QUALITY MANAGEMENT
PROGRAM PLAN
FOR
REGION 10
DOCUMENT CONTROL NUMBER
RQMP-001/96
U.S. ENVIRONMENTAL PROTECTION AGENCY
1200 SIXTH AVENUE
SEATTLE, WASHINGTON 98101
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 2 of 47
TABLE OF CONTENTS
ACRONYMS 4
GLOSSARY 5
1.0 QUALITY MANAGEMENT PROGRAM PLAN IDENTIFICATION FORM 6
2.0 INTRODUCTION 8
3.0 REGIONAL QUALITY MANAGEMENT POLICY 8
4.0 EPA POLICY ON FRAUD. WASTE. AND ABUSE 11
4.1 Supplying of PE Materials to Suspended or Debarred Entities 13
5.0 QUALITY MANAGEMENT 13
5.1 Regional Program Identification 13
5.2 Multiple Office Responsibilities 17
5.3 Assignment of Responsibilities 18
5.4 Records Management of OM/OA Documents 23
5.5 Computer Hardware and Softwater 24
5.6 Communication/Reporting/Work Plan 24
5.7 OM Program Operation/Review 25
5.8 Program Evaluation 28
5.9 Resources 29
6.0 CONCEPTS AND CONSIDERATIONS OF QUALITY ASSURANCE PROJECT PLANS 30
6.1 Quality Assurance Project Plan Contents 30
6.2 Data Quality Objectives 32
6.3 Laboratory Quality Assurance Plan Contents 32
6.4 Standard Operating Procedures 33
6.5 Data Processing and Verification 35
6.6 Data Quality Assessment 36
6.7 Corrective Action 39
7 . 0 TRAINING 39
8.0 IMPLEMENTATION REQUIREMENTS AND SCHEDULE 40
APPENDIX A - EPA Order 5360.1 Mandatory Quality Assurance .... 41
APPENDIX B - Interim Guidelines and Specifications for Preparing
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 3 of 47
Quality Assurance Project Plans 42
APPENDIX C - Regional Program-Specific Quality Assurance Project
Plan Guidance Manuals 43
APPENDIX D - Headquarters Program-Specific Quality Assurance Project
Plan Guidance Documents 44
APPENDIX E - National/Regional Audit Procedures
45
APPENDIX F - Laboratory Quality Assurance Plan Guidance Documents 46
APPENDIX G - Related Regional Program-Specific Documents .... 47
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 4 of 47
ACRONYMS
CERCLA
Comprehensive Environmental Response, Compensation and
Liability Act
CLP
Contract Laboratory Program
CSIS
Compliance Sampling Inspection
DMR
Discharge Monitoring Report
DQOs
Data Quality Objectives
ESAT
Environmental Services Assistance Team
FIFRA
Federal Insecticide, Fungicide, and Rodenticide Act
GSA
General Services Administration
I & M
Inspection & Maintenance
IAGs
Inter-Agency Agreements
NAMS
National Air Monitoring System
NERL
National Environmental Research Laboratory
NESHAPS
National Emissions Standards for Hazardous Air Pollutants
NIST
National Institute of Standards and Technology
NPDES
National Pollution Discharge Elimination System
NSPS
New Source Performance Standards
OAQ
Office of Air Quality
OCI
Office of Criminal Investigations
OEA
Office of Environmental Assessment
OECL
Office of Environmental Cleanup
OIG
Office of the Inspector General
OMP
Office of Management Programs
OSC
On-Scene Coordinator
OWCM
Office of Waste and Chemicals Management
OW
Office of Water
PAIS
Performance Audit Inspections
PE
Performance Evaluation
QAMS
Quality Assurance Management Staff (Hq)
RCRA
Resource Conservation and Recovery Act
RPM
Remedial Project Manager
RPO
Regional Project Officer
RQMP
Regional Quality Management Program
RQPM
Regional Quality Program Manager
SARA
Superfund Amendment and Reauthorization Act
SEA
State-EPA Agreement
SLAMS
State/Local Air Monitoring Station
SO
State/Field Office
SOP
Standard Operating Procedure
TSCA
Toxic Substances Control Act
QA
Quality Assurance
QAPjP
Quality Assurance Project Plan
QC
Quality Control
QM
Quality Management
QMPP
Quality Management Program Plan
WP
Water Pollution
WS
Water Supply
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 5 of 47
GLOSSARY
EDCA Environmental data collection activities include any-
laboratory or field data generation activity or
investigation involving the determination of
biological, chemical, or physical factors related to
the environment. Some examples are: determining the
presence or absence of pollutants in waste streams;
health and ecological effect studies; clinical and
epidemiological investigations; engineering and process
evaluations; studies or measurements of pollution
transport, etc.
QAMS The Quality Assurance Management Staff is the Agency
office, located at Headquarters, that is the focal
point for quality assurance policy and is responsible
for developing QA requirements and overseeing
Agency-wide implementation of the QA Program.
The term Regional Program Managers shall be used in
this document to include all supervisory and management
personnel (e.g., Unit Chief or Office Director).
RPMs The term Regional Project Managers shall be used in
this document to include all personnel responsible for
overseeing environmental data collection activities.
This shall include, but not be limited to: Remedial
Project Managers, Work Assignment Managers, Delivery
Order Officers, On-Scene Coordinators, permit writers,
compliance personnel, investigators, project officers,
etc.
RQMP The Regional Quality Management Program has the
delegated authority for managing and overseeing
regional quality management policies, practices, and
requirements. The RQMP is also responsible for
overseeing the implementation of the Agency-wide QA
program, including grants, contracts, formalized and
interagency agreements.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 6 of 47
1.0 QUALITY MANAGEMENT PROGRAM PLAN IDENTIFICATION FORM
Document Title: Quality Management Program Plan for Region
Document Control Number: RQMP-001/96
Organization Title: EPA Region 10
Address: 1200 Sixth Avenue
Seattle, WA 98101
Regional Administrator: Chuck Clarke
Quality Management Program Manager: Barry Towns
Address: EPA Region 10
1200 Sixth Avenue, OEA-095
Seattle, WA 98101
Plan Coverage:
This plan covers all monitoring and measurement
activities mandated through EPA regulations and
memoranda. This includes all internal and external
environmental data generated by activities conducted
through regional monitoring programs, grants,
contracts, interagency, and cooperative agreements.
-------�
Region 10 QMP Plan
Revision No. 2B
Date: 00-16-96
Page: 7 of 44
fame Barrv Towns
Title Quality Manage:
Phone oofi) 553-1675
"'¦j—*•—* ¦ »•
T men-am Manager
Name Jania Hastings
Title n-irector. office of Environmental Assessment
Phone (206) 553-1582
Signature,
omJ
Approval for Implementation
e rhnmk marks
Title Raoional Administrat
Signature
rM
rator L
Name rliiicV Findlev
Signature.
Approval for Aaencv
Phone f2Q6) 553-1234
Phone f206) 553-1793
Name Nancy W. Hentworth
Title Director. Quality Assurance Management Staff
Signature
Phone
Name
Ph.D.
Phone <3260-5767
Title pi raetor ¦ National Cantar for F.nvi ronmenCal
Raaearch anrl final i fv ftssnrancfi
Signature_
rep and Qua.
^ , A
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 8 of 47
2.0 INTRODUCTION
Region 10 is strongly committed to good science and
aggressive quality management (QM) practices. This commitment is
consistent with the goals of the Administrator's Quality
Assurance (QA) Policy Statement and EPA Order 5360.1.
Region 10 has already developed and integrated quality
management (QM) practices into monitoring and measurement
activities within its purview. These QM practices are
specifically designed to generate and process data of known and
appropriate quality in a cost-effective manner.
The purpose of this document is to define and describe the
QM, QA, and Quality Control (QC) policies and responsibilities
required by Region 10, in concurrence with the Agency's mandated
QM program. The document is designed to provide a logical
connection between Agency QM policy and the implementation of
such policies in Region 10. This document is intended to assist
Region 10 Project Officers and Managers in the uniform
implementation of QM, QA, and QC requirements for Region 10
Monitoring Programs, Grants, Contracts, Cooperative Agreements,
and Interagency Agreements.
3.0 REGIONAL QUALITY MANAGEMENT POLICY
It is the policy of Region 10 that there shall be sufficient
Quality Management (QM) activities conducted within the Region to
ensure that all environmental data generated and processed shall
be: scientifically valid, of adequate statistical quantity, of
known precision and accuracy, of acceptable completeness,
representativeness, and comparability, and where appropriate,
legally defensible. This goal can be achieved by ensuring that
adequate QM steps and procedures are used throughout the entire
monitoring process (from initial study planning through data
usage).
Regional policy shall comply with EPA Order 5360.1 which
requires a Quality Assurance Project Plan for all environmental
data collection activities. Environmental data collection
activities are defined as the collection or generation of any
chemical, physical, or biological measurements. EPA Order 5360.1
requires compliance for all environmental data collection
activities in which data is generated by or for the Agency. EPA
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 9 of 47
Order 5360.1 is attached in Appendix A.
A. Specifically it is the policy of Region 10 that:
1. Each monitoring program that generates environmental data
shall develop and implement a QA Project Plan (QAPjP)
addressing the major elements contained in appendices B & C
and shall ensure that adequate resources (both monetary and
staff) are provided to support the QA objectives of the
QAPjP. The project plan should specify the detailed
procedures required to assure the generation of quality
data. All QA project plans must be approved prior to data
collection and/or scheduling of laboratory space. The
Regional Quality Management Program (RQMP) can assist with
plan reviews and concur on the approval/disapproval of all
QAPjPs. Special exemptions can be requested through the
RQMP for emergencies or special investigations. Special
situations shall still require the preparation and approval
of a QAPjP after the field event. The occurrence of special
situations is expected to be limited and is not to be a
routine operational procedure.
2. All environmental data generated shall be of known and
acceptable quality. The data quality information developed
with all environmental data shall be documented and
available.
3. All Regional monitoring programs shall ensure that
acceptable QM requirements are included and implemented in
all applicable external monitoring activities funded by the
EPA.
4. The intended use(s) of the data shall be defined before the
data collection effort begins, so that appropriate QM
measures may be applied to ensure a level of data quality
commensurate with the monitoring objectives. The
determination of this level of data quality shall also
consider the prospective data needs of secondary users.
Data Quality Objectives (DQOs) shall be established to
ensure the utility of monitoring data for its intended use
and as guidance for preparation of QA project plans. The
Programs shall be responsible for determining the
appropriate QM practices, using the DQO process for each
QAPjP. The intended data uses, level of quality, specific
QM activities, and data acceptance criteria needed to meet
the data quality needs of these uses shall be described in
each monitoring activity's QA project plan.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 10 of 47
5. Quality assurance activities shall be designed in the most
cost effective fashion possible, without compromising data
quality objectives.
6. The development and maintenance of acceptable State QA
programs shall be integrated, as appropriate, into the
overall State-EPA Agreement ("SEA") process.
The Regional Administrator has the overall responsibility
for the development, implementation, and continued operation of
the Regional QM Program. The authority and responsibility for
managing the QM activities within the Region shall be assigned to
the Regional Quality Program Manager (RQPM). To ensure that the
Region's QM policy is uniformly applied to the generation and
processing of all environmental data, a Regional Quality
Management Program (RQMP) shall be established and maintained.
The Regional Quality Program Manager shall act as Manager of the
Regional Quality Management Program. The RQMP shall function as
a central quality management authority organizationally
independent of the programs supported, i.e., environmental data
generators and users.
B. The Regional QM Program shall meet the following
requirements:
1. The RQMP shall be the technical and central management
authority for all QM matters within the Region. The RQMP
shall review, comment, and concur on all Regional QA Project
Plans. The RQMP shall be the focal point for interaction
between the Quality Assurance Management Staff (QAMS),
NERL's, National Program Offices, state, local, private, and
other Federal agency QA personnel on Quality Management
issues to ensure that agency QM requirements are met.
2. The RQMP shall be adequately organized and staffed, and able
to request specific technical expertise primarily from the
technical staff of the Office of Environmental Assessment or
from other Office programs when specific expertise is
needed, i.e. Radiation, Health Physics, etc. After being
requested through appropriate management, the technical
expert shall function as part of the RQMP.
3. Region 10 Project Officers (RPMs) shall inform the RQMP of
activities relating to QM within their specific monitoring
programs and facilitate development and implementation of QA
Project Plans.
4. Facilities, equipment and services that, directly or
indirectly, have an impact on data quality or integrity
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 11 of 47
shall be routinely inspected and maintained where
appropriate (as outlined in facilities plan). The
facilities plan shall identify the parties responsible for
conducting routine inspections.
5. Data processing shall be documented, reviewed, and revised
as required by the Regional Quality Management Plan or
Agency mandates and guidelines. Data shall be validated
according to specific criteria, which shall follow EPA
guidelines and regulations.
6. When data falls outside acceptable limits, the appropriate
management official (Regional Project Manager, Regional
Program Manager, etc.) shall, with the assistance of the
RQMP develop and implement a mechanism for corrective
action. This will assure that any deficiencies in data
generation activities, detected by the QM program, can be
corrected in a timely manner.
7. The RQMP shall submit an annual Region 10 QM Report and
Work/Audit Plan, to the Regional Administrator and the
Director of the QAMS, for review and approval. The annual
Region 10 QM Report and Work/Audit Plan will be used by the
QAMS in preparation of the annual Agency QM Report. The
annual Agency QM Report will be sent to the Administrator.
8. The Region 10 QM Program Plan shall be reviewed at least
annually, by the RQMP, and updated as required. Significant
revisions to the Region 10 QM Program Plan shall be
submitted to the Regional Administrator, OEA Office Director
and the QAMS for review and concurrence or approval.
4.0 EPA POLICY ON FRAUD. WASTE. AND ABUSE
It is the responsibility of Region 10 managers and
supervisors to inform EPA employees of their responsibilities
concerning Federal Fraud, Waste, and Abuse regulations, and of
their responsibilities under the Agency's Standards of Employee
Conduct. The following information is a summary of Federal
requirements as they pertain to EPA employees:
A. Paragraph 2.b, Chapter 3, of EPA Manual 6500. "Functions
and Activities of the Office of the Inspector General"
(January 22, 1985) states:
All employees of the Agency, within the limits of their
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 12 of 47
authority and duties, are responsible for (1) fostering
the enforcement of laws, executive orders, regulations,
and other applicable directives; (2) maintaining high
standards of ethical conduct; and (3) promoting
efficiency and effectiveness in the administration of
the Agency's programs and activities.
These responsibilities require that all employees
promptly report instances of and information on any
known or suspected violation of law, rules, or
regulations; mismanagement; gross waste of funds; abuse
of authority; or substantial and specific danger to the
public health and safety. Employees should report such
instances to their supervisors, or if necessary,
directly to the Office of the Inspector General
(emphasis added).
As stated in Section 7c of the Inspector General Act,
action shall not be taken or threatened against any
employee as a reprisal for making complaints or
disclosing information to the Office of the Inspector
General (OIG) unless the complaint was made or the
information disclosed with the knowledge that it was
false or with willful disregard for its truth or
falsity.
In accordance with Section 7b of the Inspector General
Act, the identity of an employee, other than a
supervisor or manager acting in his or her official
capacity, who comes forth with a complaint or
information by contacting the OIG shall be kept
confidential. Exceptions can be made to this general
rule where (1) the employee consents to the release of
his or her name, or (2) the Inspector General
personally determines such disclosure is unavoidable
during the course of the investigation. The provisions
of confidentiality under Section 7b is limited to EPA
employees who directly contact the OIG.
A telephone hotline, maintained in the OIG, is
available to all EPA employees and the public for
reporting Agency activities involving fraud, waste, or
mismanagement.
Washington, DC OIG Hotlines:
(800) 424-4000
(202) 260-4977
Seattle, WA OIG Hotline:
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 13 of 47
(206) 553-1273
B. The Agency's standards-of-conduct regulations for EPA
employees are stated in 40 CFR Part 3. The EPA Region 10
library has a current copy of 40 CFR Part 3.
4.1 Supplying of PE Materials to Suspended or Debarred Entities
In order to assure the scientific quality of EPA's decision
making, and in order to more completely protect the public's
health, welfare, and the environment, it shall be Regional policy
not to supply performance evaluation materials to parties that
are suspended, debarred or excluded parties (voluntarily or
otherwise). This shall mean that any company, individual or
other parties listed in the document entitled, "GSA Lists of
Parties Excluded From Federal Procurement or Nonprocurement
Programs" shall not be eligible to receive, directly or
indirectly, any performance evaluation samples provide by the
EPA. This restriction shall include all water supply (WS), water
pollution (WP), discharge monitoring report (DMR) or other
performance evaluation materials.
The "GSA Lists of Parties Excluded From Federal Procurement
or Nonprocurement Programs" is published on a periodic basis by
the General Services Administration. Copies of this document are
usually available in the Office of Regional Counsel or through
the Regional Contract Officer. A subscription to the "Lists" is
available through GSA by calling (202) 501-3566 or (202) 501-
4704 .
5.0 QUALITY MANAGEMENT RESPONSIBILITIES
5.1 Regional Program Identification
Identification of each Regional program role covered by the
QM requirements is described below:
The Office of Environmental Assessment (OEA) has management
responsibilities for the Regional Quality Management program.
OEA provides specialized technical support; conducts special
studies and analyzes environmental samples; processes, analyzes,
and recommends the use to be made of environmental data by the
program offices. OEA overviews some external environmental
monitoring. OEA shall prepare QA project plans and/or Standard
Operating Procedures (SOP) for all monitoring and measurement
activities it conducts. These plans shall be developed according
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 14 of 47
to National and Regional QM requirements and specifications
(Appendices B, C, & D).
The Office of Air Quality (OAQ) has the lead program management
responsibilities for the SLAMS/NAMS, Stationary Source
(NSPS/NESHAPS), Mobile Source (I & M) and part of the TSCA
programs. OAQ manages a portion of the Regional Federal grants
and contract fund processes. OAQ ensures that QM matters are
reflected in budgets, program plans, and work/operating plans.
OAQ serves as the technical/program authority for all air
environmental monitoring activities within the geographical
boundaries of Region 10. Data arising from these programs are
the product of efforts, both internal and external to the Region.
OAQ overviews external environmental monitoring programs.
The Office of Environmental Assessment (OEA) provides the
OAQ with technical assistance relevant to monitoring and
data processing activities. This includes system and
performance audits on air monitoring activities, inspections
of stationary and mobile sources, and coordination of the
Performance Evaluation Studies. QA project plans for
special ambient studies conducted by the Region will be
prepared by OEA. QM/QA program/project plans developed by
State/Local Agencies shall be approved by the OAQ with
concurrence from the RQMP. These plans shall be reviewed
annually and revised as needed. QA program/project plans
shall be developed according to National and Regional QM
requirements and specifications (Appendices B, C, & D).
The Office of Ecosystems and Communities (OEC) has the program
management responsibilities for the Pesticides and NEPA programs.
OEC ensures that QM matters are reflected in budgets, program
plans and work/operating plans. OEC serves as the
technical/program authority for all of the toxics and NEPA
monitoring activities within the geographical boundaries of
Region 10. Data arising from these programs are the product of
efforts, both internal and external to the Region. OEC overviews
external environmental monitoring activities.
The Office of Environmental Assessment (OEA) provides
assistance to the OEC relevant to monitoring and data
processing activities and through the coordination of the
Regional Pesticide Performance Evaluation Studies. OEC
shall develop QA project plans for FIFRA monitoring
activities they conduct. QM/QA program/project plans
developed by State/Local Agencies shall be approved by the
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 15 of 47
OEC with concurrence from the RQMP. These plans shall be
reviewed annually and revised as needed. QA program/project
plans shall be developed according to National and Regional
QM requirements and specifications (Appendices B, C, & D).
The Office of Environmental Cleanup (OECL) has the program
management responsibilities for the Comprehensive Environmental
Response, Compensation, and Liability Act (CERCLA and SARA); and
Emergency Response Programs. OECL ensures that QA matters are
properly reflected in budgets, program plans, contracts, permits,
Interagency Agreements (IAGs) and work/operating plans. OECL
serves as technical/program authority for all Superfund and
Emergency Response environmental monitoring activities within the
geographical boundaries of Region 10. The data arising from
these programs are the product of efforts, both internal and
external to the Region. OECL overviews external environmental
monitoring programs.
The Office of Environmental Assessment provides the OECL
with technical assistance relevant to the collection and
analyses of environmental samples. This includes Regional
management of the Contract Laboratory Program (CLP) and
Environmental Services Assistance Team (ESAT) Contract;
review of CLP data; and preparation of QA project plans for
Superfund monitoring activities that OEA conducts. OECL
shall develop QA project plans for all Superfund and
Emergency Response monitoring activities they conduct.
QM/QA program/project plans developed by State/Local
Agencies shall be approved by the OECL with concurrence from
the RQMP. QA program/project plans shall be developed
according to National and Regional QM requirements and
specifications (Appendices B, C, & D).
The Office of Waste and Chemicals Management (OWCM) has the
program management responsibilities for the Resource Conservation
and Recovery Act (RCRA); Toxic Substance Control Act (TSCA), and
the Emergency Prevention and Community Response Act (EPCRA). OWCM
is responsible for permitting and compliance, as well as,
enforcement for facilities storing hazardous waste. OWCM manages
Federal grants and contract funds. OWCM serves as
technical/program authority for all RCRA environmental monitoring
activities within the geographical boundaries of Region 10. The
data arising from these programs are the product of efforts, both
internal and external to the Region. OWCM overviews external
environmental monitoring programs.
The Office of Environmental Assessment (OEA) provides the
OWCM with technical assistance relevant to monitoring and
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 16 of 47
data processing activities. This includes system audits on
monitoring activities, and compliance inspections and
preparation of QA project plans for RCRA monitoring
activities that OEA conducts. OWCM shall develop QA project
plans for all RCRA and TSCA monitoring activities they
conduct. QM/QA program/project plans developed by
State/Local Agencies shall be approved by the OWCM with
concurrence from the RQMP. These plans shall be reviewed
annually and revised as needed. QA program/project plans
shall be developed according to National and Regional QM
requirements and specifications (Appendices B, C, & D).
The Office of Water (OW) has the program responsibilities for the
public water supply; ambient surface and groundwater; underground
injection control; estuarine waters; off-shore discharge; and
domestic and industrial wastewater treatment programs. OW is
responsible for permitting and compliance, as well as,
enforcement for water stationary sources, domestic and industrial
treatment facilities. OW manages Federal grants and contract
funds. OW ensures that QA matters are properly reflected in
budgets, program plans, contracts, permits, Interagency
Agreements (IAGs) and work/operating plans. OW serves as the
technical/program authority for all water related environmental
monitoring activities within the geographical boundaries of
Region 10. The data arising from these programs are the product
of efforts, both internal and external to the Region. OW
overviews external environmental monitoring programs.
The Office of Environmental Assessment (OEA) provides the OW
with technical assistance relevant to monitoring and data
processing activities. This includes oversight of
State/Local fixed ambient water monitoring networks; special
ambient studies; system and performance audits on water and
waste field monitoring; and laboratory operations; NPDES
compliance inspections and oversight inspections (CSIs and
PAIs). OEA shall prepare QA project plans for all special
studies, and compliance monitoring/inspections it conducts.
OW shall develop QA project plans for data collection
activities they conduct and require permittees to develop
and maintain QA project plans for all permits. QM/QA
program/project plans developed by State/Local Agencies
shall be approved by the OW with concurrence from the RQMP.
QA program/project plans shall be prepared according to
National and Regional QM requirements and specifications
(Appendices B, C, & D).
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 17 of 47
The Office of Criminal Investigations (OCI) is responsible for
conducting investigations of criminal violations within Region
10. OCI prepares criminal cases and takes enforcement actions to
attain compliance with environmental laws and EPA regulations.
This involves surveillance activities, file searches, and the
collection of environmental samples. The Office of Criminal
Investigations will prepare QA project plans for environmental
monitoring activities it conducts. These plans shall be
developed according to appropriate National and Regional QM
requirements and specifications (Appendices B, C, & D).
The State/Field Office (SOs) (Alaska, Idaho, Oregon, Washington)
represent the Regional Administrator on State matters and provide
leadership, coordination, and liaison with the officials of each
State's environmental agency, Tribes, and other Federal, State,
and local organizations. SOs perform program specific functions
according to approved work plans as implementation work,
inspections, permits, outreach, Superfund site management,
ecosystem/geographic work, and multi-media coordination. Actual
assignments to each office may vary according to the needs of the
State and the nature of EPA activities in each state as
documented in the work plans. The work plans may require
collection of environmental samples. The State Offices shall be
responsible for preparing QA project plans for each data
collection activity they conduct. These plans shall be developed
according to appropriate National and Regional QM requirements
and specifications (Appendices B, C, & D).
5.2 Multiple Office Responsibilities
The Region has some projects in which responsibilities are
split between more than one Office. This section will briefly
discuss the responsibilities for these projects.
A. Regional Groundwater Data Management Order
In 1989, the Region adopted the Regional Groundwater Data
Management Order (RIO 7500.1) to establish consistent procedures
for organizing, reporting, transmitting, storing and retrieving
groundwater data. This order applies to all groundwater data
collection activities carried out by EPA staff or EPA
contractors, including research and development, enforcement and
permit issuance. The responsibilities defined in this order are
summarized below. For specific details refer to the Order.
1. Office Directors shall be responsible for the implementation
of this order within their respective Offices.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 18 of 47
2. The OEA Laboratory shall encode and input the results of all
groundwater sample analysis performed at the Laboratory into
the Laboratory Sample Data Management System. The
Laboratory shall also enter contract laboratory data for
projects conducted directly by EPA staff.
3. OEA shall provide guidance and training, as requested, to
ensure that data is properly encoded according to
specifications contained in the Order.
4. OEA shall be responsible for determining the disposition of
the data received by EPA, and transferring data to the
appropriate EPA data management system.
5. OEA shall code and enter historical data, and data collected
under ongoing agreements, as allowed by time and resources.
6. Sampling plans and QA plans shall be reviewed for compliance
with this Order, prior to approval.
7. OECL, OCWM, OW, OEC and SO's shall, where appropriate,
require that all groundwater data management procedures are
complied with as described in this Order.
B. Regional Environmental Monitoring and Assessment Program
The Regional Environmental Monitoring and Assessment Program
(REMAP) is ....[to be added]
5.3 Assignment of Responsibilities
In order to properly manage the QM activities of
environmental monitoring programs within Region 10, all QM/QA
management responsibilities shall be assigned to the RQMP. The
Manager of the RQMP shall be under the administrative management
direction and support of the OEA Director. The RQMP shall
function independent of the programs it supports. The
organizational structure is shown in Figure 1.
A. Regional Quality Management Program Responsibilities
The RQMP, located in the Quality Assurance and Data Unit
(QADU) of the Office of Environmental Assessment, has the
responsibility for managing the Region 10 QM Program. The RQMP
Manager shall serve as the Unit chief of the QADU and as the
Regional QM Program Manager (RQPM). The following list
enumerates the responsibilities of the RQMPM or their designated
staff:
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 19 of 47
1. The official Regional contact for all QM matters in the
Region.
2. Respond to QM/QA needs, resolve problems, and answer
requests for guidance or assistance.
3. Assist in the development of Regional QA Project Plans with
Regional Project Managers, managers and others.
4. Review and concur on the approve/disapprove all Regional QA
Project Plans required by EPA Order 5360.1. Review
implementation of selected QA plans and adequacy of the data
generated from a quality perspective.
5. Assure that Agency and Regional QM Program requirements are
integrated into all Regional contracts, Interagency
Agreements, grants, and the overall State/EPA Agreement
process and grants.
6. Assist States in the development and implementation of QM/QA
Program and Project Plans (see below).
7. Coordinate and/or conduct System and Performance audits of
selected environmental monitoring programs.
8. Submit annual QM Status Report and Work Plan to Regional
Management and QAMS.
9. Participate in QAMS review of Region 10 QM Programs.
10. Provide training on QM/QA policies and procedures.
An important part of the QM program in Region 10 has been
the excellent interaction of the Region with State and local
agency personnel. Each State's environmental agency has
developed an approved QA Program Plan, and appointed a QA Officer
to interact with the RQMP. The Region and states will work to
ensure that all environmental data generated and processed by the
states, for agency use, shall be of known and documented quality.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 20 of 47
Figure 1. Organizational Structure of EPA Region 10 QMP.
Note:
Administrative Management responsibilities are represented by a solid lines Interactions between
Regional Programs are represented by dashed lines. PM/PO: Project Managers/Project Officers; TS:
Technical Specialists.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 21 of 47
B. Technical Specialists Responsibilities
To ensure that a satisfactory level of QM/QA capability is
maintained in Region 10, the RQMP shall be able to request
technical assistance from technical specialists within the OEA or
from other Office programs when special expertise is needed.
These personnel have expertise in specific areas such as: air,
water, drinking water laboratory certification, compliance
monitoring, field operations, chemistry, microbiology, biology,
and data processing. After being requested, through appropriate
management, the specialists shall function as part of the RQMP.
The specific duties which shall be assigned to the OEA
Technical Specialists are as follows:
1. Assist the RQMP with technical aspects of QA as related to
their expertise in air, water, toxic substances, hazardous
waste, chemistry, biology, microbiology, field operations
and data operations.
2. Identify QA needs, resolve problems, and answer requests for
guidance or assistance in their area of expertise.
3. Conduct and/or participate in on-site field and laboratory
system audits; performance audits; and assist Office of
Regional Counsel in conducting audits and evaluations.
4. Conduct compliance monitoring inspections.
5. Carry out Region 10 requirements for the Drinking Water
Laboratory Certification Program.
6. Conduct system and performance evaluations of all special
studies and SLAMS/NAMS monitoring networks.
7. Inform RQMP of the need for new or improved methods.
8. Participate in technical assistance and training of
State/Local, and private laboratory personnel in EPA
methods, instrumental, and QA requirements.
9. Review subordinate's and associates' data for QA before
transmittal to the submitter and data system.
10. Interact with other Agency programs on technical problems
particularly as related to QM, QA, methods, instrumentation,
and new programs.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 22 of 47
C. Regional Program Managers Responsibilities
Regional Program Managers are responsible for ensuring that
their internal and external monitoring projects are in accordance
with Agency QM policy.
Some of the key responsibilities of Regional Program
Managers are:
1. Establish planning policies to ensure that QM/QA matters are
reflected in monitoring budgets, program plans, grants,
contracts, Interagency Agreements and operating plans.
2. Participate in the development of data quality objectives
for monitoring activities.
3. Review and evaluate internal/external monitoring QA
implementation and progress.
4. Review and evaluate the quality of data generated by
monitoring projects.
5. Take corrective action that may be required by audit
findings. Corrective action shall be handled at the lowest
management level possible. This often should be at the
Project Manager's level but if additional resources are
needed then the Program Manager should be involved.
6. Spot check Project Manager's QA activities.
7. Report quality problems to the RQMP.
8. Ensuring all staff are aware of the requirements of this
policy.
9. Ensuring staff comply with this policy and EPA Order 5360.1.
10. Requesting appropriate training for staff to comply with
this policy.
D. Regional Project Managers Responsibilities
Regional Project Managers (RPMs) who are responsible for
specific monitoring projects, shall be held accountable for the
management of the project and its ultimate data products.
Therefore, Project Managers have the principal responsibility for
ensuring that project data quality objectives are met. Some of
the key responsibilities of Project Managers are:
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 23 of 47
1. Coordinate the preparation of a QA Project Plan for
applicable environmental data generation activities and
ensure that the QA Project Plan has received an appropriate
technical review. Provide the final approval of the QA
Project Plan prior to the commencement of data collection.
Final approval authority of QA Project Plans resides with
the Regional Project Manager. This review will include a
review and recommendation on approval or disapproval from
the RQMP.
2. Prepare data quality objectives, specifications, and
acceptance criteria for the project.
3. Review/evaluate data quality generated from projects.
4. Participate in conducting QA system/performance audits of
projects.
5. Approve external (contractor or grantee prepared) QA
Program/project plans and submit for RQMP
review/concurrence.
6. Review/evaluate data quality generated from external
projects.
7. Coordinate project oversight through the use of QA
system/performance audits of project QA activities.
8. Take corrective action that may be required by audit
findings.
9. Report QM/QA problems to the RQMP.
5.4 Records Management of OM/OA Documents
Official file copies of approved QM/QA Program Plans,
Project Plans, SOPs and applicable Program or Project Specific
QM/QA documents related to all environmental monitoring programs
within Region 10 shall be maintained by the Regional Program
Offices. The establishment and routine use of filing system and
security procedures are the resposibility of the Regional Program
Offices. Applicable QM/QA guidance, requirements documents and
agency orders pertaining to QM/QA activities will be maintained
and distributed by the RQMP. The RQMP (through the Customer
Service Office or CSO) also tracks and maintains documents
related to the status of environmental data collection projects
that are scheduled through the CSO. In addition, the RQMP
maintains Regional copies of technical Statements of Work, Users
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 24 of 47
Guides and Validation Procedures relevant to Superfunds Contract
Laboratory Program (CLP) through the CLP techical project officer
(TPO).
5.5 Computer Hardware and Software
The Region 10 Senior Information Resources Management
Official SIRMO), located within the Office of Management, is
responsible for managing the hardware, software, and
communications components for the Region in accordance with
Agency hardware and software standards. In conjunction with this
effort, the SIRMO has developed and adopted the following
guidance and policies for Region 10 (attached as Appendix G).
• Region 10 Security Policy
• Region 10 Electronic File Management Guidance
• Guidelines and Protocol for sending, receiving and using
Electronic Information
5 . 6 Communication/Reportincr/Work Plan
The purpose of communications is to ensure that staff
personnel in different monitoring programs can effectively
develop and implement programs; perform activities; and resolve
problems. One responsibility, of the QM Program, is to
facilitate communications through the establishment of guidance
documents and the issuance of procedures. QAMS shall be
considered, by the Region, as the Agency's environmental
monitoring QM/QA clearinghouse. As such, all QM/QA items of
interest or need to the Region, shall be provided by QAMS to the
RQMP. Regional needs shall be forwarded, by the RQMP, to QAMS
for review and action. The RQMP shall exchange QM/QA information
with the QM Managers of: NERL's, EPA Laboratories, and Head-
quarters' Program Offices.
The RQMP shall exchange information with Regional Program
Managers, Regional Project Managers, OEA Technical Specialists,
and State QA Officers. The State QA Officers shall communicate
with appropriate state environmental monitoring personnel, local
Agencies' QA Officers, and industrial QA Officers.
By October 1 of each year, the RQMP shall submit a QM Status
Report and Work/Audit plan to Regional Management and to the
Director of QAMS. This report shall reflect the implementation
status of the Region 10 QM Program. The Work Plan shall describe
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 25 of 47
all planned QM activities for the fiscal year beginning in
October. The Audit Plan shall describe specific audits and audit
responsibilities.
The QM Report/Work Plan shall contain at least the following
types of information:
1. Implementation Status of Regional QM Program.
2. Revisions to Regional QM Program Plan.
3. Significant QM/QA related needs; i.e., new policies, changes
to existing policies, guidance documents, audit protocols,
etc.
4. Data Quality Objectives.
5. Status of QA Program/Projects and Standard Operating
Procedures.
6. Audits
7. Resources
8. Training
In addition to the regular communication/reporting
activities described above, the RQMP shall participate in QAMS QM
Annual Management/Technical meetings.
5.7 QM Program Operation/Review
Effective management of a data collection program requires
periodic assessment of the quality of data being obtained to
establish a basis for corrective action, which may be needed. To
ensure that this assessment occurs, all environmental monitoring
planned or conducted within the Region shall have an associated
QA Project Plan, as required by EPA Order 5360.1. The QAPjP must
be approved prior to the start of data collection and/or before
laboratory arrangements are finalized. The RQMP can assist the
programs in the review of the QAPjPs and provide a recommendation
on the approval/disapproval of the plans(Figure 2).
Specifically, the QA Project Plan shall ensure that:
1. The level of needed data quality should be determined and
stated before the data collection effort begins.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 26 of 47
2. All environmental data generated and processed shall be of
the quality and integrity established by each QA Project
Plan.
Oversight of the data generation activities in Region 10
shall be tailored to the nature of the activity and the
associated management and administrative system. Within the
Region, QA operations and overview fall into three categories: 1)
internal (data generation programs designed and operated by
Regional EPA staff); 2) grants and cooperative agreements (data
generation under program grants, etc.); and 3) contracts and
interagency and other formal agreements (special contract
studies, USGS, NOAA work, etc.). A brief description of QA
operations and review procedures in each of these categories
follows:
A. Internal OA Operation (item 1)
Program Managers/Project Managers shall be responsible for
preparing, review and approval of QA Project plans prior to data
collection. The RQMP will be available to assist in the
development of QA Project Plans and shall review and provide a
recommendation of their approval/disapproval. The RQMP shall
review and evaluate the implementation of selected plans during
the operational phase of the monitoring activity. Within
resource constraints, selection of projects will depend on the
following criteria: projects supporting litigation, high
visibility projects, and requests from Project Managers. Upon
completion of the monitoring activity, the Program
Manager/Project Manager, etc. shall assess the actual performance
of the planned activities and subsequent results. The final
project report shall contain the results of this assessment.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 27 of 47
Figure 2. QA Program/Project Plan Preparation, Approval, and Overview.
(Approval and Overview occurs in the reverse direction indicated for QAPP
submission.)
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 28 of 47
B. OM Operations for Contracts and Interagency and Formalized
Agreements (items 2 and 3)
The originating Program Office shall notify the RQMP of all
contracts and interagency/formalized agreements during the
planning phase. The RQMP shall ensure that all requests for
proposals shall contain an acceptable description of the QA
requirements prior to advertisement. The Program Office shall
ensure that QA Program/Project Plans are acceptable prior to
awarding of the contract or interagency/formalized agreement. QA
Program/Project Plans shall be reviewed and approved by the OM
Program Manager/Project Manager. The RQMP shall provide
assistance in the review of QA Project Plans and provide
recommendations on their approval/disapproval. The Program
Manager/Project Manager shall review and evaluate the use of
these Plans. Upon completion of the monitoring activities, the
Program Manager/Project Manager shall assess the actual
performance of the planned activity and subsequent results.
The RQMP Manager must review the QA component of all
regional contracts, IAGs, SEAs, that involve environmental data
collection activities and concur on their approval.
5.8 Program Evaluation
Audits are the principal means in Region 10"s QM Program to
determine compliance with established QA Program/Project Plans.
Different types of audits are used to verify that measurement
systems are operating properly; to assess whether data quality
information is adequately documented; and to evaluate the
management of QA programs. The RQMP has the primary
responsibility for conducting audits, and has the authority to
delegate certain audit functions to various Technical Specialists
within OEA.
The Agency's QM Program requires that an adequate level of
auditing be performed in all EPA programs involving the
collection of environmental data. Toward this end, Region 10
shall prepare and submit, along with the annual Report, a
Regional Audit Program Plan. This Audit plan shall describe the
scope, schedule, and types of audits to be conducted in Region 10
during the fiscal year. The choice and type of audit shall be
based on applicable regulations, program guidance, emergency
requirements, and resource constraints.
Four specific types of audits will be used at appropriate
times by Region 10 to determine the status of measurement
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 29 of 47
systems; the adequacy of the data collection systems; the
completeness of documentation of data collection activities; and
the abilities of program management to meet mandated data
collection and data quality objectives. These four audit types
are respectively: performance audits, technical system audits,
data quality system audits, and management system audits.
Each type of audit is described below:
1. Performance Audits: Qualitative audits in which data are
independently obtained for comparison with routinely
obtained data in a measurement system.
2. Technical System Audits: Qualitative audits that shall
include, on-site evaluation of the QA system and physical
facilities for sampling and analysis.
3. Data System Audits: Quantitative audits in which measurement
data are reviewed and evaluated following collection, to
determine conformance to data quality objectives and data
reduction methods.
4. Management System Audits: Qualitative audits to assess the
ability of monitoring program managers to implement and
conduct an effective QM/QA program.
A description of specific audits and audit responsibilities
shall be presented in the Region 10 QM Audit Program Plan. Audit
procedures are described in Appendix E. Without exception, all
audits shall be conducted by senior EPA technical specialists;
who are familiar with the technical and procedural requirements
of field and laboratory operations and applicable sampling QA
Project Plans. Non-EPA specialists shall not be used to lead
audits.
The results of system and performance audits shall be
documented by the auditor(s) for presenting a visual picture of
the performance of the program, to see if the minimum
requirements of the Agency's QM program are being met. If not,
deviations will be identified and recommendations made for
corrective action. If corrections are not made, recommendations
will be made to the appropriate program manager for action (i.e.,
withholding grants or contract funds, etc.).
5.9 Resources
Through workload models, Headquarters recommends funding
levels for QM activities in each of the monitoring programs. The
OEA Director, the RQMP, and the individual program managers
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 30 of 47
jointly determine the level of resources that need to be
allocated to the OEA, to ensure program compliance with QM
objectives. Region 10 Program Managers allocate the enabling QM
resources to the OEA Director. The OEA Director, in turn,
distributes these QM resources within the OEA. Some portion is
dedicated to the continuing support of the RQMP, with the balance
distributed to the units responsible for providing technical
support to the respective programs. The amount and distribution
of QM resources, in the Region, is not static, but a dynamic
function of the changing emphases of Agency monitoring programs.
Therefore, resources allocated to the QM Program, for each fiscal
year, shall be explicitly identified in the annual QM work plan.
6.0 CONCEPTS AND CONSIDERATIONS OF QUALITY ASSURANCE PROJECT
PLANS
Environmental-related measurement activities include: all
field and laboratory investigations which generate data; and the
data processing functions which include data storage, retrieval,
and analysis. QA Project Plans shall be developed and
implemented for all environmental monitoring activities, so that
all data generated and processed shall be of acceptable and
documented quality.
6.1 Quality Assurance Project Plan Contents
The QA Project Plan (QAPjP) documents the data quality
objectives (DQOs) (acceptance criteria) for a project; identifies
the critical measurements to be performed; and discusses the QA
activities to be conducted during the sampling, analytical, and
validation phases of the project. All QA Project Plans shall
adhere to QAMS-005/80 (Appendix B); Region 10"s Program-Specific
QA Project Plan Guidance Manuals (Appendix C); Headquarters' QA
Project Plan Guidance Documents (Appendix D); and/or Laboratory
QA Plan Guidance (Appendix F). Region 10"s QA Manuals are
designed to provide explicit guidance for the development of
comprehensive Program Specific QA Project Plans. These manuals
will aid Program Managers/Project Managers by advising them of
quantitative limits of data quality associated with available
methodologies. This shall not relieve them of the sometimes
difficult task of establishing individual project DQOs. These
guidances and the RQMP will assist them, by informing them of
data quality limits achievable through the various methodologies.
The QA Project Plan shall contain the following types of
information:
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 31 of 47
1. Title Page, with provision for approval signatures
2. Table of Contents (more than 5 pages)
3. Project Description
4. Project Organization and Responsibilities
5. Objectives for Measurement Data
6. Sampling Procedures
7. Sample Custody and Documentation
8. Calibration Procedures and Frequency; and Preventive
Maintenance
9. Analytical Procedures
10. Data Reduction, Validation, and Reporting
11. Internal Quality Control Checks
12. Performance and System Audits
13. Specific Routine Procedures Used to Assess Data Precision,
Accuracy, Completeness, Representativeness, and
Comparability.
14. Corrective Action
15. Quality Assurance Reports to Management
16. Safety (if applicable)
Region 10 QM policy requires that all Regional monitoring
projects must have an approved QA Project Plan prior to data
collection and/or before the scheduling of laboratory space. The
RQMP shall review all QA Project Plans and concur on approval of
final plans. Upon request, the OEA Technical Specialists shall
peer review all QA Project Plans within their area of expertise.
The QAMS and Headquarters1 programs are expected to provide
guidance and assistance to the RQMP on the preparation of project
plans; either through written documentation, workshops, or on an
individual consultation basis.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 32 of 47
6.2 Data Quality Objectives
Data Quality Objectives (DQOs) are comprised of qualitative
and quantitative statements developed to ensure that data of
known and appropriate quality are obtained, to support specific
decisions or regulatory actions. Over the years, EPA has refined
the primary tool used to derive project specifc DQOs. This is
known as the DQO Process. The RQMP encourages the use of the DQO
process through EPAs guidance documents: Guidance for the Data
Quality Objectives Process (Interim Final), EPA QA/G-4, July 1994
and Data Quality Objectives Process for Superfund (Interim Final
Guidance), EPA 540-R-93-071, September 1993. In short, the DQO
process is comprised of the following steps:
• Clarify the study objective
• Define the most appropriate type of data to collect
• Determine the most appropriate conditions from which to
collect the data
• Specify tolerable limits on decision error (determining an
acceptable level of both false positive and false negative
error rates for sample design, collection and analysis)
which will be used as the basis for establishing the
quantity and quality of data needed to support the decision.
Because the DQO process requires an up-front planning with
the project decision makers and stakeholders (e.g., data users,
field and laboratory personnel, risk assessors, hydrogeologists,
QA specialists, modeling experts, etc..) the OEA has developed an
organizationally based project planning process designed to
compliment the DQO process for internal Regional use. This
document (attached in Appendix G) outlines the: 1) team approach
to project planning, 2) roles and responsibilities of team
members, 3) the use of scoping meetings, 4) development and
implementation of Work Plans and QA Plans, and 5) communication
processes between team members and decision makers.
6.3 Laboratory Quality Assurance Plan Contents
The Laboratory QA Plan shall contain the following types of
information:
1. Title Page
2. Table of Contents
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 33 of 47
3. Quality Assurance Policy Statement
4. Corporate Ethics Policy on Waste, Fraud, and Abuse
5. Quality Assurance Management
6. Administrative Organization
7. Personnel Qualifications
8. Facility Description and Capital Equipment
9. Preventive Maintenance
10. Corrective Action
11. Laboratory Evaluation and Audits
12. Quality Assurance Reports to Management
13. Lab Documentation and Forms
14. Sub-Contracting of Services
15. Standard Operating Procedures
16. Laboratory Personnel Training Record
It is highly recommended that a copy of the Laboratory QA
Plan be obtained and reviewed, to determine laboratory
capabilities and QC procedures, prior to the awarding or
arrangement of any laboratory services. The RQMP can provide
assistance in reviewing Laboratory QA Plans.
6.4 Standard Operating Procedures
Standard Operating Procedures (SOPS) are documented methods
for performing certain routine or repetitive tasks. These tasks
frequently involve such operations as sampling, sample tracking,
analysis, instrument or method calibrations, preventive and
corrective maintenance, internal quality control, and data
reduction and analysis. The SOPs shall be prepared in document
control format by the user, as required, and shall be maintained
on permanent file by the SOP user and the RQMP. The following
are considerations involved in the development and utilization of
Standard Operating Procedures.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 34 of 47
Standard Operating Procedures Objectives
Adequate to establish traceability to standards,
instrumentation, samples, and environmental data.
Simple, so a user with basic education, experience, and/or
training can properly use them.
Complete enough so the user/reader can follow the directions
in a step-wise manner through the sampling, analysis, and
data-handling processes.
Consistent with sound scientific/engineering principles.
Consistent with current EPA regulations and guidelines.
Consistent with the instrument manufacturers' specific
instruction manuals.
Benefits of Standard Operating Procedures
Record the performance of all tasks and their results.
Explain the cause for missing data.
Demonstrate the validation of data each time they are
recorded, calculated, or transcribed.
Items to be Addressed in Standard Operating Procedures
General network design.
Specific sampling-site selection.
Sampling and analytical methodology.
Probes, collection devices, storage containers, and sample
additives, such as preservatives.
Special precautions, such as holding times and protection
from heat, light, reactivity, and combustibility.
Federal reference, equivalent, and alternate test
procedures.
Instrumentation selection and use.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 35 of 47
8. Calibration and standardization.
9. Preventive and remedial maintenance.
10. Duplicate, spiked, blank samples and analysis.
11. Quality control procedures such as inter-, and intra-field
laboratory activities.
12. Documentation, sample custody, transportation, and handling
procedures.
13. Safety.
14. Data handling and assessment procedures.
15. Precision, accuracy, completeness, representativeness, and
comparability.
16. Service contracts.
17. Document control.
All environmental monitoring shall meet established EPA
regulations and guidelines and Region 10 SOPs. Deviations shall
be justified and documented. The degree of adherence to the
approved SOPs shall be determined during the systems audits.
SOPs shall be revised by the user and approved by the user's
supervisor. As appropriate, these SOPs may be reviewed by the
RQMP.
Agency contractors shall be responsible for developing
appropriate SOPs for repetitive work they perform for the Agency.
Agency contractors shall be responsible for the quality of their
work when using their SOPs. These SOPs, if appropriately
written can be used to supplement a QA Plan, but SOPs cannot be
used in lieu of an approved QA Plan.
6.5 Data Processing and Verification
Data processing includes collection, validation, storage,
transfers, and reduction. Precautions shall be taken each time
the data are reduced, recorded, calculated, and transcribed to
prevent the introduction of errors and the loss of information.
As our reliance on computers increases, consideration should
be given to the transmittal and storage of data in an electronic
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 36 of 47
(digital) format. Most data systems and users have specific
electronic data format requirements. Because of this
variability, electronic transmittal and storage of dat will have
to be addressed on a project or program specific basis, which is
beyond the scope of this document.
The data processing requirements are detailed as follows:
A. Collection - Each QA Project Plan shall address the checks
which must be used to avoid errors in the data collection
process.
B. Validation - Data validation is defined as, "the process by
which data are accepted or rejected based on a set of
criteria." Since this aspect of QA may include various
forms of manual or computerized checks, criteria for data
validation shall be specified in each QA Project Plan.
C. Storage - Each QA Project Plan shall indicate how specific
types of data will be stored.
D. Transfers - Each QA Project Plan shall describe procedures
which will be used to ensure that data transfers are
error-free, and that no information is lost in the transfer.
Data transfer steps contained in each QA Project Plan shall
be kept to a minimum.
E. Reduction - Each QA Project Plan shall contain procedures
for ensuring the correctness of data reduction processes.
Data reduction includes, all processes which change either
the form of expression or quantity of data items. It is
distinct from data transfer in that it entails a reduction
in the size (or dimensionality) of the data set. The QA
Project Plan must identify the processes used to obtain the
reduced data set.
Each QA Project Plan shall describe procedures for verifying
the accuracy of the data reduction process.
6.6 Data Quality Assessment
The quality of all environmental data generated and
processed shall be assessed for: accuracy, precision,
completeness, comparability and representativeness, based upon
the QA Project Plans. The data assessment requirements are
detailed as follows:
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 37 of 47
A. Accuracy
Each QA Project Plan shall contain a mechanism which will
demonstrate that the reported data are favorably comparable to
the true value(s). Examples of activities to assess accuracy
are:
1. Traceability of Instrumentation - Each measurement device
shall be assigned a unique identification number.
Documentation shall identify the specific measurement
device; where and when used; maintenance performed; and the
equipment and standards used for calibration.
2. Traceability of Standards - Each standard and each
measurement device shall be compared against a standard of
known and higher accuracy (where possible). All calibration
standards shall be traceable to available National Institute
of Standards and Technology (NIST). If NIST standards are
not available, other documented primary standards shall be
used.
3. Traceability of Samples - Each sample shall be assigned a
unique identification number (laboratory No.).
Documentation should identify sampling time, place, samplers
name and action taken on each sample.
4. Traceability of Data - Data shall be documented to allow
complete reconstruction, from initial field records through
data storage system retrieval.
5. Methodology - If available, Federal reference, equivalent,
or approved alternate test methods of known accuracy shall
be used. For very critical work, it is recommended, in
Region 10 at least, that two independent analytical methods
be used to check for accuracy.
6. Reference or Spiked Samples - Recoveries shall be within
predetermined acceptance limits.
7. Performance Evaluation - Each environmental monitoring
program shall continually participate in the EPA National
and Regional Performance Evaluation Programs.
B. Precision
Each QA Project Plan shall contain a mechanism which will
demonstrate the reproducibility of the measurement process.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 38 of 47
Examples of activities to assess precision are:
1. Replicate Samples - Replicate sample data shall be within
predetermined acceptance limits.
2. Collocated Samples - Sample data from collocated sampling
points or monitors shall be within predetermined acceptance
limits.
3. Inter-/Intra-Laboratory Testing - Sample data from
independent studies shall be within predetermined acceptance
limits.
4. Instrumental Checks - Each measurement device shall have
routine checks performed to demonstrate that variables are
within predetermined limits. Examples of these include:
~ Zero and span ~ Flow rate
~ Noise levels ~ Pressure rate
~ Drift ~ Linearity
C. Completeness
Each QA Project Plan shall identify the quantity of data
needed to support a planning or enforcement action. Completeness
shall take into consideration the potential for environmental
change with respect to time and timing.
D. Comparability
Each QA project plan shall contain procedures to assure the
comparability of data. Examples are:
1. Consistency of reporting units.
2. Standardized siting, sampling, and analysis.
3. Standardized data format.
E. Representativeness
Each QA Project Plan shall contain procedures to ensure that
all samples collected, are as accurate and precise as possible
and represent the media sampled.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 39 of 47
Examples of activities to assess representativeness are:
1. Site Purpose - Each sampling site shall have a preidentified
and documented purpose.
2. Site Description - Each sampling site shall be specifically-
identified by location and by suitability to meet the pre-
identif ied purpose.
3. Site Photo Documentation - Each sampling site should be
photographed from each of the four major compass directions
when possible.
4. Sampling Conditions - The conditions under which each sample
was collected shall be described. Conditions include such
items as:
~ Stream flow and homogeneity ~ Temperature
~ Wind speed and direction ~ Barometric pressure
6.7 Corrective Action
Each QA Project Plan shall include, provisions for written
requirements establishing and maintaining QM reporting or
feedback channels to the management responsible, to ensure that
early and effective corrective action can be taken when data
quality falls outside established data quality objectives
(acceptance criteria). Each QA Project Plan shall also include,
provisions to keep responsible management informed of the
performance of all data collection systems. Each QA Project Plan
shall describe the mechanism(s) to be used when corrective
actions are necessary. Corrective action shall relate to the
overall QA management scheme: who is responsible for taking
corrective actions; when are corrective actions to be taken; and
who follows-up to see that corrective actions have been taken and
that they have produced the desired results?
7.0 TRAINING
Each monitoring program manager shall ensure that all
personnel performing tasks and functions related to data quality
shall have the needed education, training, and experience. This
includes laboratory technicians, analysts, maintenance
technicians, supervisors, principal investigators, statisticians,
project managers, and Regional QM staff. Training needs shall be
identified during performance evaluations and through career
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 40 of 47
development plans. The RQMP develops and provides QM/QA guidance
manuals and identifies QM/QA training courses. Training needs
are not static, but are a dynamic function of program
requirements. Therefore, training needs shall be addressed in
the Region's Annual QM Report/Work Plan. The Report/ Work Plan
shall be submitted annually to the Director of QAMS for approval.
8.0 IMPLEMENTATION REQUIREMENTS AND SCHEDULE
Implementation of the Agency's mandatory QM Program requires
that each major milestone be identified and scheduled for
accomplishment. Major National/Regional milestones shall be
identified, scheduled, and progress reported in the Region's
Annual QM Report/Work Plan. The Report/Work Plan shall be
submitted annually to the Director of QAMS for approval.
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 41 of 47
APPENDIX A - EPA Order 5360.1 Mandatory Quality Assurance
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
APR 17 1984
Office of
The Administrator
Memorandum
SUBJECT: EPA Order 5360.1, "Policy and Program Requirements to
Implement the Quality Assurance Program"
FROM: Alvin L. Aim
Deputy Administrator
TO: Addressees
One of my major goals is to ensure that all decisions by EPA
can be supported by a sound data base. An important step toward
achieving this objective is to require that quality assurance
become an integral part of all data collection activities.
Quality assurance is the total integrated program for assuring
the reliability of environmental measurements and consists of
multiple steps undertaken to ensure that all acquired data are
suitable for the user's intended purpose. Two of the major steps
are: the user must first specify the quality of data he needs;
then the degree of quality control necessary to assure that the
resultant data satisfies his specifications must be determined.
Central to this process is assuring that the data is of known
quality. The quality of data is known when all components
associated with its derivation are thoroughly documented, such
documentation being verifiable and defensible.
In order to establish quality assurance solidly in all data
collection activities, the important step of issuing this order
on quality assurance is being taken. The implementation of the
elements in this order will require dedication and hard work by
the Quality Assurance Management and Special Studies Staff, by
quality assurance officers throughout the Agency, and by senior
management. This order identifies the goals, objectives, and
general responsibilities of each program area. To carry out the
order, specific policy and technical guidance materials need to
be prepared. I will be following that progress.
The attached order reflects my commitment to the Agency's QA
program and to the promotion of good science in all EPA
monitoring and measurement activities. Therefore, I expect that
each of you work cooperatively to ensure that the appropriate
level of quality assurance is embedded in all data collection
-------�
undertaken by or for the Agency.
-------�
EPA ORDER
5360 .1
APR 3 1984
POLICY AND PROGRAM REQUIREMENTS
TO IMPLEMENT THE MANDATORY QUALITY ASSURANCE PROGRAM
1. PURPOSE. This Order establishes policy and program
requirements for the conduct of quality assurance (QA) for
all environmentally related measurements performed by or for
this Agency.
2. BACKGROUND. Agency policy requires participation in a
centrally managed QA program by all EPA organizational units
supporting environmentally related measurements. Under
Delegation of Authority 1-41, "Mandatory Quality Assurance
Program" (dated 4/1/81), the Office of Research and
Development (ORD) is the focal point in the Agency for
quality assurance policy and is responsible for developing
QA requirements and overseeing Agencywide implementation of
the QA program. ORD established the Quality Assurance
Management and Special Studies Staff (QAMSS) to serve as the
central management authority for this program. The QAMSS
activities involve the development of policies and
procedures; coordination for and direction of the
implementation of the Agency QA program; and review,
evaluation, and audit of program activities involving
environmental monitoring and other types of data generation.
The Agency QA program embraces many functions including:
establishing QA policy and guidelines for development of
program and project operational plans; establishing criteria
and guidelines for assessing data quality; serving as a QA
information focal point; auditing to ascertain effectiveness
of QA implementation; and identifying and developing QA
training programs.
3. GOALS AND POLICY. The primary goal of the QA program is to
ensure that all environmentally related measurements
supported by the EPA produce data of known quality. The
quality of data is known when all components associated with
its derivation are thoroughly documented, such documentation
being verifiable and defensible. It shall be the policy of
all EPA organizational units to ensure that data
representing environmentally related measurements are of
known quality. Decisions by management rest on the quality
of environmental data; therefore, program managers shall be
responsible for: 1) specifying the quality of the data
-------�
EPA ORDER
5360 .1
APR 3 1984
required from environmentally related measurements and 2)
providing sufficient resources to assure that an adequate
level of QA is performed. All routine or planned projects
or tasks involving environmentally related measurements
shall be undertaken with an adequate QA project plan that
specifies data quality goals acceptable to the data user and
assigns responsibility for achieving these goals.
In discharging its responsibility for implementing the
Agency-Mandated Quality Assurance Program, the ORD/QAMSS
will strive for consensus by submitting for review proposed
policies and procedures to affected program offices and
regions. Responsibility for adjudication of unresolved
issues, with respect to the above and QAMSS conducted
audits, will be at the lowest level of authority consistent
with the scope of the issues. The QAMSS will refer issues
which remain unresolved at lower levels of authority to the
AA/ORD for decision, after consultation with the appropriate
AA or RA.
The following activities are basic to the implementation of the
QA program:
a. Preparation and annual update of a QA program plan
based on guidelines established by QAMSS.
b. Developement of a QA project plan for all projects and
tasks involving environmentally reelated meaurements in
accordance with guidelines established by QAMSS.
c. Assuring implementation of QA for all contracts and
financial assistance involving environmentally realted
measurements, as specified in applicable EPA
regualtions, including subcontracts and subagreements.
d. Conducting audits (system, performance evaluations,
data quality, bench, etc.) on a scheduled basis of
organizational units and projects involving environ-
mentally related measurements.
e. Developing and adopting technical guidelines for
estimating data quality in terms of precision
(variability), bias (accuracy), representativeness,
completeness and comparability, as appropriate, and
incorporating data quality requirements in all projects
and tasks involving environmentally related
-------�
EPA ORDER
5360 .1
APR 3 1984
(7) Serve as the Agency QA information focal point.
(8) Develop generic training program, based on
perceived needs, for all levels of management to assure
that QA responsibilities and requirements are
understood at every stage of project implementation.
(9) Ensure that all ORD investigations involving data
collection are covered by an acceptable QA plan with
resources adequate to accomplish program objectives.
(10) Ensure that deficiencies highlighted in review of
ORD program plans or in audits of ORD components are
appropriately addressed.
b. In accordance with policies and procedures established
by AA/ORD, National Program Managers shall:
(1) Ensure that QA is an identifiable activity with
associated resources adequate to accomplish program
goals in the development and execution of all projects
and tasks, both intramural and extramural, involving
environmentally related measurements.
(2) Ensure that appropriate QA criteria are included in
operating guidance.
(3) Establish data quality acceptance criteria for all
projects and tasks conducted by the program office.
(4) Ensure that an adequate degree of auditing is
performed to determine compliance with QA requirements.
(5) Ensure that deficiencies highlighted in audits are
appropriately addressed.
(6) Ensure that all projects and tasks involving
environmentally related measurements are covered by an
acceptable CA project plan and that the plan is
implemented.
(7) Identify program-specific QA training needs and
provide for the required QA training.
C. In accordance with policies and procedures established
by AA/ORD, Regional Administrators shall:
-------�
EPA ORDER
5360 .1
APR 3 1984
measurements.
f. Establishing achievable data quality limits for methods
cited in regulations based on results of methods
evaluations arising from the methods standardization
process, e.g., ASTM Standard D2777-77.
g. Implementation of corrective actions, based on audit
results, and for incorporating this process into the
management accountability system.
h. Provision for appropriate training based on perceived
needs, for all levels of QA management, to assure that
QA responsibilities and requirements are understood at
every stage of project implementation.
4. RESPONSIBILITIES.
a. In conformity with the oversight responsibility for the
mandatory QA program, the AA/ORD shall:
(1) Establish Agency policies and procedures for
implementing the mandatory QA program.
(2) Provide guidance for determining precision, bias,
representativeness, completeness, and comparability of
data.
(3) Review QA Program Plans from Agency components
involved in environmentally related measurements.
(4) Conduct QA audits of all organizational units
supporting environmentally related measurements based
on established audit criteria and procedures.
(5) Recommend corrective actions, based on audit
results, for inclusion in the management accountability
system.
(6) Establish achievable data quality limits for
methods provided by ORD for citation in regulations,
based on results of methods evaluations arising from
the methods standardization process, e.g., ASTM
Standard D2777-77, to help project officers define data
quality goals.
-------�
EPA ORDER
5360 .1
APR 3 1984
(c) Environmentally Related Measurement. Any laboratory or
field data gathering activity or investigation involving the
determination of chemical, physical, or biological factors
related to the environment.
The following are representative examples of
environmentally related measurements. Data collection or
investigation of chemical, physical, or biological factors
for determination of:
(1) pollutant concentrations from sources, in the ambient
environment, or pollutant transport and fate;
(2) response of organisms to pollutants;
(3) the effects of pollutants on human health and on the
environment;
(4) risk/benefit analysis;
(5) environmental or economic impact.
(6) the environmental impact of cultural and natural
processes;
(7) pollutant levels, exposure levels, etc., used in
modeling.
(d) Organizational Unit. Any administrative entity
(national program office, regional office, ORD or NEIC
laboratory) which engages in environmentally related
measurements.
(e) Proiect. An organized undertaking or specified unit of
investigation involving environmentally related
measurements.
(f) Quality Assurance. The total integrated program for
assuring the reliability of semitoring and measurement data.
(g) Verifiable. The ability to prove or substantiate any
claim or result related to the documented record.
6. ADDITIONAL REFERENCE. This Order will be amplified by a
detailed implemetation plan.
-------�
EPA ORDER
5360 .1
APR 3 1984
Howard M. Messner
Assistant Administrator
Office of Administration and
Resources Management
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 42 of 47
APPENDIX B - Interim Guidelines and Specifications for
Preparing Quality Assurance Project Plans
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 43 of 47
APPENDIX C - Regional Program-Specific Quality Assurance
Project Plan Guidance Manuals
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 44 of 47
APPENDIX D - Headquarters Program-Specific Quality Assurance
Project Plan Guidance Documents
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 45 of 47
APPENDIX E - National/Regional Audit Procedures
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 46 of 47
APPENDIX F - Laboratory Quality Assurance Plan Guidance
Documents
-------�
Region 10 QMP Plan
Revision No. 2C
Date: 09-26-96
Page: 47 of 47
APPENDIX G - Related Regional Program-Specific Documents
-------�
PROJECT PLANNING - A PROCESS
BACKGROUND
The Office of Environmental Assessment (OEA) has a powerful array of technical experts
in the areas of quality assurance, laboratory analysis, ecological and health risk assessments, field
monitoring, modeling, facility inspections, engineering data management, GIS applications,
economics and data interpretation.
The OEA Management Team recently conducted a review of OEA's organization
effectiveness in an effort to identify impediments to the overall effectiveness of the office. These
included: 1) the need f or a strategic - planning process; 2) early and continued involvement of
key technical and management personnel in project planning; 3) confusion over roles and
responsibilities and 4) lack of a clear decision-making process.
The balance of this document addresses the project planning issue and roles and
responsibilities associated with project planning. While strategic planning will be addressed in a
separate document, it should be noted that an effective strategic planning process will play an
important role in addressing project planning issues. Attached is a simplified flow diagram
depicting a potential project planning process.
PROJECT PLANNING
Team Approach - The new regional organization disperses responsibility for the Region's
programs across several offices, many without a single, media focus. Successful project
managers will assemble teams of relevant expertise from all affected off ices. Team members may
be more or less active at various stages of the project but should remain informed and involved.
The team approach is characterized by frequent communications between team members and
frequent meetings of the team and any designated subsets. In addition to insuring that the project
remains focussed, frequent interaction between team members insures that roles and
responsibilities remain clear.
Decision-making - Historically, one of the major conflicts between ESD (and to a lesser degree
ORC) and some program offices centered on the way and degree science and legal input was used
by the program in the project planning and decision making processes. That the program should
make programmatic decisions has never been in dispute, only the process by which the relevant
factors, specifically science and legal considerations, have been factored into the project planning
and decision making process. The team approach will go a long way toward involving relevant
expertise and defining issues and options. However, successful project planning will also require
a clear decision-making process with a recognized mechanism for resolving disputes.
ROLES AND RESPONSIBILITIES
1
-------�
Successful teams are those which function in a setting characterized by honesty, respect
and candor. Everyone's views are encouraged, solicited, and honored. The only agenda pursued
by team members is the project. Above all, the successful team communicates often and well.
Roles by Function
Team Leader - The team leader has a major leadership role in the conduct of the business of the
team. The team leader would most often be the program representative initiating the project.
This person would be responsible for initially deciding the general composition of the team and
calling the first meeting. The team leader would evaluate team exchanges to insure that team
rules were followed. This individual also has particular responsibility for keeping team members
well informed throughout the life of the project.
Team Members - Each team member has the responsibility to insure that team rules are
followed. They have the obligation to participate and be interested throughout the life of the
project. Team members must understand how their work fits into the overall project and be
committed to its success. They must avoid programmatic or discipline parochialism and work for
the result that best protects the public interest.
Roles by Discipline
Program Representative(s) - Program representatives will bring to the team the program
requirements for the project. These will be extremely important since the project will have often
been initiated by the program to accomplish a program goal. The program representatives will
help the team understand the scope and objectives of the project and any potentially confounding
implications such as resources, politics, policy, or public concern.
Science Representative(s) - Science representatives may come from several different
organizations depending on the needed discipline. The scientists' responsibility is to provide
objective and relevant scientific input into all phases of the project planning and execution
processes. The scientists will be expected to take a primary role in determining data needs,
evaluating data quality and assist the team in understanding the application of the data to the
project parameters.
Legal Representative(s) - Attorney support may be necessary to insure that any action
consequent to the project is legally defensible. The legal representative should be an active
participant in project deliberations since intimate knowledge of the project might result in an
innovative legal interpretation that yields better project decisions.
Role of the Contractor The availability of contractors provides options in assigning work, an
especially attractive option given the lack of growth in the federal work force. Irrespective of
their use, the team must rely heavily on relevant EPA staff to insure appropriate oversight of
contractor work. The level of oversight required will he decided on many factors, such as
2
-------�
contractor experience, chances of litigation, and resource limitations. In many cases, contractors
prepare work plans and QA project plans.
PROJECT PLANNING FOR EFFECTIVE DECISION-MAKING
What follows is an outline of a potential project planning process.
• Scoping Meeting - The scoping meeting is a critical step in the project, planning process.
Once the project officer concludes a project approach is appropriate and that the resource
investment will be consistent with Regional priorities, a scoping meeting is called. The
project officer must be well prepared for this meeting. He/she must insure that the right
people are present and clearly define the scope and objectives of the project. The
discussion should clarify the objectives where there is some uncertainty or where the
expertise represented at the meeting describes a better objective or a more appropriate
scope. The participants may suggest including additional expertise in the meeting to better
accomplish project goals.
• Work Plan— The work plan is prepared which describes the work to be done, the
schedule for its accomplishment and who is responsible for the various elements. For
some projects, a Statement of Work (SOW) is prepared for work the contractor is
expected to perform. In both cases, while the author might be the team leader, the team
should be involved in the definition of the major elements of the document. Differences of
opinion regarding the data needs for the project must be resolved before finalizing the
work/QA plan. The project sponsor (probably the team leader) requesting the project will
make a decision on data needs where consensus cannot be reached. Their decision can be
appealed to the decision maker if the person disagreeing with the decision feels the project
would be compromised.
• Work/QA Plan Implementation - When the work/QA plan is endorsed by the team and
finalized, the various processes by which work is accomplished must be activated.
Naturally, the earlier a work process is accessed, the more responsive it can be. For
projects profiting from the science/technical expertise OEA has to offer, for-example, the
work would be requested through OEA's project/tracking system. This system keys off
the Work/QA plan but reduces the project focus to OEA scale providing a detailing of the
scientific/technical expertise required, a sense of the scope of work expected of OEA, its
relative priority, and deadlines. The same tracking system would pertain whether OEA
was doing the work or reviewing the work of the programs and/or contractors.
• Decision - making - When the relevant information has been collected, the team would
meet to discuss the project in the context of the Regional priority that defined the projects
need. At this point, any differences of opinion between team members would be explored
in detail and hopefully resolved by consensus. The team leader would then forward the
3
-------�
team's recommendation to the decision-maker. If consensus cannot be reached, the team
leader would forward a recommendation to the decision-maker with a accurate
representation of any substantive disagreements. The decision-maker would evaluate the
recommendation and any outstanding disagreements. The decision-maker may wish to
call a meeting of the team to discuss the recommendation and any outstanding issues. In
any case, if a member of the team disagrees with the recommendation, they can meet with
the decision-maker to discuss their disagreement before the final decision is made. Once
the final decision is made the team is notified of the decision and its basis.
• Communication - Good communication is the responsibility of all team members. If any
team member feels that responsibilities and expectations are-not defined well enough,
he/she should address that issue first with the team leader and/or the entire team.
Similarly, if the basis for a decision is not communicated clearly to any team member, that
individual should take the initiative to seek out the team leader and/or decision-maker, if
needed.
CONCLUSION
The Region is blessed with a remarkable array of talent. Too often, this powerful
capability is neutralized by our failure to apply it effectively. A process that effectively mobilizes
the right people and engages them in an honest and considerate fashion will substantially improve
the quality of many of the Region's more difficult decisions.
4
-------�
-------�
REGION 10 COMPUTER SECURITY POLICY
TABLE OF CONTENTS
I. Overview: Importance of Computer Security 1
II. Physical and Environmental Controls 1
III. Software Copyrights/Licenses and Master Copies 2
IV. Unauthorized use of Computers 3
V. Non-EPA Software Product Controls 3
VI. Computer Viruses 4
VII. Magnetic Media (Information Storage) Controls 5
VIII. Disk Organization and File Storage Conventions 5
IX. Backups/Disaster Recovery 6
X. Sensitive Data Controls/Password Protection 6
XI. Information Systems Documentation Requirements 7
XII. Region 10 Computer Monitoring Procedures 8
APPENDICES
APPENDIX A: REGION 10 INFORMATION MANAGEMENT CONTACTS
APPENDIX B: DISK STORAGE AND HARD DISK/FLOPPY DISKETTE
BACKUP OPTIONS
APPENDIX C: QUICK REFERENCE SHEET
-------�
I. Overview: Importance of Computer Security
Region 10 has made a significant investment in the information we
store on our personal computers, local area networks (LANs) and
the mainframe computer in the National Computer Center (NCC),
Research Triangle Park, North Carolina. We have spent millions
of dollars on our computer hardware in order to establish the
computing environment which exists today and which we have grown
to depend upon to perform our jobs. The responsibility to
protect these investments rests with the users of the computers.
This policy document has been prepared to:
a) Describe both regional and national security measures
that need to be taken to ensure the basic physical
protection of personal computers (PCs), LAN workstations,
mainframe terminals, and the magnetic media upon which all
of our valuable information is stored, and
b) Set forth administrative procedures governing the use
of our computers and software.
The "EPA Information Security" and "EPA Information Security for
Personal Computers" manuals give more detailed information about
Agency-wide policy on computer security. Section 2.3 in both
manuals specifically addresses implementation of minimal controls
for information security; specifically, information sensitivity
determination and risk analysis requirements are discussed.
All security policies and procedures established by this document
also apply to work carried out at home or while in travel status.
If you wish to examine a copy of these manuals, please contact
the Chief, Information Technology Section at X2988.
II. Physical and Environmental Controls
The following controls for PCs, LAN workstations and mainframe
terminals are required to prevent theft and physical damage:
Locate PCs away from heavily travelled and easily
accessible areas to the extent possible, on stable
desk tops.
PCs and LAN workstations should not be plugged directly into
the wall; surge protection devices have been provided to
protect our computers against surges in current. It is
mandatory that these devices are used. If a PC is missing a
surge protector, contact the PC Hotline immediately. A new
unit will be supplied from stock.
Physical configuration of equipment must not be modified by
the user. The PC Hotline should be requested to make any
required moves of equipment. Requests should be directed by
WPO message to PCHOTLINE or alternatively by phone to X1201.
The Information Management Branch (1MB) also tracks all
1
-------�
changes in the Region 10 computer inventory system which
contains up-to-date information about each PC and LAN
workstation configuration owned by the region. It is
essential that this information be kept current at all
times.
Computer equipment should not be installed in direct
sunlight or in locations with extreme temperatures
(less than 50 degrees Fahrenheit or greater than 100 degrees
Fahrenheit).
Computer equipment and magnetic storage media are sensitive
to contamination from dirt, smoke, or magnetic fields. Do
not eat or drink in the immediate vicinity of the computer.
Portable PCs require additional security considerations
because they are more vulnerable to theft. Portables should
be stored in locked cabinets when not in use. The person
named on the Sensitive Item Registration card is responsible
for the portable computer and must keep a log to track loans
of these units by the person who signed the registration
card.
Manuals are to be labeled with the user's PC Configuration
number and kept near the PC to facilitate reference.
The following additional security control will be extended to the
LAN servers and other equipment located in the computer room.
Access to the computer room will be strictly controlled. The
door to the computer room is to remain locked at all times.
Only those persons whose names appear on the authorized
access list are to be permitted unaccompanied access. Repair
persons, people from headquarters, etc. are to be logged in
and out. The log entry must specifically identify the reason
for the visit.
III. Software Copyrights/Licenses and Master Copies
Most personal computers with hard disks in Region 10 have
Lotus 1-2-3, dBase and WordPerfect installed as the standard
agency software. LAN and mainframe computers also have
standard agency software installed. In addition, EPA has
purchased copies of software on a case-by-case basis to
perform specific functions such as project tracking and
graphics.
When we buy software, we are purchasing a license agreement
with the manufacturer whereby we are prohibited from
duplicating either the software or documentation. In
general, there are two types of software licenses:
single-machine and site. A single- machine license allows
the user to install the master copy of the software on
his/her PC only. With a site license, the software may be
installed on more than one PC or a LAN file server,
typically for a higher fee. Copying single-machine
software, therefore, for use on another computer is a
violation of the license agreement. Making copies of
software for personal use not only violates copyright laws,
but is a theft of government property. Using unauthorized
copies of software on EPA computers is also illegal, even if
such copies are obtained from sources outside EPA. Willful
violations of U.S. copyright law may result in potential for
personal liability.
2
-------�
EPA purchased software shall be used exclusively on EPA
owned computers (except when permitted by the licensing
agreement, eg. WordPerfect). EPA software should not be
installed on PCs owned by contractors without written
approval of 1MB.
All master copies of software purchased by EPA (including
purchases made by Headquarters) for use in Region 10 must be
sent to the Information Management Branch, where the
diskettes will be stored in a locked room to ensure
accountability and control. This is required for security
purposes as well as to facilitate regionwide software
upgrades. Software vendors require that we either destroy
or return the master diskettes for each copy of the software
that is to be upgraded.
Software purchased by contractors and used in support of
specific EPA related contract activities is subject to the
same approval requirements as software purchased by EPA.
Master copies of the software must also be sent to the 1MB
for storage. Project Officers for all EPA contracts are
responsible for being knowledgeable of all contractual
requirements regulating the contractors' use of computer
hardware and software for EPA business. Questions regarding
such requirements should be directed to the contracting
official.
1MB will conduct unannounced, random audits of Region 10
computers; should illegal or unauthorized software be located on
an employee's computer, appropriate disciplinary action may be
warranted. For additional information on 1MB controls, see
Section XII, Region 10 Computer Monitoring Procedures on page 9.
IV. Unauthorized use of Computers
Computers have been made available by EPA for use by its
employees in the conduct of EPA business. Use of these computers
is not allowed for personal business of any kind, even if it is
done on the employee's own time. Training and practice on EPA
computers shall be done using work related examples and such
activities shall be directed towards developing skills to be used
to perform job related tasks.
PC games and other non-work related software are strictly
prohibited from being installed and/or executed on EPA computers.
V. Non-EPA Software Product Controls
EPA employees shall not install any software without the
approval of 1MB. Contracts have been established by OIRM to
obtain computer software which are based upon a thorough
requirements analysis and are consistent with the Agency's
long-term strategic plans. Software standards are issued by
the director of the National Data Processing Division (NDPD)
after consultation and concurrence by the Director of the
Office of Information Resources Management. Software
products other than those offered on Agency contracts are
generally not permitted on Region 10 PCs. There may be an
exception in which an application has specific requirements
that are not met by Agency standard software. In this case,
a request for use of non-standard software must be submitted
to the Information Management Branch for approval. Agency
resources are best spent on compatible software which has
3
-------�
been tested prior to delivery and for which user support has
been committed. Organizations which acquire non-standard
software should be aware of their inherent and potential
liability caused by not being part of the Agency's standard
architecture.
Privately-owned commercial software shall not be installed
on an Agency computer without prior written authorization
from 1MB. The request must certify that no license
agreement will be violated, the software will be properly
segregated from EPA software, and agency (sensitive) data
will not be stored in non-standard format through use of
this privately-owned software. The user will be required to
produce the license for this software upon request.
Use of database software other than CLIPPER and dRASE III+/IV,
for EPA multi-user system development is not permitted.
Privately-owned database software is also strongly discouraged
in the development of single-user systems (i.e. a personal
project tracking system).
Public domain software exists and is not subject to any
license agreement/copyright laws. However, public domain
software used on EPA computers must be used only in the
performance of job related functions.
1MB written approval and virus-scanning are required before
any public domain software can be loaded on an agency
computer.
VI. Computer Viruses
A computer virus is an extra program hidden within an apparently
normal program or software package referred to as the virus
"host" or "Trojan Horse". Like a biological virus, the computer
virus has two important characteristics: it can replicate itself
and it can cause harm or mischief. This replicating ability
means that a virus can quickly spread via shared diskettes,
networks, electronic bulletin boards, or file servers as programs
or files are stored, executed, uploaded or downloaded.
Potentially infected host software include any of our standard
software packages. Truly malicious viruses can modify or destroy
programs and data.
To detect and combat viruses, a number of specialized programs or
software "vaccines" have been developed. However, it is not
possible to develop a set of generic procedures to ensure the
integrity of non-EPA computer products, public domain software,
EPA application software and data diskettes.
Failure to detect viruses may result in destruction of
government property (software and data). Due to the serious
nature of software viruses and the severe damage that can
occur, all disks that originate outside of Region 10, EPA
must be scanned by virus detection software prior to
installation or use on any EPA computer. Bring disks to be
scanned to the PC Hotline Help desk on the 8th floor or to
the Computer Room on the 10th floor. In addition, both
places can provide you with virus scanning disks which can
be used to check any IBM compatible PC for viruses. It is
permissible to use these virus check disks at home. If a
virus is detected, the user's PC will display a message
alerting the user that a virus has been found; the user
should contact the PC Hotline immediately - DO NOT ATTEMPT
4
-------�
TO REMOVE THE VIRUS YOURSELF. PC Hotline will dispatch PC
specialists who will remove the virus and take all
precautionary measures necessary to prevent the virus from
infiltrating the LAN. All Region 10 Servers are scanned for
viruses on a daily basis.
EPA employees and contractors who use PCs or LANs are also
subject to the virus prevention policies set forth in the
National Data Processing Division (NDPD) Operational
Policies Manual, regarding installation of new software,
backups and virus-scanning requirements. A copy of this
manual is held by Chief, Information Technology Section.
VII. Magnetic Media (Information Storage) Controls
Virtually all information on computers in Region 10 is stored on
magnetic media in the
following forms:
Diskettes
Fixed disks (hard disks) inside the PC
Large capacity fixed disks inside the LAN file servers
Cartridge tapes
Removable disk cartridges (Bernoulli cartridges)
Mainframe disk storage (DASD)
Computer users need to treat magnetic media with special care.
Flexible diskettes are especially susceptible to damage.
Keep disks away from magnetic fields, such as radios, TVs or
microwave ovens.
Do not bend diskettes.
Store disks in a storage box when not in use.
5.25" disks need extra care. Do not: touch the exposed
media, write on them with hard tipped pens, or store them
without their dust jackets.
Contact the PC Hotline for assistance in relocating
computers. Do not attempt to move the equipment yourself.
All information that is accessed by more than one user should be
stored on the LAN or mainframe depending on the application.
Confidential files must not be stored on the Region 10 LAN
servers or on single user PCs unless specifically approved in
writing by the Director, OIRM. Such data must be stored on
diskettes which can be locked up in order to afford the data
proper security. Sensitive information can be stored on the IBM
3090 mainframe (and must be secured via the RACF mainframe
security facility - contact the PC Hotline to identify the
current Region 10 RACF contact. Other types of information can be
stored on the PC local hard drive, if one exists, or on floppy
diskettes.
VIII. Disk Organization and File Storage Conventions
Users should be aware of the ability to create directories and
subdirectories which enable them to better organize their files.
PCs used in common areas should be set up so that each user has a
different directory under his/her own name to store data files
and other large documents.
5
-------�
The use of file extensions within file names to further identify
files is recommended (i.e., "training.doc" might indicate to a
user that this file is a document or text file, whereas
"training.dat" might indicate that the file is a data file which
is in non-readable format).
Some standard file extensions are recommended as follows:
filename.mem (memos), filename.ltr (letter), filename.doc
(documentation), filename.1st (lists), filename.tmp
(temporary files), filename.pf (primary merge file),
filename.sf (secondary merge file), and filename.msg (mail
messages)
PC users should refer to software reference manuals to become
familiar with automatic extensions appended by certain commercial
software packages. This familiarity will help facilitate
identification of data files versus required system files and
will help avoid erroneous file deletions, for example while
cleaning file directories.
IX. Backups/Disaster Recovery
Unfortunately, most computer users learn from a bad experience
that backups are critical to information security. Certain EPA
systems require routine backups of data. Procedures for creating
these backups are documented separately, in the manual written
for the system. Most computer applications, however, provide
relatively crude backup utilities which do not guarantee the user
that their information will be secure; these applications, such
as WordPerfect, will create a backup file of each document the
user creates but this file is overwritten every time a new file
is created. The key to really secure backups is to make a copy
of your information and store it on separate media, in a
different, preferably remote, location.
As a minimal control, make regular backups of all documents
or data files. A precise set of criteria for determining
how often to make backups cannot be provided - how active
the data file is and how long it took to create are key
factors to consider.
Several different means for making backups are available
(see APPENDIX B: Disk Storage and Hard Disk/Floppy Disk
Backup Options).
Contact the PC Hotline if there are any special security
requirements that need to be addressed.
Note that most information stored on LAN file servers and
remote mainframe computers is backed up automatically, and
usually on a daily basis. If information has been stored
via this media, information can be restored in most cases,
upon request. Contact the Computer Room for more details.
X. Sensitive Data Controls/Password Protection
Varying levels of password protection may be applied to the
information we store on magnetic media. Controls are already in
place for access to the Region 10 LAN and the EPA mainframe.
Software for additional file security, such as encryption or file
passwords is available on the market but Region 10 has not
purchased such add-on security software. Those who are
6
-------�
interested learning more about the criteria for evaluating
information sensitivity or wish to discuss incorporation of
advanced security measures should address their initial inquiry
to the PC Hotline.
Computer users must not abuse their password and User-ID
privileges. Violators of password protection expose the
Agency to unnecessary risk and potential irreparable harm
caused by unethical users damaging computer resources,
accessing and disclosing sensitive information, or
committing other fraudulent acts.
Users must also be aware of some important facts regarding
file management on common-use computers. Files which are
erased from a magnetic disk using only the standard DOS
"DEL" or "ERASE" commands are not actually erased from the
computer disk - they are only marked for deletion. For this
reason, until they have been overwritten, they can be
"unerased" using commercially available utility programs.
Additionally, some software systems use work files that are
temporarily stored on disk which are deleted by the system
when they're no longer needed, but are still recoverable by
utility programs. If a user is working with a confidential
file and wishes to ensure that this file cannot be recovered
by a utility program, after being deleted, he/she should
contact the PC Hotline.
Log off or otherwise inactivate all computers in between
uses.
XI. Information Systems Documentation Requirements
Agency information on magnetic media is typically accessed via
either a commercial software package, such as WordPerfect, or an
application developed in-house, such as a dBase budget tracking
system. Therefore, it is necessary that users of this
information have sufficient documentation to operate the software
package or application. Commercial packages are purchased with
manufacturer's documentation, and a myriad of other publications
are typically available as well, to provide a user with reference
information. We must rely on the developer's of our in-house
applications to provide comprehensive documentation for use of
their systems, in order to ensure that those for whom the system
is intended will be able to get to the agency information they
require. It is essential that all new applications developed in
the region for manipulation of agency data abide by strict
development guidelines:
Document functional requirements (needs) analysis
Document system specifications
Maintain hard copies of program code
Document all code to explain logic
Provide comprehensive user documentation and quick reference
sheets
Provide training (optional)
The name of the person to contact for additional guidance
regarding information systems documentation may be ascertained by
contacting the PC Hotline.
7
-------�
XII. Region 10 Computer Monitoring Procedures
The Region 10 Information Management Branch has implemented
control procedures to monitor the effectiveness of the guidelines
stated within this document. They are as follows:
1. Inventory Audits
1MB will perform random inventory audits of all computer
hardware and software owned and installed in the Region. All
discrepancies and violations of regional/software licensing
policies are noted and reported for further action. All hardware
tracked by the personal property system will be located and
sighted by responsible custodial officers annually. Board of
survey proceedings will be initiated on any equipment determined
to be missing. Movement of all computers and peripherals is to be
tracked through move slips.
2. Software Usage Monitoring
1MB will also collect statistics on software accessed by LAN
workstations to ensure that only approved software is used on
Region 10 computers. This information will help 1MB assess
regional software support requirements.
3. LAN Environment Monitoring
The Region 10 LAN environment is continuously monitored by
software which enables detection of numerous hardware, software
or electrical problems that might adversely affect our computing
environment.
4. PC Hotline Support Services
Through the PC Hotline, 1MB provides regional PC users with a
wide range of services to help protect and maintain our computer
environment. Services include virus scanning, acquisition of
equipment cleaning agents, training on proper hardware/software
management procedures, disk management software utilities and
disk conversion hardware, etc. Please find additional
information on 1MB support services in Appendix B: Disk Storage
and Hard Disk/ Floppy Diskette Backup Options.
5. Divisional PC Coordinators
Each Division has appointed a PC Coordinator to help manage
and control the computer hardware and software.
Responsibilities of these coordinators include attendance at
monthly PC management meetings, communication between 1MB and
division management, enforcement of Region 10 Computer Policy,
review of inventory reports and oversight of all PC/LAN related
division-wide projects.
For further information about Region 10 computer monitoring
controls, contact the Information Management Branch.
8
-------�
APPENDIX A
REGION 10 INFORMATION MANAGEMENT CONTACTS
Jane S. Moore
(Senior Information Resource Management Official) X4858
Assistant Regional Administrator for Policy and Management
Robin Gonzalez (PC Site Coordinator) X2977
Chief, Information Management Branch (1MB)
Gus Parlier X2988
Chief, Information Technology Section, 1MB
(Vacant) X1605
Chief, Information Services Section, 1MB
Sharon Nickels X6644
PC Hotline Coordinator
Tom Denning X1026
Local Area Network (IAN) Administrator
Julienne Sears
Head Librarian, Region X Library, 1MB X2969
Computer Room X4252
PC Hotline X1201
PC Hotline Help Desk - N.E. Corner 8th floor
WPO Id: PCHOTLINE
9
-------�
APPENDIX B
DISK STORAGE
AND
HARD DISK/FLOPPY DISKETTE EACKUP OPTIONS
DISK STORAGE OPTIONS:
There are four different storage areas where data can reside and
they are as follows:
Floppy diskettes (3.5" or 5.25")
PC local hard disk
LAN file server
Mainframe Storage - DASD (accessed via Arbiter or SEND
utility, described below)
The main considerations in choosing a storage area are security,
frequency of access, and convenience. Confidential files must
not be stored on the Region 10 LAN servers or on single user PCs
unless specifically approved in writing by the Director, OIRM.
Such data must be stored on diskettes. Sensitive information can
be stored on the IBM 3090 mainframe. All information that is
accessed by more than one user should be stored on the LAN or
mainframe depending on the application. Other types of
information can be stored on the PC local hard drive, if one
exists, or on floppy diskettes. Please note that PC hard disks
and floppy diskettes must be backed-up by the individual user to
ensure data integrity. Other factors to consider when choosing
between hard drives and floppy disks are as follows:
Error Rates: Hard disks may unexpectedly "crash" (the disks
become unreadable) and chances are great, in this case, that all
data will be lost. Floppy disks may also "crash". However,
the amount of data lost is significantly less than that which is
on the hard disk.
Vulnerability: Floppy disks are more susceptible to physical
damage while hard disks are protected by the CPU casing.
Security: There is typically no method available on a PC to
prevent any user from reading all data on a local hard disk.
Floppy disks may be stored in a secure area, and the LAN
file server user directories are password protected.
Cost: It is most economical to use central file server storage
for installation of major software packages, applications and
large data files.
Portability: Floppy disks are portable; hard disks are not
easily removable, and therefore not portable. Data stored on the
local area network can be accessed from any location in the
regional office.
Access Time: Reading or writing to a hard disk is faster than
floppy disk access time. Access time is an important
consideration when working with either large files or when making
frequent alterations to a file of substantial size.
10
-------�
Organization: Hard disk and file server user directory storage
should be organized such that user files are separated from
standard software and application files. Preparation of
directories to organize all information stored on the hard disk
or file server is mandatory due to the size and varied uses of
the hard disk. The user has more control over the floppy disk,
due to its relatively small storage capacity, so that creation of
directories is not essential.
HARD DISK AND FLOPPY DISKETTE BACKUP OPTIONS:
There are four PC hard disk and two floppy diskette backup
options and they are as follows:
From PC Hard Disk to Floppy Disk:
The entire disk or portions of it may be copied to high
density floppy disks for backup purposes. This option is
available to all users; however, it may be very time consuming
and should be employed to back up only those files which have
been altered. Use of software such as "FASTBACK" will expedite
this process. Please contact the PC Hotline to borrow FASTBACK
software.
From PC Hard Disk to IAN File Server Hard Disk:
Portions of the disk may be copied to the IAN via the IAN NCOPY
command. This option is available to all users that have
sufficient IAN disk space available to them in their user
directory. The majority of IAN users are limited to 3-6 MB
depending on the file server being accessed. From PC Hard Disk
to Mainframe DASD: The entire disk or portions of it may be
copied to mainframe DASD via ARBITER. This option is available
to all users that have active mainframe User-IDs. Special device
drivers are also required for the PC and are to be included in
the CONFIG.SYS file on the hard disk. If a large volume of data
(2 MB or more) is to be backed-up, the procedure is to be run
after 5 p.m. so that the network will not be overloaded. Please
contact the PC Hotline to obtain the software and procedures for
accessing ARBITER.
From PC Hard Disk to Centralized Tape Backup Unit using Local
Backup and Restore System:
The entire hard disk may be backed up to a tape, similar to a
video recording tape, using a backup tape unit and the Local
Backup and Restore System. This will occur in background mode so
you continue to use the PC while the backup is occurring. The
system is accessed through Miscellaneous Software on the AutoMaxx
menu. Further assistance may be obtained in the Computer Room.
From Floppy Disk to Floppy Disk:
This option should be used to back up all information stored
on floppy disks. The user has the choice of using the DOS
"diskcopy" command (to both format and exactly replicate the data
on a disk) , or the DOS "copy" command.
From Floppy Disk to IAN File Server Hard Disk:
11
-------�
The entire floppy disk may be copied to the LAN via the LAN
NCOPY command. this option is available to all users.
Please consult the PC Hotline, at X1201, to obtain information
about any of these options.
QUICK REFERENCE SHEET FEBRUARY 1993
COMPUTER SECURITY POLICY
SUMMARY
Excerpted from the Region 10 Computer Security Policy Manual
(February 1993):
Physical Controls
Install computers on stable desk tops with proper ventilation.
Turn PCs off each night. Do not move the PC yourself. Call PC
Hotline to arrange moving. Label all manuals; store near the PC
to facilitate reference. Do not modify physical configuration of
equipment.
Software Copyrights/Licenses and Master Copies
Duplication of software for use on another computer is a
violation of the license agreement and is considered theft of
government property.
Unauthorized Use of Computers
PC games and other non-work related software are strictly
prohibited from being installed and/or executed on EPA computers.
Non-EPA Software Product Controls
Software products other than those offered on Agency contracts
are generally not permitted on Region 10 PCs. 1MB approval and
mandatory virus-scanning is required before any non-EPA software
can be loaded on an agency computer.
Computer Viruses
A computer virus, much like a human virus, can be transferred
from an infected source to any type of disk via many channels.
Users who strictly adhere to software license agreement and
non-EPA software policies will greatly decrease exposure to virus
infection.
Magnetic Media (Information Storage) Controls
Keep disks away from magnetic fields. Do not bend, touch, or
write on diskettes. Store disks in their jackets when not in
use. All information accessed by more than one user is to be
stored on the LAN or mainframe depending on the application.
Confidential data must not be stored on the LAN.
Disk Organization and File Storage Conventions
Create directories and subdirectories on the PC hard disk as well
as floppy disks for better organization and retrieval of files.
The use of file extensions within file names to further identify
files is recommended.
Backups/Disaster Recovery
The key to really secure backups is to make a copy of information
and store it on separate media, in a different, preferably
remote, location. Several different means for making backups are
available. Information stored on the LAN or mainframe can be
restored in most cases, upon request.
12
-------�
Sensitive Data Controls/Password Protection
Password protection for certain documents or personal computer
systems may be established. If there is a need for limited user
access to certain information files, call the PC Hotline.
Computer Security Policy February 1993
APPENDIX C
QUICK REFERENCE SHEET
DOS AND DON'Ts
TO
PROTECT YOUR INFORMATION!
MOST COMMON THREATS:
Computer Viruses
Dust/Dirt
DO
¦ Virus Scan all
new, non-EPA
software
¦ Report any
symptoms of
viruses to the PC
Hotline at once
¦ Avoid use of non-
EPA software (i.e.
public domain)
¦ Clean drive heads
DON'T
¦ Violate copyright
laws
¦ Leave disks
uncovered
Carelessness
Lack of Knowledge
Sabotage
¦ Backup to floppy
disk
¦ Set up automatic
backup features
(such as available
in WordPerfect)
¦ Organize sub-
directories and use
consistent file
naming
conventions
¦ Attend basic
computer training
seminars
¦ Password protect
sensitive
information
¦ Report suspicious
incidents
¦ Store important
information in the
share directory on
the LAN
¦ Exceed normal
storage limitations
on disk (75%-80%
full is optimal)
¦ Delete or overwrite
files in haste
¦ Be afraid to ask for
help
¦ Share your
password with
ANYONE
CONTACT THE PC Hotline FOR
ADDITIONAL INFORMATION OR ASSISTANCE: X1201
13
-------�
Region 10 Electronic File Management Guidance
The following guidance is backed by the philosophy that each system user is responsible for the
data that they have generated on the hard disk drive (c:drive) and the LAN user area (f: drive).
That responsibility includes the routine practice of maintenance and cleanup for all of the files that
they generate on the system. Disk maintenance and cleanup consists of deleting excess files,
assuring that the data is current and making back-ups of important agency data and/or records.
Hard Disk Drive (c: drive) Maintenance
The Information Resources Unit (IRU) will assist users in performing routine maintenance on all
existing hard drives by:
* Provide backup hardware and software
* Providing information and clinics on cleaning up harddisk drives
* Providing software for file defragmentation
* Cleanups will be done on a regular (monthly) basis and will be performed by the users.
File Server File (f: drive) Maintenance
The IRU provides tape backup of all data files and E-mail generated on the LAN on a nightly
basis. Because of the large volume generated, E-mail data is only kept for one day before being
overwritten. All other data files are kept for 2 months before being overwritten which includes all
data on the f: drive.
Although this backup process is automatic, it does not automatically delete any files that may not
have been touched for a long period of time. The decision to delete files from the user area on the
server (f: drive) is left up to the user. IRU requests that users review the files in their user area
periodically and delete files that are no longer used and save seldom used files to a floppy disk.
IRU will assist in providing users with the necessary tools and techniques to perform routing
maintenance on their LAN user areas.
Cleanups will be done on a regular (monthly) basis and will be performed by the users.
Backing-Up Data
Making copies of important data files (especially on your c: drive) is critical to assuring the
agency's data is secure and useable if there should be a system crash. The IRU will assist users in
obtaining the necessary equipment to backup up large data sets (lOOmb and greater) on an as-
needed basis. Most files can be backed up and stored on floppy disk (1.44mb). Users should
regularly make backup copies of important files, label them appropriately and store them in a
secure location (at least one other person and the users supervisor should know where to look for
the backups).
-------�
File and Directory Naming Conventions
It is suggested that all Region 10 system users begin using the following file naming conventions:
Suggested FILE extensions
* doc - general document
* ltr - Agency letter
* rec - Agency Record
* rpt - Agency report
Suggested DIRECTORY names (c: drive only)
* \temp - (standard) Reserved for temporary files (delete once copied to another area)
* \records - for storing Agency record files
* \HQ - for storing any incoming files from HQ
* \Contract - for storing Contractor files
* \Site\Sitename - for storing site files
-------�
Date of Last Update:
Person Responsible:
Phone Number:
11/09/95
Robin Gonzalez
(206) 553-2977
REGION 10
Guidelines and Protocol for sending, receiving and using
Electronic Information
The intent of this memo is to provide the Region 10 staff with a
framework for working with and using electronic mail (E-mail) and
electronic information sources such as the Internet or electronic
Bulletin Board Systems (BBS). The same "Business Communication
Protocol" that applies to our existing methods of written
communication and distribution also applies when sending, receiving,
searching or using electronic information.
Electronic communications are subject to the same records management
considerations as printed communications. The nuances of "what are
records" are not discussed here, but any communication that announces
an agency decision or policy is an official record. Each user is
responsible for managing records that they originate. The Information
Resources Unit does not maintain backups of E-mail and therefore
cannot provide copies of messages in response to FOIA requests.
Any of the various means of processing electronic information may only
be used for the purpose of conducting Official Agency business.
"Official Agency business" can be defined as any correspondence
relating to the mission and/or authorized objectives of EPA, including
actions or programs sanctioned by the Administrator or Regional
Administrator. Use of government equipment and communications
channels to send and/or to receive information of a personal nature is
prohibited and can be career limiting.
Electronic Mail (E-mail)
For the purposes of this document the term "E-mail" refers to any
Agency E-mail program including WPO, GroupWise, Lotus Notes,
All-in-One or cc:Mail.
Be aware that there are situations in which E-mail is not an
appropriate communication tool, such as Official Agency correspondence
or any documents which require a signature.
EPA policy prohibits the availability of confidential or sensitive
material on the LAN, which includes E-mail. If you have a need to
send this type of information via E-mail, be sure to use the security
features available. Once sent, the message must be deleted from the
LAN. If it needs to be saved, it should be stored on a floppy
diskette and placed in a secure location.
Any EPA employee needing to send an all-employee broadcast message
(i.e., using the REGX for all of Region 10 including Operations
Offices or SEA group), should check beforehand with their supervisor
or the appropriate program manager for specific policies. Limiting
the authority to approve broadcast messages to a small group of people
-------�
is a prudent practice which will enable better control over the
information that is distributed on a wide scale.
Any recipient of an E-mail message that is not appropriate or does not
conform to these guidelines, should forward the message along with
their comments to the sender, and a cc: to the senders' supervisor.
If the message is overtly threatening or inappropriate because of
vulgar language or content, the recipient should notify their
supervisor or the HR officer immediately.
Each LAN user is responsible for maintenance of his or her own IN and
OUT Mailboxes. There is a limit of 500 messages that can be retained
in either area. A full IN box will prevent anyone from sending in
more mail, and the recipient will not be aware of this problem.
Therefore, it is important that mail messages be deleted and/or stored
elsewhere on a frequent basis. It is recommended that users make
decisions regarding the deletion or storage of messages immediately
upon reading them. Clean up your "in" and "out" mailboxes and folders
on a weekly basis so as to keep the system clear of any unnecessary
files.
Messages older than 60 days and which are not stored in an archive
folder are automatically deleted by the system. Further information
regarding maintenance of your mailbox messages may be obtained from
the PC HOTLINE (xl201).
Messages being sent to Field offices with files attached are to be
limited to 100 kilobytes in size (approximately 50 pages or a 1 page
graphic). Contact the PC HOTLINE if you are not sure how to determine
file size. This practice will prevent excessive delays in mail
delivery to those offices.
There is an "auto-delete" send option available that should be used
for messages that have a specific time value on them (e.g.
appointments, meetings, etc.). This will save time for those who have
been out of the office for some time and do not want to have to comb
through a pile of "old mail." Remember to use this feature when
sending time sensitive messages. E-mail messages may be sent over the
Internet using any of the above mentioned standard E-mail programs.
This option should only be used if any of the other options are not
available to either party involved (such as with outside vendors or
contractors that do not have access to our mail systems).
Internet
For purposes of this document the terms World wide Web (www), Gopher,
File Transfer Protocol, Telnet and Worldwide Area Information
Search(WAIS) are synonymous with Internet.
The Internet may be used for the purpose of seeking and using
pertinent information related to environmental protection as it
applies to your position description and areas of responsibility.
We encourage Internet users to use the search engines provided and
index on the topic that you are seeking to know more about. This will
save the Agency time and money.
-------�
Please be aware that Internet "traffic" is monitored by the
telecommunications services group at RTP. If suspicious sites are
being visited that are clearly not work related, there is a good
chance that your supervisor may receive a call to discuss the problem.
Again, abuse of this resource can be career limiting, so don't get
sidetracked in an undesirable cyberhood.
Bulletin Board Systems (BBS's)
Bulletin Board Systems may be used for the purpose of seeking and
using and posting pertinent information related to environmental
protection as it applies to your position description and areas of
responsibility.
The BBS it intended to be an outreach vehicle to the public who have a
means of communicating via a modem. We encourage you and your
colleagues to use the BBS for posting important topics or meetings
that are open for public input.
One note of caution regarding files on the BBS: Files posted in
conference areas are accessible by all BBS users. Therefore, when
sending files to a specific BBS user (not intended for general
consumption), the file attachment feature in BBS mail should be used,
otherwise the document will be posted for all to read.
The same protocol that applies to E-mail should be observed when
responding to an inquiry on the BBS.
-------� |