We are an OHSAS 18001 certified company…. Our Hazard Identification and Risk assessment (HIRA) first page tells about the legal requirement clause and the legal statements for complying with the HIRA.  Our external auditor (certifying body) insists we insert a column in the HIRA chart to identify what legal requirement clause comes against the control of each identified risk.

1.     Is my auditor correct?

2.     Does the OHSAS 18001 Standards say that?

 My answer –

That is NOT an OHSAS 18001 requirement. I believe your external auditor is confusing the ISO 14001 and OHSAS 18001 requirements. 

Section 4.3.2 of ISO 14001 requires that an organization determine how its applicable environmental legal and other requirements apply to its environmental aspects.  This is often done as your external auditor suggests, although it does NOT have to be done that way.  You can use whatever method is appropriate for your organization.

Section 4.3.2 of OHSAS 18001 does NOT have the same requirement as ISO 14001. It requires that an organization “take into account” its applicable legal other requirements in its OHSMS.  No column, chart, matrix is required.  Nor does it require identifying requirements by individual risk.  This requirement was specifically rejected when OHSAS 18001 was revised in 2007.

© ENLAR® Compliance Services, Inc. (2011)

According to the AIAG statement they firmly believe that “the use of formal management systems are necessary for effective management of health safety and environmental programs.” 

AIAG’s concern appears to be that the OHSAS 18001 standard was developed by an independent group – the OHSAS Project Group chaired by BSI – rather than ISO. 

This is where the “politics” comes in.  Despite intensive lobbying by the OHSAS Project Group, ISO appears unwilling to develop an OHS management system standard. 

Why? 

 The International Labor Organization (ILO) has raised objections and several member countries – including the U.S. – have consistently voted against it.  An OHSMS standard seems to be the exception to the rule that any proposed ISO standard-setting activity is guaranteed to be approved.

© ENLAR^® Compliance Services, Inc. (2009)

To paraphrase a line from the last presidential election – “It’s the System, Stupid.”

Right now, there is a lot of finger-pointing and plenty of blame to spread around.  This mess is not, however, the fault of a single individual, a single institution or, even, a single political party.  Instead, it is the system that is flawed. 

A great deal of our current financial system has been created by the successive imposition of “free-market” reforms. The underlying premise has been that if one removes market controls – privatize public services, cut business regulation, reduce social spending, remove trade barriers and allow businesses more freedom to exploit resources – the resulting capitalist transformation will make all of our lives better.  Unfortunately, this has, instead, been a recipe for disaster.

Just like a financial system, an occupational safety and health management system cannot function without controls.  You cannot simply rely on people “doing the right thing” when it comes to safety – even if they are the ones who may be injured or killed.  They ignore risks, take short-cuts and assume “it won’t happen to them.”  Therefore, occupational safety and health professionals spend their time guarding equipment and installing interlocks, enforcing the use of safe work practices and personal protective equipment, establishing permissible exposure limits and monitoring worker exposure. 

That is why OHSAS 18001:2007 has placed an increased emphasis on controls.  First, section 4.3.2, requires that appropriate controls be identified – taking into account the hierarchy of controls.  Then, section 4.4.6 requires that the identified controls be implemented.  Finally, section 4.5.1 requires monitoring of “the effectiveness of controls.”

To avoid disaster, appropriate controls must be put in place, and more importantly, they must be used and monitoring to ensure they are effective.

© ENLAR^® Compliance Services, Inc. (2008)

There were many excellent sessions covering a wide range of topics important to the practice of industrial hygiene.  In particular, the Tuesday morning general session focused on demonstrating the value of the industrial hygiene profession and included a presentation by Jeffrey P. Pino, President of Sikorsky Aircraft Corporation.

In his presentation, Mr. Pino stated that there are three strategies important to a successful HSE (health, safety and environmental) program:

• Leadership Commitment
• Employee Engagement
• Risk Management

These three strategies are also critical to the implementation of an occupational safety and health management system based on OHSAS 18001:2007.

Demonstrating Leadership Commitment

To demonstrate conformance to OHSAS 18001, top management must be directly involved in the OH&S management system.  The involvement of top management is explicitly required in section 4.2 (OH&S Policy), 4.4.1 (Resources, roles, responsibility, accountability and authority) and 4.6 (Management Review).

In particular, top management must:

• Define and authorize the organization’s OH&S policy
• Ensure the availability of the resources needed for the OH&S management system
• Define roles, allocate responsibilities and accountabilities and delegate authorities to facilitate effective OH&S management
• Ensure the OH&S management system is implemented
• Periodically review the continuing suitability, adequacy and effectiveness of the OH&S management system

Promoting Employee Engagement

One of the major changes in the 2007 revision of OHSAS 18001 is an increased focus on worker participation and consultation with other interested parties.

Section 4.4.3.2 of OHSAS 18001 requires that the organization establish, implement and maintain procedures for worker participation in the OH&S management system, as well as consultation with contractors and other relevant external interested parties, such as regulatory agencies.

It should be noted that, in OHSAS 18001, “engagement” is not limited to just employees – it requires the inclusion of others whose safety and health may be impacted by the activities of the organization.  This expansion beyond just employees is an explicit recognition of the significant change in the relationships in today’s workplaces.  A significant amount of work – particularly dangerous work – is outsourced to contractors.  Many workers are brought in as temporary workers, not employees, and kept on as such for months or even years at a time.

Implementing Risk Management

With an increased focus on effective corporate governance has come an increased interest in corporate risk management.

Unlike ISO 14001:2004 or ISO 9001:2000, OHSAS 18001:2007 is explicitly based on risk management principles.

Risk is a defined term in OHSAS 18001.  It is defined as the “combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s).”

The standard also has definitions for risk assessment (the process of evaluating the risk or risks arising from a hazard, taking into account the adequacy of any existing controls, and deciding whether or not the risk is acceptable) and acceptable risk (risk that has been reduced to a level that can be tolerated by the organization having regard to its legal obligations and its own OH&S policy).

Hazard identification, risk assessment and the determination of appropriate controls, as set out in section 4.3.1 of the standard, are the foundation of an OHSAS 18001 management system.  The identification of OH&S hazards and assessment of the associated risks is the primary input for setting objectives, identifying training needs and implementing operational controls.

© ENLAR^® Compliance Services, Inc. (2008)

Section 4.1 of OHSAS 18001:2007 sets out five general requirements for an OH&S management system –

1. establishing a management system
2. documenting your management system
3. implementing your management system
4. maintaining your management system
5. continually improving your management system

The first three of these tasks (establishing, documenting and implementing your OHSMS) are typically completed up-front when an organization makes changes to its existing OH&S programs to conform to OHSAS 18001.  Maintaining and continually improving the occupational health and safety management system are different – they are on-going tasks that are never done.  They are the requirements that transform an OHSMS from “a dusty binder on a shelf” to a meaningful part of an organization’s overall management system.

Continual improvement is an important requirement of an OHSAS 18001 management system.  It is one of the commitments an organization must make in its OH&S policy.  It is a major reason why an organization sets OHSMS objectives (section 4.3.3) and measures OH&S performance (section 4.5.1).  It is “the lenses” through which outputs from management review are viewed.  Section 4.6 of OHSAS 18001 states “The outputs from management reviews shall be consistent with the organization’s commitment to continual improvement….”

So what is continual improvement?

OHSAS 18001:2007 defines it as the “recurring process of enhancing the OH&S management system in order to achieve improvements in overall OH&S performance consistent with the organization’s OH&S policy.”

© ENLAR^® Compliance Services, Inc. (2007)

An incident is not the same as a nonconformity.

First, the definitions are not the same.  OHSAS 18001 uses the ISO 9000 and ISO 14001 definition of a nonconformity – the non-fulfillment of a requirement.  An incident is defined in OHSAS 18001 as a “work-related event(s) in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred.”  An accident is a particular type of incident in which an injury or illness actually occurs.  A near-miss is an incident where no injury or illness occurs.  Therefore, an incident can be either an accident or a near-miss.

An incident may relate to a nonconformity – but then again, it may not.  It is possible to have accidents and near-misses even if an organization has fulfilled its occupational health and safety management system requirements.  Similarly, an organization may have nonconformities, e.g. “paperwork” issues, which would not be considered incidents.

Not all incidents are the same

• Some incidents are catastrophic disaster events (i.e. emergencies) such as bridge collapses or explosion.

• Some incidents involve unseen hazards, e.g. exposure to chemical releases or biological agents.

• Some incidents involve human factors or behaviors, some involve equipment failure, some involve faulty procedures or processes, and some involve all of these.

• Some involve multiple injuries and deaths; in others, there are no injuries.

Therefore, an organization’s incident investigation procedure needs to be flexible enough to deal with a variety of different types of incidents.

Want some ideas for conducting incident investigations?

Check out the links to various sites on preparing incident investigation reports at

http://ncsp.tamu.edu/reports/default.htm

© ENLAR^® Compliance Services, Inc. (2007)

It is worthwhile, in this context, to explore the differences between authority, responsibility and accountability in an organization:

• Authority is the right to make a decision or take an action
• Responsibility is the obligation to ensure that an action is taken
• Accountability is to be answerable for a particular activity or action to a particular entity

Although clearly related, these terms are not synonymous.  One may have the authority to take a certain action – for example, to spend money on behalf of the organization – but not be obligated to take that action.  Similarly, an individual may have an obligation to do something – for example, to ensure the organization complies with a particular legal requirement — but not be accountable.  The organization may lack a mechanism to hold that individual responsible (answerable) even if compliance is lacking.  Similarly,  an individual may be held accountable – e.g. fired for a particular action – even if he or she did not have the authority or the responsibility to accomplish the activity in question.

There are five key elements of an effective accountability system:

1. Clearly specified standards for authority and responsibility
2. Adequate resources to meet the assigned responsibilities
3. Monitoring and assessment of individual performance
4. Appropriate consequences for taking or failing to take action
5. Consistent and unbiased application of accountability standards

 It should be noted that accountability is not necessarily the same as blame.  Often, organizations seek to assign accountability only when they are looking for someone to blame.

How can you distinguish the difference?

In most organizations, much of what is done requires a group effort where no one person is completely responsible for a particular action or decision.  In addition, accountability goes hand-in-hand with authority and responsibility.  This means that, generally, those with the greatest accountability will be highest up in the organization.  Therefore, if you are truly attempting to identify who is accountable, the result will be a list of people that includes individuals at the top, as well as the bottom, of the org chart.  If you are seeking to assign blame, usually finding a single “fall guy” will be sufficient.

Top managers need to keep in mind the sign President Truman kept on his desk to remind him who was accountable.  It read:  “The BUCK STOPS here!”

© ENLAR^® Compliance Services, Inc. (2007)

• Alignment with ISO 14001
• Use in Third-party Certification
• Development as a Global Standard

Explicit requirements for management of change were added into section 4.3.1 of OHSAS 18001 in the 2007 revision of the standard.  This addition was an explicit request of the American Industrial Hygiene Association for purposes of aligning OHSAS 18001 with the U.S. Occupational Health and Safety Management System standard – ANSI/AIHA Z10-2005.  In addition, management of change is also an explicit requirement for safety management systems implemented to comply with the Seveso II Directive (see Annex III of EU Council Directive 96/82/EC).

 The following requirements related to management of change were added in section 4.3.1:

 The procedures for hazard identification and risk assessment shall take into account:

g) changes or proposed changes in the organization, its activities or materials; h) modifications to the OH&S management system, including temporary changes, and their impacts on operations, processes and activities;…. For the management of change, the organization shall identify the OH&S hazards and risks associated with changes in the organization, the OH&S management system or its activities, prior to the introduction of such changes. 

These new requirements cover four important concepts:

• Identification of the hazards associated with “change”
• Assessment of the risks associated with “change”
• Consideration of OH&S hazards and risks prior to the introduction of the “change”
• Implementation of the controls needed to address the hazards and risks associated with the “change”

For purposes of management of change within an OH&S management system, the changes that need to be addressed include:

• Organizational changes (e.g. personnel or staffing changes)
• Activity changes (e.g. changes to processes, equipment, infrastructure, software)
• Material changes (e.g. new chemicals, packaging)
• Changes to the OH&S management system (e.g. procedures)

Why is management of change so important?

Ineffective management of change is one of the leading causes of serious incidents.  To quote the U.S. Chemical Safety and Hazard Investigation Board (CSB), “In industry, as elsewhere, change often brings progress.  But it can also increase risks that, if not properly managed, create conditions that may lead to injuries, property damage or even death.” (from CSB press release announcing its 8/28/2001 Safety Bulletin concerning “Management of Change”)  Ineffective management of change is one of the major contributing factors in many of the incident investigations conducted by the CSB.  To check it out, go to the CSB web site at http://www.csb.gov  and enter “management of change” as your search term at the link “Search this Site.”

© ENLAR® Compliance Services, Inc. (2007)

This section now sets out additional details on both the inputs to be considered and the methodology to be used for the hazard identification and risk assessment process.  In addition, specific requirements have been added related to “management of change” and for determining appropriate controls to reduce the OH&S risks that are identified.

The standard now clearly links the requirements in 4.3.1 with those set out in 4.4.6 (operational control) so it is clear that the controls identified during the OH&S planning process need to be implemented and maintained as an integral part of operational control.

Overall, the process can be visualized as set out below:

In addition to these substantive changes to the standard, the definitions of hazard, risk and risk assessment have changed.  Hazard is now defined as a ”source, situation or act with a potential for harm in terms of human injury or ill health, or a combination of these.”  Risk is defined as the “combination of the likelihood of an occurrence of a hazard event or exposure and the severity of injury or ill health that may be caused by the event or exposure.”  Risk assessment is defined as the “process of evaluating the risks arising from a hazard, taking into account the adequacy of any existing controls, and deciding whether or not the risk is acceptable.”

It should be noted that other standards and guidance documents may define ”risk assessment” to include the entire process of hazard identification, risk analysis and selection of measures for risk reduction (i.e. “determining controls”).  OHSAS 18001 refers to each of these processes separately and uses the term risk assessment to refer to the risk analysis process only.

There are many different ways and approaches for conducting hazard identification and risk assessment.  Therefore, no one approach will suit every organization.  An organization with limited hazards is not required to implement complex risk assessment procedures.  In addition, different types of hazards may require different risk assessment strategies.  For example, the methodologies for evaluating the risks associated with employee exposure to noise may be distinctly different from the ones used for evaluating equipment safety.  The methodologies selected need to be appropriate for the hazards identified. 

© ENLAR^® Compliance Services, Inc. (2007)