OpCo Audit Program

29.06.2023 | Berlin
Audit Types and Purposes

Audit Type Goal Criteria Scope

OpCo Management System

Is our Management System
(9001 for Q, 45001 for Department
OK?
- Conform? Safety) Project
1st Party (Internal)
- Effective? - Is our sytem compliant to Team
- Improvement Ops? ISO, contract and internal Process
requirements?

Is the Supplier (or potential

Company specifications or
2nd Party (Supplier) Supplier) management Product or Service
the Contract
system OK?

Activities
ISO 9001 for Q, 14001 for
3rd Party (External) Certification Products
Env, 45001 for Safety
Limitation

DB Company | First Name and Last Name | Department | 16.06.2023 2

 Objectives

‒ Perform 1st Party / Internal Audits on OpCos

‒ Support the OpCo with ISO Standards Compliance

‒ Reduce risk at OpCo with a Risk based Audit Program

‒ Identify improvement opportunities

‒ Assess OpCo Management System

‒ In summary, to help the OpCo to assess the Operations according to world class standards.

DB Company | First Name and Last Name | Department | 16.06.2023 3

Workflow
Risk Manag.
Manag. Review
1 Pre-Audit
2 Audit Planning
3 Audit Notification
4 Audit Preparation
5 Perform audit
6 Communicate Audit Report
7 Review Actions
End
DB Company | First Name and Last Name | Department | 16.06.2023
Previous 1. Pre-audit with OpCo (one month before Audit) 6. Audit Report (15 days after Audit)
Audits ‒ Responsible: Lead Auditor ‒ Responsible: Lead Auditor
‒ Target: Identify scope, criteria and resourses ‒ Target: detail to the OpCo findings
2. Planning 7. Review Actions/Recommendations
‒ Responsible: Lead Auditor ‒ Responsible: OpCo
‒ Target: Plan the audit according to the processes and ‒ Target: action plan to correct the findings/improvements
resources
3. Audit Notification (at least 15 days before)
‒ Responsible: Lead Auditor
‒ Target: formally notify the OpCo
4. Audit Preparation (procedures from OpCo)
‒ Responsible: Lead Auditor
‒ Target: get ready and acquainted to OpCo MS
5. Perform Audit
‒ Opening Meeting, Audit and Closing meeting (all in-
loco)
‒ Responsible: Lead Auditor
‒ Target: find improvement opportunities
4
Auditor Resposibility and Profile

Responsible to perform a systematic, independent and documented audit in accordance with the audit schedule(s) and audit scope to
determine the extent of fulfilment of the audit criteria.

Lead Auditor Competencies:

‒ Knowledge in the area of expertise
‒ Lead Auditor training
1. TÜV: https://www.tuvsud.com/en-us/services/training/e-learning-courses/iso-9001-2015-qms-lead-auditor
2. LRQA - https://www.lrqa.com/en/training/qms-auditor-lead-auditor-cqi-irca-certified/

Internal Auditor Competencies:

‒ Knowledge in the area of expertise
‒ Auditor training
1. TÜV: https://www.tuvsud.com/en-us/services/training/e-learning-courses/iso-9001-2015-internal-auditor-online
2. LRQA - https://www.lrqa.com/de-de/training/interner-qualitaetsauditor-iso-9001/

DB Company | First Name and Last Name | Department | 16.06.2023 5

Suggested Audit Programme

Audit Scope Period

Operations Annually

Maintenance Annually
Period may shift based on the inputs from risk management, DBIO
Occupational Safety Annually management and previous audits. The program shall be adjusted to
reduce or increase the audit time frame based on the inputs.
Environment Annually
Normally external certification audits are done once every three to five
Quality Annually years depending on the company APL (Activities, Products and
Limitations).
HR Every two years

Financial Every two years

Other areas (subcontractors, Every two years

procurement, etc)

DB Company | First Name and Last Name | Department | 16.06.2023 6

Suggested Audit Programme

Record Keeping Example (can be done on sharepoint):

OpCo Scope Period Last Audit Status Last report #

DB RRTS Quality (ISO 9001) Yearly 20/06/2023 On Time 2023-006

DB RRTS Occupational Health Yearly 20/06/2023 On Time 2023-005
and Safety (ISO 45001)

DB RRTS Environment (ISO Yearly 20/06/2023 On Time 2023-004

14001)
DBCC Quality (ISO 9001) Yearly 01/06/2023 On Time 2023-003
DBCC Occupational Health Yearly 01/06/2023 On Time 2023-002
and Safety (ISO 45001)

DBCC Environment (ISO Yearly 01/06/2023 On Time 2023-001

14001)

DB Company | First Name and Last Name | Department | 16.06.2023 7

 Reporting

‒ Create a database with all reports for further consultation

‒ Findings in the PREI Model

‒ Process (P): The process where the non-conformity or improvement opportunity was found
‒ Requirement (R): maybe the ISO clause, contract or quality management system
‒ Evidence (E): where and how it was seen
‒ Impact (I): what can go wrong if not corrected / upgraded

‒ Example:
1. The process of control of externally provided products is not effecttive (P), based on ISO 9001 clause 8.4.1 requirements the
organisation shall ensure externally provided products conform to it‘s requirements (R). The evidences are the lack of inspection of
product A and B (E). The impact is that the quality of the produce/maintained good cannot be reliable (I).

‒ The actions will not be defined by the auditing team, but a target time of 30 days after the final report will be given to the operations to
set the actions and time line in a way it suits better the organisation. Of course, DBIO auditors will be available to help in setting the
actions and discussing it further.

DB Company | First Name and Last Name | Department | 16.06.2023 8

DBIO Audit Approach @ DB RRTS

‒ Audit Approach:
‒ Audit the system and the processes, not the people.
‒ Build rapport with auditee. Openness and honesty at all times.
‒ Risk based: Concentrate on any special, vulnerable, new or high-risk processes.
‒ Evidence-based: Evidence must be verifiable and be based on samples of the information available.
‒ Fair presentation: Audit findings, conclusions and reports reflect the audit activities. No hidden agenda.

‒ The scoring criteria for internal audits are broken up into three different sections:
‒ Compliant: means everything about a specific process is complying to the chosen the criteria.
‒ Observation: a small issue within the management system, that can be improved and changed. May be used as an audit trail for a
next audit.
‒ Non-Conformance: reflect a poor representation of a document and/or a low number of requirements met for the process.

‒ Auditors effort is to find compliance and conformity with chosen criteria

‒ Team:
‒ Lead auditor
‒ Operations Specialist
‒ Track maintenance Specialist
‒ Management System Specialist

DB Company | First Name and Last Name | Department | 16.06.2023 9

 DBIO Audit Approach @ DB RRTS

‒ Suggested Agenda: October 4-6 or October 25-27

Item Day 1 Day 2 Day 3

Opening meeting 09:00 – 10:00
Interviews with CEO / COO / CSO 10:00 – 13:00
Interview with key individuals from Ops, Maint, 14:00 – 17:00
Signalling,

Day 1 wrap-up 17:00 – 17:30

Field observations 09:00 – 13:00
Inteviews with train operators, attendant, station 14:00 – 17:00*
controllers, traffic controller, signalling, *maint. auditor may need to work
maintenance staff, 23:00 – 07:00

Day 1 wrap-up 17:00 – 17:30

Follow audit trails that were not planned 09:00 – 13:00
Prepare closing meeting 13:00 – 15:00
Closing meeting 15:00 – 17:00

DB Company | First Name and Last Name | Department | 16.06.2023 10