non-conformance are periodically reviewed for further deciding continuous improvements in the product and services and process.

In case the nonconforming products & services found during any stage of design, manufacturing or project execution are corrected (i.e. reprocessed or re-worked), the products & services / information are re-verified by QA/competent personnel for the requirements in which these were found to be nonconforming, in order to demonstrate conformity to the requirements. In case a non-conformance in the product is detected after it has been delivered to the customer or its use has started, the organization examines the criticality of such characteristics. Any such non-conformance which is critical and major in nature is informed to the customer and, if required, the products are withdrawn from usage. The potential effects of the nonconformity are also analyzed and appropriate actions are taken.

Based on the non-conformity observed, the risk related to the NC shall be identified and updated in the ROAM related to the concerned process.

Corrective Action

The company has established documented information (SISCOL-CP-04) for taking actions to eliminate the cause of non-conformities in order to prevent recurrence of significant problems, by analysis of non-conformance documented information, product rework/rejection data, external provider performance documented information, project execution documented information etc. SISCOL ensures corrective actions are appropriate to the effects of the non-conformities encountered, which are monitored to have cent percent compliance. Through this documented information it is ensured that controls are exercised for:

a) Reviewing the non-conformities (including customer complaints)
b) Determining the causes/analysing non-conformities
c) Evaluating the need for action based on criticality of the activities to ensure that non-conformities do not recur
d) Determining, deciding the corrective action needed based on root cause analysis and implementing the same
e) Determining if similar nonconformities exist, or could potentially occur
f) Maintaining the documented information of the results from the action taken
g) Communicating the results of corrective actions to all the stakeholders
h) Reviewing effectiveness of corrective actions
i) Determining the cause of reoccurrence of similar NCRs
j) Update risks and opportunities determined during planning

All customer complaints, customer returns, rework, rejections, delays, incidents are identified during the project execution life cycle by the nominated persons. These deviations are analyzed, using various statistical tools/problem solving methods and the corrective actions are taken to eliminate the cause of non-conformities in similar areas. The effectiveness of the corrective action is verified during subsequent product/processes/project audits. Cross functional teams are constituted for the critical problems related to Quality, EHS and IT. Integrated management system is made richer by changing the way of operations/processes to incorporate the learnings from the non-conformities.

10.4.3 Continual Improvement ISO 9001 (10.3), ISO 14001 (10.3), OHSAS 18001 (4.2/4.3.3/4.6), ISO 27001 (10.2)

Continual improvement is of paramount importance for SISCOL. The organization aims to utilize the analysis of product/project/process related data and continually enhance, improve the suitability, adequacy and the effectiveness of the Quality, Environment, Health & Safety and IS management systems.

Continual improvement programmes/KPIs for Quality, Environment, H&S, IS are identified by use of Policy, Objectives & Targets, market analysis, results of risk assessments, environmental aspects evaluation, feedback for improvements through audit results, analysis of data, customer feedback, applicable legal requirements, significant environmental aspects, H&S risks, IS risks, corrective action and the discussions held in management reviews.

The continual improvement programmes are identified based on the results of analysis and evaluation (defined in Chapter 9, but not limited to), outputs emanating from management review meets; by the concerned HODs, using following indicators (naming a few, indicative):

a) Customer Dissatisfaction e.g. complaints or project delays
b) Inventory Management improvement
c) Delivery Problems from External providers
d) On time delivery of projects to the customers
e) Integrated Management Systems improvement
f) Improvement in external provider Rating
g) Reduction in consumption of natural resources
h) Training feedback and effectiveness
i) Improving housekeeping at manufacturing/project site
j) Cost of quality
k) Reducing environmental impacts through innovative product design
l) Achieving stretched goals
m) Analysis of data related to accidents, incidents, near misses
n) Sharing the lessons learnt from the projects across SISCOL

ANNEXURE - A

LIST OF DOCUMENTED INFORMATION

ANNEXURE A: SAMPLE LIST OF DOCUMENTED INFORMATION (DI)

| Sr. No. | DI No. | Details | Scope of Standards |
|---|---|---|---|
| 1 | SISCOL-CP-01 | Documented Information | QMS+EMS+OHSAS+ISMS |
| 2 | SISCOL-CP-02 | Risk and Opportunity Identification, Assessment, Implementation and Reviewing effectiveness | QMS+EMS+OHSAS+ISMS |
| 3 | SISCOL-CP-03 | Conduction of Internal Audits | QMS+EMS+OHSAS+ISMS |
| 4 | SISCOL-CP-04 | Control of Non-conformance and Corrective Action | QMS+EMS+OHSAS+ISMS |
| 5 | SISCOL-CP-05 | Competency Development | QMS+EMS+OHSAS+ISMS |
| 6 | SISCOL-CP-06 | Management Review Meeting | QMS+EMS+OHSAS+ISMS |
| 7 | SISCOL-CP-07 | Objective Settings | QMS+EMS+OHSAS+ISMS |
| 8 | DCP-1 | | |
| 9 | DCP-2 | | |
| 10 | DCP-3 | | |
| 11 | DCP-4 | | |
| 12 | . | | |
| 13 | . | | |
| 14 | . | | |
| 15 | . | | |
| 16 | . | | |
| 17 | . | | |
| 18 | . | | |
| 19 | . | | |
| 20 | . | | |
| 21 | . | | |
| 22 | . | | |
| 23 | . | | |
| 24 | . | | |
| 25 | . | | |
| 26 | . | | |

ANNEXURE - B

COMMON PROCESSES

1.1. Documented Information

1.1.1. Process Flow

1.1.2. Process Notes

P1. All the documented information required for the activity/function should be identified well in advance and reflected in the functional DCPs/Manual/MDL.

P2. As identified in the MDL, all the documented information is to be prepared, and the owner of the DI & its retention period identified. All documents are to be prepared as per the reference national and international standards, contract document, customer requirement, SISCOL and applicable legal & statutory requirements, in the standardized format/template structure only.

D1. Before approving the documents, review should be done comprehensively for all the applicable processes with respect to QMS, EHSMS, ISMS, Customer, SISCOL and applicable legal & statutory requirements.

P3. The approved DI shall be circulated/distributed in a controlled manner and stored in a protected way to avoid any loss of data and to ensure that only authorized users have access to these documents; the access is controlled through IT.

P4. The approved documents shall be updated in the MDL. The updated master list of documents should be available with the concerned process owners along with the current revision no. The master list of drawings/specifications should be available with the nominated person.

P5.
1. The reason for the change should be justified in the change request.
2. In case the change affects more than one function/project, the issue is to be discussed with the other interested parties before implementing the change.

P6. Modify/amend the document. The changed part of the document should be identifiable through italics/bold/underline/font colour/box with Rev. No.

D2. The document should be approved by the same or higher level as in the original document.

P7. The revision number is to be incremented after the change, and the master list of documents of internal origin reflected in DCPs should be modified.

P8. The revised document is to be communicated to all the original recipients or additional persons as per the business requirements.

P9. Obsolete documents are to be discarded as per the prevailing practices and should not be available at the point of use. One copy of the obsolete document should be archived for future reference.

1.1.3. SIPOC

Trigger – Ensure the Control of Document Information
Frequency – Ongoing

| Supplier | Input | P | Output | Customer |
|---|---|---|---|---|
| Engineering/ Stakeholders/ Vendors/ Client/ Manufacturing Team/ Project Team | National, International standards, contract document, customer requirement, SISCOL and applicable legal & statutory requirement | | MDL, DCP, Manual | Process Owners, Client, External Providers |
| Engineering/ Stakeholders/ Vendors/ Client/ Manufacturing Team/ Project Team | MDL | | DCP/Procedure/SOP/QAPs/Engineering Deliverables/OCP/manual/Work Instructions/Formats/guidelines/flow chart/plans etc. | Process Owners, Client, External Providers |

1.1.4. RASCI

| Activity | Responsible | Accountable | Support | Consult | Inform |
|---|---|---|---|---|---|
| P1. Identification of needs for Documented Information (DI) required for effective Management Systems | Process owner | HOD | Stake holders | IMS Team, External Providers | Process Owner, Client, External Providers |
| P2. Preparation of DI, identification of owner and its retention period | Process owner | HOD | Stake holders | External Providers | Engineering team, Client, External Providers, stake holders |
| D1. Review & approval of documents; Approved? | Process owner | HOD | - | - | Client, External Providers, Engineering team |
| P3. Circulation/ Distribution/ Storage/ Protection of DI | Process owner | HOD | IT team | - | Client, External Providers, Engineering team |
| P4. Updating MDL of internal origin | Process owner | HOD | IT team | | Client, External Providers, Engineering team |
| P5. Receipt of change request or need for change of document and its review | Process owner/ nominated person | HOD | External Providers, cross functional team members | - | Process Owner |
| P6. Amendment/ modification in the documents | Process owner/ nominated person | HOD | External Providers | Client | Stakeholders |
| D2. Approval of documents; Approved? | Process owner | HOD | External Providers | - | Stakeholders |
| P7. Update issue No/ revision No. and MDL | Process owner/ nominated person | HOD | External Providers | - | Stakeholders |
| P8. Circulation/ Distribution/ Storage/ Protection of DI | Process owner/ nominated person | HOD | External Providers | - | Stakeholders |
| P9. Retention, archival & disposition of DI | Concerned user | HOD | External Providers | - | Stakeholders |

Note: Internal/IMS related documents may not be meant for Client/External Provider

1.1.5. ROAM  

| Sl. No. | Probable/ Envisaged Description | Possible Mitigation Plan/ Most-likely Benefits |
|---|---|---|
| RISK | | |
| 1 | Missing of identification of critical document in the Document Management process | 1. Availability of all references/standards for identification of documents; 2. Higher level and CFT review |
| 2 | Missing important elements/parameters of the processes/products to be captured in the document as per requirement | |
| 3 | Non-conformities due to non-communication of approved/modified documents to concerned | Communication of approved/modified documents to all concerned stake holders |
| 4 | Theft or loss of data | Strict compliance to ISMS |
| OPPORTUNITY | | |
| 1 | Security of documents with sensitive information | Avoid access of sensitive information to competitors |
| 2 | Centrally controlled repository of documents | To adopt and implement a structured method to establish, update and communicate controlled documentation |
| 3 | Use of Standard templates/Formats across | Improvement in operational effectiveness |

1.1.6. KPIs

| KPI | Objective | Formula | UoM |
|---|---|---|---|
| Identification of document | To identify internal origin document required for effective Integrated Management System | Within 30 days of receipt of contract/Within 15 days of change or revision of process | Days |
| Preparation, Review & Approval document | To prepare, review & approve document required for effective Quality Management System | 15 days in advance start of processes | Days |
| Communication of documents | To communicate document/amendments/modifications to all concerned departments | Within 2 days after approval | Days |

1.2. Risk and Opportunity Identification, Assessment, Implementation and Reviewing Effectiveness

1.2.1. Process Flow

1.2.2. Process Notes

The objective of the ‘Risk Management’ process is to ensure that the project/manufacturing/proposed project periodically goes through a comprehensive risk management process by:

● Assessing and quantifying all risks associated with the project/proposed project
● Developing risk mitigation/treatment plans that can be followed through, using the review mechanism
● Ensuring that top management is kept abreast of the overall risk profile of the project/manufacturing/proposed project with focus on the most critical risks

P1. The assessment shall be performed in line with SISCOL risk guidelines. For the proposal project, risk assessment & treatment shall be performed before technical/price bid submission. For ongoing or under execution projects/manufacturing, risk assessment & treatment shall be performed once in a quarter.

a) Risks and Opportunities to be identified at various stages of the manufacturing and project life cycles through proactive monitoring of various process parameters/ acceptance criteria, product non-conformities and internal/external audits.

b) Risks and opportunities to be proportionate to the potential impact on the conformity of products.

P2. Determine/Identify the sources, causes/ processes/ activities in Risk and Opportunity form

P3. CFT/team/person constituted by the concerned HOD for risk assessment

P4. Nominated team/person will assign probabilities to each risk element based on past experience and current project expectations, segregates risks based on their impact on either delay liabilities or cost escalation. Severity calculated based on estimated delay and/or cost implication as per norms of the SISCOL Risk Policy. Nominated team/person will identify risk treatment plan and submit it for competent authority.

D1. Approval from competent authority to be obtained before implementation of Mitigation/Contingency plan

P5. In case any modification suggested by competent authority, same shall be incorporated

D2. After incorporating the changes, nominated team/person will identify any modification in system/process/document (DCP/SOP/QAP etc.)

P6. In case of any modification same shall be obtained from competent authority/process owner.

P7. Treatment/Mitigation and Contingency plan to be implemented within defined time frame. The record is maintained in risk register.

 

P8. Review/evaluation of effectiveness of implementation to be completed within defined time frame as per Mitigation/ Contingency Plans and maintained in risk register.

1.2.3. SIPOC

Trigger - Risk and Opportunity Identification, Assessment, Implementation and Reviewing effectiveness
Frequency – As per SISCOL Policy

| Supplier | Input | P | Output | Customer |
|---|---|---|---|---|
| Process owner | Process monitoring/ knowledge sharing/ Audits/ Non-Conformities/ external & internal issues w.r.t context of the organisation/ requirement of interested parties | | Risk register | Nominated Team/ person |
| BD&M | Risk Register from pre-bid (for project/manufacturing) | | | |
| Nominated Team/person | Mitigation / Contingency Plan | | Risk Register & record note | Competent authority |

1.2.4. RASCI

| Activity | Responsible | Accountable | Support | Consult | Inform |
|---|---|---|---|---|---|
| P1. Identification of Risks and Opportunities throughout the life cycle of the Project/Process. | Process owner/ Nominated Team/person | Process owner | PMG/Functional Head | Leadership Team/Functional Head | Nominated Team/ person/ Functional Head |
| P2. Determine the Sources, causes/ Process/ activities for the Risk and Opportunity | Process owner/ Nominated Team/person | Nominated Team/person | Functional Head | Leadership Team/Functional Head | Nominated Team/ person |
| P3. Nomination of the Risk and Opportunity Assessment person/team | Leadership Team | Leadership Team | Functional Head/HR | Functional Head/ HR/Contracts | Nominated Team/ person |
| P4. Identification of risks, areas of impacts, events & their causes and their potential consequences. Then carry out Risk/Opportunity assessment considering the Probability and Severity. After that assign category for the same. Prepare the Mitigation and Contingency plans for identified Risk | Process owner/ Nominated Team/person | Nominated Team/person | Functional Head | Leadership Team/Functional Head/Contracts | Nominated Team/ person/ Leadership Team/Functional Head/Contracts |
| D1. Seek approval for implementation; Approved? | Nominated Team/person | Nominated Team/person | Functional Head | Functional Head/Contracts | Competent Authority |
| P5. Modify the treatment plan | Nominated Team/person | Nominated Team/person | Functional Head | Functional Head/Contracts/ Competent Authority | Process owner/ Functional Head/Contracts/ Leadership Team |
| D2. Any system change / process modification required | Process owner | Process owner | Nominated Team/person/ Functional Head | Nominated Team/person/ Functional Head | Nominated Team/person/ Functional Head/Contracts/ Leadership Team |
| P7. Implementation of Risk Treatment Plan | Process owner | Process owner | Nominated Team/person/ Functional Head | Nominated Team/person/ Functional Head | Nominated Team/person/ Functional Head/Contracts/ Leadership Team |
| P8. Review and record the implementation and evaluate effectiveness of Risk Control/Opportunities | Process owner | Process owner | Nominated Team/person/ Functional Head | Nominated Team/person/ Functional Head | Nominated Team/person/ Functional Head/Contracts/ Leadership Team |

1.2.5. ROAM

| Sl. No. | Probable/ Envisaged Description | Possible Mitigation Plan/ Most-likely Benefits |
|---|---|---|
| RISK | | |
| 1 | Missing of risk/opportunity identification | Promote culture to identify the risk/opportunity by anyone during the project cycle. Getting vetted from Contracts in line with SISCOL guideline |
| 2 | Ineffective mitigation and contingency plan | ● Mitigation and contingency plan to be prepared by competent team/ person. ● Mitigation and contingency plan to be reviewed and monitored for the implementation of effectiveness. ● Consultation with Contracts team |
| OPPORTUNITY | | |
| 1 | Culture to identify risk/opportunity by anyone during the project cycle | Will have least possibilities to miss out major risk/opportunity and its impact of organization/project |
| 2 | Effective implementation of mitigation and contingency plan | Damage owing to risk will be arrested or minimized |

1.2.6. KPIs

| KPI | Objective | Formula | UoM |
|---|---|---|---|
| Risk assessment and Opportunities in risk | Identification of sources of risks, areas of impacts, events & their causes and their potential consequences. Then carry out Risk/Opportunity assessment considering the Probability and Severity. | As per SISCOL risk guideline | Numbers |
| Risk Treatment Plan | Derive the treatment plan | Preparing plan within defined time frame | Days |
| Effectiveness treatment plan | Evaluation of the effectiveness of mitigation and contingency plan | Number of change in plan | Numbers |

1.3. Internal Audit

1.3.1. Process Flow

1.3.2. Process Notes

P1.
1. As a minimum criterion, auditors must hold a valid Internal / Lead Auditor certification in ISO Management Systems.
2. There shall be a continuous process for identifying employees to be trained for new Internal Auditor / Lead Auditor certifications.

P2.
1. All the projects/activities/manufacturing facilities of SISCOL are to be audited at a minimum frequency of six months.
2. The internal audit schedule is to be prepared at least 2 weeks before the date of the internal audit.
3. Auditor independence is to be ensured while planning the audits.
4. The tentative audit duration is to be specified in the audit plan.

P3. The audit plan is to be circulated to the concerned auditee, auditors & stakeholders at least 2 weeks before the internal audit.

P4.
1. The audit should be completed as per the internal audit plan.
2. The audit should be as per the defined scope, criteria and objectives.

P5. Audit reporting and identification of OFIs is to be done in the specified format/platform by the auditor, after discussion with the auditee in the audit closing, within 3 days of conducting the internal audit.

P6. The Audit committee reviews the audit reports and improvement areas and approves the audit report / NCs / OFIs for circulation to the concerned auditee / functional head within 2 days of submission of the reports by the internal auditors.

P7.
1. Root cause analysis and the proposed closure date of NCs/OFIs shall be provided in the NC format/platform by the Auditee / Process owner, in consultation with stakeholders / function heads, within 1 week of release of the audit report.
2. Correction / corrective action on the NCs / observations raised is to be taken within 3 weeks of submission of the internal audit report or by the agreed proposed closure date.

D1. The Audit committee is to check and verify whether NCs / OFIs were vacated, within 2 days of submission of the implementation of corrective action by the auditee / process owner.

P8. A follow-up audit (if required) is to be conducted for verification of corrective action.

D2. All NCs are to be resolved within 3 weeks after conducting the internal audit, including the completion of corrective actions.

P9. The audit summary report is to be prepared and presented to the concerned HOD within 3 weeks of the completion of the internal audit, and in the quarterly meet to TM & MRM.

 


 

P10. During the top management meetings, the input for continual improvement programmes and updating of the ROAM shall be derived.

D3. Review the effectiveness of the internal audits, i.e. to what extent management expectations are met by the internal audit.
1. Continuous process.
2. Based on the review, further actions such as refresher trainings for auditors are planned.

1.3.3. SIPOC

Trigger – Conducting IMS internal audit
Frequency – Six Months

Supplier | Input | P | Output | Customer
Functional Heads / IMS Team | Auditor List | | Audit Schedule | IMS Team
Auditors | Audit schedule, DCP, Manuals, Contractual / statutory requirements | | Audit Reporting | Auditee / Process owners, Functional Heads, IMS Team
IMS Team | NC / Audit report / RCA | | Audit Summary report | Top Management

1.3.4. RASCI

Activity | Responsible | Accountable | Support | Consult | Inform
Identification of trained internal auditors | IMS Team | Head Quality / EHS / IT | Functional Heads | Reporting Manager of Auditors | Auditors, Auditee, Stakeholders
Preparation & circulation of internal audit schedule / plan | IMS Team | Head Quality / EHS / IT | IT Department | Auditors, HODs, Process Owners | Auditors, Process Owners, HODs
Conducting Audit & Reporting | Auditor | Auditor | - | IMS Team | Auditee, IMS Team, Functional Heads
Vacating NCs / Root Cause Analysis, Corrective actions | Auditee / Process Owner | Functional Head | Stakeholders | Auditor | IMS Team
Follow-up Audit and verification of CA | Auditor | IMS Team | Functional Heads | - |
Preparation of audit summary report & presentation to concerned HOD | IMS Team, Leads | IMS Team, Leads | Auditor, Auditee | Auditor, Auditee | Top Management
Identification of Continual Improvement programmes (CIP) and updating ROAM | Functional Heads | Functional Heads | - | - | Stakeholders
Review the effectiveness of the internal audits | Functional Heads | Functional Heads | IMS Team | - | Head Quality / EHS / IT

1.3.5. ROAM

Probable/ Envisaged | Sl. No. | Description | Possible Mitigation Plan/ Most-likely Benefits
RISK | 01 | Non-availability of enough competent auditors for conducting internal audit | Proactive action for identification of auditors and their training, and maintaining a proportional ratio between total employees and auditors
RISK | 02 | Delay in conducting audits due to non-availability of certified internal auditors as per planned schedule | 1) Schedule shall be made thoroughly, considering the project schedule and commitment from top management, HODs. 2) Circulation of audit plan well in advance (min. 2 weeks) for auditors and auditee to reserve their date and time.
RISK | 02 | Improper reporting by auditors (e.g. the report is not clear enough to address the issue), leading to failure to find the right issue. | Second level review by IMS team before releasing the report to the auditee
RISK | 03 | Closure of NCs by auditee without ensuring proper root cause analysis | IMS Team / Auditor shall conduct verification audits for Major NCs
RISK | 04 | Repetition of similar NCs in subsequent audit | Top Management, Process owner shall have analysis of audit results / NCs
OPPORTUNITY | 1 | Involvement of Top Management / HODs in the review process. | Improvement in IMS effectiveness
OPPORTUNITY | 2 | Gap analysis by process owner at regular interval | Improvement in IMS effectiveness
OPPORTUNITY | 3 | To identify hidden risk in the process | Improvement in planning

 


 

1.3.6. KPIs

KPI | Objective | Formula | UoM
IMS Internal Audit | Conduction of IMS internal audit minimum twice in a year and as per planned schedule | Six Monthly | Numbers
IMS Internal Audit | Conduction of IMS internal audit as per planned schedule | % of completed internal audits in comparison to the internal audit planned | %
Audit Reporting | Timely reporting of internal audit observations / report | The length of time for issuing internal audit reports | days
Audit Reporting | Creation of suitable observations w.r.t non-conformance in reference to standard, IMS Manual, DCP, OFIs, Good practices | External Audit NCs / Observations; No. of Major audit findings & recommendations | Numbers
Vacating NCs | Submission of corrective action & closure of NCs with objective evidence | Within 3 weeks of audit / within time frame of proposed closure date | Period
Audit summary report | Presentation of audit summary reports to HODs/Top Management | Within 3 weeks of audit | Period
Effectiveness of internal audit | Evaluation of effectiveness of Internal audit | 1) The progress in action implementation of audit recommendation 2) Reduction in final product rejections | %

 

 

 

 

IMS MANUAL COMMON PROCESSES

Page 90 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Annexure – B.4 Doc. No.: SISCOL-IMS-MANUAL

 

1.4. Control of Non-conformance and Corrective Action

1.4.1. Process Flow  

 


 

1.4.2. Process Notes

P1. Non-conformities, potential EHS risks and IS events will be identified during manufacturing and throughout life cycle of the project through proactive monitoring of various process parameters/ acceptance criteria, feedback from interested parties, risk identification & analysis, customer voice, project review, internal and external benchmarking and internal audits. NC may also be identified by the customer or relevant interested parties.

P2. In case of product NCs, the material, component or equipment shall be adequately quarantined by placing it at an identified space / red tagging etc. (as applicable), in line with the correction requirement. In case of System NCs, EHS incidents or IS events, an appropriate action plan shall be taken based on the proposed correction.

P3. Identify the appropriate correction/containment action and the nominated person/team, considering the impact of the Non-Conformance / incident / IS event. The nominated person/team will take the appropriate correction/containment action.

P4. Relevant records of rework / reject / concessions / risk mitigation are to be maintained as appropriate.

D1. Effectiveness of the correction/containment action is verified by the nominated person/team.

P5. A team will be identified/nominated for root cause analysis and to bring out the corrective action plan.

P6. The nominated person/CFT shall carry out the root cause analysis within the specified time period.

P7. The nominated person/CFT shall identify/propose corrective action for avoiding recurrence in the same or another site within the specified time period.

D2. Approval of the concerned head is to be obtained before implementation of corrective actions.

P8. Corrective actions emerging from the root cause analysis are to be implemented within the specified time interval, based on the recommendation of the nominated person/CFT.

P9. In case a modification is suggested by the approving authority, the same shall be modified.

P10. The implementation of the corrective action will be reviewed/evaluated, and the effectiveness of the corrective plan checked.

P11. Effectiveness of corrective actions will be presented/reported to the concerned leadership team.

P12. The existing documents will be updated in case the same is necessitated (QA Plans, QA, EHS & IT Risk assessment, Procedures, SOPs).


 

1.4.3. SIPOC

Trigger – Control of Non-conformance and Corrective Action
Frequency – Continuous

Supplier | Input | P | Output | Customer
Interested parties | Stakeholder feedback / process measurement / project review / internal audits / Inspection, VOC / NCR / supplier or contractor evaluation, deviation reports | | Raise of Non conformity and quarantining product from use | Process owner through Vendor / contractor / service provider / SISCOL project / functional incharge
Interested parties | Non Conformity Report | | Root Cause Analysis; Correction; Corrective Action | Nominated person/CFT
Interested parties | Non Conformity Report | | Effectiveness of correction, corrective action report / presentation | Leadership team / Interested Parties

1.4.4. RASCI

Activity | Responsible | Accountable | Support | Consult | Inform
P1. Identification of Non Conformity | Interested Parties | MRs / HODs / Auditors | IMS Audit Team / Executing Agency / PMG / Field Services Team | IMS Audit Team / Executing Agency / PMG / Field Services Team | Process owner / Executing Agency / Relevant Interested Party
P2. Immediate segregation / quarantine the Non Conformity to avoid any unintended use of the same, as applicable (not applicable for system NCs) | Process Owner / Execution agency | Process Owner | Functional Team Members | Functional Team members / Relevant Interested Party | Process owner / Executing Agency / Relevant Interested Party
P3. Identification and containment actions to be taken on the Non Conformity along with responsibility. | Process Owner / Execution agency / Concerned nominated person | Functional Head | Functional team members | Relevant Interested Party / Execution agencies | Execution agencies / Process Owner / Relevant Interested Party
P4. Recording status of action taken (correction / rework / reject / concessions / risk mitigation) | Process Owner / Execution agency | Functional Head | Functional Team Members | Relevant Interested Party / Execution agencies | Execution agencies / Process Owner / Relevant Interested Party
D1. Verification of correction taken as effective? | Process Owner / Execution agency / Concerned nominated person/team | Concerned nominated person/team | Functional Team Members | Functional Team members | Core / Central team
P5. Nomination of team/person for root cause analysis of the identified non conformity including EHS Incident and IS events (As per requirement) | Functional Head/HOD | Functional Head/HOD | Process Owner / Execution agency / Functional Team Members | Process Owner / Execution agency / Functional Team Members | Process Owner / Execution agency / Functional Team Head
P6. Root cause analysis of the NC | Nominated persons/team | Nominated persons/team | Process Owner / Execution agency / Functional Team Members | Process Owner / Execution agency / Functional Team Members | Process Owner / Execution agency / Functional Team Head
P7. Identifying the corrective actions to be implemented to avoid its reoccurrence in the same or other projects | Nominated persons/team / Process Owner | Nominated persons/team | Process Owner / Execution Agencies / Functional Team Members | Process Owner / Execution Agencies / Functional Team Members | Process Owner / other stakeholder
D2. Seek approval for implementation; Is approved? | Nominated persons/team | Functional Head/HOD | Process Owner / Execution Agencies / Functional Team Members | Process Owner / Execution Agencies / Functional Team Members / Nominated person/team | Process Owner / Execution Agencies / Functional Team Members / Nominated person/team
P9. Implementation of output of RCA (Corrective actions) | Process Owner / Execution agency | Process Owner | Functional Team Members / Process Owner / Execution Agencies | Functional Team members / Nominated Person/team / Relevant Interested Party | Functional Head / Process owner / Executing Agency / Relevant Interested Party
P10. Modify implementation plan | Nominated persons/team | Nominated persons/team | Functional Team Members / Process Owner / Execution Agencies | Functional Team Members / Process Owner / Execution Agencies | Functional Head / Process Owner / Execution Agencies
P11. Review the implementation and evaluate effectiveness of Corrective actions | Process Owner / Execution agency | Functional Heads | Functional Team Members / Process Owner / Execution Agencies | Functional Team Members / Process Owner / Execution Agencies | Functional Head / Process Owner / Execution Agencies
P12. Present/report the effectiveness of corrective actions to concerned HOD / PD / RCM / Leadership team (as per requirement) | Process Owner / Execution agency | Functional Heads | Functional Team Members / Process Owner / Execution Agencies | Functional Team Members / Process Owner / Execution Agencies | HOD / Function Heads
P13. Updation of existing documents (QA Plans, EHS, Risk assessment, IS risk assessment, OCPs, Procedures, SOPs) | Process Owner | Functional Heads | Functional Team Members / Process Owner / Execution Agencies | Functional Team Members / Process Owner / Execution Agencies | HOD / Function Heads

1.4.5. ROAM

Probable/ Envisaged | Sl. No. | Description | Possible Mitigation Plan/ Most-likely Benefits
RISK | 1 | NCs not identified during life cycle of project which results in failure of component/equipment | All efforts to be done to identify and raise NCs during life cycle of project. Conducting periodic audits.
RISK | 2 | Resolution of NCs kept on hold for longer time which delays progress of project or delivery schedule. | All NCs shall be resolved with proper corrective action within specified time period
RISK | 3 | Irrelevant / illogical or wrong RCA done against NCs | Support from experts to be taken for proper RCA
RISK | 4 | Improper or ineffective corrective actions/correction | Correction / Corrective actions to be verified for effective and proper implementation.
OPPORTUNITY | 1 | Identification of NCs at right time during execution of project or mfg. processes of components/equipment | NCs can be resolved with proper corrective action and avoid failure of component/equipment.
OPPORTUNITY | 2 | Analysis of NCs | Benefit in smooth execution of New projects
OPPORTUNITY | 3 | Proper, logical RCA and effective implementation of CAs | Arresting the recurrences.

1.4.6. KPIs

KPI | Objective | Formula | UoM
Identification of Correction, Corrective Action, RCA | Within specified time by Leadership Team/Functional Heads | 100% identification within specified time | Numbers of days
Resolution of NCs | Within specified time by Leadership Team/Functional Heads | 100% identification within specified time | Numbers of days
Recurrence of NCs | Arresting the cause of problem on account of same issue | Zero recurrence | Numbers

IMS MANUAL COMMON PROCESSES

Page 96 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Annexure – B.5 Doc. No.: SISCOL-IMS-MANUAL

 

1.5. Competency Development

1.5.1. Process Flow

 


 

1.5.2. Process Notes

P1.
1. The required job description (JD) for the position to be filled shall be identified by the Business Manager/HOD prior to the selection process.
2. The JD is to be approved by the Functional Head/HOD and sent to HR for further processing.
3. A Competency Matrix Sheet is generated, which captures the skill sets required for all the processes/levels/functions/personnel. This shall be prepared by HODs with assistance from the Training Team.

P2. During selection of the prospective employee, HR is to scout and ensure that personnel meet the JD. The interview panel conducts the interview. The Selection Process (in HR DCP) is also referred to here.

P3. The gaps found in the interview are captured in the Interview Sheet, as well as during day-to-day review and during the appraisal process of the employee. The Competency Matrix Sheet is filled for the function/level/process/personnel, and thereby the gaps against the required skill sets emerge. This process shall be carried out prior to the start of the financial year / issue of the annual training calendar by the Training Team, and as and when a new profile is necessitated.

P4. The gaps are the input for identification of training needs for the department / of all the personnel/profiles.

P5. The training needs are forwarded to the Training Team for planning and execution. The training needs are updated in Records. Both the technical and behavioural training needs are to be identified.

P6. Training Team/HR/Ext. Agency conducts training programmes. Training feedback for all the trainings is to be obtained by the Training Team and analysed for circulation to the relevant interested parties.

D1. The effectiveness of the training imparted should be evaluated by the Training Team along with the reporting manager within 3 months from the completion of training. Ref.: Training Effectiveness Process of Training Team. Assess the gaps if the effectiveness is not up to the mark, for re-conducting the training (can be on-job / classroom based / discussion / seminar etc.).

P7. Continuous/Regular/Periodic monitoring & updating of the competence for re-mapping, and once again the cycle begins.

1.5.3. SIPOC

Trigger – System for identifying the job requirements, job competence & identifying competency gaps; obtaining training feedback, training effectiveness and subsequently enhancing the competence of all the employees of SISCOL
Frequency – Continuous

Supplier | Input | P | Output | Customer
JD – Business Managers; Competence Reqmnt.: HR in discussion with DH/PDs/Business Managers | Existing and future business requirement | | O1. Competency Matrix Sheet | Department / Employees
Training Team | Selection Process (in HR DACP) | | O2. Filled Interview Sheet | HOD/FH/Training Team/HR
I1. HOD/FH I2. HR | I1. Competency Matrix Sheet I2. Interview Sheet | | O3. Filled Competency Matrix | HOD/FH/Training Team/HR
HOD/FH/Training Team/HR | Training Content / Framework | | O4. Training Feedback | HOD/FH/Training Team/HR
Training Team/HR | Training Effectiveness Framework | | O5. Training Effectiveness Report | HOD/FH/Training Team/HR

1.5.4. RASCI

Activity | Responsible | Accountable | Support | Consult | Inform
P1. Identification of various job profiles along with detailed competence requirements | Functional Heads | HOD | Training Team/HR | Head Training / Head HR | Top Management
P2. Selection of the potential personnel for the identified job | Functional Heads | HOD | Training Team/HR | Head Training / Head HR | Top Management
P3. Identification of gaps vis-à-vis competence required | Functional Heads | HOD | Employees | Head Training / Head HR | Top Management
P4. Identification of training needs of all the personnel/profiles | Functional Heads | HOD | Employees | Head Training / Head HR | Top Management
P5. Forward the training needs to HR for planning and execution of the same. Updating the training needs in PODP/Records | Functional Head | HOD | Employees | Head Training / Head HR | Top Management
P6. Conduct of training programmes by Training/HR/Ext. Agency and obtaining training feedback | Training Team/HR | HOD | Faculty | Employees | Top Management
D1. Evaluation of effectiveness of training | Functional Head | Training Team | Employee | Head Training / Head HR | Top Management
P7. Continuous / Regular / Periodic monitoring & updating the competence | Functional Head | HOD | Employee | Head Training / Head HR | Top Management
P8. Assess the gaps | Functional Head | HOD | Employee | Head Training / Head HR | Top Management

1.5.5. ROAM

Probable/ Envisaged | Sl. No. | Description | Possible Mitigation Plan/ Most-likely Benefits
RISK (What can go wrong?) | 1 | Selection of incompetent personnel | Identify job and skill requirement and involve concerned personnel in selection process.
RISK (What can go wrong?) | 2 | Wrong identification of required gap | Proper identification of gap by senior people/HODs
RISK (What can go wrong?) | 3 | Ineffective training to fill the gap | Training effectiveness to be evaluated
OPPORTUNITY | 1 | Selection of skilled and competent personnel | Improves the operational excellence
OPPORTUNITY | 2 | Competency gap identification | Proper / relevant gap identification by HR with FHs
OPPORTUNITY | 3 | Evaluation of training effectiveness | Training to be ensured for effectiveness

1.5.6. KPIs

KPI | Objective | Formula | UoM
Selection of the potential personnel for the identified job | Ensure the resource is available as per the JD (or close match) requirement | Prior to start of intended work | Always
Identification of gaps vis-a-vis competence required | Ensure the Competency Mapping is carried out and gaps are identified in every dept./project | 100% of the cases | Always
Increase in Competency Levels of Personnel/Process/Function | Pre and Post Training interventions | As defined for the FY in the Objective of HR/Function/Project | % Increase
Training mandays per employee | Conducting minimum no. of mandays of training | Training mandays per employee | Number

IMS MANUAL COMMON PROCESSES

Page 100 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Annexure – B.6 Doc. No.: SISCOL-IMS-MANUAL

 

1.6. Management Review Meeting

1.6.1. Process Flow


 

1.6.2. Process Notes

P1.
1. MRM to be conducted on a yearly basis.
2. Project Review meetings / Departmental review meeting.
3. Quarterly Risk Review Meeting.
4. The MRM committee includes the functional heads of SISCOL; for PRM etc., teams will be constituted by the respective Functional Heads.

P2. Information is to be received at least one week prior to the MRM and should include information related to projects & manufacturing such as status of NCs / Audits, customer feedback, corrective action, internal reviews, ongoing progress etc.

P3.; P4. The agenda should be finalized based on the action points of the last MRM, business requirements and IMS requirements, and shall be circulated to all concerned participants of the MRM committee one week prior to the MRM. The minimum MRM agenda points are listed below.

P5. All the agenda points are to be discussed during the MRM.

P6. Discussion points are to be noted during the MRM, and minutes of the MRM will be prepared and circulated to the MRM committee and relevant interested parties within 2 days of the meet.

P7. The IMS team will prepare an action plan w.r.t. the points / issues discussed during the MRM, in consultation with members of the MRM committee, and circulate it to all stakeholders for implementation.

D1. Completeness of the actions as per the defined time frame.

P8. MRM committee members shall interact with stakeholders / process owners to expedite closure of the action plan.

P9. Recording of actions taken and verification/effectiveness of points from the previous MRM.

Minimum agenda for IMS Management Review Meeting:

● Status of actions from previous management reviews
● Changes in external and internal issues relevant to IMS, including strategic directions
● Review of Context of the Organization
● Review of Needs & expectations of interested parties
● Information on IMS’s performance, including trends and indicators for:
   o Nonconformities and corrective actions
   o Monitoring and measurement results
   o Audit results
   o Customer satisfaction
   o Feedback from relevant interested parties
   o performance of external providers
   o process performance and conformity of products and services
   o the extent to which quality objectives have been met
● Issues concerning external providers and other relevant interested parties
● Adequacy of resources required for maintaining effective QMS
● Process improvement and conformity of products and services
● Effectiveness of actions taken to address risks and opportunities
● New potential opportunities for continual improvement

1.6.3. SIPOC

Trigger – Conduction of Management Review Meeting
Frequency – Once in a year

Supplier | Input | P | Output | Customer
Functional Heads, Process owner | Status of actions from previous management reviews; Changes in external and internal issues relevant to IMS, including strategic direction; Review of Context of the Organization; Review of Needs & expectations of interested parties; Information on IMS’s performance, including trends and indicators for: (Nonconformities and corrective actions; Monitoring and measurement results; Audit results; Customer satisfaction; Feedback from relevant interested parties; performance of external providers; process performance and conformity of products and services; the extent to which quality objectives have been met); Issues concerning external providers and other relevant interested parties; Adequacy of resources required for maintaining effective QMS; Process improvement and conformity of products and services; Effectiveness of actions taken to address risks and opportunities; New potential opportunities for continual improvement | | Agenda for MRM discussion | Stake holders / interested parties
Quality / EHS / IT MRs | Agenda For MRM Discussion | | MOM and Action Plan of MRM | Process Owner, Functional Heads, MRM Participants
Process Owners / MRs (QMS / EHS / ISMS) / functional Heads | MOM and Action Plan of MRM | | Updated MRM Output | Stakeholders

1.6.4. RASCI

Activity | Responsible | Accountable | Support | Consult | Inform
Establish frequency for MRM and constitution of MRM committee | MR / Functional Heads | Top Management | Process owner | - | MRM Committee / Stakeholders
Receipt of information from various projects / functions / manufacturing facilities on Status of NC / audits / customer feedback / Corrective actions / internal reviews / ongoing progress etc. | Process Owners | Functional Heads | Process Owner / IMS Team | HODs | MRM Committee
Preparation Finalization of agenda for MRM | MR | MR | Functional Heads / IMS Team | Top Management | MRM Committee
Circulation of agenda to all the concerned participants (MRM Committee) | MR | MR | IT Team | - | MRM Committee
Conduct of MRM | MR | Top Management | Functional Heads | - | Participants of the meeting
Preparation of minutes of MRM including continual improvement issues, Risk & Opportunities | MR | MR | Top Management / MRM Committee | - | MRM Committee
Circulation of minutes of MRM for implementation to all the members | MR | Top Management | - | Functional Heads | Stakeholder / Interested parties
Review of actions | Top Management | Top Management | Functional Heads / MR | - | MRM Committee / stakeholders
Recording of actions taken and review of effectiveness of MRM | Top Management | Top Management | Functional Heads / MR | - | MRM Committee

1.6.5. ROAM

Probable/ Envisaged | Sl. No. | Description | Possible Mitigation Plan/ Most-likely Benefits
RISK | 1 | Missing of important/critical issues | Agenda to be prepared in advance by considering all the important/critical issues, and an effective review to be done before finalization. Emergency MRM can be organised in case of exigency.
RISK | 2 | Ineffectiveness of MRM | MRM to be attended by all HODs with defined agenda, and all records to be kept for reference and action plans
OPPORTUNITY | 1 | Platform to identify, review and monitor important/critical issues | Helps for smoother execution of IMS and various business processes

1.6.6. KPIs

KPI | Objective | Formula | UoM
MRM | Conduction of MRM to ensure healthiness of QMS/IMS | As defined | Period
MRM | Review of all the agenda points mentioned in MRM agenda | All the agenda points to be reviewed / discussed | %

IMS MANUAL COMMON PROCESSES

Page 105 of 118 Eff.: 6th Feb, 2018

Rev. No.: 00 Annexure – B.7 Doc. No.: SISCOL-IMS-MANUAL

 

1.7. Objective Setting

1.7.1. Process Flow  

 


 

1.7.2. Process Notes

● P1. Thrust areas/Strategy map of SISCOL are identified at the start of FY
● Mission & Vision statement, IMS Policy, context of the organization, market trends, competitor analysis etc. will become the bare minimum input for this workshop.
● P2. All the Thrust areas are communicated to Department Heads within 1 week for identification and finalization of their departmental objectives.
● P3; P4. Identification & Finalization of Departmental objectives and its approval by leadership team shall be completed as per HR timelines.
● P5. P6 Objective of Department once approved by Leadership team shall be shared within the function and based on the objectives setting shall be carried out at sub function levels as per HR timelines.
● D1. Review of the objective setting shall be done by Functional Heads.
● P7. Approval of Objective setting shall be done with identification of training needs.
● D2. Midterm review of objective shall be conducted by Reporting Manager/HODs
● P8. Any changes and action plan shall be communicated and implemented.
● P9. Update actions on regular basis as and when required.
● Adequacy of resources required for maintaining effective IMS

1.7.3. SIPOC

Trigger – Objective setting
Frequency – Yearly

Supplier | Input | P | Output | Customer
Top Management Front End Marketing Corporate Strategy | L&T Power Mission / Vision / Policy / market trends / competitor analysis / Results of KPIs / Context of Organization | | Thrust Area | Business Units & Functional Heads
HR Head Top Management | Thrust area L&T Power Mission / Vision / Policy / market trends / competitor analysis / Results of KPIs | | Departmental Objectives | Functional Team members
Department Head | Approved Departmental objectives | | Functional / Process / individual objectives | Functional Team Members.

1.7.4. RASCI

Activity | Responsible | Accountable | Support | Consult | Inform
Identification of SISCOL’s Thrust Area | Top Management | Top Management | Functional Heads | Business Strategy | Functional Heads
Communication of Thrust Areas to HODs | Head HR | Head HR | IT Department | Business Strategy | Top Management / Functional Heads
Identification and finalisation of Department / Project objectives / KPIs of Functions Level / Process | Department Head | Department Head | Functional Team Members | Head HR | Head HR
Approval of objective by leadership | Top Management | Top Management | HR | HR | HR
Sharing/communication of approved objective within the function | Department Head | Department Head | HR | HR | Functional Team members
Objective setting by Individual | Functional in charge | Department Head | HR | Functional Team Members / Process Owners | HR
Review & Approval of objectives by Department Heads | Department Heads | Department Heads | Functional in charges | - | HR
Midterm review of objectives | Department Heads | Department Heads | Functional Team members | Functional in charges | HR
Updating of actions on regular basis | Department Heads | Department Heads | Functional Team members | Functional in charges | HR / Functional Team Members

1.7.5. ROAM

Columns: Sl. No.; Probable/ Envisaged Description; Possible Mitigation Plan/ Most-likely Benefits

RISK

1. Missing the link of objectives among organization, departments and individuals.
Possible Mitigation Plan – Objectives shall be approved by assigned authorities, and link to be ensured by proper communication

2. Possibility of identifying non-measurable objectives
Possible Mitigation Plan – Care to be taken by ensuring SMART objectives by approving KPI by assigned authorities.

3. Missing or failure of objectives by misdirecting the efforts/work
Possible Mitigation Plan – Regular monitoring to be done by individual and same is ensured through MTR.

OPPORTUNITY

1. Establishing link among the organization, departments and individuals
Most-likely Benefits – Efforts to be directed to achieve objectives

2. Ensuring to take SMART objectives
Most-likely Benefits – Objectives will be effective and beneficial.

3. Clear Guidelines / work instructions in form of objective
Most-likely Benefits – Better Employee Engagement

1.7.6. KPIs

Columns: KPI; Objective; Formula; UoM

KPI – Objective Setting
Objective – To set measurable objectives for SISCOL at start of FY; Formula – Numbers; UoM – days

KPI – Objective Setting
Objective – To set measurable objectives for Departments; Formula – 7 days from the formation of SISCOL’s objectives; UoM – days

KPI – Objective Setting
Objective – To set measurable objectives for function/level/employees; Formula – 14 days from the formation of SISCOL’s objectives; UoM – days

KPI – Mid-Year Review
Objective – Mid-year review of performance objectives for organization/department/ function/level/employees; Formula – October; UoM – days

KPI – Final Year Review
Objective – Final year review of performance objectives for organization/department/ function/level/employees; Formula – March; UoM – days

IMS MANUAL Doc. No.: SISCOL-IMS-MANUAL

ANNEXURE - C

TERMS & DEFINITIONS


Acceptable Risk – Risk that has been reduced to a level that can be tolerated by the organization having regard to its objectively to determine the extent to which “audit criteria” are fulfilled

Access Control – Means to ensure that access to assets is authorized and restricted based on business and security requirements.

Analytical Model – Algorithm or calculation combining one or more base measures and/or derived measures with associated decision criteria.

Asset – Any tangible or intangible thing or characteristic that has value to an organization

Audit – Systematic, independent and documented process for obtaining audit objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled

Audit Criteria – Set of policies, procedures or requirements used as a reference against which objective evidence is compared

Audit Evidence – Records, statements of fact or other information which are relevant to the audit criteria and verifiable

Audit Findings – Results of the evaluation of the collected audit evidence against audit criteria

Audit Scope – Extent and boundaries of an audit

Availability – Something is available if it is accessible and usable when an authorized entity demands access

Availability – Property of being accessible and usable upon demand by an authorized entity (ISO 27000)

Audit Programme – Set of one or more audits planned for a specific time frame and directed towards a specific purpose

Audit Plan – Description of the activities and arrangements for an audit

Audit Conclusion – Outcome of an audit, after consideration of the audit objectives and all audit findings

Audit Client – Organization or person requesting an audit

Auditee – Organization being audited

Audit Team – One or more persons conducting an audit, supported if needed by technical experts

Auditor – Person who conducts an audit

Authentication – Provision of assurance that a claimed characteristic of an entity is correct

Authenticity – Property that an entity is what it claims to be

Attack – Any unauthorized attempt to access, use, alter, expose, steal, disable, or destroy an asset or information

Attack – Attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset

Business Continuity – It is a capability of an organization to continue its business of delivering its products and services at acceptable predefined levels after disruptive incidents occur. Organizations use business continuity procedures and processes to help ensure that operations continue after disruptive incidents occur

Base Measure – Measure (2.47) defined in terms of an attribute (2.4) and the method for quantifying it

Capability – Ability of an object to realize an output that will fulfill the requirements for that output

Competence – Ability to apply knowledge and skills to achieve intended results

Continual Improvement – Recurring activity to enhance performance

Confidentiality – The property that information is not made available or disclosed to unauthorized individuals, entities or processes

Correction – Action to eliminate a detected nonconformity

Corrective Action – Action to eliminate the cause of a nonconformity and to prevent recurrence

Customer Satisfaction – Customer’s perception of the degree to which the customer’s expectations have been fulfilled

Customer Satisfaction code of conduct – Promises, made to customer by an organization concerning its behavior, that are aimed at enhanced customer satisfaction and related provisions.

Context of the Organization – Combination of internal and external issues that can have an effect on an organization’s approach to developing and achieving its objectives

Control – Any administrative, managerial, technical, or legal method that is used to modify or manage information security risk

Control – Measure that is modifying risk (ISO 27000)

Consequence – Outcome of an event affecting objectives

Customer – Person or organization that could or does receive a product or a service that is intended for or required by this person or organization

Change Control – Activities for control of the output after formal approval of its product configuration information. Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled

Control Objectives – An information security control objective is a statement that describes what an organization’s information security controls are expected to achieve.

Control Objective – Statement describing what is to be achieved as a result of implementing controls (ISO 27000)

Continual Improvement – A set of recurring activities that are carried out in order to enhance the performance of processes, products, services, systems, and organizations.

Contract – Binding agreement

Conformity – Fulfilment of a requirement

Configuration – Interrelated functional and physical characteristics of a product or service defined in product configuration information


Configuration base line – Approved product configuration information that establishes the characteristics of a product or service at a point in time that serves as reference for activities throughout the life cycle of the product or service

Configuration status accounting – Formalized recording and reporting of product configuration information, the status of proposed changes and the status of the implementation of approved changes

Competence – Ability to apply knowledge and skills to achieve intended results

Complaint – Expression of dissatisfaction made to an organization, related to its product or service, or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected

Customer Service – Interaction of the organization with the customer throughout the life cycle of a product or a service

Concession – Permission to use or release a product or service that does not conform to specified requirements

Combined Audit – Audit carried out together at a single auditee on two or more management systems

Data – Collection of values assigned to base measures, derived measures and/or indicators

Defect – Nonconformity related to an intended or specified use

Design and Development – Set of processes that transform requirements for an object into more detailed requirements for that object

Document – Information and the medium on which it is contained

Documented Information – Information required to be controlled and maintained by an organization and the medium on which it is contained

Determination – Activity to find out one or more characteristics and their characteristic values

Effectiveness – Extent to which planned activities are realized and planned results achieved

Event – Occurrence or change of a particular set of circumstances

Environment – Surroundings in which an organization operates, including air, water, land, natural resources, flora, fauna, humans, and their interrelation

Environment Aspect – Element of an organization’s activities, products or services that can interact with the environment

Environment Impact – Any change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization’s activities, products or services

Environmental Management System (EMS) – Part of an organization's management system used to develop and implement its environmental policy and manage its environmental aspects

Environment Objective – Overall environmental goal, arising from the environmental policy, that an organization sets itself to achieve, and which is quantified where practicable

Environmental Performance – Measurable results of the environmental management system, related to an organization’s control of its environmental aspects, based on its environmental policy, objectives and targets

Environmental Policy – Overall intentions and direction of an organization related to its environmental performance as formally expressed by top management

Environment Target – Detailed performance requirement, quantified where practicable, applicable to the organization or parts thereof, that arises from the environmental objectives and that needs to be set and met in order to achieve those objectives

External Context – External environment in which the organization seeks to achieve its objectives

External Supplier – Supplier that is not part of the organization for providing a product or a service

Feedback – Opinions, comments and expressions of interest in a product, a service or a complaints-handling process

Governance of Information Security – System by which an organization’s information security activities are directed and controlled

Grade – Category or rank given to different requirements for an object having the same functional use

Guide – Person appointed by the auditee to assist the audit team

Guidelines – The steps that are taken to achieve objectives and implement policies. Guidelines clarify what should be done and how

Hazard – Source, situation, or act with a potential for harm in terms of human injury or ill health, or a combination of these

Hazard Identification – Process of recognizing that a hazard exists and defining its characteristics

Human Factor – Characteristic of a person having an impact on an object under consideration

Ill Health – Identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work-related situation

Incident – Work-related events in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred

Infrastructure – System of facilities, equipment & services needed for the operation of an organization

Information Need – Insight necessary to manage objectives, goals, risks and problems

Information Processing Facilities – Any information processing system, service or infrastructure, or the physical location housing it

Information System – Applications, services, information technology assets, or other information handling components

Information Security – Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

Information Security Continuity – Processes and procedures for ensuring continued information security operations

Information Security Event – Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant

Information Security Incident – A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

Information Security Incident Management – Processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents

Information Security Management System (ISMS) – That part of the overall management system, based on a business risk approach, to establish, implement, maintain, operate, monitor, review, and improve information security

Inspection – Determination of conformity to specified requirements

Interested Party – Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity (ISO 9001)

Interested Party – Person or group concerned with or affected by the environmental performance of an organization (ISO 14001)

Interested Party – Person or group, inside or outside the work place, concerned with or affected by the OH&S performance of an organization (OHSAS 18001)

Interested Party – Person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a decision or activity (ISO 27000)

Internal Context – Internal environment in which the organization seeks to achieve its objectives

Internal Audit – Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the environmental management system audit criteria set by the organization are fulfilled

Integrity – The property of safeguarding the accuracy and completeness of assets (Property of accuracy and completeness)

Improvement – Activity to enhance performance

Joint Audit – Audit carried out at a single auditee by two or more auditing organizations.

Level of Risk – Magnitude of a risk expressed in terms of the combination of consequences and their likelihood

Likelihood – Chance of something happening

Management – Coordinated activities to direct & control an organization

Measuring Equipment – Measuring instrument, software, measurement standard, reference material or auxiliary apparatus or combination thereof necessary to realize a measurement process

Management System – Set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives

Metrological Confirmation – Set of operations required to ensure that measuring equipment conforms to the requirements for its intended use

Measure – Variable to which a value is assigned as the result of measurement


Measurement Management System – Set of interrelated or interacting elements necessary to achieve metrological confirmation and control of measurement processes

Measurement – A process that is used to determine a value. In the context of information security management, measurement is a process that is used to obtain information about the effectiveness of an Information Security Management System (ISMS) and the controls that it uses

Measurement Function – Algorithm or calculation performed to combine two or more base measures

Measurement Method – Logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale

Measurement Results – One or more indicators and their associated interpretations that address an information need

Mission – Organization’s purpose for existence as expressed by top management

Monitoring – Determining the status of a system, a process, a product, a service, or an activity

Monitoring – Determining the status of a system, a process or an activity (ISO 27000)

Measurement Process – Set of operations to determine the value of a quantity

Nonconformity – Non-fulfillment of a requirement or a failure to meet a requirement

Non-Repudiation – Ability to prove the occurrence of a claimed event or action and its originating entities

Observer – Person who accompanies the audit team but does not act as an auditor

Organization – Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

Outsource – Make an arrangement where an external organization performs part of an organization’s function or process

Object – Item characterized through the measurement of its attributes

Objective – Result to be achieved

Output – Result of a process

Objective Evidence – Data supporting the existence or verity of something

Occupational Health and Safety (OH&S) – Conditions and factors that affect, or could affect the health and safety of employees or other workers (including temporary workers and contractor’s personnel), visitors or any other person in the workplace

OH&S Management System – Part of an organization’s management system used to develop and implement its OH&S policy and manage its OH&S

OH&S Objective – OH&S goal, in terms of OH&S performance, that an organization sets itself to achieve

OH&S Performance – Measurable results of an organization’s management of its OH&S risks

OH&S Policy – Overall intentions and direction of an organization related to its OH&S performance as formally expressed by top management

Organization – Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

Outsource – Make an arrangement where an external organization performs part of an organization’s function or process

Preventive action – Action to eliminate the cause of a potential nonconformity or other potential undesirable situation

Prevention of Pollution – Use of processes, practices, materials, or products that avoid, reduce or control pollution, which may include recycling, treatment, process changes, control mechanisms, efficient use of resources and material substitution

Procedure – Specified way to carry out an activity or a process

Product – Output of an organization that can be procured without any transaction taking place between the organization and the customer

Product Configuration Information – Requirement or other information for product design, realization, verification, operation and support

Process – Set of interrelated or interacting activities that use resources to transform inputs into outputs. (Inputs to deliver an intended result)

Process – Set of interrelated or interacting activities which transforms inputs into outputs (ISO 27000)

Project – Unique process consisting of a set of coordinated & controlled activities with start & finish dates, undertaken to achieve an objective conforming to specific requirements including the constraints of time, cost & resources

Policy – Intentions and direction of an organization as formally expressed by its top management

Performance – Measurable result

Quality – Degree to which a set of inherent characteristics of an object fulfils requirements

Quality Assurance – Part of quality management focused on providing confidence that quality requirements will be fulfilled

Quality Control – Part of quality management focused on fulfilling quality requirements

Quality Policy – Policy related to quality

Quality Management – Management with regard to quality

Quality Manual – Specification for the quality management system of an organization

Quality Plan – Specification for the quality management system of an organization

Quality Planning – Part of quality management focused on setting quality objectives and specifying necessary operational processes, and related resources to achieve the quality objectives

Quality Improvement – Part of quality management focused on increasing the ability to fulfil quality requirements

Quality Management System – Part of a management system with regard to quality

Quality Management System Realization – Process of establishing, documenting, implementing, maintaining and continually improving a quality management system

Quality Requirement – Requirement related to quality

Quality Objective – Objective related to quality

Record – Document stating results achieved or providing evidence of activities performed

Residual Risk – The risk remaining after risk treatment

Reliability – Property of consistent intended behavior and results

Review – Determination of the suitability, adequacy or effectiveness of the subject matter to achieve established objectives

Review Object – Specific item being reviewed

Review Objective – Statement describing what is to be achieved as a result of a review

Rework – Action on a nonconforming product to make it conform to the requirements

Requirement – Need or expectation that is stated, generally implied or obligatory, by an organization, its customers, or other interested parties

Regulatory Requirement – Obligatory requirement specified by an authority mandated by a legislative body

Repair – Action on a nonconforming product or service to make it acceptable for the intended use

Risk – Effect of uncertainty on objectives

Risk – Combination of the likelihood of the occurrence of a hazardous event or exposure(s) and the severity of the injury or ill health that can be caused by the event or exposure(s) (OHSAS 18001)

Risk Acceptance – Decision to accept a risk

Risk Acceptance – Informed decision to take a particular risk (ISO 27000)

Risk Criteria – Risk criteria are terms of reference and are used to evaluate the significance or importance of an organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable

Risk Criteria – Terms of reference against which the significance of risk is evaluated (ISO 27000)

Risk Assessment – Overall process of risk identification, risk analysis and risk evaluation

Risk Identification – Process of finding, recognizing and describing risks

Risk Analysis – Process to comprehend the nature of risk and to determine the level of risk

Risk Communication and Consultation – Continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk

Risk Evaluation – Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable


Risk Management – Co-ordinated activities to direct and control an organization with regard to risk

Risk Management Process – Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk

Risk Owner – A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so

Risk Treatment – Process of selection and implementation of measures/controls to modify risk (Process to modify risk)

Security Implementation Standard – Document specifying authorized ways for realizing security

Stakeholder – Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity

Statement of Applicability – Documented statement describing the control objectives and controls that are relevant and applicable to the organization’s Information Security Management System (ISMS). It also gives justification for inclusion or exclusion of controls

System – Set of interrelated or interacting elements

Supplier – Organization that provides a product or a service

Strategy – Plan to achieve a long-term or overall objective

Statutory Requirement – Obligatory requirement specified by a legislative body

Success – Achievement of an objective

Sustained Success – Success over a period of time

Service – Output of an organization with at least one activity necessarily performed between the organization and the customer

Test – Determination according to requirements for a specific intended use or application

Traceability – Ability to trace the history, application or location of an object

Threat – Potential cause of an unwanted incident, which may result in harm to a system or organization (ISO 27000)

Top Management – Person or group of people who directs and controls an organization at the highest level

Technical Expert – Person who provides specific knowledge or expertise to the audit team

Trusted Information Communication Entity – Autonomous organization supporting information exchange within an information sharing community

Unit of Measurement – Particular quantity, defined and adopted by convention, with which other quantities of the same kind are compared in order to express their magnitude relative to that quantity

Validation – Confirmation, through the provision of objective evidence, that the requirements for a specific intended use or approach have been fulfilled

Verification – Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

Vulnerability – Weakness of an asset or control that can be exploited by one or more threats

Vision – Aspiration of what an organization would like to become as expressed by top management

Work Environment – Set of conditions under which work is performed