Implementing an OHSMS - LRQA Guidance


What you should be aware of when implementing it!

The health and safety of people, the need to maintain a good business reputation and meet its legal and other requirements are four very good reasons why organisations are taking health and safety management seriously.

Combined with the adverse publicity and subsequent loss of reputation arising from incidents, it makes good commercial sense to protect the losses to the bottom line by formalising any existing health and safety management system and opt for independent third-party accredited certification to the internationally recognised occupational health and safety specification, OHSAS 18001 to demonstrate this.

When considering development and implementation of a health and safety management system, many companies are surprised they already have many of the components in place that would constitute parts of such a system.

Since its publication in 1999, LRQA has been helping organisations achieve certification to this health and safety specification. We were instrumental in its development and we were the first and currently the only organisation to have achieved worldwide accreditation for all industrial sectors with the United Kingdom Accreditation Service (UKAS). The useful experience used in this article is sourced from those who have struggled to implement 18001. None had all the problems but the experiences are far from unique.

This article provides some practical guidance and advice for those tasked with gaining OHSAS certification for their organisations and complements the article: ‘Implementing an Occupational Health and Safety Management System (OHSMS) - a Consultant's Viewpoint’. If you are starting to implement your management system, we would advise you to read both along with OHSAS 18002:2008 Occupational health and safety management systems — Guidelines for the implementation of OHSAS 18001:2007 in order to gain a balanced perspective.

This article has been written by Technical Managers Mick Fredricks, Judith Turner, and Senior Management Systems Assessor, Ged Farmer of LRQA.

Introduction - Before you start with the standard

Introduction - Before you start with the standard

Health and safety issues affect all organisations to some degree and potential hazards and risks exist with each activity conducted. Traditionally, Occupational Health and Safety (OHS) Management in Europe and the US has been based very much on compliance with prescriptive legislative requirements. In other words, it has been based on controls that were imposed for particular risks as they were prescribed via legislation or regulatory guidance. The modern principle of risk-based safety management (adopted from the UK’s goal and risk based legislation) places the responsibility much more firmly with the organisation itself to determine what it needs to do in order to adequately control risks given its own particular circumstances.

As a management systems-based solution, OHSAS 18001 reflects this latter principle. It was first published in 1999, and revised in 2007, as a single specification for the management of occupational health and safety with universal applicability. OHSAS 18002: 2008 provides guidance on the implementation of OHSAS 18001:2007.

The aim of this article is to provide practical guidance on implementation of a safety management system in line with the requirements of OHSAS 18001, from the perspective of a certification body. It draws on experience gained from LRQA certification assessments ranging back as far as 1998, when pilot programme assessments commenced against the precursor to OHSAS 18001 (known as BS8800). We would advise that this article is read in conjunction with the complementary article, ‘Safety Management Systems’, compiled by Messam and Rider Ltd and also available on this website. Together, the Certification Body and Consultant’s views should provide an overall balanced opinion on the practical implications of implementing an Occupational Health and Safety system.

Before you start with the standard

Be holistic. Get a team of experienced employees and persons that have knowledge of occupational health and safety together and:

  • identify all locations from where you operate your business
  • identify those persons that you have or should have control over
  • identify your activities
  • consider what is acceptable risk in terms of how often and how severely injured you are prepared to defend as acceptable in front of your legislators
  • similarly, what is the acceptable level of ill health that can be caused by your activities.

If you can identify activities or conditions that do not provide acceptable level of freedom from harm and injury, then you are falling short on your policy commitments and precluding the opportunity to be certified to BS OHSAS 18001:2007.

At LRQA, we do not certify:

  • intent to do things – we only make recommendation based upon evidence of routine robust implementation of your OH&S Management System once it is itself compliant with BS OHSAS 18001:2007.
  • we do not certify or withdraw certification on the basis of injury statistics, rather the ability to identify and control significant hazards will form the basis of any recommendation.

Structure of OHSAS 18001

Structure of OHSAS 18001

If you consider the heart of occupational health and safety (OH&S) management system as being the Risk Assessment process – which includes hazard identification, risk evaluation and risk control - then the outputs for the control of significant hazards go on to specify the requirements of all other clauses. This will also both keep necessary requirements in place while rejecting those that are superfluous! This enables you to maintain an effective and efficient OH&S management system.

As a management system, OHSAS 18001 is also compatible and similar in many ways to ISO 9001 and ISO 14001, which address quality and environmental issues respectively. It requires a ‘Plan - Do - Check - Act’ approach, based on the principle of continual improvement. A previously discussed, it is not sufficient to purely implement each of the clauses of the Specification in isolation. Instead, they must be connected together as, for example, there is no point identifying (through risk assessment processes) that controls are needed to manage specific hazards, if the controls are not then adequately defined and effectively implemented. If it is determined that controls are needed, then there must also be provision in the system for checking that the controls are adequate, effective and also that corrective action is defined and taken if they are not.

OHSAS 18001 is structured into five distinct sections as follows:

  • General Requirements & Policy (4.1 & 4.2)
  • Planning (4.3)
  • Implementation and Operation (4.4)
  • Checking (4.5)
  • Management Review (4.6)

This article will take each in turn and give practical advice on the requirements contained in the Specification, along with advice on implementation and examples of weaknesses that are routinely identified during certification assessments.

General Requirements and Policy (4.1 & 4.2)

General Requirements and Policy (4.1 & 4.2)

General Requirements (4.1)

'The organisation shall establish, document, implement, maintain and continually improve an OH&S management system in accordance with the requirements of this OHSAS Standard and determine how it will fulfil these requirements.

'The organization shall define and document the scope of its OH&S management system.'

BS OHSAS 18001:2007. Clause 4.1.

This general requirement is very simply stated and, as such, requires that all of the clauses of the specification are implemented and maintained in order to achieve continual improvement. The system should be documented as required, and critically where stated in the Specification. The Specification does not provide for the exclusion of any of the clauses or requirements and it is important to note that the scope of 18001 does not include product safety, except to the extent that it can affect people occupationally. The scope of the system must be documented and this normally is a far more detailed description than the scope on an accredited certificate.

The purpose of the scope is to enable, all, to understand the coverage of the organisation’s activities within the OH&S management system.

Policy (4.2)

This is the face of the system. It needs to be defined by top level management so that all players in attaining the objectives understand that they are both covered by this Policy and they are required to support it. Certain specific commitments are required to be contained within the policy and all of these must be implemented and demonstrable during the assessment process to allow certification to OHSAS 18001 to be recommended.

The master copy of the policy must be personally signed to evidence accountability at the highest level.

The Policy drafting must have involved participation of employees and when issued be communicated to all persons under the control of the organisation (eg, employees and relevant contractors) who may be affected by it, in order that they can understand their responsibilities within the system. The intent is not that everyone can recite the Policy, but that they know how it affects them and their part in complying with it to achieve its aims.

It can be combined with other existing policies, such as Environment or Quality.

OHSAS Requirements


  • Defined and authorised by Top Management
  • Appropriate to H&S risks


  • Prevention of injury and ill health
  • Continual improvement of occupational health and safety management and performance
  • To at least comply with legislation and other requirements that are subscribed to related to its OH&S hazards
  • Setting and reviewing H&S objectives


  • Documented, implemented and maintained
  • Communicated to all persons under the control of the organisation (eg, employees, contractors and visitors) who may be affected by it
  • Available to interested parties
  • Reviewed periodically to ensure that it remains relevant and appropriate.

Assessment Weaknesses

All too often policy statements, objectives and commitments are unrealistic because they are unspecific, unachievable, there is insufficient resource available to deliver them or they are unable to be demonstrated.

As the key driver to the system, there should be sufficient transparent linkage into and out of the system, eg risk assessments. Where these links are missing, the Policy remains as a stand alone document with little purpose or benefit.

During the certification assessment, reference is made to the commitments and broad objectives shown in the Policy. Failure of an organisation to provide evidence of the implementation of these would preclude a recommendation for certification being made.

Planning (4.3)

Planning (4.3)

Planning for hazard identification, risk assessment and risk control (4.3.1)

The risk assessment process should be the means by which the organisation identifies and considers the adequacy of the means by which it controls its risks. It should be a comprehensive exercise to review and test controls for existing activities and a pro-active identification of potential hazards for proposed activities.

OHSAS Requirements

Clause 4.3.1 of the BS OHSAS 18001:2007 Specification requires that:

‘The Organisation shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk evaluation, and determination of necessary control measures’ to achieve acceptable risk.

It is not the intention of OHSAS 18001 to impose complex hazard identification, risk assessment and risk controls where they are not applicable. Suitable and sufficient are the watch words.

The processes should take into account:

  • size of the organisation
  • workplace activities (routine and non-routine)
  • nature, complexity and significance of the uncontrolled hazards
  • cost and time involved in undertaking and maintaining the processes
  • availability of reliable data.

Clause 4.3.1 has a list (a – j) of specific elements that must be included within the risk assessment process where relevant, and be demonstrable.

The methodology for hazard identification and risk assessment shall:

  • be defined with respect to scope, nature and timing
  • be proactive rather than reactive
  • provide for identification, prioritisation and documentation of risks
  • provide for the application of controls
  • include management of change aspects
  • risks in line with the risk reduction hierarchy
  • be documented and kept up to date
  • risks and associated controls are the drivers to defining the necessary requirements for the development and ongoing maintenance of the management system

Assessment Weaknesses

The hazard identification and risk assessment process should not be merely a form-filling exercise, based on assumptions that the existing controls are adequate and effectively implemented. It should also not be seen as a standalone exercise that does not link into other parts of the system. It needs to be kept up to date and the link to Clause is notably absent at the early stages of assessment. Here the Specification requires that all proposed corrective and preventive actions involving new or changed hazards or controls shall be reviewed through the risk assessment process prior to implementation.

It can be based on existing controls as long as these are clearly identified, either within the risk assessment itself or clearly cross-referenced. In addition, single references to ‘use of PPE’ as the lowest form of control are unlikely to be sufficient detail to ensure that, if situations change, the control measures can be adequately reviewed.

Organisations fail to understand and define acceptable risk. Coupled with this failing is the need to focus on the determination of what the significant hazards are, and addressing those to the exclusion of the insignificant hazards.

The risk assessment process should consider both Safety and Health effects. Many methods ignore the latter and consider only short-term accident consequences, eg, fatalities and injuries.

Risk Assessment records are the organisations’ evidence that they have undertaken suitable and sufficient assessment. As such, the outputs from Risk Assessment rather than the Risk Assessment records themselves should be inputted into the operational controls and training material since it is usually far too voluminous to efficiently convey the required controls.

It is important that this clause and associated guidance is read very carefully and clearly understood prior to implementing the system. If this clause is not met correctly, it is likely that other clauses may also not be implemented correctly.

Legal and other requirements (4.3.2)

An organisation implementing OHSAS 18001 needs to ensure it has knowledge of all of the laws or regulatory requirements which may apply to its activities. In addition to legal requirements, the organisation may subscribe to codes of practice or performance measures imposed by the Corporate Body or as a consequence of membership of certain industry associations. It is intended that once implemented, the processes will allow the organisation to be aware of, and promote its, legal responsibilities. There is no necessity to establish large legal libraries that may be rarely used.

OHSAS Requirements

Clause 4.3.2 states that:

‘The Organisation shall establish and maintain a procedure(s) for identifying and accessing the legal and other OH&S requirements that are applicable to it.’

There must be procedures in place to identify and have access to:

  • legal requirements
  • other OH&S requirements that are applicable, ie those to which the organisation subscribes be they from contractual agreements, industry bodies or corporate partners.

The information must be taken into account when implementing and maintaining the system, kept up to date and communicated to persons under the control of the organization, and other relevant parties (eg neighbours if applicable).

Assessment Weaknesses

Inappropriately long registers of legislation are often produced without thought of whether or how these relate to the activities of the organisation. Knowledge of the legal requirements and its implications to the organisation and activities needs to be gained, rather than just updating a long list of legislative titles. The maintenance of compliance with legal and other requirements (see also clause 4.5.2) as a Policy commitment will be sampled however, in order to establish confidence that the system is functioning in this regard and, as such, the knowledge on legal and other requirements needs to be live and current.

Objectives and Programmes (4.3.3)

Continual improvement is at the heart of achieving and maintaining OHSAS 18001 and the setting and achievement of OH&S objectives is one means of establishing continual improvement. Objectives should be consistent with the OH&S Policy (and the framework provided for setting them therein), including the commitment to continual improvement. One or more members of the senior management should be routinely involved in: Establishing OH&S objectives as well as reviewing safety performance; Monitoring and the attainment or otherwise of OH&S objectives.

OHSAS Requirements

The Specification requires that:

‘The Organisation shall establish, implement and maintain documented occupational health and safety objectives, at relevant functions and levels within the Organisation’

And that,

‘The Organisation shall establish, implement and maintain a programme(s) for achieving its objectives’.

The following needs to be in place, therefore:

  • documented occupational health & safety objectives at each relevant function
  • documented occupational health & safety objectives at each relevant level

Objectives should be measurable, wherever possible, and the following should be considered when setting objectives:

  • OH&S Policy commitments
  • OH&S hazards
  • Legal and other requirements
  • Technology options
  • Financial requirements
  • Operational requirements
  • Business requirements
  • Views of interested parties

Management programmes should include documentation of:

  • Accountability, responsibility and authority for achieving the objectives
  • Means by which objectives are to be achieved
  • Timescales by which objectives are to be achieved

The OH&S Management Programmes should be reviewed at regular and planned intervals as necessary to ensure achievement and where slippage is identified, its cause be established and rectified. Note, that sometimes realistic objectives become unrealistic and it is incumbent on management to accept this and to change objectives and/or the programmes appropriately.

Assessment Weaknesses

The setting of objectives should come from information gained through review of other elements within the system to determine where improvements can be made. Sufficient information should be contained within the management programmes to determine who is progressing which action and by what deadline. A process of reviewing progress should also be visible. The key is to be realistic. Large numbers of over ambitious objectives have failed organisations, whereas a smaller number of restricted and quantified objectives can effectively demonstrate continual improvement and accrue considerable credit to the organisation from its interested parties. Where practicable, objectives should be SMART: Specific, Measurable, Achievable, Relevant and Timed.

Implementation and operation (4.4)

Implementation and operation (4.4)

Resources, roles, responsibility, accountability and authority(4.4.1)

OHSAS Requirements

The Specification requires that roles, accountabilities, responsibilities and authorities to achieve these are defined, documented and communicated in order to facilitate effective occupational health and safety management.

Top management must ensure adequate resources are available and used for implementing and maintaining the system. Resources include human resources and specialised skills, organisational infrastructure, technology and financial resources.

A member of top management must also have been given ultimate responsibility for OH&S, implementation and maintenance of the system, and reporting on performance. This may be the same individual who signs the OH&S Policy. Their identity must be available to all relevant persons.

During the assessment process, it is vital that all those with management responsibility be able to demonstrate their commitment to continual improvement of OH&S performance.

Assessment Weaknesses

Roles, accountabilities, responsibilities, and authorities are rarely adequately defined or documented. It is possible to document the key roles and responsibilities in top tier documentation, while responsibilities and authorities to manage the risks can be shown in operational procedures and work instructions. Accountabilities must also be defined and individuals can be accountable both internally to the organization but also externally to the legislature and controlling organisation, for example.

Competence, training and awareness (4.4.2)

OHSAS Requirements

The organisation shall ensure that all person(s) under its control performing tasks that can impact on OH&S is (are) competent on the basis of appropriate education, training or experience, and shall retain those records of awarded competency.

The requirement to define competence is a key component of OHSAS 18001. There may be specific legal requirements or others that come from company needs and experience.

Tasks that may involve OH&S in the workplace should have relevant competencies defined in terms of appropriate:

  • Education
  • Training
  • Experience

Arrangements need to be in place to identify and remedy any shortfalls between the current level of competency (identified as being possessed by an individual) and the required and defined competency.

Procedures need to be in place to make employees aware of the OH&S consequences of their activities and the training procedures need to take account of differing levels of:

  • Responsibility
  • Ability
  • Language/Literacy
  • Risk

To ensure that only competent employees are undertaking tasks.

There should also be assessment of individuals to ensure that they have not only achieved, but are also maintaining, the knowledge and competency required. Any training provided must itself be evaluated as to its effectiveness, and records kept to demonstrate this.

We look for the following during the assessment:

  • Process to define competency requirements
  • Documented competency requirements for individual roles
  • Access to knowledge of how to ensure competent contractors
  • Analysis of training needs for employees
  • Training programmes/ plans for individual employees
  • Range of training courses/products available for use within the organisation
  • Training records and evaluation records (of the effectiveness of training)

Assessment Weaknesses

All personnel whose activities can involve occupational health and safety hazards must receive appropriate training and the link to the risk assessment process is often missing. Similarly, if the competencies are not clearly defined as part of the necessary control measures, then it is difficult to identify any gaps or training needs.

The requirement to have procedures in place to ensure employees are aware is often interpreted as a one-off awareness session. This is normally insufficient and procedures should ensure that awareness is maintained as the system matures and changes with changes in the organisation and / or activities. Hence the system should also be controlling and capturing refresher training records.

Communication, participation and consultation (4.4.3 ( &

OHSAS Requirements

There is a requirement to have procedure(s) to define employee involvement in:

  • hazard identification
  • risk assessments
  • determination of controls
  • incident investigation
  • development and review of policies and objectives
  • consultation arrangements
  • representation.

Employees should be informed about participation arrangements and who their representative is.

Consultation may also be required with contractors where their OH&S may be affected.

Procedures need to be demonstrable to ensure that pertinent OH&S information is communicated to and from employees and other interested parties such as contractors and visitors.

Procedures should also address communications from, and consultation with, external parties (eg HSE, neighbours), and these should be documented and responded to.

Assessment Weaknesses

Although participation, consultation and communication are often demonstrable, the documented procedures as to how this has been, and will be, consistently achieved, and who is involved, are commonly omitted from the system.

Operational control and emergency preparedness (4.4.6 & 4.4.7)

OHSAS Requirements

The organisation must identify operations and activities associated with defined hazards. This element of the system reinforces clause 4.3.1 in relation to hazard identification and the risk evaluation process.

However the use of the words:

... ‘those operations and activities that are associated with identified hazard(s) ...’

…broadens the process into activities which may not themselves have direct hazards, eg, purchasing.

  • Control of these activities, which must include maintenance, must be achieved under ‘stipulated operating criteria’.
  • This specification is only required to be documented where the absence of a documented procedure could jeopardise policy commitments or achievement of objectives
  • Alternative conditions can be specified through, eg, training, communication or staff competence.

It is important that operational control over contractors is maintained, as they often undertake high risk activities that the organisation does not possess the necessary competencies to perform. In turn these may adversely impact on other’s occupational health and safety, including employees.

Emergency situations can arise in any organisation. Even in the lowest risk environment, fires can start or people can fall, warranting action to be taken to respond to the incident. A procedure should therefore be in place to identify the potential for incidents and emergencies. This can sensibly be undertaken during the hazard identification and risk assessment process. For example, look to the significant uncontrolled hazards as a starting point to identify appropriate emergency procedures. Consequently, emergency response should be planned for a wide range of activities from the simplest through to the most complicated. An emergency is purely an unplanned event that results in OH&S implications.

Appropriate emergency equipment should be provided and your response capability should be regularly tested.

It is important that Contractors are advised of their responsibilities throughout the period of their contract and particularly how to respond to emergency situations. They should therefore be involved in the testing of plans, as should external emergency services where they cannot class their response as routine. Also tenants, visitors and other interested parties who may be affected should also be involved in the testing.

Assessment Weaknesses

Implementation of effective operational control is assessed in depth. Weaknesses can be caused by a host of reasons, quite often attributable to failings within other clauses of the standard. If all other clauses are implemented effectively, then weaknesses in operational controls will be reduced.

Weaknesses with respect to emergency preparedness often result from the variety of emergencies not being identified. Also, once this variety is recognised it is often not reflected in planned, and periodic testing. Testing emergency procedures may be through a number of mechanisms, for example, audit, desk top scenario, or live re-enactments. Invaluable information is often lost from actual incidents, when the responses to the emergency plans, are not reviewed.

Often activities of neighbours are erroneously disregarded while the effects of your emergencies on neighbours is addressed.

Checking (4.5)

Checking (4.5)

Performance measurement and monitoring (4.5.1)

OHSAS Requirements

Procedures need to be in place to monitor and measure OH&S performance on a regular basis. This needs to be both proactive and reactive and inclusive of qualitative and quantitative measures as appropriate. Organisations need to decide what to monitor and how often monitoring will take place, based on a level of risk. This will also need to take existing legal requirements into account.

If monitoring equipment is used, the procedures need to be established and maintained for calibration and maintenance, including resultant records.

Assessment Weaknesses

The majority of organisations demonstrate robust reactive monitoring to accidents, ill health, incidents and historical evidence of deficient OH&S performance. However, in terms of pro-actively monitoring operational control including legal requirements, this is poorly demonstrated. Focus should be given to leading indicators as well as lagging indicators.

Evaluation of compliance (4.5.2)

OHSAS Requirements

A Procedure(s) must be implemented to evaluate the extent to which compliance is met against each and every requirement (legal and other) that has been identified through the processes defined in clause 4.3.2. ie those that are significant, in that significant harm maybe realised if adequate controls are not routinely and robustly implemented.

Records must be kept of these evaluations.

Assessment Weaknesses

Many organisations use the audit system to help meet the requirements of this clause. However, audits take samples to a higher degree, are often not in sufficient depth and do not evaluate compliance with each and every requirement that is applicable over a period of time. The certificate is valid for three years. Each requirement should be evaluated at least once for compliance within this period, based on risk. That is, the likelihood of things going wrong because the controls are extensive and /or complex, or the potential for serious harm very evident.

Often, only applicable legal requirements are evaluated and ‘other’ requirements are missed.

Even when compliance evaluation is carried out, many companies do not effectively manage and monitor what has been evaluated and when, so that they cannot demonstrate routine robust compliance over a given period of time.

Incident investigation, nonconformity, corrective action and preventive action (4.5.3 ( &

OHSAS Requirements

Effective procedures should be in place for reporting and evaluating/investigating and taking action to mitigate consequences from accidents, incidents and non conformances. The prime purpose of this procedure is to prevent further occurrence of the situation, by identifying and dealing with the root cause(s) and communicating relevant actions. Investigations must be documented.

The procedures must require that all proposed corrective and preventive actions to be risk assessed, where changed hazards and / or controls have been identified and that implemented controls are recorded in the Risk Assessment record.. Robust incident reporting, including near misses and not restricted to accident reporting, is an important tool in achieving continual improvement.

Clause is not dissimilar to the requirements of ISO 14001 and ISO 9001 in terms of the basics of nonconformity, corrective and preventive action, and so existing procedures could be adapted.

Assessment Weaknesses

Most organisations have existing accident, rather than incident and non conformance, reporting and investigation procedures. However these are quite often not effectively implemented. In addition, prior to any corrective action being taken, the Specification requires that there must be demonstrable evidence that the risk assessment process has been followed to ensure additional risks are not introduced where changed hazards and/or controls have been identified.

Records (4.5.4)

OHSAS Requirements

Records should be kept to demonstrate that the OH&S management system operates effectively and that processes have been, and are being, carried out under safe conditions.

Consideration should be given to:

  • the identification, storage, retrieval, and, disposal of records
  • the confidentiality of records
  • legal and other requirements for content and retention periods.
  • issues surrounding use of electronic records, particularly changing format of storage medium, changing software for reading electronic records.

Assessment Weaknesses

The requirements to manage records in OHSAS 18001 are very similar to ISO 14001 and ISO 9001. However, where existing arrangements have been extended to include OHSAS records, it is common to find that not all records are identified and easily accessible. The defining of responsibility for maintaining records is often overlooked. Many records regarding chemical exposure are now kept for at least forty years in the UK.

Internal Audit (4.5.5)

OHSAS Requirements

The purpose of the internal audit is to determine if the organisation’s OH&S management system is effectively delivering the policy commitments also, specifically, that implementation conforms to their planned arrangements and that the system itself conforms to the requirements of OHSAS 18001. Also it provides information to management on these parameters for them to determine its ongoing suitability to meet their needs and enable effective deployment of objectives for continual improvement.

The audit programme should identify the timescale and allocate responsibility for performing audits. These programmes require authorisation and control within the system and their progress to be monitored in order to avoid slippage against the agreed plan.

The audit procedure(s) should be suitably detailed to cover audit scope, auditor competencies, completing and reporting of audits. Auditors should be objective and impartial.

Assessment Weaknesses

Audit scopes should be established to ensure that the breadth and depth of audit is comprehended. If internal audit is being utilised as a pro-active monitoring tool of compliance with operational control and/or applicable legal requirements, there is normally insufficient depth demonstrable. It is better to provide too much detail rather than too little, initially. The audit should test not just whether a control measure exists, but whether it is: being implemented, routinely robustly; that the controls are effective; that the controls are maintained and providing evidence that the organisation is meeting its Policy commitments and objectives.

Auditor competence requirements must be defined and documented.. They must understand the Specification, the management system, identified hazards and risks, relevant legislation, the company processes and have auditing skills as appropriate to those activities to which they are to audit. Attendance at an auditing course alone is unlikely to yield a competent auditor.

At certification assessments, LRQA will expect sufficient audits to have been conducted to give confidence in their effectiveness.

Management review (4.6)

Management review (4.6)

OHSAS Requirements

‘Top management shall review the organization’s OH&S Management System, at planned intervals it determines, to ensure its continuing suitability, adequacy and effectiveness’’.

Management Review provides an organisation with the opportunity to re-affirm its commitment to continual improvement. The review process must ensure that necessary information is collected to allow evaluation by management. Top management may be defined in this respect as those with sufficient authority to initiate and manage change in the business and in the OH&S management system, which may also involve a financial authority.

Not all elements of the Specification and system are required to be covered at once and the review process can be spread over a period of time. The review must have a minimum of the defined inputs and outputs and is required to be documented.

Assessment Weaknesses

This element of the Specification is looking for the organisation to step back from the system and determine if it is adequate, suitable and effective... not just that it has been implemented! Management Review, especially in an immature system can be seen as a ‘State of the Nation’ discussion that establishes those elements of the system that are not yet fully implemented and this would then indicate that the organisation is not yet ready for certification.

Demonstration of the defined inputs and outputs and their review from a business perspective is crucial.

Often the review is conducted by the management representative, whereas the Specification is looking for top level management participation and setting of objectives going forward.


OHSAS 18001 provides a management system approach to Occupational Health and Safety. LRQA has been involved in certification to this Specification since it was first introduced in 1999. This article should provide an insight into the main elements of the Specification that are required to be implemented to gain certification and some of the weaknesses that have been encountered during the assessment process.

For information on gaining OHSAS 18001 certification with LRQA, visit our health and safety information section.

LRQA also provide a number of engaging OHSAS courses. Visit the training section to learn more.