Category: Standards & Certification

What is an Audit Program?

One of the requirements often missed when an organization initially implements a management system is the need for an internal audit program.  The internal audit element is the only one that requires both procedures and a program.  This is true of OHSAS 18001 4.5.5, ISO 14001 4.5.5 and ISO 9001 8.2.2.  Simply having procedures is not enough.

So, what is an audit program and how does it differ from audit procedures?

ISO 19011:2011 defines an audit program as “arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose”.

A procedure is defined as “a specified way to carry out an activity or process”. (ISO 9000 3.4.5)

According to, a program is a “planned, coordinated group of activities, procedures, etc., often for a specific purpose”.

In other words, audit procedures are one component of an audit program.

In order to have an internal audit program, an organization must have the following:

  1. A defined purpose (established audit program objectives)
  2. Audit arrangements (audit procedures)
  3. Scheduled audits (audits planned for a specific time frame)

Want to know more about establishing an audit program?

Click here to sign up for the FREE webinar I am giving next Tuesday (December 20th) – ISO 19011:2011 – Impact on Management System Auditing.

© ENLAR Compliance Services, Inc. (2011)
December 15, 2011

ISO Publishes ISO 19011:2011

In November 2011, ISO published the revision of ISO 19011 as an International Standard (ISO 19011:2011).  This second edition of the standard cancels and replaces the first edition (ISO 19011:2002).

The most significant change is that the scope of the standard has been broadened from the auditing of quality and environmental management systems to the auditing of any management system.  This includes audits of occupational safety and health management systems.  ISO 19011:2011 specifically references OHSAS 18001:2007 in the bibliography and includes an “Illustrative example of discipline-specific knowledge and skills of auditors in occupational health and safety management” in Annex A.8.  This expansion in the scope of the standard to cover OH&S management system audits is the primary reason that I participated in this standard development effort as one of the U.S. experts.

Want to know more about the revisions made to the ISO 19011 standard and the likely impact on management system audits?

December 9, 2011

Correction vs Corrective Action in an EHSMS

In a previous blog, I discussed that an incident is NOT the same as a nonconformity.  An incident is a situation where some kind of harm occurs (or could occur); a nonconformity is defined as “non-fulfillment of a requirement”.  There is often a relationship between the two – but not always.

Similarly, correction and corrective action are NOT the same.

These are defined terms that have been taken from the quality world and applied to EHS management systems.  They are also an entrenched part of registration audits so it is important to understand how registrars define them (i.e. their ISO 9000 definitions).  When registrars issue corrective action requests (CARs), they often request information on any corrections done as well as a description of the corrective action planned.

A correction is defined as “action to eliminate a detected nonconformity”.  In the quality world, correction is often referred to as containment (as in preventing nonconforming product from reaching the customer).  Correction in a QMS can consist of repair, rework, scrapping the product, etc.  The first action taken is often segregation and control of non-conforming product.

This quality concept was incorporated into ISO 14001 as correction and mitigation – as in taking action to mitigate environmental impacts (see Section 4.5.3 a).  The same concept was also incorporated into OHSAS 18001 as correction and mitigation – as in taking action to mitigate OH&S consequences (see Section a).

In all the standards, the focus of correction is on the immediate fix.

Corrective action is defined as “action to eliminate the cause of a detected nonconformity or other undesirable situation.” A note to this definition in ISO 9000 states that “there is a distinction between correction and corrective action.”  The distinction is the focus.  In corrective action, the focus is on what CAUSED the nonconformity.

Since the focus of corrective action is on causation, some type of root cause analysis is a prerequisite to defining the appropriate corrective action.

October 26, 2011

What is PDCA?

If you are exploring the web looking for information about implementing management systems, pretty soon you will come across the acronym PDCA.  You will quickly discover that PDCA stands for plan-do-check-act but it may not be clear to you what this actually means.

This page provides access to a FREE mini-course that provides clear and concise answers to the following questions –

  •   What is a Management System?
  •   What is PDCA and what does it mean?
  •   Why is PDCA important?
  •   How can I determine if an OHSMS standard is based on PDCA or not?

This course is about 15 minutes long.  Since it is a flash presentation located on a separate web page, you may need to modify your browser settings to allow pop-ups in order to access the course. Also, in order to hear the audio, you will need speakers on your computer. When you are ready to begin, just click on the link below.

Click here to open – Plan-Do-Check-Act – An Introduction to PDCA

Have comments or questions about this course? 

You can type your questions or comments into the comment box below (you may need to click on the more button if you are on the home page) or send me an e-mail at ecsi2008@ENLAR.c0m.

Did you enjoy this course? 

Check out my Introduction to OHSAS 18001 Course.

This course provides insight into interpreting the OHSAS 18001:2007 requirements as well as expert guidance in implementing an OHSMS for purposes of third-party certification.

August 2, 2011

Process NOT Perfection

I received the following question from a reader last week –

 When it comes time for our company to be audited on the OHSAS 18001 system, our auditor usually says, “Your Company has not identified ALL the hazards at your facility.”

…  I don’t believe that every potential hazard needs to be identified in order to be compliant.  I always explain this to the auditor, and address what it states in 4.3.1:

“The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.”

… I don’t feel our auditor is correct in saying we are not compliant because we have not identified all potential hazards.

I really would appreciate your thoughts on this matter.

You are correct in your analysis of the requirement in Section 4.3.1 of OHSAS 18001. What is required – and what auditors should be looking for – is a process NOT perfection.

This is an important distinction and a fundamental principle underlying all of the ISO management system standards and OHSAS 18001.  It is one of the 14 Points for Management that Deming emphasized in his 1982 book, Out of the Crisis, and it is what the plan-do-check-act (PDCA) approach is all about.

To illustrate the difference, consider how one goes about controlling a manufacturing line making widgets.  There are 2 different approaches that can be used to ensure quality widgets – an inspection approach and a management system approach.

July 13, 2011

Auditing Integrated Management Systems – The Impact of ISO 19011

Last week at the American Industrial Hygiene Conference in Portland, I was one of the speakers on a roundtable panel tasked with discussing the topic Integrated Solutions in Sustainable Occupational Health and Safety Management Systems.  My presentation was on Auditing Integrated Management Systems – The Impact of ISO 19011.

Other presenters talked about what the requirements are for a management system and how to establish a management system within an organization.  I discussed management system auditing.

In particular, I outlined five ways that ISO 19011 impacts management system auditing –

May 24, 2011

OHSMS Principles

Standards are based on principles. 

ISO 9001 is based on quality principles. ISO 19011 is based on auditing principles.  Last week, I participated in a conference call for ISO 14046 in which we discussed what principles are important to the development of a water footprint.  For this discussion we started with the sustainability principles set out in a publication entitled, Guide to Corporate Ecosystem Valuation, which was recently developed by the World Business Council for Sustainable Development.

Just as principles are important for many of the ISO standards, OHSAS 18001 is also based on several principles.

April 19, 2011

Control of Documented Information

In a previous blog, I discussed the new High Level Structure and identical text requirements that have been proposed for all ISO management system standards.  One of the proposed changes is to eliminate the document control and record control elements and replace them with a new provision requiring control of “documented information”.  Documented information is somewhat vaguely defined in this new scheme as “the information required to be controlled and maintained by an organization”.

Although this may be seen as progressive by those who developed this new management system structure, it is likely to create confusion on the part of users of the standards who are not information management experts.

There are important reasons for distinguishing between the documents that need to be controlled in a management system and record retention requirements.  Even though both document control and record control are control of documented information, their purpose and use are very different.

April 15, 2011

High Level Structure for MS Standards

An initiative has been underway within ISO that is likely to have a significant long-term impact on all management systems within an organization – including occupational health and safety management systems.

This is the development of a document that sets out a common High Level Structure and core definitions to be used in all ISO management system standards.  This document was developed by an ISO Joint Technical Coordination Group (JTCG) tasked by the ISO Technical Management Board (TMB).  It was published as JTCG N44 in December 2010.

January 14, 2011

OHSAS 18001 “Governing Body”

A reader recently posted the following question –

I am dealing with an organization that claims it is certified to OHSAS 18001… Does anyone know if there is an accreditation board or other governing body which administrates OHSAS 18001 who would be responsible for auditing conformance with these practices? Or does this system rely solely on internal audits only?

There is no one OHSAS 18001 governing body or accreditation board.

As a voluntary international standard, OHSAS 18001 is utilized by organizations in several different ways.

November 24, 2009