Msis 37 PDF
Msis 37 PDF
Msis 37 PDF
Date:16.08.10
(covering ISM Code, ISPS Code, ISO 9001 and ISO 14001)
CHAPTER 0
TABLE OF CONTENTS
PAGE REV.
CHAPTER 0 TABLE OF CONTENTS 2 0810
CHAPTER 1 PURPOSE 4 0810
1.1 Legal Basis and Authority for the Audit Programmes 4
1.2 International Safety Management (ISM) Code 4
1.3 International Ship and Port facility Security (ISPS) Code 5
1.4 External ISO 9001:2008 5
1.5 External ISO 14001:2004 5
CHAPTER 2 TYPES OF AUDIT AND FREQUENCY 7 0810
2.1 International Safety Management (ISM) Code 7
Table 1 ISM Code Audits 7
2.2 International Ship and Port Facility Security (ISPS) 8
Code
Table 2 ISPS Code Verifications (Audits) 8
2.3 External ISO 9001:2008 9
Table 3 External ISO 9001:2008 Audits 9
2.4 External ISO 14001:2004 10
ps
hi
PURPOSE
Key Changes
This is a new document (therefore has no highlighting of new text) that contains
instructions to surveyors on the ‘Audit Process’ which has been made common.
It complements the existing technical instructions to surveyors which will have
any sections on the audit process deleted.
1.0.1. These instructions set out the process to be followed when carrying out
audits in MCA. The technical requirements and guidance for different audit types
is covered in separate instructions (see Chapter 6).
1.2.1. ISM Code audits are carried out under the authority (sections 13-15 of
the ISM Code) given in Regulation 336/2006/EC which transposes the
International Convention for Safety of Life at Sea 1974, as amended (SOLAS)
Chapter IX and the ISM Code into UK law.
1
ISO 19011:2002
1.3.1. ISPS Code verifications are carried out under the authority (section
A/19 of the ISPS Code) given in Regulation 725/2004/EC which transposes
SOLAS Chapter XI-2 and the ISPS Code into UK law.
1.3.3. The timing of the audits is usually at the client’s request for the issue or
endorsement of statutory certification. MCA can also request an audit should
sufficient grounds exist.
1.4.3. The Quality Manager approves an audit schedule that has been
compiled in accordance with MCA QA8: Procedure for Assessing Audit Duration
and Frequency. It may be necessary to conduct short-notice audits as outlined in
MCA QA5: Procedure for Certification Assessments to ISO 9001:2008 and
ISO 14001:2004 Standards.
1.5.3. The Quality Manager approves an audit schedule that has been
compiled in accordance with MCA QA8: Procedure for Assessing Audit Duration
and Frequency. It may be necessary to conduct short-notice audits as outlined in
MCA QA5: Procedure for Certification Assessments to ISO 9001:2008 and ISO
14001:2004 Standards.
Key Changes
2.1.1. The ISM Code requires that separate audits are undertaken of the
Company (resulting in the issue or endorsement of a Document of Compliance
(DOC)), and ships (resulting in the issue or endorsement of a Safety
Management Certificate (SMC)) to verify the implementation of their Safety
Management System (SMS).
2.1.2. The competence requirements for ISM auditors is defined in the annex
to the Revised Guidelines on the Implementation of the International Safety
Management (ISM) Code by Administrations (Resolution A.913(22)) and
interpreted by MCA in Surveyor Customised Award 2 unit 4, OAN 412 and
OAN 557.
ps
shi
s4
eg
2.2.1. The ISPS Code requires that the implementation of the Ship Security
Plan (SSP) is verified (audited).
RESPONSIBILITIES
Key Changes
3.2 For ISM Code and ISPS Code audits the responsibility for supervising the
audit team and verifying the consistency of the work lies with the Lead Auditor’s
Line Manager.
ACTIONS
Key Changes
4.1 Audits
Definition
4.2 The ISPS Code uses the term verification for the Administration ensuring
the security system meets the requirements and is considered an audit for these
instructions.
ps
shi
s4
eg
Process Maps
R
by
d
ce
du
ro
ep
R
4.3 The required actions are described on the following process maps, which
have been split into three sub processes, and amplified in later paragraphs.
2
Adopted from ISO 9000:2005 paragraph 3.9.1
Review for
Audit Programme Audit Preparation Monitor and
continual
Defined Activities Measure Process
Improvement
(See 4.2) (See Flowchart 2) (See 4.13)
(See 4.14)
On-Site Audit
Activities
(See Flowchart 3)
Post Audit
Activities
(See Flowchart 4)
ps
hi
s
s4
eg
R
by
d
ce
du
ro
ep
R
Participates in
Identifies requirement Completes MSF
application/
and applies for audit 5100
transfer review
Administrator
s
ip
sh
s4
Manager
Defines resource
eg
Approves overseas
R
by
requirements,
d
Provides advice travel
ce
du
appoints Lead
ro
as needed arrangements
ep
Auditor, delegates
R
tasks (see 4.3.2-4)
Lead Auditor
Undertakes audit
For ISO audits preparation: Ensure team have
Informs client of Briefs audit team,
undertakes Fee estimate file and document required PPE and If overseas,
agreed assigns work to
application or to client review, audit that initial H&S Risk completes MSF
arrangements auditors
transfer review (see 4.4) team, audit plan, assessment is 5215 (See 4.10)
(see 4.8) (see 4.9)
(see 4.3.5-7) time and location completed
(see 4.5-7)
Audit Team
Familiarise self
To On-Site Audit
with MCA
Activities flowchart
documentation
Attend
Client
s
Manager
ip
sh
s4
Provides Provides Provides
eg
R
by
advice as advice as advice as
d
ce
du
needed needed needed
ro
ep
R
Lead Auditor
Collects and
Attends Contributes Contributes to Attends
verifies audit To Post Audit
opening to audit audit closing
information Activities flowchart
meeting findings conclusions meeting
(see 4.11.5)
Receives audit
Closes out follow
report and
up actions
certificate
s
ip
certificate report and
sh
(see 4.12.6.1) file to HQ for
s4
eg
(see 4.12.2) certificate
R
review
by
d
ce
du
ro
ep
R
Conducts
Signs certificate Technical Review
(see 4.12.6.2)
Handles Certificate
Approves audit Conducts audit withdrawal or
Prepares audit
report; signs follow up appeals and
report (see 4.12.1)
declaration (see 4.12.3) disputes (See
4.12.4-5)
4.2.1 The extent of the audit programmes covered by this process have been
summarised in Chapter 2. The overall objectives of the audit programmes are to:
Initial inquiries
4.3.1 Potential clients may be provided with information concerning the audit
requirement on request by the Administrator. Clients should be invited to
complete the application form, and for ISO auditing the questionnaires, if
applicable. For ISO the Administrator should follow up enquiries if the potential
client does not make contact within one month of the initial inquiry being
received.
4.3.2 Upon receipt of a completed application the Line Manager (or someone
with delegated authority) quantifies the requirements for the audit. There are
usually two aspects to this quantification: calculating the number of audits
required; and calculating the audit duration. Any deviation from the technical
guidance provided is to be justified.
4.3.4 The Line Manager (or someone with delegated authority) appoints a
Lead Auditor for the assessment who is responsible for ensuring the audit is
conducted in accordance with the requirements. The selection is based upon the
information gathered regarding to the requirements of the client and the
competence, training, qualifications and experiences of the available Lead
Auditors. Consideration is also given to the previous contact the Lead Auditor
may have had with the client, e.g. other audits. The following are to be taken into
consideration when selecting the Lead Auditor:
associated documents;
d
ce
du
ro
4.3.6 Any request regarding the ISM Code for recognition of foreign DOCs for
use on UK ships is to be referred to ISM/ISO Policy Branch who will conduct the
assessment and issue documentation.
4.3.7 Any request regarding the ISPS Code for initial approval of Ship
Security Plan at the flag-in stage is to be referred to the Security Liaison Officer.
4.4.1 The lead Auditor is responsible for calculating the fees and informing
the client of the estimate. For chargeable work the Lead Auditor must ensure
ISM Audits
4.4.2 ISM Audits are charged at the standard hourly fee rate. VAT is not
charged on the fee as statutory audits are exempt form VAT.
4.4.3 Guidance on the duration of ISM audits can be found on the Survey
Operations microsite.
ISPS Audits
4.4.6 ISO audits are charged at the standard hourly fee rate plus VAT (these
audits are not exempted from VAT).
4.6.1 If the circumstances of the audit warrant the Lead Auditor is responsible
for selecting, leading and managing the audit team, taking account of the
selection criteria in paragraph 4.3.2. The number of auditors required will
depend upon the size and nature of the client and the scope to be covered by the
4.7.1 The document review is the first stage in the assessment process and
must be undertaken prior to the Initial Assessment. If applicable work on a
document review should not be undertaken until receipt of fees has been
confirmed.
4.7.2 The Lead Auditor should make contact with the client in order to make
introductions and to arrange for appropriate documentation to be forwarded so a
document review can be undertaken. If the client is not yet ready to undertake
the document review the Lead Auditor should discuss time scales for when the
client is likely to be ready. The Lead Auditor should keep in regular contact with
the client.
4.7.3 The ISM Code’s SMS, ISO 9001:2008 and ISO 14001:2004 document
reviews are undertaken by the Lead Auditor (or delegated to an appropriate
person) and consists of an examination of the client’s policy documents,
ps
shi
s4
eg
manuals, key procedures and any other necessary documents to ensure that
R
by
d
ce
du
these meet the requirements. Document Review aide memoires are available.
ro
ep
R
4.7.5 Following the document review a report should be written to the client
outlining areas that do not meet the requirements of the standard, instances of
good practice should also be included in the report. Non-conformances are not
raised during this section of the certification process.
4.7.6 When satisfied that the documentation is adequate the Lead Auditor
must then make arrangements for the Initial Assessment. The information
gathered so far in the assessment process may be used in a confidential manner
to prepare for the on-site visit.
4.8.1 The Lead Auditor is responsible for establishing contact with the client
to:
4.9.1 Where appropriate, prior to the audit taking place a meeting between
the Lead Auditor and members of the audit team must be held. All audit team
members must be provided with the appropriate documentation and background
information to be able to successfully complete the audit.
4.10.1 The Lead Auditor is responsible for ensuring travel arrangements are
made for the audit team, and where international travel is involved, that form
MSF 5215 is completed and authorised.
ps
shi
s4
eg
R
by
4.11.1.1 An opening meeting must be held at the start of the first day of the
audit, it is left to the discretion of the Lead Auditor as to whether an opening
meeting is required at the start of each day or other. The Lead Auditor should
chair the meeting and note those attending the meeting. The meeting should
include suitable representatives of the client. During the opening meeting the
following should be discussed:
• Scope of Audit;
• Audit methodologies;
• Explanation of non-conformance process;
• Introduction of audit team;
• Confirmation of audit plan and any changes;
• Limitations of auditing process; and
• Confidentiality and the Freedom of Information Act.
4.11.2.1 The Lead Auditor is responsible for carrying out audits and should be
available to the audit team should queries arise. The purpose of the audit is to
4.11.2.2 The Lead Auditor must ensure that tasks are appropriately assigned to
suitably qualified and competent team members, i.e. where an activity requires a
particular specific competence, the auditor with that competency must be
assigned to complete that part of the assessment.
4.11.2.3 Audits are a two way process and their success depends on obtaining
the full facts. They are confidential between MCA and the client within the
precepts of the Freedom of Information Act 2000 and Environmental Impact
Regulations 2004. For assessment purposes different audit areas are followed
for each audit programme and are detailed in the technical guidance.
progress of the audit and any concerns to the client. Evidence collected during
ro
ep
R
the audit that suggests an immediate and significant risk should be reported
without delay to the client. Any concern about an issue outside of the audit
scope should be noted and reported to the Lead Auditor, for possible
communication to the client.
4.11.3.4 If the available evidence indicates that the audit objectives are
unattainable, the Lead Auditor should report the reasons to the client, and, if
practicable, to the Line Manager to determine what action is appropriate. Such
action may include reconfirmation or modification of the audit plan, changes to
audit objectives or audit scope or termination of the audit.
4.11.4.1 Guides and observers may accompany the audit team, but are not part
of the team. They are not to influence or interfere with the conduct of the audit.
In cases of inappropriate intervention by guides when an informal request has
not achieved resolution the matter should be referred to the client’s senior on-site
representative.
4.11.4.2 When guides are appointed by the client they should assist the team
and act on the request of the Lead Auditor. Their responsibilities are:
4.11.5.1 During the audit, information relevant to the audit objectives, scope and
criteria, including information relating to interfaces between functions, activities
and processes, is to be collected by appropriate sampling and should be verified.
Only information that is verifiable may be used as audit evidence. Audit evidence
ps
hi
is to be recorded by each auditor recording the details of the personnel who were
s
s4
eg
R
by
the focus of each activity/process assessed and the specific details relating of the
d
ce
du
ro
ep
4.11.6.2 The audit team should meet as needed to review the audit findings at
appropriate stages during the audit.
NCN Number
4.11.7.2 All NCN’s are allocated a unique number. The unique number should
follow the form:
This number combined with the ship or company name provides the unique
ps
shi
s4
eg
reference.
R
by
d
ce
du
ro
ep
R
Description of deficiency
4.11.7.3 The description of the deficiency on the NCN form should include:
4.11.7.4 In this example the root cause of the deficiency has been identified
rather than the shallower “control of records” (ISO 9001:2008, clause 4.2.4).
Classification of non-conformities
• The extent of conformity of the system under audit with the audit criteria;
• The effective implementation, maintenance and improvement of the
system under audit;
• The capability of the management review process to ensure the
continuing suitability, adequacy, effectiveness and improvement of the
system under audit; and
• If specified in the audit objectives, the future of certification.
4.11.8.2 The audit team are to confer prior to the closing meeting to:
4.11.9.3 The Lead Auditor must provide the client with an indication of the
conformity of the organisation’s system with the audit criteria.
4.11.10.2 Similarly, if an ISM Code or ISPS Code additional audit has been
ro
ep
R
4.12.1.1 Following the assessment the Lead Auditor is responsible for writing a
report on the findings of the audit team (see section 5 for audit report formats).
4.12.1.2 The Lead Auditor must endeavour to forward the report to the client
within two weeks of the completion of the audit. The Lead Auditor will need to
liaise with team members and to ensure receipt of draft reports relating to
activities and processes assessed. It is left to the Lead Auditor’s discretion as to
whether individual auditors should produce reports, which are then collated, or
whether one report is produced by a combined effort of the audit team.
4.12.1.5 Before the report is released it should be reviewed by the Line Manager
ps
shi
s4
eg
(or someone given authority). The original signed and for ISM, ISPS, and
R
by
d
ce
MCAQA audits, stamped, audit report is then sent to the client, and a photocopy
du
ro
ep
R
kept on the appropriate client file. The client’s local management are invited to
respond to this report highlighting any areas of ambiguity.
4.12.1.6 For MCAQA ownership of the audit report remains with MCAQA.
4.12.2.1 For ISM, ISPS and MCAQA interim, initial and renewal audits the Lead
Auditor is responsible for the preparation of the declaration and the certificate.
The Lead Auditor is to sign the declaration that the audit has been completed
and that all factors were covered. The Line Manager (or someone given
authority) who is independent of the audit process and the client (worked for,
close family member working for, or share holder of client) will take the
declaration and audit report and review the circumstances and if satisfied sign off
the certificate. The Administrator will distribute the certificate and file audit
documentation in the appropriate file.
4.12.3.4 If the auditor is satisfied with the documentary evidence supplied the
non-conformity may be closed out. If the auditor is not satisfied the client must
be informed with an explanation of the requirements.
effectiveness of the corrective action, the auditor may request that an additional
shi
s4
eg
R
visit to the client be made. This may take place immediately or after an arranged
by
d
ce
du
ro
time period to allow any new practices to be put in place. Such audits will be
ep
R
4.12.3.6 If it becomes clear, that close-out action cannot be completed within the
timescale, the client should contact the lead auditor explaining the situation. If
appropriate the Lead Auditor may then either:
4.12.3.7 If the Lead Auditor regards the client to be lacking in commitment when
undertaking any follow up action the Line Manager must be informed so a
decision on what action is required can be taken.
4.12.4.2 In cases were Lead Auditors consider that the correct course of action
is to discontinue certification they are to seek the endorsement of this conclusion
by their Line Manager. A report together with full supporting documentation is to
be forwarded to the Audit Policy Manager for review. The Audit Policy Manager
will review the case and made a recommendation to the final decision maker as
to whether the certificate is to be withdrawn or made invalid. The final decision
makers are identified in the following table:
accepted by the client, reasons for rejection must be provided and the
non-conformance note returned to the Lead Auditor. If satisfied by the evidence
offered, the Lead Auditor will close out the non-conformance note and sign
accordingly. However, where the Lead Auditor is not satisfied with the response,
the Line Manager is to be informed and liaison with a view to resolving
outstanding issues will continue. In cases where agreement cannot be reached,
the Lead Auditor will advise the client to initiate the appeals or disputes
procedure.
4.12.5.2 In cases where a complaint is made about the conduct of an ISM Code
or ISPS Code audit MCA’s complaints procedure which can be found in
CORP 43, Annex A will be followed.
4.12.5.3 In cases where a complaint is made about the conduct of an ISO 9001
or ISO 14001 audit MCAQA’s complaints procedure which can be found in
MCAQA 1 will be followed.
4
ro
ep
4.13.1 The Audit Policy Manager is responsible for conducting monitoring and
measuring of each process. The specific requirements for this monitoring and
management review vary with audit programmes and should be specified in
technical requirements identified in Chapter 3.
Key Changes
Form
Form Title Availability
Number
ISM Code
MSIS 2 Instructions to Surveyors MLD
MSF 1900 Document of Compliance E-forms
MSF 1901 Safety Management Certificate E-forms
MSF 1902 Non-Conformity Note Printed Pad
MSF 1904 Interim Document of Compliance E-forms
MSF 1905 Interim Safety Management Certificate E-forms
ps
shi
s4
eg
m3net.mcga.gov.uk/c4mca/qaf_list_rev_4.pdf
QAF 3 Declaration of Confidentiality
QAF 4 Internal Audit Schedule Proforma
Internal (ISO 17021) Audit Report
QAF 5
template
QAF 6 Internal Audit corrective action
QAF 7 Application Review Report template
QAF 9 Opening/Closing meeting log
QAF 10 Audit report template
QAF 12 9001:2008 declaration
QAF 13 Certificate of compliance
QAF 14 ISO 14001 ship questionnaire
QAF 15 ISO 14001 shore questionnaire
ps
hi
Certification Mark
_rev_4.pdf
5.2.1 The current Instructions to Surveyors covering the ISM Code and the
ISPS Code contain a mixture of process and technical information. All process
information will be removed from the documents and any reference in the current
documents to process is to be considered obsolete and replaced by that in this
document.
ps
shi
s4
eg
R
by
d
ce
du
ro
ep
R
Key Changes
6.1.1 The technical requirements for all Marine Office audits can be found on
the SCMS. Technical guidelines are not included in this document, they can be
found in the documents detailed in the table below:
Technical Guidance
Audit Programme
Ref No Title
International Safety Instructions to
1 MSIS 2
Management (ISM) Code Surveyors ISM Code
International Ship and Port Instructions to
2 MSIS 25
facility Security (ISPS) Code Surveyors ISPS Code
ps
shi
s4
eg
R
Certification
by
References
Audit Programme
Ref No Title
Regulation of the
European Parliament
and of the Council of
15 February 2006 on
the implementation
International Safety of the International
1 336/2006/EC
Management (ISM) Code Safety Management
Code within the
Community and
repealing Council
Regulation No
3051/95
ps
shi
s4
eg
R
by
d
ce
du
ro
ep
R
NON-CONFORMITY NOTE
Review of the Ship Security Alert System testing records shows that no test has been
du
ro
ep
R