Tag: hazard identification
I received the following question from a reader last week –
When it comes time for our company to be audited on the OHSAS 18001 system, our auditor usually says, “Your Company has not identified ALL the hazards at your facility.”
… I don’t believe that every potential hazard needs to be identified in order to be compliant. I always explain this to the auditor, and address what it states in 4.3.1:
“The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.”
… I don’t feel our auditor is correct in saying we are not compliant because we have not identified all potential hazards.
I really would appreciate your thoughts on this matter.
You are correct in your analysis of the requirement in Section 4.3.1 of OHSAS 18001. What is required – and what auditors should be looking for – is a process NOT perfection.
This is an important distinction and a fundamental principle underlying all of the ISO management system standards and OHSAS 18001. It is one of the 14 Points for Management that Deming emphasized in his 1982 book, Out of the Crisisand it is what the plan-do-check-act (PDCA) approach is all about.
To illustrate the difference, consider how one goes about controlling a manufacturing line making widgets. There are 2 different approaches that can be used to ensure quality widgets – an inspection approach and a management system approach.
I received a follow-up e-mail from a reader asking for additional clarification about the requirements for identifying legal and other requirements in OHSAS 18001. Her organization has tasked her with updating their existing ISO 14001 matrix to include “OH&S requirements, aspects and categories”. She asked whether she was wasting her time given my response to a reader’s question I posted in a previous blog about identifying legal and other requirements.
There are similarities between the requirements in the ISO 14001 and OHSAS 18001 standards. Section 4.3.2 of OHSAS 18001 – like Section 4.3.2 in ISO 14001 – requires that an organization establish a procedure to identify its applicable legal and other requirements. (It is important to keep in mind that a procedure is defined as a specified way of doing some activity.)
The majority of companies use some sort of matrix – often a Word table or Excel spreadsheet – to document the results of their determination of which legal and other requirements are applicable to them. This is often called a Legal Register. This matrix or Legal Register provides the answer to the question – “What are the legal and other requirements we must comply with?” (Although creation of a Legal Register is a common practice, it is NOT required. What is required is that you follow whatever your procedure says you are going to do to identify your applicable legal and other requirements.)
Nature vs. Nurture is an on-going debate in many discussions of individual action. Do we act the way we do because of our genes or our upbringing? Are we who we are as the result of our inherent nature or the behavior of those around us?
This debate impacts occupational health and safety management systems as well. We just don’t call it nature vs. nurture. Instead we discuss safe workplaces (the inherent nature of the workplace) vs. behavior-based safety (the safe or unsafe activities of workers).
Although it is not yet clear how much of who we are is determined by heredity and how much by upbringing, it seems clear that both play a part. As with the “nature vs. nurture” debate, occupational health and safety hazards are created by BOTH unsafe situations AND by unsafe acts. You cannot focus solely on just one or the other in an OHSMS.
OHSAS 18001 makes this clear.
By definition (see OHSAS 18001:2007 3.6), hazards include sources, situations AND acts with the potential for harm. This includes unsafe conditions in the workplace. This ALSO includes unsafe activities on the part of people.
Some organizations seem to forget this distinction when they develop their processes and procedures for hazard identification. They focus almost exclusively on looking at sources of hazards – such as those associated with machinery, facilities, physical stressors and chemical agents. The behavior of people, driven by the psychology of human behavior, is often ignored.
What is being missed? Here are some examples –
Last week, I received the following question from a reader about the OHSAS 18001 requirements related to the identification of applicable legal and other requirements –
We are an OHSAS 18001 certified company…. Our Hazard Identification and Risk assessment (HIRA) first page tells about the legal requirement clause and the legal statements for complying with the HIRA. Our external auditor (certifying body) insists we insert a column in the HIRA chart to identify what legal requirement clause comes against the control of each identified risk.
1. Is my auditor correct?
2. Does the OHSAS 18001 Standards say that?
My answer –
That is NOT an OHSAS 18001 requirement. I believe your external auditor is confusing the ISO 14001 and OHSAS 18001 requirements.
Section 4.3.2 of ISO 14001 requires that an organization determine how its applicable environmental legal and other requirements apply to its environmental aspects. This is often done as your external auditor suggests, although it does NOT have to be done that way. You can use whatever method is appropriate for your organization.
Section 4.3.2 of OHSAS 18001 does NOT have the same requirement as ISO 14001. It requires that an organization “take into account” its applicable legal other requirements in its OHSMS. No column, chart, matrix is required. Nor does it require identifying requirements by individual risk. This requirement was specifically rejected when OHSAS 18001 was revised in 2007.
© ENLAR® Compliance Services, Inc. (2011)
In a previous post, I discussed that there is no single, fill-in-the-blank, process for conducting an OHS hazard identification and risk assessment. Instead, what is needed is an assembly of individual processes that, when taken together, result in a comprehensive OHSMS risk management strategy.
It is equivalent to assembling a meal from an a la carte menu.
So what are your a la carte choices?
They are numerous and varied and include –
- Checklists and questionnaires
- Consequence / likelihood matrices
- Failure modes and effects analysis (FMEA)
- Hazard and operability studies (HAZOP)
- Exposure assessment strategies
- Bayesian analysis
- Ergonomic evaluations
- Computer modeling programs
Just as the key to healthy eating is making wise menu choices, the key to a sound OH&S risk management strategy is choosing the hazard identification and risk assessment tools that are appropriate for your organization.
© ENLAR® Compliance Services, Inc. (2008)
One of the requests I commonly get from organizations seeking to integrate occupational health and safety into an existing environmental management system is –
“Can you provide a generic risk assessment process I can just plug into my aspect/impact procedure?”
The short answer to this request is “No.”
This is the fundamental difference between the OHSAS 18001 and the ISO 14001 standards. To conform to ISO 14001, many organizations have a single aspect/impact evaluation process. It may be complex and involve several factors and complicated calculations but it is typically one process. This is not the case for OHSAS 18001 hazard identification and risk assessment.
To quote from the OHSAS 18002 guidance –
Hazard identification and risk assessment methodologies vary greatly across industries, ranging from simple assessment to complex quantitative analyses with extensive documentation. Individual hazards may require that different methods be used, e.g. an assessment of long term exposure to chemicals may need a different method than that taken for equipment safety or for assessing an office workstation. Each organization should choose approaches that are appropriate to its scope, nature and size, and which meet its needs in terms of detail, complexity, time, cost and availability of reliable data. Taken together, the chosen approaches should result in a comprehensive methodology for the ongoing evaluation of the organization’s risk.
In other words – there is no simplistic answer or cookie-cutter methodology. It is not one process but several that, when taken together, make up a comprehensive risk management strategy.
© ENLAR® Compliance Services, Inc. (2008)