I recently got the following question about a blog post I did back in 2009 – OHSAS 18001 “Governing Body”.
The question was –
My company is an Environmental Laboratory in India. It holds an unaccredited certificate issued by an Indian company. Can you clarify how far this certificate is valid?
My response –
I can’t answer your question since the answer is specific to your organization, the clients you conduct work for and the laws of your jurisdiction. For example, in the United States, there are laws that require testing laboratories to be accredited – including those doing certain environmental tests.
As I mentioned in the blog post you referenced, management system standards are used for a variety of different purposes.
One of those purposes is to set out the requirements upon which certification programs are based. Some of these certifications are reputable and legitimate, whether they are accredited or not. Others are only sham certifications. They are issued primarily to deceive or encourage reliance on the part of third parties that is not justified based on the level of investigation actually being performed by the individual or organization providing the certification.
The issue is not so much accreditation or not. The issue is the credibility of the certification based on the level of due diligence that supports the determination being made.
I posted this question and response because of the increased interest and reliance on OHSMS certification that is being driven by an increase in public sustainability reporting. It is important to understand that certification alone does not represent due diligence unless it is clear exactly what assessment activities were done to support the certification.
© ENLAR Compliance Services, Inc. (2013)
Yesterday, I received a copy of the ISO New Work Item Proposal (NWIP) for a new requirements standard for occupational health and safety management systems. ANSI has requested that comments on this NWIP be sent to ANSI by April 26, 2013, so ANSI can decide how it will vote on this proposal.
There are several interesting aspects to this NWIP –
1. This is a proposal for a Project Committee (PC), not a Technical Committee (TC).
The distinction is that a Project Committee is authorized to develop a single standard. This is the approach that was used for the development of ISO 50001:2011 – the ISO Energy Management System standard. An ISO PC can be converted into a TC in the future but, at least initially, the standard development authority of this ISO committee will be limited solely to the development of the one standard being proposed – an OHSMS requirements document.
2. Given the past controversy that has surrounded the development of an ISO OHSMS standard, this NWIP includes two additional letters.
The first is a letter from Rob Steele, the ISO Secretary General, addressing the right and ability of ISO to deal with the subject area. The second is a letter from the International Labour Organization (ILO) expressing its concerns with ISO’s decision to proceed with this standard development effort.
3. Any ISO OHSMS standard will be required to meet the requirements for management system standards that are set out in Annex SL of the ISO Directives.
What this means is that an ISO OHSMS will not be based on any of the existing OHSMS standards – including OHSAS 18001 or ANSI Z10. These standards can serve as reference documents but many of the important requirements of an ISO OHSMS will be determined solely by the high-level structure and core common text that are set out in Annex SL.
ANSI is in the process of circulating this proposal to stakeholder groups in the United States. I am confident there will be a great deal of discussion of this NWIP. It is likely that there will be continued disagreement concerning the appropriate venue for developing OH&S standards.
As set out in BSI’s justification document, the world is markedly different today from what it was when an ISO OHSMS standard was last proposed.
Today, protection of workers is as much driven by a complex web of supply chain relationships and sustainability initiatives as it is by governmental decrees and enforcement actions. As shown by the success of the certification initiatives that have developed around the handling of electronics waste, publicity and supply chain initiatives can have a greater impact in protecting worker health than governmental rulemaking.
In addition, given the increased use of outsourcing arrangements, many individuals performing work on an organization’s behalf are no longer employees in the traditional labor law sense. By extension, worker safety is no longer solely an employment issue. As explicitly set out in OHSAS 18001, and recognized in several OSHA standards, an organization’s obligation to protect workers extends beyond employees to individuals who are performing work on an organization’s behalf. This can include a range of parties – including contract workers, employees of contractors, volunteers, visitors to the workplace and employees.
Worker safety is no longer simply a labor issue to be addressed through governmental action.
Want to know more?
If you want to know more about Annex SL and the revision of ISO 14001, check out my previous blog post – New Year – New Standards.
If you want to review the ISO NWIP for an OHSMS standard click here (note – this document does not include the Justification Study and other attachments to the NWIP but does include copies of the letters discussed above).
© ENLAR Compliance Services, Inc. (2013)
Recently, I have noticed an increase in statements that some particular safety program or another is required because of the OSHA General Duty Clause. Often, this statement is tied to a pitch for consulting services or to promote a fill-in-the-blank template for whatever safety program is being discussed.
These statements are often a misrepresentation of what the general duty clause actually requires.
What is the “General Duty Clause”?
Each employer shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or likely to cause death or serious physical harm to his employees.
Over the last 40 years, there have been a number of court decisions interpreting this section of the law. These cases have established the requirements that OSHA must meet in order to bring a “general duty clause” enforcement action against a particular employer. These requirements are –
- There must be a “recognized” hazard – either actual knowledge on the part of the employer or common knowledge in the employer’s industry (for example, set out in an applicable ANSI standard);
- There must be either an employee death or serious injury, or a substantial probability for serious physical harm, that is directly caused by the hazard; and
- Feasible means must exist to materially reduce the hazard.
The General Duty Clause clearly is not a documentation requirement to be cited when no other OSHA regulation applies. It is a requirement that recognized hazards need to be addressed in order to prevent serious injuries.
Since I spend much of my time drafting and using management system standards, the OSH Act “general duty clause” requirements appear to me to be very similar to the “risk assessment” and/or “corrective action” requirements set out in the various management system standards, including OHSAS 18001, ISO 14001 and ISO 9001.
These requirements are –
- Establish processes to identify hazards and/or nonconformities (i.e. identified problems likely to cause harm);
- Assess these and determine the need for action (analyze the probability and extent of likely harm and actions needed to reduce the risk); and
- Take the actions needed to control the hazards and review the effectiveness of those actions.
If an organization establishes an OHS management system with robust processes that are designed to proactively “recognize” and assess hazards and then implements feasible means of addressing these hazards, it will also improve its compliance with the “general duty clause” requirements set out in the Occupational Safety and Health Act.
© ENLAR Compliance Services, Inc. (2013)
I have gotten the following question from several readers –
I hear there is an initiative to develop an ISO safety and health management standard. Will ANSI Z10 be a key input in developing an ISO OHSMS standard?
The short answer is – “I don’t know.”
The longer answer is much more complex and requires delving into the processes – and politics – of international standard development.
It is my understanding that the British Standards Institute (BSI) is seriously considering submitting a proposal to ISO for the development of occupational health and safety management system (OHSMS) standards.
This is not as straightforward as it seems nor does it mean that an ISO OHSMS specification standard, like OHSAS 18001, is a foregone conclusion.
As we start 2013, it is clear that we will shortly be getting a very different version of ISO 14001 – as well as revisions to ISO 9001. OHSAS 18001 may be revised as well – or transformed into an ISO standard.
What is happening with ISO 14001?
The revision of the 2004 edition of ISO 14001 is now well underway.
The impact of Annex SL of the ISO/IEC Directives (a.k.a. Guide 83 High Level Structure) is becoming evident. It is clear that using the new required common approach, with its mandatory definitions and identical core text, will result in significant structural and substantive changes to the standard.
Whether these changes are wise, or not, seems to depend on who you ask.
Next Tuesday, January 8, I will be presenting a webinar for BNA entitled –
Revision of ISO 14001: Is It Reorganization or a Paradigm Shift?
In this webinar, I will cover some of the important changes being made to the ISO 14001 standard, including:
- new requirements related to identifying and meeting the needs and expectations of external parties,
- recognition that pen and paper is being replaced with electronic data, and
- increased focus on achieving outcomes and evaluating environmental performance.
A committee draft (CD) of the revised ISO 14001 standard will be out for comment later this year and the plan is to have the new version ready for final publication in early 2015.
What about OHSAS 18001?
The revision status of OHSAS 18001 is less clear.
BSI has indicated that it plans to again request that ISO develop an OHSMS standard to replace OHSAS 18001. Any revision of OHSAS 18001 is on hold pending the outcome of this action.
What about ISO 9001?
Annex SL applies to ISO 9001 as well, so the next revision of the quality management system will need to deal with many of the same issues associated with Annex SL that are currently being debated in the revision of ISO 14001.
Work has started on this revision of ISO 9001 with a projected completion date of late 2015.
It appears 2013 will be a busy year for standards writers!
© ENLAR Compliance Services, Inc. (2013)
Many companies are increasingly including some type of “injury and illness data” in their sustainability reports. It is one of the metrics included in the GRI reporting scheme. It is used both internally and externally to determine financial bonuses. It is also used by a number of companies and governmental agencies to select qualified contractors. There is a great deal of pressure to report low numbers.
The question is – “How accurate is this data?”
There are many who believe it isn’t very accurate at all.
As I discussed in a previous blog, there are strong incentives for under-reporting and, very often, little or no independent verification of the numbers. This is even the case for many of the processes and web-based tools used by major companies to select contractors.
Safety professionals may want to re-assess the risks associated with the creation and external reporting of injury and illness data.
Companies may want to re-assess their reliance on data that has no independent verification.
Because, given the results of a recent court case, inaccurate reporting can be considered fraud and those involved can go to jail.
In early November 2012, a jury convicted a safety manager for The Shaw Group of eight counts of major fraud against the United States. They found that he had provided false and misleading information about injuries associated with work at TVA (Tennessee Valley Authority) facilities. This false injury data was used by his company to collect safety bonuses worth over $2.5 million. (Note – According to the DOJ press release, The Shaw Group entered into a civil agreement in 2008 with the United States and paid back twice the amount of the safety bonus they collected.)
Want to know more about verifying injury and illness data?
© ENLAR Compliance Services, Inc. (2012)
There are a number of websites and political candidates touting the benefits of the Ready-Fire-Aim approach. Decisiveness is characterized as a virtue; hesitation as a sign of weakness.
Sometimes it is fatal.
The classic example of this is when a co-worker rushes into a confined space to save a buddy – and they both end up dead.
Most of the pundits favoring the Ready-Fire-Aim approach are focused on overcoming the negative impacts of inertia within an organization. They are seeking to address those situations within organizations where endless studies are conducted but action is never taken.
They want action and they want action NOW.
Inertia is a problem within many organizations that does need to be addressed. But simply focusing on taking action more quickly – speeding up the response – is not always the answer.
Prior to making changes, it is important to consider the downside risks of the action being proposed.
Earlier this month, I attended the ISO Working Group meeting for the revision of ISO 14001 (TC 207/SC1/WG5). This revision will result in a number of significant changes to the ISO 14001 standard. These changes are likely to be carried over to a subsequent revision of OHSAS 18001.
There was a great deal of discussion at this meeting about a change that will fundamentally change the nature of the ISO 14001 requirements. If this change is made, it will entirely transform what the ISO 14001 standard is all about.
The primary focus of the current ISO 14001 standard is on ensuring that an organization being certified has procedures in place to achieve the desired results. The language of the new revision will change the focus of the certification process to verification of results (i.e. performance).
Earlier this week, I was asked to respond to a question posed on the ASQ Ask the Experts blog. The question requested information about standards applicable to making modifications to PLCs (Programmable Logic Controllers). In my response, I identified a number of potentially applicable regulations and standards.
As I pointed out in my answer, in order to meet the requirements of OHSAS 18001, an OHSMS must include management of change procedures that assess the potential hazards of PLC modifications prior to any changes being made.
As I thought about the management of change (MOC) procedures I have reviewed over the years, I realized that this has been an important deficiency in most of them. MOC procedures tend to focus on equipment (i.e. hardware) changes and often ignore changes to the software that operates the equipment. This is a concern because more and more industrial equipment is computer – rather than human – controlled.
How should this issue be addressed in an OHSMS?
- Appropriate individuals within the company should become familiar with the PLC requirements set out in any applicable regulations and appropriate consensus standards. (Again, for a list of potentially applicable standards, check out the ASQ blog post.)
- Just as equipment is evaluated for developing appropriate lockout-tagout procedures, organizations should develop an up-to-date inventory of their PLCs – focusing first on those computer controls used for safety-related functions or in high-hazard processes (for example, mechanical presses, industrial robots, control of chemical reactions).
- Guidelines on maintaining and modifying PLCs (and other computer controls) should be incorporated into existing routine maintenance work orders (e.g. PM databases) and MOC procedures. Appropriate limitations should be placed on PLC modifications based on the associated risks.
- Individuals responsible for maintaining, troubleshooting and modifying PLCs need to be trained AND competent.
- Periodic reviews need to be conducted to ensure that procedures are being followed, PLCs are used correctly, security measures are in place (to prevent unauthorized “hacking”) and backup copies of PLC programs are retained.
As we move toward a future with more and more computer-controlled operations, having management system processes established to ensure they are functioning as intended will become increasingly important for managing both safety and organizational risks.
© ENLAR Compliance Services, Inc. (2012)
Many of the recent high-profile instances of organizational failures – such as the BP Deepwater Horizon explosion, Penn State Sandusky scandal and the Barclays Bank Libor manipulation – have resulted in independent investigations. The point of these investigations is to identify what went wrong in order to prevent similar failures in the future. Often these investigations result in reports with recommendations for management system changes.
Recently, one commentator characterized one of these reports as follows:
These recommendations are simply the imposition of unnecessary bureaucracy on the hapless many in the organization because of the misconduct of a very few. In the end, the changes recommended will not work anyway. What this failure shows is a lack of leadership that management systems can’t solve.
Implicit in this comment are the following assumptions –
- Management systems are simply bureaucratic burdens that get in the way of doing “real work.”
- Management systems don’t work; what is important is leadership.
Taking each of these assumptions in turn –