Category: OHSMS Auditing
Management system audits are an integral part of every management system. All of the management system specification standards – including ISO 9001, ISO 14001 and OHSAS 18001 – require that an organization establish and implement an internal audit program.
I have been involved in auditing for over 30 years.
In the 1980’s – I conducted EHS audits world-wide for Bristol-Myers as part of the corporate audit team.
In the 1990’s – I started the decade reviewing a wide range of audit and assessment reports. As an attorney for U.S. EPA, I evaluated assessments for the purposes of undertaking enforcement actions. Then, as an attorney in private practice, I helped companies establish internal audit programs. I also used audit reports prepared by others for advising clients on mergers, acquisitions, commercial loans and property development activities. In 1997, I shifted my focus to assisting organizations with management system implementation and became a certified EMS Lead Auditor in 1999.
In the 2000’s – I turned my focus to management system audits and the development of audit standards. I developed and taught numerous auditor training courses – from Lead Auditor Training to customized internal auditor training courses covering multiple disciplines (quality, environmental, OS&G, food safety, security etc.). I also helped develop international auditing standards and participated as one of the U.S. Experts in the revision of ISO 19011.
I am pleased to announce that I have launched a new website that is based on my extensive experience in auditing:
This website focuses on providing useful information and resources to help auditors and audit program managers develop expertise in management system auditing. In the blog associated with this site, I will be answering questions about establishing an audit program and providing insight into the intent underlying the language of the ISO standards that set out auditing requirements.
© ENLAR Compliance Services, Inc. (2012)
Every year we do a Christmas dinner party – a three-course English Feast with Roast Beef and Yorkshire Pudding and a dessert we call “The Amy” (Butter Tarts with Stilton Cheese). The menu is set and draws its inspiration from my husband’s heritage (England and Canada) and my Midwest upbringing (Iowa). We have been doing the same meal for the last 15 years.
Once I started developing and implementing management systems, I could not resist applying management system theory to this event. I developed a Christmas Party Checklist. This checklist sets out the various tasks that need to be done and has blanks for assigning responsibilities and checking off each task when it is done.
Why do I use a checklist?
One year, I found the strawberries for the appetizer course still in the refrigerator when I put the leftovers away. Another year, I had to scramble to find the meat platter while the guests watched from the table.
This checklist helps the party go smoothly and, more importantly, it helps me relax and actually enjoy the party because I know I am not going to forget anything important.
The morning after the party I make notes and additions to the checklist and file it away for the following year.
So what does this have to do with OHSAS 18001?
Checklists are an important part of a management system. As with our Christmas party, they prevent you from missing important tasks. They also help make your job more manageable and enjoyable – that is, if they are done right.
Want to learn more about creating effective checklists?
Click here to check out my previous blog and sign up for my mini-course (starting January 16, 2012) focused on checklist creation.
p.s. It was a great webinar Tuesday on ISO 19011:2011 – The Impact on Management System Auditing. Thank you to those of you who participated and submitted questions for the Q&A. Come back here next week for a link you can use to view this presentation.
© ENLAR Compliance Services, Inc. (2011)
One of the requirements often missed when an organization initially implements a management system is the need for an internal audit program. The internal audit element is the only one that requires both procedures and a program. This is true of OHSAS 18001 4.5.5, ISO 14001 4.5.5 and ISO 9001 8.2.2. Simply having procedures is not enough.
So, what is an audit program and how does it differ from audit procedures?
ISO 19011:2011 defines an audit program as “arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose”.
A procedure is defined as “a specified way to carry out an activity or process”. (ISO 9000 3.4.5)
According to www.dictionary.com, a program is a “planned, coordinated group of activities, procedures, etc., often for a specific purpose”.
In other words, audit procedures are one component of an audit program.
In order to have an internal audit program, an organization must have the following:
- A defined purpose (established audit program objectives)
- Audit arrangements (audit procedures)
- Scheduled audits (audits planned for a specific time frame)
Want to know more about establishing an audit program?
Click here to sign up for the FREE webinar I am giving next Tuesday (December 20th) – ISO 19011:2011 – Impact on Management System Auditing.
© ENLAR Compliance Services, Inc. (2011)
In November 2011, ISO published the revision of ISO 19011 as an International Standard (ISO 19011:2011). This second edition of the standard cancels and replaces the first edition (ISO 19011:2002).
The most significant change is that the scope of the standard has been broadened from the auditing of quality and environmental management systems to the auditing of any management system. This includes audits of occupational safety and health management systems. ISO 19011:2011 specifically references OHSAS 18001:2007 in the bibliography and includes an “Illustrative example of discipline-specific knowledge and skills of auditors in occupational health and safety management” in Annex A.8. This expansion in the scope of the standard to cover OH&S management system audits is the primary reason that I participated in this standard development effort as one of the U.S. experts.
Want to know more about the revisions made to the ISO 19011 standard and the likely impact on management system audits?
In a previous blog, I discussed that an incident is NOT the same as a nonconformity. An incident is a situation where some kind of harm occurs (or could occur); a nonconformity is defined as “non-fulfillment of a requirement”. There is often a relationship between the two – but not always.
Similarly, correction and corrective action are NOT the same.
These are defined terms that have been taken from the quality world and applied to EHS management systems. They are also an entrenched part of registration audits so it is important to understand how registrars define them (i.e. their ISO 9000 definitions). When registrars issue corrective action requests (CARs), they often request information on any corrections done as well as a description of the corrective action planned.
A correction is defined as “action to eliminate a detected nonconformity”. In the quality world, correction is often referred to as containment (as in preventing nonconforming product from reaching the customer). Correction in a QMS can consist of repair, rework, scrapping the product, etc. The first action taken is often segregation and control of non-conforming product.
This quality concept was incorporated into ISO 14001 as correction and mitigation – as in taking action to mitigate environmental impacts (see Section 4.5.3 a). The same concept was also incorporated into OHSAS 18001 as correction and mitigation – as in taking action to mitigate OH&S consequences (see Section 18.104.22.168 a).
In all the standards, the focus of correction is on the immediate fix.
A corrective action is defined as “action to eliminate the cause of a detected nonconformity or other undesirable situation.” A note to this definition in ISO 9000 states that “there is a distinction between correction and corrective action.” The distinction is the focus. In corrective action, the focus is on what CAUSED the nonconformity.
Since the focus of corrective action is on causation, some type of root cause analysis is a prerequisite to defining the appropriate corrective action.
© ENLAR® Compliance Services, Inc. (2011)
I received the following question from a reader last week –
When it comes time for our company to be audited on the OHSAS 18001 system, our auditor usually says, “Your Company has not identified ALL the hazards at your facility.”
… I don’t believe that every potential hazard needs to be identified in order to be compliant. I always explain this to the auditor, and address what it states in 4.3.1:
“The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.”
… I don’t feel our auditor is correct in saying we are not compliant because we have not identified all potential hazards.
I really would appreciate your thoughts on this matter.
You are correct in your analysis of the requirement in Section 4.3.1 of OHSAS 18001. What is required – and what auditors should be looking for – is a process NOT perfection.
This is an important distinction and a fundamental principle underlying all of the ISO management system standards and OHSAS 18001. It is one of the 14 Points for Management that Deming emphasized in his 1982 book, Out of the Crisisand it is what the plan-do-check-act (PDCA) approach is all about.
To illustrate the difference, consider how one goes about controlling a manufacturing line making widgets. There are 2 different approaches that can be used to ensure quality widgets – an inspection approach and a management system approach.
Last week at the American Industrial Hygiene Conference in Portland, I was one of the speakers on a roundtable panel tasked with discussing the topic Integrated Solutions in Sustainable Occupational Health and Safety Management Systems. My presentation was on Auditing Integrated Management Systems – The Impact of ISO 19011.
Other presenters talked about what the requirements are for a management system and how to establish a management system within an organization. I discussed management system auditing.
In particular, I outlined five ways that ISO 19011 impacts management system auditing –
In last week’s post, I discussed the two types of sustainability audits required by OHSAS 18001. In this week’s post, I am going to focus on the objectives necessary for an effective OHSMS internal audit program.
Just as there are different types of sustainability audits, there are different types of objectives required for management system audits. Importantly, an organization needs both audit program objectives and specific objectives to guide the conduct of each individual audit. Although the audit program objectives and individual audit objectives are related, they are not necessarily identical.
It is important to remember that an audit and an audit program are not the same thing. An audit is a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled”. An audit program is “set of one or more audits planned for a specific time frame and directed toward a specific purpose”. (Definitions from ISO 19011:2002)
OHSAS 18001 requires that an audit program be established.
An audit program involves more than just doing audits every once and a while. It requires audit planning and it requires the creation of audit procedures. As set out in the note to the definition in ISO 19011 – an audit program includes “all activities necessary for planning, organizing and conducting the audits”.
OHSAS 18001 requires both audits of sustainability and audits for sustainability.
What does this mean? What is the difference?
These two types of audits relate to two different definitions of sustainability.
The first definition, derived from the Brundtland Commission Report’s definition of sustainable development, is “meeting the needs of the present without compromising the ability of future generations to meet their own needs.” Although originally environmentally focused, this concept has evolved to include other components as well. Notably, for occupational health and safety, sustainability is seen as including the actions and conditions that affect all members of society including workers (the “social” component).
The second definition, the dictionary definition, is to “endure without giving way.” This concept of sustainability is focused on survival and maintenance in the face of changing conditions. This is often referred to as management of change. As stated in section 22.214.171.124 of OHSAS 18002, “The organization should manage and control any changes that can affect or impact its OH&S hazards and risks”.
The internal audit element of OHSAS 18001 (section 4.5.5) requires that audits be conducted in order to make the following three types of determinations:
- the OHSMS conforms to the OHSAS 18001 requirements and the organization’s planned arrangements;
- the OHSMS is properly implemented and maintained; and
- the OHSMS is effective in meeting the organization’s policy and objectives.
Many organizations focus almost exclusively on conducting internal audits to determine conformance – the first type of determination listed in section 4.5.5. These organizations often ignore the other two purposes of an internal audit listed in OHSAS 18001 – the requirements for sustainability audits.
In previous posts, I discussed the relative importance of management system standards and company culture on OH&S performance. This discussion was based on the paper entitled The Limits of Management Based Regulation by Neil Gunningham and Darren Sinclair.
One of the conclusions set out in this paper is that the “accountability mechanisms” common to management system standards can have a negative impact on OH&S performance.
The authors suggest that many of the fundamental requirements of management system standards – establishing accountability, performance tracking and internal auditing – are “antithetical to measures that our findings suggested had a positive impact on OHS.” They go on to discuss social science research that finds that accountability mechanisms can decrease trust and, as a result, negatively impact performance.
What does this mean for OHSMS internal audit programs?
First, it is important to recognize that internal audit programs have a purpose. That purpose is best summed up by the phrase – “Trust – but Verify.” That is why OHSAS 18001 includes an internal audit program requirement.