route ohsas 18000

The RouTe To ohSAS 18001

WWW.uK.SGS.CoM

SGS 5258/0308

NeWUPDATED TO THE 2007 VERSION OF THE STANDARD

Booklet now includes commentary on the 2007

changes to the 18001 standard


�

©Copyright SGS United Kingdom Ltd 2008All rights reserved. No part of this publication may be copied,

reproduced or transmitted in any form by any means without thewritten permission of SGS United Kingdom Ltd.

Published by Systems and Services Certification. 2008

FoReWoRD

What is OHSAS 18001?

It is a standard which many countries and organisations have chosen to implement in their commitment to establish a formal and recognised mechanism for managing occupational health & safety. OHSAS 18001 has been specifically designed to provide such a mechanism and was developed with the requirements of both ISO 9001:2000 and ISO 14001:2004 in mind, thereby allowing ready integration of management systems and the efficiencies that this can bring, as well as implicitly recognising an organisation’s own business needs.

OHSAS 18001 was first issued in 1999 but was subject to review during 2006 and then issued as a revised standard on 1 July 2007. This booklet is intended to provide an introduction to the changes made to OHSAS 18001 and the potential implications of those changes.

OHSAS is based on a number of principles:

• Clear demonstration of leadership and management commitment

• Setting of objectives leading to improvement of OHS performance

• Effective hazard identification, risk management and risk control

• Competence of workforce

• Consultation and communication with all stakeholders

• Clear lines and definitions of responsibility

• Systematic approach to managing occupational health & safety

• Monitoring the effectiveness of the management system through audit and review

It has been appreciated for many years that effective management of occupational health & safety can significantly reduce risk exposure and potentially improve an organisation’s profitability and sustainability. Leading studies have recognised that implementing a formal occupational health & safety management system based on OHSAS 18001 is an excellent means of achieving this business aim.

Price £20.00 Sterling


CoNTeNTSPAGe NuMbeR

INTRoDuCTIoN 4

3 TeRMS AND DeFINITIoNS 6

4.1 GeNeRAl RequIReMeNTS 6

4.2 oCCuPATIoNAl heAlTh & SAFeTy PolICy 7

4.3.1 hAzARD IDeNTIFICATIoN, RISK ASSeSSMeNT AND DeTeRMINING CoNTRolS 10

4.3.2 leGAl AND oTheR RequIReMeNTS 15

4.3.3 objeCTIveS AND PRoGRAMMeS 18

4.4.1 ReSouRCeS, RoleS, ReSPoNSIbIlITy, ACCouNTAbIlITy AND AuThoRITy 20

4.4.2 CoMPeTeNCe, TRAINING AND AWAReNeSS 22

4.4.3 CoMMuNICATIoN, PARTICIPATIoN AND CoNSulTATIoN 24

4.4.4 DoCuMeNTATIoN 28

4.4.5 CoNTRol oF DoCuMeNTS 30

4.4.6 oPeRATIoNAl CoNTRol 32

4.4.7 eMeRGeNCy PRePAReDNeSS AND ReSPoNSe 34

4.5.1 PeRFoRMANCe, MeASuReMeNT AND MoNIToRING 36

4.5.2 evAluATIoN oF CoMPlIANCe 38

4.5.3 INCIDeNT INveSTIGATIoN, NoN-CoNFoRMITy, CoRReCTIve AND PReveNTIve ACTIoN 40

4.5.4 CoNTRol oF ReCoRDS 45

4.5.5 INTeRNAl AuDIT 46

4.6 MANAGeMeNT RevIeW 48


�


�

as a national standard. OHSAS 18001 was initially developed and recently reviewed by a committee of interested parties including national standards bodies, certification bodies, learned bodies and industry representatives. It should be noted that although OHSAS 18001:2007 is not an international standard it is being used internationally as a framework of requirements for a Safety Management System.

The foreword to the standard provides an overview of the changes to the standard as listed above. A comprehensive introduction to the Standard has been added which outlines the intent of the Standard and emphasises its intended application for all types, sizes of organisation and to accommodate diverse geographical, cultural and social conditions. The basic approach taken within OHSAS 18001:2007 continues to be the familiar mechanism of PLAN ~ DO ~ CHECK ~ ACT and it systematically requires an organisation to:

• Detail an Occupational Health & Safety Policy applicable to its operations

• Identify the OHS hazards and risks which the organisation needs to manage

• Identify the legal and other requirements applicable to the organisation

• Define and implement the means of managing these issues and requirements

• Implement a means of effecting continuous improvement in the organisation’s occupational health & safety performance

• Check and review the continuing effectiveness, suitability and adequacy of the OHS management system

THE SCOPE OF OHSAS 18001:2007 STATES:

“This Occupational Health & Safety Assessment Series (OHSAS) Standard specifies requirements for an Occupational Health & Safety (OH&S) management system, to enable an organisation to control its OH&S risks and improve its performance. It does not state specific OH&S performance criteria, nor does it give detailed specifications for the design of a management system.”

INTRoDuCTIoN

This booklet gives a brief introduction to OHSAS 18001:2007 and identifies the changes that have been made as a result of the recent review of the standard. A summary of the key changes is listed below and explored in more detail throughout this booklet

SUMMARY OF KEY CHANGES FOR OHSAS 18001:2007

• OHSAS now refers to itself as a “Standard” Previously OHSAS 18001 was referred to as a Specification. Although it is now referred to as a Standard it is not an international standard

• Significant improvement in alignment with ISO 14001:2004

• The importance of “health” has now been given greater emphasis

• New definitions have been added, and existing definitions revised

• The term “tolerable risk” has been replaced by the term “acceptable risk”

• The term “accident” is now included in the term “incident”

• The definition of the term “hazard” no longer refers to “damage to property or damage to the workplace environment” The scope of the standard now specifically excludes health & safety areas such as property damage and environmental impacts

• A new requirement has been introduced for the consideration of the hierarchy of controls as part of OH&S planning

• The management of change is now more explicitly addressed

• Sub-clauses 4.3.3 Objectives and 4.3.4 Management programmes have been merged

• A new clause “Evaluation of compliance” has been introduced

• New requirements have been introduced for the investigation of incidents

OHSAS 18001 is now a Standard which defines a set of requirements for an Occupational Health & Safety Management System (SMS) which would be suitable for any kind and size of organisation. Currently no ISO standard is available that defines the requirements for a SMS, although national standards bodies have developed standards, and some have adopted OHSAS 18001


�


�

This firmly establishes the purpose of OHSAS 18001. Not only does an effective SMS improve existing and establish new controls, it also installs and drives a system of continuous improvement in Occupational Health & Safety performance. It must also be recognised that in many countries there is a legal requirement for organisations to develop and implement Occupational Health & Safety Management Systems. In many cases there is no definition of the required structure for such a system.

A SMS based on the requirements of OHSAS 18001 provides for the development of a system of interlinking processes and is a simple and effective toolkit of mechanisms for managing Occupational Health & Safety issues in any kind of organisation. It is only prescriptive in terms of what must happen, leaving the how to the organisation to decide or devise for itself.

The notes below are preceded by the clause number of OHSAS 18001:2007 and are presented in the order they appear in that specification. New or changed requirements are shown in italics.

3. TeRMS AND DeFINITIoNS

Section 3 of the Standard lists a number of useful Terms and Definitions. Some of these terms have been revised notably the terms Hazard and Risk. Also the new terms Ill Health and Incident have been added.

4.1 GeNeRAl RequIReMeNTS

Paragraph 1 has been extended but a new requirement has been added:

The organisation shall establish, document, maintain and continuously improve an OH&S management system in accordance with the requirements of this OH&S Standard and determine how it will fulfil these requirements.

The organisation shall define and document the scope of its OH&S management system.

This requirement links with the revised system document requirements shown at clause 4.4.4b.

4.2 oCCuPATIoNAl heAlTh & SAFeTy PolICy

An organisation’s Occupational Health & Safety Policy should be the cornerstone of SMS. Development of a Policy may be required by legislation, but even if it is not, the OHS Policy is an essential tool in the formulation and communication of the organisation’s intent. The safety policy should in any case reflect the organisation’s operations and processes, and should ideally be produced after identifying the OH&S hazards and risks which the organisation may face as a result of its operations.

KEY REQUIREMENTS

The Policy must:

• Be appropriate to the scale and operations of the organisation

• Commit to continuous improvement of safety performance

• Commit to compliance with relevant legal and other requirements

• Commit to the prevention of injury and ill health

• Provide a framework for setting objectives for improvement

• Be communicated to all persons working under the control of the organisation with the intent that they are made aware of their individual OH&S obligations

• Be available to interested parties

• Be authorised by top management

• Be periodically reviewed to ensure its ongoing suitability

Taking these in turn:

APPROPRIATE AND AUTHORISED

The Policy should be appropriate to an organisation. The opening paragraph(s) of the Policy should give a brief outline of the organisation’s business sector and operations so that the Policy can be viewed in context. This will also enable the scope of the SMS to be described (see clauses 4.1 and 4.4.4). The Policy needs to be authorised by top management; evidence of this authorisation should be available.


�


�

COMMITMENT TO CONTINUOUS IMPROVEMENT OF SAFETY PERFORMANCE AND TO THE PREVENTION OF ILL HEALTH AND INJURY

Occasionally these commitments are more implied than explicitly stated in the Policy. This can lead to confusion, since the Policy should be understandable and clear. It is right to show this commitment clearly and it is perfectly acceptable to use the exact words from the standard in the Policy – this gives a very clear mandate and direction to the SMS. It is part of the foundations of Occupational Health & Safety Management.

COMMITMENT TO COMPLY WITH RELEVANT LEGAL AND OTHER REQUIREMENTS

Commitment to legal compliance is another fundamental part of the SMS and as such deserves a place in the Policy ~ ideally in just those words. Remember that compliance to legislation is the minimum required by an organisation, not the maximum. The matter of “relevant other requirements” can be more difficult. The Policy should indicate any other pertinent requirements to which the organisation subscribes, e.g. corporate requirements where the organisation is part of a larger group, trade association requirements, sector best practice, etc. This is because the Policy is the only (mandatory) public window into the SMS and those who read it should understand the key issues and intentions of the organisation with respect to occupational health and safety.

PROVIDE A FRAMEWORK FOR SETTING OBJECTIVES FOR IMPROVEMENT

The OH&S Policy should make reference to the setting of safety objectives and objectives for the improvement of safety performance. Problems can arise when the Policy is written with good intent but with unrealistic expectation of what an organisation can do. For example, if your Policy states a commitment to accident reduction, risk elimination etc., the SMS must keep such promises. These will need to be delivered by means of documented objectives and supported by detailed Management Programmes (see clause 4.3.3).

DOCUMENTED, IMPLEMENTED, MAINTAINED AND REVIEWED

Documented: For the OH&S Policy to be effective it needs to be documented in a written format, either on paper or electronically. This will enable all aspects of the Policy, either in total or in part, to be communicated both within and outside the organisation. This will also facilitate the review of the Policy to ensure it remains relevant and suitable to the organisation (see clause 4.6)

Implemented: Refers to the need to deliver the Policy in detail, i.e. developing whatever arrangements and controls that are deemed necessary and keeping the Policy’s promises.

Maintained: Refers to making sure that the Policy is kept up-to-date and relevant (this is partly covered by Management Review see clause 4.6).

COMMUNICATED TO ALL PERSONS WORKING UNDER THE CONTROL OF THE ORGANISATION

Communicating the Policy is not a new requirement but the phrase “all persons working under the control of the organisation” is new. This phrase now appears in a number of clauses although the context varies slightly, e.g. clause 4.4.1 and 4.4.2. This requirement widens the need to communicate either the organisation’s SMS Policy statement or aspects of the SMS arrangements to those who are working under the organisation’s control, e.g. employees, contractors, consultants, agency staff etc.

AVAILABLE TO INTERESTED PARTIES

Typical interested parties might include shareholders, other stakeholders, neighbouring companies or residents, emergency services etc. Some organisations have published their Safety Policies on their company websites. In some clauses, e.g. 4.4.7, interested parties are now specifically identified.

The table below summarises the requirements of clause 4.2 and identifies the new requirements now included in OHSAS 18001:2007. So to sum up, the Safety Policy is one of the cornerstones of an SMS. If it makes promises or raises expectations, they must be delivered. It is the only part of your system that must be made available to the public. Your employees must know about it and its relevance to them.


10


11

KEY REQUIREMENTS

The key features of this clause are:

• The implementation of a procedure(s) for ongoing hazard identification, risk assessment, and determination of necessary controls

• The organisation’s methodology for hazard identification and risk assessment shall be proactive

• The methodology should provide for the prioritisation of hazards and the identification of those that are significant

• Keeping risk assessments and any resultant improvement objectives up to date

A PROCEDURE FOR THE ONGOING IDENTIFICATION OF OCCUPATIONAL HEALTH & SAFETY HAZARDS AND RISKS AND DECIDING WHICH ARE SIGNIFICANT

This means that a documented procedure containing sufficient detail to ensure a repeatable and consistent process. There is also a need to keep sufficient records to show that the procedure has been effectively applied. New requirements have been introduced which the procedure must take into account. In some cases these requirements were previously found in other clauses, e.g. Design of Work Areas was previously part of clause 4.4.6. These requirements are listed below, those that are new or revised are shown in bold italics. Where appropriate or necessary a short explanatory note has been included.

routine and non-routine activities;

• activities of all persons having access to the workplace (including contractors and visitors)

• human behaviour, capabilities and other human factors. This means taking into account all aspects of human behaviour and capability, e.g. physical fitness, training etc.

POLICY or Comment/Plan

Documented, dated and authorised by top management

Appropriate to the nature and scale of the organisation’s OH&S risks

Commits to:

• Continuous improvement

• Compliance with legislation

• Compliance with other requirements

• Prevent ill health and injury

Provides framework for setting and reviewing objectives?

Communicated to all persons under the control of the organisation.

Available to interested parties

Implemented and maintained?

Subject to review to ensure ongoing suitability?

4.3.1 hAzARD IDeNTIFICATIoN, RISK ASSeSSMeNT AND DeTeRMINING CoNTRolS

Hazard identification and risk assessment form the core of the SMS. It is important that the difference between the meaning of the words “hazard” and “risk” is fully understood. It should be noted that the definition of these words has been revised and that both the word hazard and the Standard itself no longer focus on damage to property. Overall this clause has been significantly revised and is now the longest clause in the Standard. New requirements to be taken into account when identifying hazards and completing risk assessment have been introduced. Additionally when determining risk controls consideration must now be given to a hierarchy of controls listed as part of clause 4.3.1.


12


1�

• identified hazards originating outside the workplace capable of adversely affecting the health and safety of persons under the control of the organisation within the workplace. This could mean the use of hazardous machinery brought to the workplace or chemicals brought to the workplace.

• hazards created in the vicinity of the workplace by work- related activities under the control of the organisation. Possibly hazards created by non-routine activities

• infrastructure, equipment and materials at the workplace, whether provided by the organisation or others; This requirement is focusing on hazards associated with work equipment, e.g. forklift trucks and material, e.g. chemicals

• changes or proposed changes in the organisation, its activities, or materials. The management of change is now addressed in a more definite way within the Standard; this requirement, to some extent, links with managing change and in particular identifying new or revised hazards resulting from change

• modifications to the OH&S management system, including temporary changes, and their impacts on operations, processes, and activities. This is similar to the requirement above but focuses on the SMS arrangements which, if changed, may produce additional hazards or weaken existing controls

• any applicable legal obligations relating to risk assessment and implementation of necessary controls (see also the NOTE to 3.12). This requirement ensures that legal and other requirements are considered when determining risk controls. Third party auditors have always sought evidence of the consideration of legal and other requirements but until now it has not been a specific requirement in the Standard

• the design of work areas, processes, installations, machinery/equipment, operating procedures and work organisation, including their adaptation to human capabilities. This requirement was originally part of clause 4.4.6 but is now included here to ensure that the OH&S hazards and risks associated with the development or change of the workplace are identified and controls determined as

part of the workplace design process. To some extent this requirement links with the management of change

• the organisation’s methodology for hazard identification and risk assessment shall: be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive; and provide for the identification, prioritisation and documentation of risks, and the application of controls, as appropriate

• for the management of change, the organisation shall identify the OH&S hazards and OH&S risks associated with changes in the organisation, the OH&S management system, or its activities, prior to the introduction of such changes. This is a definite requirement to manage change and in particular to identify associated OH&S hazards and risks before the introduction of change. There would need to be evidence of the manner in which this requirement has been addressed so an external auditor can verify the change management arrangements

• when determining controls, or considering changes to existing controls, consideration shall be given to reducing the risks according to the following hierarchy: The application of the hierarchy of controls shown below is now a requirement. Auditors will need to see evidence that the controls hierarchy has at least been considered. It is anticipated that OH&S professionals and those with OH&S training will recognise this hierarchy and the need for its application. However, short explanatory notes have been attached to some of the requirements

- elimination

- substitution

- engineering controls - Previously the only clause to refer to maintenance was clause 4.4.6 Operational Control. Now the words “Engineering Controls” are the only reference to maintenance within the Standard. Although only a short reference it is true to say that engineering arrangements, e.g. planned maintenance, statutory inspections etc., some of which are required by legislation or regulation, are risk controls. Auditors will need to verify that maintenance arrangements are applied as risk controls.


1�


1�

- signage/warnings and/or administrative controls

- personal protective equipment

• the organisation shall document and keep the results of identification of hazards, risk assessments and determined controls up to date. This requirement ensures that risk assessments are subject to periodic review and up dating as necessary as a minimum

• the organisation shall ensure that the OH&S risks and determined controls are taken into account when establishing, implementing and maintaining its OH&S management system

HAZARD & RISK IDENTIFICATION or Comment/Plan

Procedure(s) and process for identifying hazards, subsequent risk assessment determining controls is documented?

Process includes reference to:

• Responsibilities • Document control • Records • Review

Procedure(s) ensure that the following requirements are taken into account:

• Routine and non-routine activities • All persons having access to the workplace • Human behaviour/factors • Hazards originating outside the workplace • Hazards in the vicinity of the workplace • Infrastructure, equipment etc. • Changes in the organisation • Modification to the SMS • Legal and other requirements • Design of the workplace • Management of change

Risk assessment methodology determined, proactive and consistently applied

Hierarchy of controls considered and applied

Risk assessments reviewed and controls updated

Records of process enable it to be audited?

Process is carried out by competent persons?

DECIDING WHICH OCCUPATIONAL HEALTH AND SAFETY RISKS ARE “SIGNIFICANT”

Having identified all hazards and associated risks which could impact on occupational health & safety, the process of rating the risks for significance can be carried out. This crucial process, together with a thorough knowledge of legal and other similar requirements, provide the foundations of the SMS.

This assessment process is vital in determining the need for controls aimed at either reducing risk to levels deemed to be acceptable, or meeting the requirements of legislation. The changes introduced in the Standard are intended to strengthen the hazard identification and risk assessment process. The importance of this process cannot be overestimated. Accurate hazard identification is fundamental to effective risk assessment as is the identification of significant hazards. If this process not effective then risk controls and much of the SMS may be questionable.

4.3.2 leGAl AND oTheR RequIReMeNTS

A limited revision of this clause has been made although the phrase “persons working under the control of the organisation” has been included with regard to the communication of information on legal and other requirements. The requirements of this clause when coupled with the completion of risk assessments, and there is now a definite requirement to do so (see clause 4.3.1i), forms the foundation of the SMS. This clause of the specification requires that the organisation identifies all


1�


1�

relevant legal and other requirements which are applicable to its activities, and uses this data to ensure that suitable controls are in place to ensure compliance. In this context “compliance” is related not only to the identified requirements but also with the organisation’s own Policy.

KEY REQUIREMENTS

The Standard requires that there is a procedure(s) for identifying and gaining access to relevant legal and “other requirements” which are applicable to the organisation. This procedure should include:

• Responsibilities for compiling the listing of legislation and “other requirements”

• Sources of data (e.g. update services, subscriptions to journals etc.)

• The means of gaining access to updates

• The methods employed to communicate the demands of any relevant legislation or “other requirements”

• The types of “other requirements” to be included, e.g. policies, codes of practice, national standards, corporate requirements (if a member of a group of companies)

The organisation shall ensure that these applicable legal requirements and other requirements to which the organisation subscribes are taken into account in establishing, implementing and maintaining its OH&S management system. This is a new paragraph which is in effect a general statement but is intended to ensure that reference is made to legal and other requirements when developing or revising an SMS.

The organisation shall keep this information up-to-date.

The organisation shall communicate relevant information on legal and other requirements to persons working under its control, and to other relevant interested parties. The phrase persons working under its control means that there needs to be evidence of communication to such persons.

There is now a new clause, clause 4.5.2 Evaluation of Compliance, which requires the organisation to evaluate

compliance with legal and other requirements. This clause is part of the ‘Checking’ section of the standard and is discussed on page 36.

Ideally the process should ensure that an organisation knows:

• What legislation and other requirements are applicable

• What it means to the organisation

• What duty or obligation is imposed

• How compliance is ensured

• A reference to the mechanism for confirming compliance.

It must also ensure that the details of legal and other requirements are kept up-to-date.

LEGAL & OTHER REQUIREMENTS or Comment/Plan

Procedure in place to describe how access is gained to legal and other requirements, how to keep track of changes, and who does this?

Mechanism in place to record these requirements, make sure they are communicated and understood by persons working under the control of the organisation

Records and procedure are controlled documents and regularly reviewed

There is a means of accessing the original laws, regulations etc.?

Register or listing includes (as applicable):

• Laws, regulations• Policies• Codes of practice • Schemes, e.g. “responsible care” • Licences, authorisations, permits, certificates• Planning permission• Insurance• Lease And the means of accessing changes to all of the relevant “other requirements”


1�


1�

OBJECTIVES AND PROGRAMMES or Comment/Plan

Is there a process for selecting and documenting the objectives?

Are objectives set at relevant levels and functions within the organisation?

Are there records to show how the objectives were selected?

Are there links to:

• Significant risks• Policy commitments• Legal and other requirements • The views of interested parties?

Are objectives: • Specific • Measurable• Achievable• Realistic• Timed?

Management programmes or action plans in place for achieving objectives

Do programmes show designated responsibility and authority for achieving objectives, the means and a time frame by which objectives are to be achieved?

Programmes subject to planned reviewed

Legal and other requirements taken into account when developing, implementing or changing the SMS

The procedure links to the Evaluation of Compliance (clause 4.5.2)

4.3.3 objeCTIveS AND PRoGRAMMeS

Clause 4.3.3 is now an amalgamation of the original requirements of clause 4.3.3 objectives and what was clause 4.3.4 OH&S management programmes. There have been some changes in wording, which to some extent includes wording from other standards, and is evidence of the closer link with ISO 14001 and ISO 9001. Objectives are the drivers for the continuous improvement process which ensures that your SMS delivers real improvements in the functioning of the SMS and, perhaps more importantly, occupational safety performance.

KEY REQUIREMENTS

OHSAS 18001 requires that:

• Objectives are established, maintained, documented, and exist at each relevant function and level in the organisation

• Objectives are measurable, where practicable, and are consistent with the OH&S Policy including the commitments to prevent injury and ill health, comply with applicable legal and other requirements and continuous improvement

• Consideration of legal and other requirements, significant risks, financial, technical, operational and business issues, as well as the views of interested parties when formulating objectives

• Establish and maintain programmes for achieving objectives

• Programmes shall include, as a minimum, designated responsibility and authority for achieving objectives, the means and a time frame by which objectives are to be achieved

• Programmes subject to planned reviewed


20


21

4.4.1 ReSouRCeS, RoleS, ReSPoNSIbIlITy, ACCouNTAbIlITy AND AuThoRITy.

In common with all management systems’ standards, OHSAS 18001 recognises the need to make sure that personnel involved in the SMS are aware of their responsibilities and authority. In general although the wording of the clause has been revised the requirements remain the same. However, two new requirements have been introduced. These requirements are shown below; where requirements are new they are shown in bold italics.

KEY REQUIREMENTS

OHSAS 18001 requires that

• Top management shall take ultimate responsibility for OH&S and the OH&S management system.

• Top management shall demonstrate its commitment by ensuring the availability of resources essential to establish, implement, maintain and improve the OH&S management system. Defining roles, allocating responsibilities and accountabilities, and delegating authorities, to facilitate effective OH&S management; roles, responsibilities, accountabilities, and authorities shall be documented and communicated.

• The organization shall appoint a member(s) of top management with specific responsibility for OH&S, irrespective of other responsibilities.

• The identity of the top management appointee shall be made available to all persons working under the control of the organization. This new requirement means that all persons working under the control of the organisation e.g. employees, contractors, agency staff etc need to be informed of the identity of the management appointee.

• All those with management responsibility shall demonstrate their commitment to the continual improvement of OH&S performance.

• The organisation shall ensure that persons in the workplace take responsibility for aspects of OH&S over which they have control, including adherence to the organisation’s applicable OH&S requirements. This requirement ensures that line managers, supervisors etc. must now take responsibility for OH&S matters in their area and ensure adherence to applicable OH&S requirements e.g. procedures safe systems of work etc.

Resources, roles, responsibility or Comment/Plan

accountability and authority.

Evidence of Top management taking responsibility for the SMS

Roles and responsibilities defined, accountabilities and authorities allocated in manuals, job specifications, organisation charts, procedures etc

Including responsibilities in emergency situations

Responsibilities etc. documented and communicated e.g. staff aware.

Management Appointee nominated See clause 4.4.1 note 2.

Management appointee responsibilities defined by clause 4.4.1 para 2 a and b.

Means of communicating the ID of the management appointee

Personnel taking OH&S responsibility and recognise the need to comply with SMS requirements

Resources provided, defined and adequate?

Training provided to meet competence needs for responsibilities.


22


2�

4.4.2 CoMPeTeNCe, TRAINING AND AWAReNeSS

The general intent of the clause remains the same; however, the second paragraph now contains requirements which can be found in other standards particularly ISO 9001:2000. Where requirements are new these are shown in bold italics. Training and competence form important keystones in the prevention of OH&S related problems within the workplace. Employees cannot be expected to carry out tasks safely or assume OH&S responsibility if they have not been adequately trained and are not competent. Identification of training needs and competence relative to the hazards, risks and legislative requirements applicable to the operations and activities carried out by the organisation, forms a key aspect of occupational health & safety management. Legislation generally refers to a need for personnel to be competent to perform their functions – it is incumbent on the organisation to ensure that this is fulfilled and that there is adequate provision of necessary training and records to substantiate this.

KEY REQUIREMENTS

OHSAS 18001 requires that

• The organisation shall ensure that any person(s) under its control performing tasks that can impact on OH&S is (are) competent on the basis of appropriate education, training or experience, and shall retain associated records. Although not entirely a new requirement the wording has been changed and now includes the phrase any persons under its control. This means that an organisation has to ensure that not only employees but contractors, agency staff etc. are competent to carry out work safely.

• The organisation shall identify training needs associated with its OH&S risks and its OH&S management system. It shall provide training or take other action to meet these needs, evaluate the effectiveness of the training or action taken, and retain associated records. The wording of these requirements can be found in other standards, e.g. ISO 9001:2000 clause 6.2.2. If an organisation has certification to other Standards then arrangements addressing these requirements will already be in place. Therefore safety training and associated records will simply need to be included. If this not the case then arrangements will need to be developed.

• The organisation shall establish, implement and maintain a procedure(s) to make persons working under its control aware of

- the OH&S consequences, actual or potential, of their work activities, their behaviour, and the OH&S benefits of improved personal performance;

- Their roles and responsibilities and importance in achieving conformity to the OH&S policy and procedures and to the requirements of the OH&S management system, including emergency preparedness and response requirements (see 4.4.7);

- The potential consequences of departure from specified procedures.

The requirements above are unchanged, however some additional wording, shown in bold italics, has been included. Again the phrase persons working under its control appears whereas previously only employees were referenced. The behaviour of personnel is referenced so that personnel need not only to work safely but conduct themselves in a safe manner.

Training procedures shall take into account differing levels of: - responsibility - ability - language skills and literacy - risk

COMPETENCE, TRAINING & AWARENESS or Comment/Plan

Procedure(s) documented and include: • Means of identifying training needs

• Provision of training to meet needs

• A means of evaluating the effectiveness of training

• Awareness training (link OH&S consequences of work activities, OH&S Policy. EM preparedness)

All necessary training and skills in place?

A means of verifying the training/ competence of persons under the control of the organisation other than employees

Are there records to identify delivery of training and to verify “competence”?


2�


2�

4.4.3 CoMMuNICATIoNS, PARTICIPATIoN AND CoNSulTATIoN

This clause has been revised and now consists of two sub-clauses:

4.4.3.1 Communication: The organisation needs to ensure that suitable communication methods are available for facilitating both internal and external communications. Regarding internal communications it is essential that personnel at all levels are included and are able to be involved with OH&S issues. Also important is appropriate and effective means of communication with interested parties particularly authoritative bodies, e.g. the HSE. The requirements of clause 4.4.3.1 are not entirely new but are an expansion of the previously sketchy one-sentence requirement. Where requirements are new these are shown in bold italics.

KEY REQUIREMENTS

OHSAS 18001 requires:

With regard to its OH&S hazards and OH&S management system, the organisation shall establish, implement and maintain a procedure(s) for

• internal communication among the various levels and functions of the organisation.

• communication with contractors and other visitors to the workplace This requirement will mean that recognisable and verifiable arrangements need to be in place for contractors and other visitors to the workplace.

• receiving, documenting and responding to relevant communications from external interested parties. This requirement has been strengthened and requires that there is a procedure for receiving communication from external interested parties. This implies that there needs to be a documented record of all communication to and from external organisations, e.g. HSE, emergency services etc.

4.4.3.2 Participation and Consultation: The previous version of the Standard contained requirements for consultation between management and employees, now referred to in this clause as “workers”, however, the Standard now sets out these requirements in more detail. Where requirements are new these are shown in bold italics.

Key Requirements

OHSAS 18001 requires:

The organisation shall establish, implement and maintain a procedure(s) for the participation of workers by their:

• appropriate involvement in hazard identification, risk assessments and determination of controls

• appropriate involvement in incident investigation; This requirement now requires organisations to involve, as appropriate, workers in the process of hazard identification, risk assessment and determining controls. There will need to be evidence of this involvement.

• involvement in the development and review of OH&S policies and objectives; Not a new requirement but there will need to be evidence of involvement of workers in developing policy and objectives.

• consultation where there are any changes that affect their OH&S; Also not a new requirement.

• representation on OH&S matters. Not a new requirement.

• Workers shall be informed about their participation arrangements, including who is their representative(s) on OH&S matters. Not strictly a new requirement but the wording has been revised to ensure that personnel are aware of their participation arrangements.

• consultation with contractors where there are changes that affect their OH&S. A new requirement is that arrangements are in place to consult with contractors with regard to changes that may affect them.


2�


2�

• The organisation shall ensure that, when appropriate, relevant external interested parties are consulted about pertinent OH&S matters, e.g. emergency services, neighbours etc. Not an entirely new requirement but the clause wording has been slightly enhanced.

Legislation often requires an organisation to have methods in place to communicate OHS issues between workforce and management and often states that the workforce is entitled to elect representatives to discuss OHS issues. The organisation needs to ensure that procedures to control internal and external communications and interfaces are in place. Particular care needs to be taken when dealing with communications from external parties, which might include enforcement authorities, lawyers/solicitors, insurance companies, etc. In many parts of the world there is an increasing trend towards litigation resulting from injuries received in the workplace, so the need to manage the communication process is critical. The procedures also need to define which information relating to the SMS will be divulged to outsiders in addition to the Policy (which from clause 4.2 needs to be available to interested parties).

COMMUNICATION or Comment/Plan

Procedure to define processes for internal and external communication?

Staff aware of procedure?

Staff know the process for making a safety complaint or representing a safety issue

Communications relevant to emergencies covered in procedures?

Arrangements for communicating with contractors and other visitors to the workplace

Documented arrangements for receiving, documenting and responding to relevant communications from external interested parties

PARTICIPATION and CONSULTATION or Comment/Plan

Established, implemented and maintained a procedure(s) for the participation of workers by their

- appropriate involvement in hazard identification, risk assessments and determination of controls;

- appropriate involvement in incident investigation;

- involvement in the development and review of OH&S policies and objectives;

- consultation where there are any changes that affect their OH&S;

- representation on OH&S matters.

Workers are informed about their participation arrangements, including who is their representative(s) on OH&S matters?

Documented arrangements in place for consultation with contractors where there are changes that affect their OH&S?

The organisation to ensure that, when appropriate, relevant external interested parties are consulted about pertinent OH&S issues?


2�


2�

4.4.4 DoCuMeNTATIoN

The organisation needs to document its OHS management system so that all personnel are able to refer to requirements. The description of the documentation requirements for a SMS were previously very limited, this clause has now been significantly revised such that it now provides a more comprehensive description of the documentation required by the Standard. The wording of this clause is very similar to the wording of document requirement clauses in both ISO 9001:2000 and ISO 14001:2004 and describes similar document requirements. The reference to the medium in which documentation may be written, e.g. paper or electronic form, has been removed. However, it has long been accepted that system documentation can be produced in any suitable medium. The footnote to clause 4.4.4, reminding organisations that it is important that system documentation is proportional to the level of complexity, hazard and risk concerned and is kept to the minimum required for effectiveness and efficiency, has been retained.

KEY REQUIREMENTS

OHSAS 18001 requires that OHS system documentation includes:

OH&S policy and objectives. Not a new requirement in that clause 4.2 requires the OH&S policy to be documented and clause 4.3.3 requires documented objectives; however, this is new wording for clause 4.4.4.

A description of the scope of the OH&S management system. This is similar to the requirement in ISO 9001:2000. It may be useful to include in this description the wording of the technical scope of the SMS, e.g. the product and service provided by the organisation as well as the geographic locations covered by the SMS.

A description of the main elements of the OH&S management system and their interaction, and reference to related documents. This requirement is also similar to the document requirements of ISO 9001:2000 and ISO 14001:2004. This is often addressed by the use of a process map showing the principal elements of the management system and how they work together as a system and the link to system documentation. The same approach can be used for the SMS.

Documents, including records, required by this OHSAS standard. Again a requirement similar to that in the other standards which requires that the system documentation includes the documents and records that are cited throughout the standard.

Documents, including records, determined by the organisation to be necessary to ensure the effective planning, operation and control of processes that relate to the management of its OH&S risks. Finally another requirement, similar to that in other standards, which provides the opportunity for the organisation to develop and issue whatever documentation it requires and identify and maintain records it considers necessary for the effective operation of the SMS.

There is no reference to specific documents such as a safety manual. It is matter for the organisation to identify the type of documents it wants to support the structure of the SMS. The familiar three- or four-tiered pyramid documentation model is still an acceptable means of developing and arranging system documentation.

SYSTEM DOCUMENTATION or Comment/Plan

Documented Policy and Objectives

Description of the scope of the SMS

Description of the main elements of the OH&S management system, their interaction and reference to related documents, e.g. system procedures, other systems etc.

Documents, including records, required by this OHSAS standard

Documents, including records, determined by the organisation to be necessary to ensure the effective planning, operation and control of processes that relate to the management of its OH&S risks

Documents are subject to document control disciplines?


�0


�1

• Ensure that documents remain legible and readily identifiable. Again although a revised requirement this is a standard document control requirement.

• Ensure that documents of external origin determined by the organisation to be necessary for the planning and operation of the OH&S management system are identified and their distribution controlled. Although a standard document control requirement this was not included in the previous version of the standard. To some extent there is a link here with clause 4.3.2 as many documents of external origin may relate to regulatory requirements.

• Prevent the unintended use of obsolete documents and apply suitable identification to them if they are retained for any purpose.

DOCUMENT CONTROL or Comment/Plan

Procedure in place to define mechanism for the control of documents.

Procedure includes:

• Approval of documents for adequacy prior to issue

• Arrangements to review and update as necessary and re-approve documents

• Measures to ensure that changes and the current revision status of documents are identified

• Measures to ensure that relevant versions of applicable documents are available at points of use

• Reference to a master list of documents and a list of document holders to ensure they are available to those who need them

• Measures to ensure that documents remain legible and readily identifiable

4.4.5 CoNTRol oF DoCuMeNTS

The wording of this clause is now almost word for word identical to that in other standards, e.g. ISO 9001:2000 clause 4.2.3. The requirements have been strengthened and slightly expanded. The intent of the clause has not changed in that overall document control aims to ensure that the latest versions of system documentation are available to personnel at points of use. Organisations which have a Quality (QMS) or Environmental (EMS) management system will be familiar with the requirements of this clause. With very little change to wording a document control procedure from a QMS or EMS will fit with the requirements of OHSAS 18001.

KEY REQUIREMENTS

OHSAS 18001 requires that documents are controlled so that they can be located, are approved before issue and periodically reviewed. The revised requirements are listed below. Where requirements are new or revised they are shown in bold italics.

Documents required by the OH&S management system and by this OHSAS Standard shall be controlled. Records are a special type of document and shall be controlled in accordance with the requirements given in 4.5.4. This is new introductory wording to this clause but simply makes the statement that documents shall be controlled and draws attention to the requirements for the control records which are described in clause 4,5,4.

The organisation shall establish, implement and maintain a procedure(s) to

• Approve documents for adequacy prior to issue. There is only a minor change here requiring documents to be approved for adequacy prior to issue.

• Review and update as necessary and re-approve documents.

• Ensure that changes and the current revision status of documents are identified. Although a revised requirement this is a standard document control requirement.

• Ensure that relevant versions of applicable documents are available at points of use.


�2


��

• Removal and disposal of obsolete documents unless retained for reference or historical reasons. A means of identification if retained

• Arrangements to ensure that documents of external origin determined by the organisation to be necessary for the planning and operation of the OH&S management system are identified and their distribution controlled

4.4.6 oPeRATIoNAl CoNTRol

This clause of OHSAS 18001 relates to the actual performance of tasks to which OHS hazard and risk is attached, and for which controls may be needed to eliminate or control risks. Essentially operational controls are developed from the outcome of risk assessment. Operational controls can take many forms and can include training, preventive maintenance or documented procedures. The need for separate procedures, work instructions, safe systems of work etc., as a means of risk control needs to take into account the risk levels and the competence level of the personnel involved. It is also important to remember when developing new operational controls or revising existing controls to apply the hierarchy of controls listed at clause 4.3.1

KEY REQUIREMENTS

OHSAS 18001 requires that the organisation needs to identify the operations and activities which are associated with identified hazards where control measures need to be applied. Key requirements are listed below, where requirements are new they are shown in bold italics.

• The organisation shall determine those operations and activities that are associated with the identified hazard(s) where the implementation of controls is necessary to manage the OH&S risk(s). This shall include the management of change (see 4.3.1). Although the wording has been revised this introductory paragraph is essentially the same as the previous standard. However, there is a stronger emphasis on the word hazard and

now reference to the management of change the full requirement for which is cited in clause 4.3.1.

• For those operations and activities, the organisation shall implement and maintain:

• operational controls, as applicable to the organisation and its activities; the organisation shall integrate those operational controls into its overall OH&S management system

• controls related to purchased goods, equipment and services

• controls related to contractors and other visitors to the workplace

• documented procedures, to cover situations where their absence could lead to deviations from the OH&S policy and the objectives

• stipulated operating criteria where their absence could lead to deviations from the OH&S policy and objectives. Not an entirely new requirement but a slightly enhanced wording of the requirement in the previous standard.

OPERATIONAL CONTROL or Comment/Plan

Documented procedures, to cover situations where their absence could lead to deviations from the OH&S policy and the objectives

Operational control procedures are in place for all relevant significant risks?

Hierarchy of controls applied

Controls related to purchased goods, equipment and services in place

Are operational controls subject to effective document control and available where needed?

Controls related to contractors and other visitors to the workplace


��


��

Many organisations do take in to account the requirements of the emergency services and neighbours as a matter of course and in some cases legislation requires this, e.g. COMA.

• The organisation shall also periodically test its procedure(s) to respond to emergency situations, where practicable, involving relevant interested parties as appropriate. The requirement to test emergency arrangements is not new but the need to involve interested parties, e.g. the emergency services, as appropriate is new.

• The organisation shall periodically review and, where necessary, revise its emergency preparedness and response procedure(s), in particular, after periodical testing and after the occurrence of emergency situations (see 4.5.3).

EMERGENCY PREPAREDNESS or Comment/Plan

AND RESPONSE

Procedure in place to identify potential emergency situations, develop and document measures to prevent, control and mitigate the effects?

The planning of emergency responses take account of the needs of relevant interested parties, e.g. emergency services and neighbours

All potential emergency situations identified e.g.:

Fire Toxic gas/fumes

Flood Radiation

The weather Injury

Power cuts Equipment failure

Spillage

Explosions

Emergency procedures and plans are documented and subject to document control Responsibilities are clear and known to relevant staff

Are operational control procedures communicated to suppliers and contractors where needed

Management of change considered where appropriate

Are Permit to Work systems in use if relevant

4.4.7 eMeRGeNCy PRePAReDNeSS AND ReSPoNSe

The organisation needs to consider what needs to happen if, or when, things go wrong. The range of emergencies which might arise can be wide, there needs to be some thought as to what can be controlled by the organisation, and what the potential consequences of any emergency might be.

KEY REQUIREMENTS

OHSAS 18001 requires: A procedure to identify potential emergency situations and to respond to them thereby preventing or mitigating any adverse OHS consequences. The key requirements are listed below. Where requirements are new they are shown in bold italics.

• The organisation shall establish, implement and maintain a procedure(s):

• Identify the potential for emergency situations.

• Respond to such emergency situations.

• The organisation shall respond to actual emergency situations and prevent or mitigate associated adverse OH&S consequences. This is a definite requirement to respond to emergency situations and for that response to prevent or mitigate OHS consequences.

• In planning its emergency response the organisation shall take account of the needs of relevant interested parties, e.g. emergency services and neighbours. The requirement to plan emergency response has always been in place, but what is new is the need to take into account the needs of interested parties.


��


��

Plans are periodically tested where practicable. Interested parties involved as appropriate

There is a schedule for future tests?

Records of tests, emergencies and false alarms are maintained?

Procedures are amended in the light of experience from tests, drills and incidents if necessary

Emergency equipment maintained, e.g. fire extinguishers, sprinkler systems, alarms emergency lighting, spill kits etc. (See clause 4.3.1)

Staff with emergency response responsibilities are trained and competent

4.5.1 PeRFoRMANCe, MeASuReMeNT AND MoNIToRING

Clause 4.5 is the checking part of the Standard and focuses on SMS monitoring mechanisms which are intended to determine OHS performance and the effectiveness of the SMS. The principal focus of monitoring is to identify opportunities for the improvement of both OHS performance and the effectiveness of the SMS. The tile of clause 4.5.1 has been revised but the requirements within this clause have not changed significantly, some minor wording changes have been made to strengthen the effectiveness of performance monitoring.

KEY REQUIREMENTS

OHSAS 18001 requires that OHS performance is monitored on a regular basis. Key requirements are listed below, where requirements are new they are shown in bold italics

The organisation shall establish, implement and maintain a procedure(s) to monitor and measure OH&S performance on a regular basis. This procedure(s) shall provide for:

• Both qualitative and quantitative measures, appropriate to the needs of the organisation.

• Monitoring to the extent to which the organisation’s OH&S objectives are met..

• Monitoring the effectiveness of controls (for health as well as safety). The new requirement here is the need to monitor health as well as safety and supports the commitment to prevent ill health and injury.

• Proactive measures of performance that monitor conformance with the OH & S programme(s), controls and operational criteria.

• Reactive measures of performance that monitor ill health, incidents (including accidents, near-misses etc.) and other historical evidence of deficient OH&S performance. A very small change in wording here that does not change the overall requirement, which remains the same as that shown in the previous Standard.

• Recording of data and results of monitoring and measurement sufficient to facilitate subsequent corrective action and preventive action analysis.

• If equipment is required to monitor or measure performance, the organisation shall establish, implement and maintain procedures for the calibration of such equipment, as appropriate. Records of calibration and maintenance activities shall be retained.

PERFORMANCE MEASUREMENT or Comment/Plan

AND MONITORING

Procedures established, implemented and maintained to monitor and measure OH&S performance on a regular basis

Procedure(s) include both qualitative and quantitative measures, appropriate to the needs of the organisation

Is there monitoring of the extent to which the organisation’s OH&S objectives are met?


��


��

Is the effectiveness of controls (for health as well as for safety) monitored?

Proactive measures of performance that monitor conformance with the OH&S programme(s), controls and operational criteria identified

Procedure(s) include reactive measures of performance that monitor ill health, incidents (including accidents, near-misses, etc.), and other historical evidence of deficient OH&S performance

Procedure(s) provide for recording of data and results of monitoring and measurement sufficient to facilitate subsequent corrective action and preventive action analysis

Monitoring instruments and equipment calibrated and maintained to ensure accuracy of measurement

Methods of calibration are defined and traceable to National Standards

Calibration status is clear

Are the records of calibration and maintenance activities retained? Records are kept of calibration certificates and of which instrument was used for each test

4.5.2 evAluATIoN oF CoMPlIANCe

This is a completely new requirement which is intended to ensure the evaluation of compliance with legal and other requirements. It is true to say that many organisations previously implemented compliance evaluation arrangements but now this is a specific requirement. The content of this clause has been extracted from ISO 14001 where it was introduced as part of the 2004 revision of that Standard. Those organisations which have implemented

an EMS will have little difficulty with this requirement as they will have developed arrangements to evaluate compliance with environmental legislation. Those organisations implementing an SMS or revising an existing SMS will now need to develop compliance evaluation arrangements.

Clause 4.5.2 has been split into two sub-clauses; 4.5.2.1 contains requirements for the evaluation of applicable legal requirements and clause 4.5.2.2 contains requirements for the evaluation of other requirements to which the organisation subscribes.

KEY REQUIREMENTS

OHSAS 18001 requires that compliance with applicable legal and other requirements is monitored and records maintained. Where requirements are new they are shown in bold italics.

4.5.2.1 Consistent with its commitment to compliance (see 4.2c), the organisation shall establish, implement and maintain a procedure(s) for periodically evaluating compliance with applicable legal requirements (see 4.3.2).

The organisation shall keep records of the results of the periodic evaluations.

NOTE The frequency of periodic evaluation may vary for differing legal requirements.

4.5.2.2 The organisation shall evaluate compliance with other requirements to which it subscribes (see 4.3.2). The organisation may wish to combine this evaluation with the evaluation of legal compliance referred to in 4.5.2.1 or to establish a separate procedure(s). To reduce system documentation one procedure can be produced to describe the evaluation of both legal and other requirements and both evaluations may be combined.

The organisation shall keep records of the results of the periodic evaluations.

NOTE The frequency of periodic evaluation may vary for various other requirements to which the organisation subscribes.


�0


�1

EVALUATION OF COMPLIANCE or Comment/Plan

Procedure(s) for periodically evaluating compliance with applicable legal requirements in place

Records maintained of the results of the periodic evaluations

Procedure for evaluating compliance with other requirements to which the organisation subscribes in place

Does the organisation keep records of the results of the periodic evaluations?

4.5.3 INCIDeNT INveSTIGATIoN, NoN-CoNFoRMITy, CoRReCTIve AND PReveNTIve ACTIoN

Clause 4.5.3, previously clause 4.5.2, has been revised,

restructured and split into two sub-clauses.

Clause 4.5.3.1 Incident Investigation: this sub-clause is consistent

with the new focus on incidents rather than accidents and sets

out the requirements for procedures to complete the investigation

of incidents. The results of investigations should facilitate the

identification and implementation of appropriate corrective and

preventive actions which either prevent occurrence or recurrence

of the incidents and that lessons are learned. Overall the

requirements listed below always were part of the investigation or

part of the outcome of investigations.

KEY REQUIREMENTS

OHSAS 18001 requires the organisation shall establish, implement

and maintain procedure(s) to investigate and analyse incident data.

Where requirements are new they are shown in bold italics.

The organisation shall establish, implement and maintain a procedure(s) to record, investigate and analyse incidents in order to -

• determine underlying OH&S deficiencies and other factors that might be causing or contributing to the occurrence of incidents.

• identify the need for corrective action

• identify opportunities for preventive action

• identify opportunities for continuous improvement

• communicate the results of such investigations

The wording of this requirement has been enhanced to ensure that incidents are investigated and the results are recorded and analysed.

The investigations shall be performed in a timely manner. This was always part of the recognised requirements for conducting an investigation now it is a definite requirement of the standard.

Any identified need for corrective action or opportunities for preventive action shall be dealt with in accordance with the relevant parts of 4.5.3.2.

The results of incident investigations shall be documented and maintained.

Clause 4.5.3.2 Non-conformity, Corrective and Preventive Action. This clause is in part a revision of the previous OHSAS 18001 clause and the inclusion of wording from other Standards. Consequently the clause is significantly more comprehensive. This is to ensure that corrective and preventive actions are effectively identified, implemented and closed, also that the effectiveness of corrective and preventive action is determined.

KEY REQUIREMENTS

OHSAS 18001 requires the organisation to put in place procedures to respond to safety related non-conformances. The definitions given in OHSAS 18001 are helpful in understanding the differences in terms. This clause addresses the need to manage things that either could have gone wrong or actually have gone wrong. Where requirements are new they are shown in bold italics.


�2


��

The organisation shall establish, implement and maintain a procedure(s) for dealing with actual and potential non-conformities and for taking corrective action and preventive action. The procedure(s) shall define requirements for

• identifying and correcting non-conformity(ies) and taking action(s) to mitigate their OH&S consequences,

• investigating non-conformity(ies), determining their cause(s) and taking actions in order to avoid their recurrence,

• evaluating the need for action(s) to prevent non-conformity(ies) and implementing appropriate actions designed to avoid their occurrence,

• recording and communicating the results of corrective action(s) and preventive action(s) taken, and

• reviewing the effectiveness of corrective action(s) and preventive action(s) taken.

Where the corrective action and preventive action identifies new or changed hazards or the need for new or changed controls, the procedure shall require that the proposed actions shall be taken through a risk assessment prior to implementation. This requirement was part of the previous OHSAS 18001 requirement but previous wording was to some extent impractical. The revised wording provides an element of choice in the application of this requirement and makes implementation more sensible.

Any corrective action or preventive action taken to eliminate the causes of actual and potential non-conformity(ies) shall be appropriate to the magnitude of problems and commensurate with the OH&S risk(s) encountered.

The organisation shall ensure that any necessary changes arising from corrective action and preventive action are made to the OH&S management system documentation.

INCIDENT INVESTIGATION OF or Comment/Plan

NON-CONFORMITY, CORRECTIVE

AND PREVENTIVE ACTION

4.5.3.1 Incident Investigation

Procedures established, implemented and maintained to record, investigate and analyse incidents in order to determine underlying OH&S deficiencies and other factors that may be causing or contributing to the occurrence of incidents

Procedures include arrangements to identify the need for corrective action, identify opportunities for preventive action and identify opportunities for continuous improvement?

Results of investigations communicated

Investigations performed in a timely manner?

Any identified need for corrective action or opportunities for preventive action dealt with in accordance with the relevant parts of 4.5.3.2?

Legal and other requirements addressed

The results of incident investigations documented and maintained?

Staff trained to undertake incident investigation

4.5.3.2 Non-conformity, Corrective Action and Preventive Action

Procedure(s) for dealing with actual and potential non-conformity(ies) and for taking corrective action and preventive action implemented


��


��

Procedure(s) define requirements for identifying and correcting non-conformity(ies) and taking action(s) to mitigate their OH&S consequences?

Corrective action - Procedure(s) define requirements for investigating non-conformity(ies), determining their cause(s) and taking actions in order to avoid their recurrence?

Preventive Action - Procedure(s) define requirements for evaluating the need for action(s) to prevent non-conformity(ies) and implementing appropriate actions designed to avoid their occurrence?

The results of corrective action(s) and preventive action(s) recorded and communicated

The effectiveness of corrective action(s) and preventive action(s) reviewed and confirmed

Does the procedure require that the proposed actions shall be taken through a risk assessment prior to implementation where the corrective action and preventive action identifies new or changed hazards or the need for new or changed controls?

Changes arising from corrective action and preventive action made to the OH&S management system documentation?

Staff recognise and report non-conformances?

Non-conformance identified by Internal Audit handled in accordance with the procedure

4.5.4 CoNTRol oF ReCoRDS

Records are essential to demonstrate the satisfactory operation of the safety management system. Records are equally essential in the event of a system failure, in either providing support to stated fact, or as a tool to identify gaps or failures in the management system. The procedure for the control of records should require that records be legible, protected and readily retrievable. A key issue for safety-related records is for retention times to be stated. In this regard, it is essential that the organisation has knowledge of any legislation surrounding either accident or ill-health-related claims, which may set outer limits for claims to be made. The organisation may need to defend itself against such claims, and it will be important for it to be able to demonstrate what controls were in place at the time of any incident.

KEY REQUIREMENTS

OHSAS 18001 requires an organisation to ensure that it develops a procedure for identifying, maintaining and disposition of safety-related records. Although the wording to this clause has been revised the requirements are almost exactly the same as those found in both ISO 9001:2000 and ISO 14001:2004 for the control of records.

• The organisation shall establish and maintain records as necessary to demonstrate conformity to the requirements of its OH&S management system and of this OHSAS Standard, and the results achieved.

• The organisation shall establish, implement and maintain a procedure(s) for the identification, storage, protection, retrieval, retention and disposal of records.

• Records shall be and remain legible, identifiable and traceable.


��


��

CONTROL OF RECORDS or Comment/Plan

Records maintained as required by the Standard to demonstrate conformity to the requirements of its OH&S management system and of this OHSAS Standard, and the results achieved?

Procedure define arrangements for:

identification,

storage,

protection – e.g. computer back-up,

retrieval – records readily retrievable

retention – retention times defined

disposal

Are records legible, identifiable and traceable?

4.5.5 INTeRNAl AuDIT

In common with EMS and QMS standards, OHSAS 18001 requires that the system is subject to formal audit to provide assurance that it is providing the benefits that the organisation expects. This clause remains largely unaltered; however, some wording from other standards has been included. The frequency of audits must be related to OHS risk levels. It is also important that all elements of the SMS, including those elements which are more system related, such as document control, records, system audits, management review etc. are subject to audit.

KEY REQUIREMENTS

OHSAS 18001 requires that an organisation confirms through internal audit that the implemented SMS complies with intentions and with the requirements of OHSAS 18001. Where requirements are new they are shown in bold italics.

The organisation shall ensure that internal audits of the OH&S management system are conducted at planned intervals to determine whether the OH&S management system

• conforms to planned arrangements for OH&S management including the requirements of this OHSAS Standard

• has been properly implemented and is maintained, and

• is effective in meeting the organisation’s policy and objectives

• provide information on the results of audits to management.

Audit programme(s) shall be planned, established, implemented and maintained by the organisation, based on the results of risk assessments of the organisation’s activities, and the results of previous audits.

Audit procedure(s) shall be established, implemented and maintained that address

• the responsibilities, competencies, and requirements for planning and conducting audits, reporting results and retaining associated records,

• the determination of audit criteria, scope, frequency and methods.

• Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process. There always was a requirement for auditors to be independent but the wording has been changed to be a little more explanatory and ensure that the audit process is impartial and objective.

INTERNAL AUDIT or Comment/Plan

Procedure in place to describe the audit process:

• Production of schedule/programme based on risk significance and the results of previous audits

• Responsibilities and competencies for planning audits

• Carrying out the audit

• Reporting audits

• Establishing audit criteria, scope, frequency of audits

• Non-conformance reporting and close-out


��


��

Input to management reviews shall include

• results of internal audits and evaluations of compliance with applicable legal requirements and with other requirements to which the organisation subscribes,

• the results of participation and consultation (see 4.4.3)

• relevant communication(s) from external interested parties, including complaints,

• the OH&S performance of the organisation,

• the extent to which objectives have been met,

• status of incident investigations, corrective actions and preventive actions,

• follow-up actions from previous management reviews,

• changing circumstances, including developments in legal and other requirements related to OH&S, and

• recommendations for improvement.

Previously these requirements were described in OHSAS 18002:2000 but have now been defined in the Standard.

The outputs from management reviews shall be consistent with the organisation’s commitment to continuous improvement and shall include any decisions and actions related to possible changes to

• OH&S performance

• OH&S policy and objectives

• resources, and

• other elements of the OH&S management system

Relevant outputs from management review shall be made available for communication and consultation (see 4.4.3).

Overall clause 4.6 is lengthy and detailed but only sets out that which was expected of an effective management review.

• Review of SMS by ‘top management’ at predetermined intervals

• Reporting by the Management Representative

• Review needed for changes to Policy, Objectives and other elements of the SMS

• At least one management review to be carried out before third party certification

Schedule covers all areas/procedures and SMS functions in a given time?

Document control and approval of audit paperwork including schedule?

Internal auditors trained Able to identify a SMS and safety non-conformance Have an understanding of applicable legal and other requirements

Non-conformances actioned in a timely manner?

4.6 MANAGeMeNT RevIeW

The requirement to carry out formal management reviews of the SMS is common with that of other management system standards. Management Review, if carried out fully and effectively, will help the organisation to develop its SMS so that overall safety performance is improved. Previously this clause was somewhat sketchy but has been significantly revised to include both required inputs, effectively the review agenda, and outputs. This is in keeping with the management review requirements of both EMS and QMS Standards and some inputs have been taken from both these standards.

KEY REQUIREMENTS

OHSAS 18001 requires that the organisation’s top management review the SMS at planned intervals. Where requirements are new they shown in bold italics.

Top management shall review the organisation’s OH&S management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. Reviews shall include assessing opportunities for improvement and the need for changes to the OH&S management system, including the OH&S policy and OH&S objectives. Records of the management reviews shall be retained.


�0


�1

• Contact SGS as early in the process as possible

• Don’t ask for the certification audit until you are sure you are ready!

The certification process breaks down into five stages:

• Pre-audit (not mandatory at this stage but highly recommended as assess an organisation preparedness for assessment)

• Review of documented system against the Standard and according to the scope of certification

• Certification Audit

• Certification

• Ongoing surveillance visits

The pre-audit reviews the key processes of hazard identification and risk assessment, audits, identification of legislation and also checks that the system is designed to deliver continuous improvement.

The document review is a detailed review of the documented system to verify that it complies with both OHSAS 18001 and the needs of the organisation.

The certification audit then verifies that the system is fully implemented and functioning. All requirements of the Standard are checked on a sampling basis across all of the organisation’s operations.

MANAGEMENT REVIEW or Comment/Plan

Frequency and format of reviews is documented NB there is no specific requirement for a meeting

Attendees at meeting listed in procedure? e.g. Management Appointee and senior management

Reviews take place at specified frequency?

Reviews included all the required inputs and outputs

Records, e.g. meeting minutes are kept?

Actions assigned and followed up?

Outputs from management review available for consultation and communicated to relevant personnel

Certification of OHSAS 18001:2007 management systems is supported by UKAS accreditation. However, in all countries, accredited third-party certifications are supported by the International Accreditation Forum Guidelines, which describe how certification bodies must function and expand a little on the Standard. Despite the fact that accredited certification is not available in all countries, you can rest assured that SGS applies the same level of controls required by accreditation bodies to all of its OHSAS certification activities.

Finally, some pointers on what helps an organisation to achieve certification at the first attempt:

• Make sure the system is fully implemented

• Carry out at least one full sweep of internal audits and carry out any resulting corrective and preventive actions

• Ensure that all personnel understand the system, Policy and objectives

• Have evidence available to show that the process of continuous improvement is actually happening


�2


��

TRAINING FRoM SGS

OHSAS 18001:2007 – Safety Management Systems Training

SGS can help provide the appropriate training solution as part of your system development.

Our OHSAS courses are designed to challenge and provoke powerful ideas and pragmatic solutions for participants to improve health and safety in line with their business needs.

A selection of our OHSAS 18001:2007 courses are listed below. The courses are certified by IRCA (International Register of Certified Auditors) and are scheduled publicly and can also be delivered in company:

Introduction & Awareness to OHSAS 18001:2007 – An introduction for anyone involved in developing, implementing and managing an occupational health and safety management system

OHSAS 18001:2007 Internal Auditor - This course will equip participants with the knowledge and skills needed to assess an internal occupational health and safety management system.

OHSAS 18001: 2007 Lead Auditor - This course is designed for participants who are, or will be, responsible for auditing safety management systems.

To find out more contact our customer service team on +44 (0)1276 697777, e-mail [email protected] or visit our website www.training.uk.sgs.com


��


��

The SGS Group

The SGS Group of companies is the world’s largest organisation in the field of inspection, verification, testing and certification. The Group comprises more than 300 affiliated companies, each separately organised and managed in accordance with the laws and local practices of the countries in which it does business.

Founded in 1878, it has expanded across the world, operating in over 140 countries, 845 offices, 338 laboratories and with more than 50,000 employees. Since it was established the SGS Group has remained dedicated to its independence as a guarantee of its total impartiality. SGS does not engage in any manufacturing, trading or financial activities which might compromise its independence and neutrality.

For more information, please contact:

SGS United Kingdom Ltd Systems & Services Certification SGS House 217-221 London Road Camberley Surrey GU15 3EY United Kingdom

Tel: +44 (0)1276 697999 Fax: +44 (0)1276 697696

email: [email protected] web: www.uk.sgs.com/ohsas_18001

The RouTe To ohSAS 18001Avoiding The piTfAllS

WWW.uK.SgS.CoM

SGS 5258/0308

neWUPDATED TO THE 2007 VERSION OF THE STANDARD

Booklet now includes commentary on the 2007

changes to the 18001 standard