Why is OHSAS 18001 good for you?

Companies are coming under increasing commercial, regulatory and ethical pressures to control risk from their operations. Most organisations now ensure they comply with the appropriate legislation, with many realising the benefits a formalised approach to health and safety management systems can bring.

The health and safety of people, the need to meet legislation and maintain a good business reputation are three very good reasons why organisations are taking health and safety management seriously.

Combined with the adverse publicity and subsequent loss of reputation arising from incidents, it makes good commercial sense to formalise any existing health and safety management system and opt for independent third-party certification to the occupational health and safety specification, OHSAS 18001.

When considering development and implementation of a health and safety management system, many companies are surprised they already have many of the components in place that would constitute such a system.

This article provides some practical guidance and advice for those tasked with gaining OHSAS certification for their organisations and complements the article: ‘Implementing an Occupational Health and Safety Management System (OHSMS) - a Consultant's Viewpoint’. If you are starting to implement your management system, we would advise you to read both in order to gain a balanced perspective.

This article has been written by Judith Turner, Management Systems Lead Assessor, LRQA.

First | Previous | Next | Last

Introduction

Health and safety issues affect all organisations to some degree and potential hazards and risks exist with each activity conducted. Traditionally, Occupational Health & Safety Management in Europe and the US has been based very much on compliance with legislative requirements. In other words, it has been based on controls that were imposed for particular risks as they were prescribed via legislation or regulatory guidance. The modern principle of risk-based safety management places the responsibility much more firmly with the organisation itself to determine what it needs to do, to adequately control risks given its own particular circumstances.

As a management systems-based solution, OHSAS 18001:1999 reflects this latter day principle. Published in 1999 as a single specification for management of occupational health & safety with universal applicability, OHSAS 18002 followed in 2000 and provides guidance on the implementation of OHSAS 18001.

The aim of this article is to provide practical guidance on implementation of a safety management system in line with the requirements of OHSAS 18001, from the perspective of a Certification Body. It draws on experience gained from LRQA Certification assessments ranging back as far as 1998, when pilot programme assessments commenced against the precursor to OHSAS 18001 (known as BS8800). We would advise that this article is read in conjunction with the complementary article, ‘Safety Management Systems’, compiled by Messam and Rider Ltd and also available on this website. Together, the Certification Body and Consultant’s views should provide an overall balanced opinion on the practical implications of implementing an Occupational Health & Safety system.

This article has been written by Judith Turner, Management Systems Lead Assessor with LRQA since 1998. Judith is mainly involved in carrying out of assessments of Customers Environmental and Occupational Health & Safety systems in order to make recommendations for approval, deferral or withdrawal of certification against the appropriate standards. She holds an Honours Degree from St. Andrews University and has recently successfully completed the NEBOSH Diploma. Within LRQA she manages multi-discipline assessment teams and is a sector specialist for minerals and aggregates sectors. She is also qualified to undertake Technical reviews of certification assessment documentation and supervise LRQA assessors under training.

First | Previous | Next | Last

Structure of OHSAS 18001:1999

As a management system, OHSAS 18001 is compatible and similar in many ways to ISO 9001 and ISO 14001, which address Quality and Environmental issues respectively. It requires a ‘Plan - Do - Check - Act’ approach, based on the principle of continual improvement. However, it is not sufficient to purely implement each of the clauses of the Specification in isolation. Instead, they must be connected together as, for example, there is no point identifying (through risk assessment processes) that controls are needed to manage specific hazards, if the controls are not then adequately defined and effectively implemented. If it is determined that controls are needed, then there must also be provision in the system for checking that the controls are adequate, effective and also that corrective action is defined and taken if they are not.

OHSAS 18001 is structured into five distinct sections as follows:

• General Requirements & Policy (4.1 & 4.2)
• Planning (4.3)
• Implementation and Operation (4.4)
• Checking and Corrective Action (4.5)
• Management Review (4.6)

This article will take each in turn and give practical advice on the requirements contained in the Specification, along with advice on implementation and examples of weaknesses that are routinely identified during Certification assessments.

First | Previous | Next | Last

General Requirements and Policy (4.1 & 4.2)

General Requirements (4.1)

'The organisation shall establish and maintain an OH&S management system, the requirements of which are set out in clause 4.'

This general requirement is very simply stated and, as such, requires that all of the clauses of the specification are implemented, some of which contain very specific requirements. The Specification does not provide for the exclusion of any of the clauses or requirements and it is important to note that the scope of 18001 does not include product safety, except to the extent that it can affect people occupationally.

Policy (4.2)

This is the key driver of the system and needs to be defined by top level management. Certain specific commitments are required to be contained within the policy and all of these must be implemented and demonstrable during the assessment process to allow certification to OHSAS 18001 to be recommended.

The Policy must be communicated to all persons who may be affected by it, in order that they can understand their responsibilities within the system. The intent is not that everyone can recite the Policy, but that they know how it affects them and their part in complying with it.

It can be combined with other existing policies, such as Environment or Quality.

OHSAS Requirements

Authority

• Authorised by Top Management
• Relevant and appropriate

Commitments

• Overall objectives must be clearly stated
• Continual improvement of occupational health and safety performance
• To at least comply with legislation and other requirements that are subscribed to

Implementation

• Documented, implemented and maintained
• Communicated and employees made aware of their obligations
• Available to interested parties
• Reviewed periodically to ensure that it remains relevant and appropriate.

Assessment Weaknesses

All too often policy statements, objectives and commitments are unrealistic because they are unspecific, unachievable, unable to be demonstrated or there is insufficient resource available to deliver them.

As the key driver to the system, there should be sufficient transparent linkage into and out of the system, e.g., risk assessments. Where these are missing, the Policy remains as a stand alone document with little purpose or benefit.

During the certification assessment, reference is made to the commitments and broad objectives shown in the Policy. Failure of an Organisation to provide evidence of the implementation of these would preclude a recommendation for certification being made.

First | Previous | Next | Last

Planning (4.3)

Planning for hazard identification, risk assessment and risk control (4.3.1)

The risk assessment process should be the means by which the Organisation identifies and considers the adequacy of the means by which it controls its risks. It should be a comprehensive exercise to review and test controls for existing activities and a pro-active identification of potential hazards for proposed activities.

OHSAS Requirements

Clause 4.3.1 of the Specification requires that:

‘The Organisation shall establish and maintain procedures for the ongoing identification of hazards, the assessment of risks and the implementation of necessary control measures’

It is not the intention that OHSAS 18001 imposes complex hazard identification, risk assessment and risk controls where they are not applicable.

The processes should take into account:

• the size of the Organisation
• the workplace activities
• the nature, complexity and significance of the hazards
• the cost and time involved in undertaking and maintaining the processes
• the availability of reliable data.

The methodology for hazard identification and risk assessment shall:

• be defined to allow consistent application
• be proactive rather than reactive
• provide for classification of risk
• identify risks that are to be eliminated
• identify those risks to be controlled by setting objectives
• provide input into determining training needs and development of operational controls
• provide for the monitoring of required actions, to ensure both the effectiveness and timeliness of implementation
• be documented and kept up to date
• cover:
  • routine activities
  • non routine activities
  • activities of all personnel having access to the workplace
  • subcontractors and visitors
  • all facilities at the workplace

Assessment Weaknesses

The hazard identification and risk assessment process should not be merely a form-filling exercise, based on assumptions that the existing controls are adequate and effectively implemented. It should also not be seen as a standalone exercise that does not link into other parts of the system. It needs to be kept up to date and the link to Clause 4.5.1 is notably absent at the early stages of assessment. Here the Specification requires that all proposed corrective and preventive actions shall be reviewed through the risk assessment process prior to implementation.

It can be based on existing controls as long as these are clearly identified, either within the risk assessment itself or clearly cross-referenced. In addition, single references to ‘use of PPE’ as the lowest form of control are unlikely to be sufficient detail to ensure that, if situations change,the control measures can be adequately reviewed.

The risk assessment process should consider both Safety and Health effects. Many methods ignore the latter and consider only short-term accident consequences, e.g., fatalities and injuries.

Legal and other requirements (4.3.2)

An Organisation implementing OHSAS 18001 needs to ensure it has knowledge of all of the laws or regulatory requirements which may apply to its activities. In addition to legal requirements, the Organisation may subscribe to codes of practice or performance measures imposed by the Corporate Body or as a consequence of membership of certain industry associations. It is intended that once implemented, the processes will allow the Organisation to be aware of, and promote its, legal responsibilities. There is no necessity to establish large legal libraries that may be rarely used.

OHSAS Requirements

Clause 4.3.2 states that:

‘The Organisation shall establish and maintain a procedure for identifying and accessing the legal and other OH&S requirements that are applicable to it.’

There must be procedures in place to identify and have access to:

• legal requirements
• other OH&S requirements to which the Organisation subscribes

The information must be kept up to date and communicated to relevant employees and interested parties, as appropriate.

Assessment Weaknesses

Long registers of legislation are often produced without thought of how these relate to the activities of the Organisation. Knowledge of the legal requirements and its implications needs to be gained, rather than just updating a long list of legislative titles. The maintenance of legal compliance as a Policy commitment will be sampled however, in order to establish confidence that the system is functioning in this regard and, as such, the knowledge on legal and other requirements needs to be maintained.

Objectives and OH&S Management Programmes (4.3.3 & 4.3.4)

Continual improvement is at the heart of achieving and maintaining OHSAS 18001 and the setting and achievement of OH&S objectives is one means of establishing continual improvement. Objectives should be consistent with the OH&S Policy, including the commitment to continual improvement. One or more members of the senior management should be routinely involved in monitoring and reviewing safety performance and in establishing OH&S objectives.

OHSAS Requirements

The Specification requires that:

‘The Organisation shall establish and maintain documented occupational health and safety objectives, at each relevant function and level within the Organisation’

And that,

‘The Organisation shall establish and maintain (an) OH&S management programme(s) for achieving its objectives’

The following needs to be in place, therefore:

• documented occupational health & safety objectives at each relevant function
• documented occupational health & safety objectives at each relevant level

Objectives should be quantified, wherever possible, and the following should be considered when setting objectives:

• OH&S hazards
• Legal and other requirements
• Technology options
• Financial requirements
• Operational requirements
• Business requirements
• Views of interested parties

Management programmes should include documentation of:

• Responsibility and authority for achieving the objectives
• Means by which objectives are to be achieved
• Timescales by which objectives are to be achieved

The OH&S Management Programmes should be reviewed at regular and planned intervals and should be amended for changes to:

• Activities
• Products
• Services
• Operating procedures

Assessment Weaknesses

The setting of objectives should come from information gained through review of other elements within the system to determine where improvements can be made. Sufficient information should be contained within the management programmes to determine who is progressing which action and by what deadline. A process of reviewing progress should also be visible. The key is to be realistic. Large numbers of over ambitious objectives are doomed to failure, whereas a smaller number of restricted and quantified objectives can effectively demonstrate continual improvement.

First | Previous | Next | Last

Implementation and operation (4.4)

Structure and responsibility (4.4.1)

OHSAS Requirements

The Specification requires that roles, responsibilities and authorities are defined, documented and communicated in order to facilitate effective occupational health and safety management.

The following should have been defined, documented and communicated in terms of OH&S personnel who manage, perform and verify activities:

• Roles
• Responsibilities
• Authorities

A member of top management must also have been given ultimate responsibility for OH&S, and this may be the same individual who signs the OH&S Policy.

During the assessment process, it is vital that Management be able to demonstrate their commitment to continual improvement of OH&S performance. Resources should also be in place, including human resources, specialist skills, technology and finance to allow the system to be implemented, controlled and improved.

Assessment Weaknesses

Roles, responsibilities and authorities are rarely defined and documented in sufficient detail. It is possible to document the key roles and responsibilities in top tier documentation, whilst responsibilities and authorities to manage the risks can be shown in operational procedures and work instructions.

Training, awareness and competence (4.4.2)

OHSAS Requirements

‘Personnel shall be competent to perform tasks that may impact on OH&S in the workplace. Competency shall be defined in terms of appropriate education, training and/ or experience’

The requirement to define competence is a key component of OHSAS 18001. There may be specific legal requirements or others that come from company needs and experience.

Tasks that may involve OH&S in the workplace should have relevant competencies defined in terms of appropriate:

• Education
• Training
• Experience

Arrangements need to be in place to identify and remedy any shortfalls between the current level of competency (identified as being possessed by an individual) and the required and defined competency.

Procedures need to be in place to make employees aware of the OH&S consequences of their activities and the training procedures need to take account of:

• Responsibility
• Ability
• Literacy
• Risk

There should also be assessment of individuals to ensure that they have not only achieved, but are also maintaining, the knowledge and competency required.

What will be looked for during the assessment process will be:

• Competency requirements for individual roles
• Analysis of training needs
• Training programmes/ plans for individual employees
• Range of training courses/products available for use within the organisation
• Training records and evaluation records (of the effectiveness of training)

Assessment Weaknesses

All personnel whose activities can involve occupational health & safety hazards must receive appropriate training and the link to the risk assessment process is often missing. Similarly, if the competencies are not clearly defined as part of the necessary control measures, then it is difficult to identify any gaps or training needs.

The requirement to have procedures in place to ensure employees are aware is often interpreted as a one-off awareness session. This is insufficient and procedures should ensure that awareness is maintained as the system matures and changes.

Consultation and communication (4.4.3)

OHSAS Requirements

Procedures need to be demonstrable to ensure pertinent OH&S information is communicated to and from employees and other interested parties. There is a requirement to document employee involvement and consultation arrangements.

Employees should be involved in the development of risk control procedures, consulted on any changes that affect workplace safety, represented on H&S matters and informed about the representatives appointed from both management and employees.

Assessment Weaknesses

Although consultation and communication are often demonstrable, the documented procedures as to how this has been, and will be, consistently achieved are commonly omitted from the system.

Operational control and emergency preparedness (4.4.6 & 4.4.7)

OHSAS Requirements

The Organisation must identify operations and activities associated with defined hazards. This element of the system reinforces clause 4.3.1 in relation to hazard identification and the risk evaluation process.

However the use of the words:

... ‘those operations and activities that are associated with identified risks ...’

broadens the process into activities which may not themselves have direct hazards, e.g., purchasing. Control of these activities, which must include maintenance, must be achieved under ‘specified conditions’. This specification is only required to be documented where the absence of a documented procedure could jeopardise policy commitments or achievement of objectives. Alternative conditions can be specified through, e.g., training, communication or staff competence.

It is important that operational control over contractors is maintained, as they often undertake high risk activities that the Organisation does not possess the necessary competencies to perform.

Emergency situations can arise in any organisation. Even in the lowest risk environment, fires can start or people can fall, warranting action to be taken to respond to the incident. A procedure should therefore be in place to identify the potential for incidents and emergencies. This can sensibly be undertaken during the hazard identification and risk assessment process. Consequently, emergency response should be planned for a wide range of activities from the simplest through to the most complicated. An emergency is purely an unplanned event that results in OH&S implications.

Appropriate emergency equipment should be provided and response capability should be regularly tested.

It is important that Contractors are advised of their responsibilities throughout the period of their contract and particularly how to respond to emergency situations. They should therefore be involved in the testing of plans. Also tenants, visitors and other interested parties who may be affected should also be involved in the testing.

First | Previous | Next | Last

Checking and corrective action (4.5)

Performance measurement and monitoring (4.5.1)

OHSAS Requirements

Procedures need to be in place to monitor and measure OH&S performance on a regular basis. This needs to be both proactive and reactive and inclusive of qualitative and quantitative measures as appropriate. Organisations need to decide what to monitor and how often monitoring will take place, based on a level of risk. (This will also need to take existing legal requirements into account). If monitoring equipment is used, the procedures need to be established and maintained for calibration and maintenance, including resultant records.

Assessment Weaknesses

The majority of Organisations demonstrate robust reactive monitoring to accidents, ill health, incidents and historical evidence of deficient OH&S performance. However, in terms of pro-actively monitoring operational control including legal requirements, this is poorly demonstrated.

Accidents, incidents, non conformances and corrective and preventive actions (4.5.2)

OHSAS Requirements

Effective procedures should be in place for reporting and evaluating/investigating and taking action to mitigate consequences from accidents, incidents and non conformances. The prime purpose of this procedure is to prevent further occurrence of the situation, by identifying and dealing with the root cause(s).

The procedures must include for all proposed corrective and preventive actions to be included within the risk assessment process. Robust incident reporting, including near misses and not restricted to accident reporting, is an important tool in achieving continual improvement.

Assessment Weaknesses

Most Organisations have existing accident reporting and investigation procedures, however these are quite often not effectively implemented. In addition, prior to any corrective action being taken, the Specification requires that there must be demonstrable evidence that the risk assessment process has been followed to ensure additional risks are not introduced.

Records (4.5.3)

OHSAS Requirements

Records should be kept to demonstrate that the OH&S management system operates effectively and that processes have been, and are being, carried out under safe conditions.

Consideration should be given to:

• the authority for disposal of records
• the confidentiality of records
• legal and other requirements
• issues surrounding use of electronic records

Assessment Weaknesses

The requirements to manage records in OHSAS 18001 are very similar to ISO 9001. However, where QMS arrangements have been extended to include OHSAS records, it is common that not all records are identified and easily accessible. The defining of responsibility for maintaining records (and especially for documenting the defined retention periods) is often overlooked.

Audits (4.5.4)

OHSAS Requirements

‘The Organisation shall establish and maintain an audit programme and procedures for periodic OH&S management system audits to be carried out’

The purpose of the internal audit is to determine whether or not the Organisation’s OH&S Management system conforms to their planned arrangements, that it has been properly implemented and maintained and also that it provides information to management.

The audit programme should identify the timescale and allocate responsibility for performing audits. These programmes require authorisation and control within the system and their progress to be monitored in order to avoid slippage against the agreed plan.

Assessment Weaknesses

Audit scopes should be established to ensure that the breadth and depth of audit is comprehended. If internal audit is being utilised as a pro active monitoring tool of compliance with operational control and/or applicable legal requirements, there is normally insufficient depth demonstrable. The audit should test not just whether a control measure exists, but whether it is effectively being implemented, maintained and providing evidence that the Organisation is meeting its Policy commitments and objectives.

Auditor competence must be demonstrated through their education, training and experience. They must understand the Specification, the management system, identified hazards and risks, relevant legislation, the company processes and have auditing skills as appropriate. Attendance at an auditing course does not necessarily ensure that a competent auditor is produced! At certification assessments, LRQA will expect sufficient audits to have been conducted to give confidence in their effectiveness.

First | Previous | Next | Last

Management review (4.6)

OHSAS Requirements

‘The Organisation’s top management shall, at intervals it determines, review the OH&S Management System to ensure its continuing suitability, adequacy and effectiveness’.

Management Review provides an Organisation with the opportunity to re-affirm its commitment to continual improvement. The review process must ensure that necessary information is collected to allow evaluation by management. Top management may be defined in this respect as those with sufficient authority to initiate and manage change in the business and in the OH&S management system, which may also involve financial a uthority.

Not all elements of the Specification and system are required to be covered at once and the review process can be spread over a period of time. The review is required to be documented.

Assessment Weaknesses

This element of the Specification is looking for the Organisation to step back from the system and determine if it is adequate, suitable and effective... not just that it has been implemented! Management Review, especially in an immature system can be seen as a ‘State of the Nation’ discussion that establishes those elements of the system that are not yet fully implemented and this would be seen as a weakness during certification assessment.

Often the review is conducted by the management representative, whereas the Specification is looking for top level management involvement.

First | Previous | Next | Last

Conclusion

OHSAS 18001 provides a management system approach to Occupational Health & Safety. LRQA has been involved in certification to this Specification since it was first introduced in 1999. This article should provide an insight into the main elements of the Specification that are required to be implemented to gain certification and some of the weaknesses that have been encountered during the assessment process.

For information on gaining OHSAS 18001 certification with LRQA, visit our health and safety information section.

LRQA also provide a number of engaging OHSAS courses. Visit the training section to learn more.

First | Previous | Next | Last