At the end of the year, our attention often focuses on planning – the setting of goals and objectives for the coming year.  This can be exciting - plans for launching new projects or products – or it can be depressing - setting aside time to organize old files.

Planning is a key component of an OH&S management system.  The planning section of OHSAS 18001 consists of 3 elements –

• Identifying hazards and risks (4.3.1)
• Identifying legal and other requirements (4.3.2)
• Establishing objectives and programs (4.3.3)

Many organizations put a great deal of time and attention into identifying both their hazards and risks and their legal and other requirements. Often, less attention is paid to establishing objectives and programs.

This lack of attention to objectives and programs may be due, in part, to a lack of clarity about how “objectives” actually fit into a management system.  This lack of clarity about objectives, and their interrelationship with risk management, has been an issue of much heated discussion.  It has lead to a lack of consensus in ISO’s attempt to develop consistent definitions across all of its management system standards (see discussion of ISO’s MSS initiative).

One of the areas of confusion relates to the ownership of OH&S objectives.  Although individuals need to be assigned responsibility and authority for achieving OH&S objectives, OH&S objectives are organizational – not personal.  This is clear from the definition of OH&S objective in section 3.14 of OHSAS 18001.  An objective is a goal that an organization sets itself to achieve.   Therefore, OH&S objectives need to be set from an organizational perspective – not as individual performance targets.  This is a critical distinction.  It is the organization itself that is ultimately responsible for setting and achieving its objectives.  This responsibility cannot be shifted onto the backs of individual employees – such as the facility Safety Manager.

A second area of confusion relates to the use of the words “objective” and “risk” in two different contexts within the ISO management system standards and OHSAS 18001. 

The “top-level” meaning – used in defining both what a “management system” is and the meaning of the word “risk.” 

A management system is defined as a “set of interrelated or interacting elements to establish policy and objectives and to achieve those objectives” (ISO 9000, Section 3.2.1 & 3.2.2).  Risk is defined as “the effect of uncertainty on objectives” (ISO 31000, Section 2.1). Both of these definitions are focused on the strategic, organization-wide level of objectives.

This means that the overall “strategic level” objective of an OHSAS 18001 management system must be controlling (managing) OH&S risks in order to prevent injury and ill health to persons working under the control of the organization.  All other OH&S objectives flow from, and must be consistent with, this strategic-level objective.

The “functional level” meaning – used at a project, process or departmental level of an organization. 

This is the level at which most organizational objectives are set and managed.  Financial profitability and sales targets.  Product quality metrics.  Safety performance targets.  Waste reduction goals. 

The functional-level definition of an “OH&S objective”, as set out in section 3.14 of OHSAS 18001, is an “OH&S goal, in terms of OH&S performance, that an organization sets itself to achieve” (OHSAS 18001, Section 3.14).

Functional-level objectives are important.  They are where “the rubber hits the road” so to speak.  However, when evaluating OH&S performance and assessing overall risk management, the objective that must be kept foremost in mind is the strategic, top-level one.

At the end of the day, the question that must be answered is “Are we, as an organization, controlling our OH&S risks in a manner that prevents injury and ill health to those working for our organization?”

© ENLAR Compliance Services, Inc.(2011)

So, what is an audit program and how does it differ from audit procedures?

ISO 19011:2011 defines an audit program as “arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose”.

A procedure is defined as “a specified way to carry out an activity or process”. (ISO 9000 3.4.5)

According to www.dictionary.com, a program is a “planned, coordinated group of activities, procedures, etc., often for a specific purpose”.

In other words, audit procedures are one component of an audit program.

In order to have an internal audit program, an organization must have the following:

1. A defined purpose (established audit program objectives)
2. Audit arrangements (audit procedures)
3. Scheduled audits (audits planned for a specific time frame)

Want to know more about establishing an audit program?

Click here to sign up for the FREE webinar I am giving next Tuesday (December 20th) – ISO 19011:2011 – Impact on Management System Auditing.

© ENLAR Compliance Services, Inc. (2011)

The most significant change is that the scope of the standard has been broadened from the auditing of quality and environmental management systems to the auditing of any management system.  This includes audits of occupational safety and health management systems.  ISO 19011:2011 specifically references OHSAS 18001:2007 in the bibliography and includes an “Illustrative example of discipline-specific knowledge and skills of auditors in occupational health and safety management” in Annex A.8.  This expansion in the scope of the standard to cover OH&S management system audits is the primary reason that I participated in this standard development effort as one of the U.S. experts.

Want to know more about the revisions made to the ISO 19011 standard and the likely impact on management system audits?

Sign up below to attend a FREE webinar on December 20, 2011 at 3 pm (Eastern Time). 

In the meantime, you can check out the PowerPoint slides for a presentation I did in May 2011 at the American Industrial Hygiene Conference – click here to go the blog post where you can access this presentation.  Even if you can’t attend the webinar on December 20th – sign up below to get access to the webinar recording so you can listen to it later. 

Also, you can subscribe to this blog (by entering your e-mail in the box on the right) and get future posts delivered to your e-mail.  Over the coming weeks, I will be posting additional information about how the guidelines set out in ISO 19011:2011 will impact environmental and OH&S internal audit programs.

Fill in your contact information below to attend a FREE webinar – ISO 19011:2011 – Impact on Management System Auditing.

If you want to purchase a copy of ISO 19011:2011 – Click here.

© ENLAR® Compliance Services, Inc. (2011)

Similarly, correction and corrective action are NOT the same.

These are defined terms that have been taken from the quality world and applied to EHS management systems.  They are also an entrenched part of registration audits so it is important to understand how registrars define them (i.e. their ISO 9000 definitions).  When registrars issue corrective action requests (CARs), they often request information on any corrections done as well as a description of the corrective action planned.

A correction is defined as “action to eliminate a detected nonconformity”.  In the quality world, correction is often referred to as containment (as in preventing nonconforming product from reaching the customer).  Correction in a QMS can consist of repair, rework, scrapping the product, etc.  The first action taken is often segregation and control of non-conforming product.

This quality concept was incorporated into ISO 14001 as correction and mitigation – as in taking action to mitigate environmental impacts (see Section 4.5.3 a).  The same concept was also incorporated into OHSAS 18001 as correction and mitigation – as in taking action to mitigate OH&S consequences (see Section 4.5.3.2 a).

In all the standards, the focus of correction is on the immediate fix.

A corrective action is defined as “action to eliminate the cause of a detected nonconformity or other undesirable situation.” A note to this definition in ISO 9000 states that “there is a distinction between correction and corrective action.”  The distinction is the focus.  In corrective action, the focus is on what CAUSED the nonconformity.

Since the focus of corrective action is on causation, some type of root cause analysis is a prerequisite to defining the appropriate corrective action.

© ENLAR® Compliance Services, Inc. (2011)

This page provides access to a FREE mini-course that provides clear and concise answers to the following questions -

•   What is a Management System?
•   What is PDCA and what does it mean?
•   Why is PDCA important?
•   How can I determine if an OHSMS standard is  based on PDCA or not?

This course is about 15  minutes long.  Since it is a flash presentation located on a separate web page, you may need modify your browser settings to allow pop-ups in order to access the course. Also, in order to hear the audio, you will need speakers on your computer. When you are ready to begin, just click on the link below. 

Click here to open – Plan-Do-Check-Act – An Introduction to PDCA

Have comments or questions about this course? 

You can type your questions or comments into the comment box below (you may need to click on the more button if you are on the home page) or send me an e-mail at ecsi2008@ENLAR.c0m.

Did you enjoy this course? 

Check out my Introduction to OHSAS 18001 Course.

This course provides insight into interpreting the OHSAS 18001:2007 requirements as well as expert guidance in implementing an OHSMS for purposes of third-party certification.

© ENLAR® Compliance Services, Inc. (2011)

 When it comes time for our company to be audited on the OHSAS 18001 system, our auditor usually says, “Your Company has not identified ALL the hazards at your facility.”

…  I don’t believe that every potential hazard needs to be identified in order to be compliant.  I always explain this to the auditor, and address what it states in 4.3.1:

“The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.”

… I don’t feel our auditor is correct in saying we are not compliant because we have not identified all potential hazards.

I really would appreciate your thoughts on this matter.

You are correct in your analysis of the requirement in Section 4.3.1 of OHSAS 18001. What is required – and what auditors should be looking for – is a process NOT perfection.

This is an important distinction and a fundamental principle underlying all of the ISO management system standards and OHSAS 18001.  It is one of the 14 Points for Management that Deming emphasized in his 1982 book, Out of the Crisisand it is what the plan-do-check-act (PDCA) approach is all about.

To illustrate the difference, consider how one goes about controlling a manufacturing line making widgets.  There are 2 different approaches that can be used to ensure quality widgets – an inspection approach and a management system approach.

In an inspection approach, an individual sits at the end of the line and either accepts or rejects each widget on the basis of whether it is conforming or nonconforming.  Conforming widgets become products and nonconforming widgets become waste.

In a management system approach, procedures and operational criteria are put in place to ensure that quality products are made in the first place.  Quality is ensured by the process controls in place during manufacture not by a final inspection.  If a final inspection is done, the primary purpose is for evaluating the adequacy of the process controls not for product acceptance or rejection.

Some OHSMS auditors approach management system auditing with a “final inspector” mentality.  Rather than focusing on evaluating the adequacy of the management system, they gravitate to focusing on the OHSMS equivalent of looking for nonconformity products.  Rather than looking for system conformance, they look for isolated problems.  They act as inspectors not as auditors.

As in manufacturing widgets, isolated deficiencies do not establish the lack of an OH&S management system.  There can be many reasons for “flaws” – only some of which indicate management system failure.  The focus needs to be on evaluating the sufficiency of the management system procedures in place not on substituting auditor judgment for organizational process.

© ENLAR® Compliance Services, Inc. (2011)

Other presenters talked about what the requirements are for a management system and how to establish a management system within an organization.  I discussed management system auditing.

In particular, I outlined five ways that ISO 19011 impacts management system auditing –

1. Defines what is – and is not – an audit.  One of the key things a standard does is establish common definitions for the terms used within that standard.  For purposes of management system auditing, ISO 19011 defines what an audit is – the dictionary does not.  Importantly, in order to be an “ISO audit”, an assessment activity MUST be objective, independent and documented.  This means that a lot of the activities that safety professionals refer to as “audits” really are not.
2. Fosters audit program integration.  Since ISO 19011 covers all types of audits (internal, supply chain, certification) for all subject matter disciplines (safety, quality, environmental…) in all types and sizes of organizations, it sets out a common structure and guidelines for establishing an audit program.  There can be one program instead of many. 
3. Sets a global standard for audits.  The overarching goal of ISO is harmonized international standards.  Since ISO 19011 is an international standard, it can be applied anywhere in the World.
4. Defines what an audit program is.  Section 4.5.5 of IS0 14001 and OHSAS 18001 require that both audit procedures and an audit program be established, implemented and maintained.  Note that this is different than the requirements in other sections which only require that procedures be established.  ISO 19011 provides the answer for what makes up an audit program.
5. Provides consistent criteria for evaluating auditor competence.  In the upcoming revision of ISO 19011, the focus of Section 7 of ISO 19011 will shift from defining auditor competence criteria to setting out a process for evaluating auditor competence.  The auditing organization needs to have a process in place to select the appropriate audit team members to meet the audit program objectives.

For more information, click here to view a copy of my presentation slides.

© ENLAR® Compliance Services, Inc. (2011)

ISO 9001 is based on quality principles. ISO 19011 is based on auditing principles.  Last week, I participated in a conference call for ISO 14046 in which we discussed what principles are important to the development of a water footprint.  For this discussion we started with the sustainability principles set out in a publication entitled, Guide to Corporate Ecosystem Valuation, which was recently developed by the World Business Council for Sustainable Development.

Just as principles are important for many of the ISO standards, OHSAS 18001 is also based on several principles. 

Although they are not explicitly listed within the OHSAS 18001 standard, these include –

• Leadership Involvement – The top management of the organization must be actively engaged in the management system;
• Risk Management – Implementation of an OH&S management system is driven by the risk management needs of the organization – the hazards and risks identified and the controls that are determined to be necessary to prevent injuries and ill health;
• Commitment to Compliance – Societal interests, as reflected in the laws and regulations promulgated, must be addressed;
• Worker Participation – Workers, as the primary stakeholders of an occupational health and safety management system, have the right to be involved in management system processes; and
• Performance Monitoring & Improvement – Continual improvement, a management system mantra, cannot be achieved unless processes are in place to measure performance. 

© ENLAR® Compliance Services, Inc. (2011)

Although this may be seen as progressive by those who developed this new management system structure, it is likely to create confusion on the part of users of the standards who are not information management experts.

There are important reasons for distinguishing between the documents that  need to be controlled in a management system and record retention requirements.  Even though both document control and record control are control of documented information, their purpose and use is very different.

Documents are controlled to ensure that individuals are using the correct information to guide them in accomplishing some task.  The information within a document changes over time as conditions and requirements change.  This is why approval processes and version control are critical for documents.

Records are controlled to ensure that the information contained within the document is available and accurate for reference in the future.  The information in records should not change over time.  This is why preservation and data integrity are critical for records.

In honor of the upcoming tax return deadline, I will use preparation and retention of tax returns as an example of document and record control. 

When you complete your tax return, it would be foolish to use last year’s forms and instructions. Instead, since tax forms typically change each year, you look for the most recent version. You want to ensure you use the right form so you meet the requirements set out in the tax code. Version control is what is important.

Once your tax return has been submitted to the IRS, it becomes a record.  Sometimes that record is requested by others to provide evidence of your financial stability.  It would be foolish to change the information contained in that record – and probably illegal as well.  Data preservation and integrity is what is important – not version control.

Both of these involve the control of “documented information” but they are hardly the same.

© ENLAR® Compliance Services, Inc. (2011)

This is the development of a document that sets out a common High Level Structure and core definitions to be used in all ISO management system standards.  This document was developed by an ISO Joint Technical Coordination Group (JTCG) tasked by the ISO Technical Management Board (TMB).  It was published as JTCG N44 in December 2010.

As set out in this document, all management system standards will be required to use the same top level structure, with the following required elements:

• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement

One of the first standards that this ISO initiative is likely to impact wil be ISO 14001.  The revision of ISO 14001 is expected to start later this year. This revision will require restructuring the standard into the High Level Structure set out in JTCG N44.

© ENLAR® Compliance Services, Inc. (2011)