IMS-03 IMS Control Procedures
POWER SYSTEM OPERATION CORPORATION LTD.
Last Updated On: December 31, 2018
Table of Contents
CHAPTER-1: CONTROL OF DOCUMENTED INFORMATION
CHAPTER-2: INTERNAL AUDITING
CHAPTER-3: CORRECTION AND CORRECTIVE ACTION
CHAPTER-4: MANAGEMENT REVIEW OF IMS
CHAPTER-5: CONTROL OF NON-CONFORMING ACTIVITY / SERVICE
CHAPTER-6: TRAINING PROCEDURE FOR AWARENESS AND COMPETENCY BUILDING
SCOPE: All documents and records used for QMS, EMS, OH&SMS and ISMS are listed in the Master List of
documents and records in the Asset register of each department.
DEFINITIONS/ABBREVIATIONS:
Controlled document: Document that is subjected to control as per procedure for control of documents.
Uncontrolled document: Document that is not subjected to control as per procedure.
Master Copy: The Master copy is also available in the hard disk of PC.
Reference Copy: The copy of the document that is kept for reference for outside agencies or for anyone
in the organization who is not a holder of the document.
Holder’s Copy: The copy that is allotted to a specific person (holder).
Format: The approved format for entering data. Format is a document.
Record: The filled format is referred to as a record.
Quality Data: Classified documented information (quality system related) that the operating personnel
refer to in the performance of their duties. e.g. list of approved suppliers, quality documents, machinery,
etc.
D&D: Document and Data
PROCEDURE:
Documents are formats, departmental procedures, flowcharts and procedures required by QMS, EMS,
OH&SMS and ISMS.
The designated person for the activity writes the procedure and makes a final draft in word format. The final
draft is sent to the respective HODs for review of the adequacy and accuracy of the information in the document;
corrections/amendments are done if required.
Policy documents: Authorised by CMD and issued by Corporate MR and further distributed by unit MRs
to employees and interested parties. It is a controlled soft copy document; hard copies are taken for use
whenever required.
Apex Manual: The Apex manual is the top-level document. It is prepared by the unit MR, reviewed by
Corporate MR for adequacy and correctness and approved by CMD of POSOCO. Corporate MR makes it
available on intranet in PDF format.
Procedure Manual (SOP/OCP): The management system procedures are written by unit MR, reviewed
by Corporate MR and approved by CMD of POSOCO. Corporate MR makes it available on intranet in PDF
format. This also gives the reference to specific procedures as per the requirements of the IMS standards
(QMS, EMS, OH&SMS and ISMS)
Departmental Procedure and Formats: These are actual working documents prepared by the activity
owner and approved by respective HOD. The final copies are approved by unit heads and PDF versions
are handed over to MR in softcopies. MR makes it available on intranet.
Documents of External Origin: The documents not generated by POSOCO but are necessary for service
operations - QMS, EMS, OH&SMS and ISMS, are identified by departmental HODs, the copies are
maintained by department heads. It is ensured that only current versions of such documents are
available at point of use. Management system related documents of external origin are maintained by
MRs.
All documents are given a unique document number followed by a revision number.
All documents are available with users in softcopies on intranet; hard copies of formats may be taken to
record information and stored in record files.
Whenever there is change or revision in documents the approval cycle is followed as per above
procedure. The earlier version of the particular page/document is replaced with new version on intranet
and the old versions are stored marked as obsolete files for reference.
A new revision number will be assigned for every cycle of IMS certification, and the version number will
change as above for every change in the current revision.
Review/ Approval, Updating: The owner of the document is responsible for incorporating the
changes/suggestions resulting from the review. MR is authorized to control the version and revision of
the controlled documents and IMS records.
Identification & Adequacy Control: MR shall maintain a master list of all the IMS controlled records and
documents. The same should be published to all the users and available from the central repository for
reference purposes.
Only the electronic version of IMS documents & records shall be considered controlled.
Control of records: Various activities and processes of POSOCO generate records; these are in hard
copies or soft copies.
The process owner is responsible for identifying, indexing, storage, retrieval and disposal of records.
Each department lists its records in the asset register, and a copy is available with MR.
Records which are hard copies are maintained in files and stored in departmental filing cabinets. Access
to these records is limited to preserve them. It is ensured by HODs that records are retrievable when
required by management/auditors /external parties.
Master list of records will contain the retention period for system related and business process related
document along with their disposition methodology.
Records are disposed of in an environment-friendly manner and confidentiality of records is ensured by
shredding/cutting papers before disposal.
In case of soft copies of records, a regular backup of data is taken by HODs with the help of the IT department
and stored.
Copies of all records sent to NLDC, Power Grid, and Parliament correspondence, RTI correspondence are
maintained by the designated officer authorized by the unit head.
Repository Maintenance & Review: The MR will ensure that in line with the below given criteria,
common repository is maintained for controlled version of IMS documents and records.
The repository is appropriately backed up.
Records and documentation are stored in a protective enclosure with adequate access privileges for
authorized persons only. The final controlled copy of IMS documentation should be stored on the central
repository. Documents are indexed and categorized properly so that they can be accessed when
needed.
There is a MASTER LIST of IMS documents and templates which captures all revisions and releases with
the required description.
MR will ensure that the documents are distributed to the concerned staff and the vendors (if required).
Retention of Documents & Records: All documents/records related to the IMS, which are currently not
in use, will be appropriately identified and stored in a repository for future reference, at the discretion
of the MR.
The retention period will depend on various factors like regulatory requirements, confirmed warranty
period, discretion of top management or the period confirmed by MR and process owners.
Reference:
1. Master list of Documents
2. Master list of Records, and
3. List of external origin documents
SCOPE:
QMS: All departments except Finance & Accounting, Law and Company Secretary office.
EMS, OH&SMS and ISMS: All departments
DEFINITIONS/ABBREVIATIONS:
NC: Non-conforming
CARR: Corrective Action Request and Report
MR: Management Representative
R&A: Responsibility and Authority
Internal Audit will be carried out on a regular basis to check the compliance level of IMS as well as to check
whether IMS policies and procedures are being implemented properly and are effective.
Inputs
Audit Plan
Checklists
Updated policies and procedures
List of Internal Auditors
Outputs
Internal Audit findings
Audit Summary Report
Corrective Action
Overview
The Internal Audit will be conducted by a team of Auditors well versed with IMS standards requirements.
The Audit will be carried out using checklists and process documents that follow best
practices.
The Audit report should be presented to the MRCM and appropriate timelines and ownership should be
identified to close the findings. The process owner or department head will fill the gaps identified.
Process
An internal audit project normally consists of four stages: Planning (sometimes called Survey or Preliminary
Review), Fieldwork, Audit Report, and Follow-up Review. Independent Information Security Auditors
have to ensure POSOCO is kept informed and involved in all the stages of the audit, as this is critical at each
stage of the audit process.
Planning
During the planning portion of the audit, the auditor has to notify POSOCO of the audit, discuss the scope
and objective of the examination in a formal meeting, gather information on important processes,
evaluate existing controls, and plan the audit steps.
Announcement Letter
POSOCO has to be informed of the audit through an announcement or engagement letter from the
corporate MR at least one week prior to the audit date.
This letter has to communicate the scope and objective of the audit, the auditors assigned to the project
and other relevant information.
Initial Meeting
During this opening conference meeting, POSOCO’s IMS team will enlist the unit or system to be
reviewed, available resources (personnel, facilities, equipment, funds), and other relevant information.
The internal auditor has to then meet the unit MR directly responsible for the unit under review and any
staff members he/she wishes to include.
Preliminary Survey
In this phase the auditor has to gather relevant information about the unit in order to obtain a general
overview of operations.
He/she has to interview key personnel and review reports, files, and other sources of information.
Audit Program
Auditors have to prepare an audit program and this has to be shared with POSOCO UNITS in advance.
The program has to outline the fieldwork necessary to achieve the audit objectives.
Fieldwork
The fieldwork concentrates on transaction testing and informal communications.
During this phase the auditor has to determine whether the controls identified during the preliminary review
are operating properly and in accordance with POSOCO’s objectives.
The fieldwork stage has to be concluded with a list of significant findings from which the auditors will
have to prepare a draft of the audit report.
Audit Summary
Upon completion of the fieldwork, the auditor has to summarize the audit findings, conclusions, and
recommendations necessary for the audit report discussion draft.
Exit Conference
Internal Auditors have to meet the unit's management team to discuss the findings, recommendations,
and text of the draft.
In this meeting the auditors and POSOCO team have to work to reach an agreement on the audit findings.
Final Report
Internal Auditors have to print and distribute the final report to the unit's MR.
This report is primarily for the internal use of POSOCO, department’s team or vendors who will be
responsible for implementing the findings.
Management Response
The MR or the team of the department head in scope should explain how report findings will be resolved and
include an implementation timetable. In some cases, managers may choose to respond with a decision
not to implement an audit recommendation and to accept the risks associated with an audit finding. The
client should copy the response to all recipients of the final report if s/he decides not to have their
response included/attached to Internal Audit's final report.
Audit Follow-Up
Within three months of the final report, Internal Auditors will have to perform a follow-up review to
verify the resolution of the report findings.
POSOCO’s response letter has to be reviewed and the actions taken to resolve the audit report findings
have to be tested to ensure that the desired results were achieved.
Activity Chart
SL | ACTIVITY DESCRIPTION | ACCEPTANCE CRITERIA | RELEVANT DOCS. | R&A
1 | Make annual audit plan and schedule on the basis of the status and importance of the activity | - | | MR
CROSS-REFERENCES:
1. Internal audit Plan
2. NC report form
SCOPE:
This procedure is applicable to:
Customer detected NCs (i.e. Customer Complaints)
NCs detected by any other external agencies
NCs related to the products and processes as registered in the NC register
Sources of data for potential NCs are:
Records of Inspection reports
Process capability studies of Equipment
System Studies
Maintenance reports of machinery
Concessions, etc.
Internal Audit Reports
Customer Complaints
Customer feedback
NOTE:
NCs related to IMS, as and when detected during the process of internal audit, are covered in the Procedure
for Internal Audit.
DEFINITIONS/ABBREVIATIONS:
NC: Non-conforming
CA: Corrective Action
Procedure
The process for corrective action shall be initiated whenever a condition warrants an investigation to
determine if corrective action is required.
Corrective action shall be documented using the nonconformance report if a non-conformance is raised
during the internal audit and processed electronically in accordance with this document.
In other instances a separate corrective action log shall be maintained by the coordinator of the
respective projects/departments. Corrective action shall be initiated as a result of, but not limited to,
the following:
Non Conformances identified during internal audits
Action items from management reviews of IMS effectiveness
Customer complaints
Problems identified by employees pertaining to IMS
Violation of IMS policy and objectives
Verification
Internal auditors/MR shall verify effectiveness of corrective action taken for the concerned projects /
sections every month.
Review by management has to be conducted half yearly.
The senior management shall review the results of corrective actions during MRCM.
ACTIVITY CHART
SL | ACTIVITY DESCRIPTION | ACCEPTANCE CRITERIA | RELEVANT DOCS. | R&A
1 | Select NCs for investigation based upon Pareto Analysis and severity of NC. | All major NCs are to be taken for CA. Minor NCs: only 20% prioritized NCs need to be taken for CA | NC-CA Register <UNIT>/IMS/RECORD/NCCA/001 | Head of Dept.
2 | All sources of data as defined in the scope are studied to predict potential NCs | This study is to be undertaken at intervals not exceeding 3 months | - | Head of Dept.
CROSS-REFERENCES:
<UNIT>/IMS/RECORD/INCIDENT/001 INCIDENT Register
<UNIT>/IMS/RECORD/NCCA/001 NC- CA Register
The agenda points for above review will include the following:
a) The status of actions from previous management reviews;
b) Changes in external and internal issues that are relevant to the IMS Management system;
c) Information on the performance and effectiveness of the IMS management system, including:
1. Customer satisfaction and feedback/needs and expectations from relevant interested parties
including compliance obligations;
2. The extent to which IMS objectives have been met;
3. Process performance and conformity of products and services including fulfilment of its compliance
obligations
4. Nonconformities and corrective actions;
5. Monitoring and measurement results;
6. Audit results;
7. Customer/ interested parties’ feedbacks/complaints
8. Performance of external providers;
d) Adequacy of resources;
e) Effectiveness of actions taken to address risks and opportunities
f) Opportunities for improvement.
SCOPE:
All products and services at all stages from receipt to delivery, including aux support services.
DEFINITIONS/ABBREVIATIONS:
NC: Non-conforming
CA: Corrective Action
PROCEDURE:
Identification of NC Products and Services
STAGE | RESPONSIBILITY
INCOMING | Concerned HOD
IN-PROCESS | Group Head
PRE-DESPATCH INSPECTION | Group Head
AFTER DELIVERY (NC detected by Customer) | HOD
However, the authority to point out NC product is given to all personnel. They may point out the NC to
the departmental manager concerned who then initiates the control process.
The NC disposal decision may take the form of any one of the following:
DOWN GRADE: If the NC is minor and will not affect the functioning of the service adversely
REJECT: If the NC is major and cannot be tolerated
The implementation of the NC disposal decision is then done by the designated authority and
documented.
Corrective Action
The NCs are subsequently analyzed for Corrective Action as per Procedure for CA
PURPOSE:
To ensure that there is companywide awareness of IMS requirements.
To ensure that manpower employed is competent.
SCOPE:
All departments and functions
DEFINITIONS/ABBREVIATIONS:
NC: Non-conforming
CAR: Corrective Action Request
MR: Management Representative
R&A: Responsibility and Authority
QMS
All staff and Workers are made aware of the importance of meeting Customer requirements and
also statutory and regulatory requirements
EMS
The importance of conforming to Environmental Policy and Procedures
The consequence of not conforming
OH&SMS
The importance of the awareness of OH&S consequences, actual and potential
The consequence of not conforming
ISMS
The importance of the awareness of information security activities and how they contribute to the
achievement of ISMS objectives
RESPONSIBILITY
MR/HSSE Team Leader/ HODs
PURPOSE:
To ensure that there is companywide competence for IMS requirements
SCOPE:
All departments and functions
DEFINITIONS/ABBREVIATIONS:
NC: Non-conforming
CAR: Corrective Action Request
MR: Management Representative
R&A: Responsibility and Authority
Competence is ensured by providing training or taking other necessary action to satisfy IMS
requirements
The competency requirements are defined in terms of Education/ Knowledge, Experience and Training.
Competency is checked at regular intervals by internal audit. Where personnel are lacking in
competence, training is provided and the competency check is done again. If a person fails to meet the
requirement, he/she is transferred.
RESPONSIBILITY
MR/HSSE Team Leader/ HODs
CROSS REFERENCE
1. Competency Matrix