Professional Documents
Culture Documents
Sgs 18001 Manual
Sgs 18001 Manual
OHSAS 18001
WWW.UK.SGS.COM
NDARD
ION OF THE STA
ERS 007
E 2007 V on the 2
D TO TH mentary
UPDATE lud e s c o m
now inc ndard
NEW
Booklet e 1 8001 sta
g e s to th
ch a n
SGS 5258/0308
The Route to OHSAS 18001 The Route to OHSAS 18001
FOREWORD CONTENTS
Page Number
What is OHSAS 18001?
It is a standard which many countries and organisations have Introduction 4
chosen to implement in their commitment to establish a formal
3 Terms and Definitions 6
and recognised mechanism for managing occupational health &
safety. OHSAS 18001 has been specifically designed to provide 4.1 General Requirements 6
such a mechanism and was developed with the requirements 4.2 Occupational Health & Safety Policy 7
of both ISO 9001:2000 and ISO 14001:2004 in mind, thereby 4.3.1 Hazard Identification, Risk Assessment
allowing ready integration of management systems and the and Determining Controls 10
efficiencies that this can bring, as well as implicitly recognising
4.3.2 Legal and Other Requirements 15
an organisation’s own business needs.
4.3.3 Objectives and Programmes 18
OHSAS 18001 was first issued in 1999 but was subject to
4.4.1 Resources, roles, responsibility,
review during 2006 and then issued as a revised standard on 1
accountability and authority 20
July 2007. This booklet is intended to provide an introduction
to the changes made to OHSAS 18001 and the potential 4.4.2 Competence, Training and Awareness 22
implications of those changes. 4.4.3 Communication, Participation
and Consultation 24
OHSAS is based on a number of principles:
4.4.4 Documentation 28
• Clear demonstration of leadership and management commitment
4.4.5 Control of Documents 30
• Setting of objectives leading to improvement of OHS performance
4.4.6 Operational Control 32
• Effective hazard identification, risk management and risk control
4.4.7 Emergency Preparedness and Response 34
• Competence of workforce
• Consultation and communication with all stakeholders 4.5.1 Performance, Measurement and Monitoring 36
• Systematic approach to managing occupational health & safety 4.5.3 Incident Investigation, Non-Conformity,
Corrective and Preventive Action 40
• Monitoring the effectiveness of the management system through
audit and review 4.5.4 Control of Records 45
It has been appreciated for many years that effective 4.5.5 Internal Audit 46
management of occupational health & safety can significantly 4.6 Management Review 48
reduce risk exposure and potentially improve an organisation’s
profitability and sustainability. Leading studies have recognised
that implementing a formal occupational health & safety
management system based on OHSAS 18001 is an excellent
means of achieving this business aim.
• New requirements have been introduced for the investigation THE SCOPE OF OHSAS 18001:2007 STATES:
of incidents
“This Occupational Health & Safety Assessment Series
OHSAS 18001 is now a Standard which defines a set of (OHSAS) Standard specifies requirements for an
requirements for an Occupational Health & Safety Management Occupational Health & Safety (OH&S) management system,
System (SMS) which would be suitable for any kind and size of to enable an organisation to control its OH&S risks and
organisation. Currently no ISO standard is available that defines improve its performance. It does not state specific OH&S
the requirements for a SMS, although national standards bodies performance criteria, nor does it give detailed specifications
have developed standards, and some have adopted OHSAS 18001 for the design of a management system.”
The Route to OHSAS 18001 The Route to OHSAS 18001
This firmly establishes the purpose of OHSAS 18001. Not only 4.2 OCCUPATIONAL HEALTH & SAFETY POLICY
does an effective SMS improve existing and establish new controls,
it also installs and drives a system of continuous improvement An organisation’s Occupational Health & Safety Policy should
in Occupational Health & Safety performance. It must also be be the cornerstone of SMS. Development of a Policy may be
recognised that in many countries there is a legal requirement for required by legislation, but even if it is not, the OHS Policy is
organisations to develop and implement Occupational Health & an essential tool in the formulation and communication of the
Safety Management Systems. In many cases there is no definition
organisation’s intent. The safety policy should in any case reflect
of the required structure for such a system.
the organisation’s operations and processes, and should ideally
A SMS based on the requirements of OHSAS 18001 provides be produced after identifying the OH&S hazards and risks which
for the development of a system of interlinking processes and the organisation may face as a result of its operations.
is a simple and effective toolkit of mechanisms for managing
Occupational Health & Safety issues in any kind of organisation. KEY REQUIREMENTS
It is only prescriptive in terms of what must happen, leaving the
The Policy must:
how to the organisation to decide or devise for itself.
• Be appropriate to the scale and operations of the organisation
The notes below are preceded by the clause number of OHSAS
18001:2007 and are presented in the order they appear in that • Commit to continuous improvement of safety performance
specification. New or changed requirements are shown in italics.
• Commit to compliance with relevant legal and other requirements
Paragraph 1 has been extended but a new requirement has • Be periodically reviewed to ensure its ongoing suitability
been added:
Taking these in turn:
The organisation shall establish, document, maintain and continuously
APPROPRIATE AND AUTHORISED
improve an OH&S management system in accordance with the
requirements of this OH&S Standard and determine how it will The Policy should be appropriate to an organisation. The opening
fulfil these requirements. paragraph(s) of the Policy should give a brief outline of the
organisation’s business sector and operations so that the Policy
The organisation shall define and document the scope of its
can be viewed in context. This will also enable the scope of the
OH&S management system.
SMS to be described (see clauses 4.1 and 4.4.4). The Policy
This requirement links with the revised system document needs to be authorised by top management; evidence of this
requirements shown at clause 4.4.4b. authorisation should be available.
The Route to OHSAS 18001 The Route to OHSAS 18001
PROVIDE A FRAMEWORK FOR SETTING OBJECTIVES Typical interested parties might include shareholders, other
FOR IMPROVEMENT stakeholders, neighbouring companies or residents, emergency
services etc. Some organisations have published their Safety
The OH&S Policy should make reference to the setting of
Policies on their company websites. In some clauses, e.g. 4.4.7,
safety objectives and objectives for the improvement of safety
interested parties are now specifically identified.
performance. Problems can arise when the Policy is written
with good intent but with unrealistic expectation of what The table below summarises the requirements of clause
an organisation can do. For example, if your Policy states a 4.2 and identifies the new requirements now included in
commitment to accident reduction, risk elimination etc., the OHSAS 18001:2007. So to sum up, the Safety Policy is one
SMS must keep such promises. These will need to be delivered of the cornerstones of an SMS. If it makes promises or raises
by means of documented objectives and supported by detailed expectations, they must be delivered. It is the only part of
Management Programmes (see clause 4.3.3). your system that must be made available to the public. Your
employees must know about it and its relevance to them.
The Route to OHSAS 18001 The Route to OHSAS 18001
10 11
The Route to OHSAS 18001 The Route to OHSAS 18001
• identified hazards originating outside the workplace capable part of the workplace design process. To some extent this
of adversely affecting the health and safety of persons requirement links with the management of change
under the control of the organisation within the workplace.
• the organisation’s methodology for hazard identification
This could mean the use of hazardous machinery brought to
and risk assessment shall: be defined with respect to its scope,
the workplace or chemicals brought to the workplace.
nature and timing to ensure it is proactive rather than reactive;
• hazards created in the vicinity of the workplace by work- and provide for the identification, prioritisation and documentation
related activities under the control of the organisation. of risks, and the application of controls, as appropriate
Possibly hazards created by non-routine activities
• for the management of change, the organisation shall
• infrastructure, equipment and materials at the workplace, identify the OH&S hazards and OH&S risks associated
whether provided by the organisation or others; This with changes in the organisation, the OH&S management
requirement is focusing on hazards associated with work system, or its activities, prior to the introduction of such
equipment, e.g. forklift trucks and material, e.g. chemicals changes. This is a definite requirement to manage change and
in particular to identify associated OH&S hazards and risks
• changes or proposed changes in the organisation, its
before the introduction of change. There would need to
activities, or materials. The management of change is now
be evidence of the manner in which this requirement has
addressed in a more definite way within the Standard; this
been addressed so an external auditor can verify the change
requirement, to some extent, links with managing change
management arrangements
and in particular identifying new or revised hazards resulting
from change • when determining controls, or considering changes to
existing controls, consideration shall be given to reducing
• modifications to the OH&S management system, including
the risks according to the following hierarchy: The
temporary changes, and their impacts on operations,
application of the hierarchy of controls shown below is now a
processes, and activities. This is similar to the requirement
requirement. Auditors will need to see evidence that the
above but focuses on the SMS arrangements which, if changed,
controls hierarchy has at least been considered. It is anticipated
may produce additional hazards or weaken existing controls
that OH&S professionals and those with OH&S training
• any applicable legal obligations relating to risk assessment will recognise this hierarchy and the need for its application.
and implementation of necessary controls (see also the However, short explanatory notes have been attached to some
NOTE to 3.12). This requirement ensures that legal and other of the requirements
requirements are considered when determining risk controls. - elimination
Third party auditors have always sought evidence of the
- substitution
consideration of legal and other requirements but until now it
has not been a specific requirement in the Standard - engineering controls - Previously the only clause to refer to
maintenance was clause 4.4.6 Operational Control. Now the
• the design of work areas, processes, installations, words “Engineering Controls” are the only reference to
machinery/equipment, operating procedures and maintenance within the Standard. Although only a short
work organisation, including their adaptation to human reference it is true to say that engineering arrangements,
capabilities. This requirement was originally part of clause e.g. planned maintenance, statutory inspections etc., some
4.4.6 but is now included here to ensure that the OH&S of which are required by legislation or regulation, are risk
hazards and risks associated with the development or change controls. Auditors will need to verify that maintenance
of the workplace are identified and controls determined as arrangements are applied as risk controls.
12 13
The Route to OHSAS 18001 The Route to OHSAS 18001
• the organisation shall document and keep the results of Hierarchy of controls considered
identification of hazards, risk assessments and determined and applied
controls up to date. This requirement ensures that risk Risk assessments reviewed and
assessments are subject to periodic review and up dating controls updated
as necessary as a minimum
Records of process enable it to be audited?
• the organisation shall ensure that the OH&S risks
Process is carried out by competent persons?
and determined controls are taken into account when
establishing, implementing and maintaining its OH&S
DECIDING WHICH OCCUPATIONAL HEALTH AND SAFETY
management system
RISKS ARE “SIGNIFICANT”
HAZARD & RISK IDENTIFICATION or Comment/Plan Having identified all hazards and associated risks which could
Procedure(s) and process for identifying impact on occupational health & safety, the process of rating
hazards, subsequent risk assessment the risks for significance can be carried out. This crucial process,
determining controls is documented? together with a thorough knowledge of legal and other similar
requirements, provide the foundations of the SMS.
Process includes reference to:
This assessment process is vital in determining the need for
• Responsibilities
controls aimed at either reducing risk to levels deemed to be
• Document control
acceptable, or meeting the requirements of legislation. The
• Records
changes introduced in the Standard are intended to strengthen the
• Review
hazard identification and risk assessment process. The importance
Procedure(s) ensure that the following of this process cannot be overestimated. Accurate hazard
requirements are taken into account: identification is fundamental to effective risk assessment as is the
• Routine and non-routine activities identification of significant hazards. If this process not effective
• All persons having access to then risk controls and much of the SMS may be questionable.
the workplace
• Human behaviour/factors
• Hazards originating outside 4.3.2 LEGAL AND OTHER REQUIREMENTS
the workplace
• Hazards in the vicinity of A limited revision of this clause has been made although the
the workplace phrase “persons working under the control of the organisation”
• Infrastructure, equipment etc. has been included with regard to the communication of
• Changes in the organisation information on legal and other requirements. The requirements
• Modification to the SMS of this clause when coupled with the completion of risk
• Legal and other requirements assessments, and there is now a definite requirement to do so
• Design of the workplace (see clause 4.3.1i), forms the foundation of the SMS. This clause
• Management of change of the specification requires that the organisation identifies all
14 15
The Route to OHSAS 18001 The Route to OHSAS 18001
relevant legal and other requirements which are applicable to its compliance with legal and other requirements. This clause is
activities, and uses this data to ensure that suitable controls are part of the ‘Checking’ section of the standard and is discussed
in place to ensure compliance. In this context “compliance” is on page 36.
related not only to the identified requirements but also with the
Ideally the process should ensure that an organisation knows:
organisation’s own Policy.
• What legislation and other requirements are applicable
KEY REQUIREMENTS
• What it means to the organisation
The Standard requires that there is a procedure(s) for identifying • What duty or obligation is imposed
and gaining access to relevant legal and “other requirements”
• How compliance is ensured
which are applicable to the organisation. This procedure
• A reference to the mechanism for confirming compliance.
should include:
It must also ensure that the details of legal and other
• Responsibilities for compiling the listing of legislation and requirements are kept up-to-date.
“other requirements”
LEGAL & OTHER REQUIREMENTS or Comment/Plan
• Sources of data (e.g. update services, subscriptions to journals etc.)
Procedure in place to describe how access
• The means of gaining access to updates
is gained to legal and other requirements,
• The methods employed to communicate the demands of any how to keep track of changes, and who
relevant legislation or “other requirements” does this?
• The types of “other requirements” to be included, e.g. policies, Mechanism in place to record these
codes of practice, national standards, corporate requirements requirements, make sure they are
(if a member of a group of companies) communicated and understood by persons
working under the control of the organisation
The organisation shall ensure that these applicable legal
requirements and other requirements to which the organisation Records and procedure are controlled
subscribes are taken into account in establishing, implementing documents and regularly reviewed
and maintaining its OH&S management system. This is a new There is a means of accessing the
paragraph which is in effect a general statement but is intended original laws, regulations etc.?
to ensure that reference is made to legal and other requirements Register or listing includes (as applicable):
when developing or revising an SMS. • Laws, regulations
The organisation shall keep this information up-to-date. • Policies
• Codes of practice
The organisation shall communicate relevant information on legal • Schemes, e.g. “responsible care”
and other requirements to persons working under its control, • Licences, authorisations, permits, certificates
and to other relevant interested parties. The phrase persons • Planning permission
working under its control means that there needs to be • Insurance
evidence of communication to such persons. • Lease
There is now a new clause, clause 4.5.2 Evaluation of And the means of accessing changes to all
Compliance, which requires the organisation to evaluate of the relevant “other requirements”
16 17
The Route to OHSAS 18001 The Route to OHSAS 18001
Legal and other requirements taken into OBJECTIVES AND PROGRAMMES or Comment/Plan
account when developing, implementing
Is there a process for selecting and
or changing the SMS
documenting the objectives?
The procedure links to the Evaluation of
Are objectives set at relevant levels and
Compliance (clause 4.5.2)
functions within the organisation?
Are there records to show how the
objectives were selected?
4.3.3 OBJECTIVES AND PROGRAMMES
Are there links to:
Clause 4.3.3 is now an amalgamation of the original • Significant risks
requirements of clause 4.3.3 objectives and what was clause • Policy commitments
4.3.4 OH&S management programmes. There have been some • Legal and other requirements
changes in wording, which to some extent includes wording • The views of interested parties?
from other standards, and is evidence of the closer link with Are objectives:
ISO 14001 and ISO 9001. Objectives are the drivers for the • Specific
continuous improvement process which ensures that your SMS • Measurable
delivers real improvements in the functioning of the SMS and, • Achievable
perhaps more importantly, occupational safety performance. • Realistic
KEY REQUIREMENTS • Timed?
Management programmes or action plans
OHSAS 18001 requires that:
in place for achieving objectives
• Objectives are established, maintained, documented, and exist at Do programmes show designated
each relevant function and level in the organisation responsibility and authority for achieving
• Objectives are measurable, where practicable, and are consistent objectives, the means and a time frame by
with the OH&S Policy including the commitments to prevent injury which objectives are to be achieved?
and ill health, comply with applicable legal and other requirements Programmes subject to planned reviewed
and continuous improvement
18 19
The Route to OHSAS 18001 The Route to OHSAS 18001
4.4.1 RESOURCES, ROLES, RESPONSIBILITY, ACCOUNTABILITY • The organisation shall ensure that persons in the workplace
AND AUTHORITY. take responsibility for aspects of OH&S over which they have
control, including adherence to the organisation’s applicable
In common with all management systems’ standards, OHSAS OH&S requirements. This requirement ensures that line
18001 recognises the need to make sure that personnel involved managers, supervisors etc. must now take responsibility for
in the SMS are aware of their responsibilities and authority. In OH&S matters in their area and ensure adherence to applicable
general although the wording of the clause has been revised the OH&S requirements e.g. procedures safe systems of work etc.
requirements remain the same. However, two new requirements
have been introduced. These requirements are shown below;
where requirements are new they are shown in bold italics. Resources, roles, responsibility or Comment/Plan
accountability and authority.
KEY REQUIREMENTS
Evidence of Top management taking
OHSAS 18001 requires that
responsibility for the SMS
• Top management shall take ultimate responsibility for OH&S and
Roles and responsibilities defined,
the OH&S management system.
accountabilities and authorities allocated
• Top management shall demonstrate its commitment by ensuring in manuals, job specifications, organisation
the availability of resources essential to establish, implement, charts, procedures etc
maintain and improve the OH&S management system.
Including responsibilities in
Defining roles, allocating responsibilities and accountabilities, and
emergency situations
delegating authorities, to facilitate effective OH&S management;
roles, responsibilities, accountabilities, and authorities shall be Responsibilities etc. documented and
documented and communicated. communicated e.g. staff aware.
• The organization shall appoint a member(s) of top management Management Appointee nominated
with specific responsibility for OH&S, irrespective of See clause 4.4.1 note 2.
other responsibilities. Management appointee responsibilities
• The identity of the top management appointee shall be made defined by clause 4.4.1 para 2 a and b.
available to all persons working under the control of the
Means of communicating the ID of the
organization. This new requirement means that all persons
management appointee
working under the control of the organisation e.g. employees,
contractors, agency staff etc need to be informed of the identity Personnel taking OH&S responsibility
of the management appointee. and recognise the need to comply with
SMS requirements
• All those with management responsibility shall demonstrate their
commitment to the continual improvement of OH&S performance. Resources provided, defined and adequate?
20 21
The Route to OHSAS 18001 The Route to OHSAS 18001
4.4.2 COMPETENCE, TRAINING AND AWARENESS • The organisation shall establish, implement and maintain a
procedure(s) to make persons working under its control aware of
The general intent of the clause remains the same; however,
- the OH&S consequences, actual or potential, of their work
the second paragraph now contains requirements which can
activities, their behaviour, and the OH&S benefits of improved
be found in other standards particularly ISO 9001:2000. Where
personal performance;
requirements are new these are shown in bold italics. Training
and competence form important keystones in the prevention - Their roles and responsibilities and importance in achieving
of OH&S related problems within the workplace. Employees conformity to the OH&S policy and procedures and to the
cannot be expected to carry out tasks safely or assume OH&S requirements of the OH&S management system, including
responsibility if they have not been adequately trained and are emergency preparedness and response requirements (see 4.4.7);
not competent. Identification of training needs and competence - The potential consequences of departure from
relative to the hazards, risks and legislative requirements specified procedures.
applicable to the operations and activities carried out by the
The requirements above are unchanged, however some
organisation, forms a key aspect of occupational health & safety
additional wording, shown in bold italics, has been included.
management. Legislation generally refers to a need for personnel
Again the phrase persons working under its control appears
to be competent to perform their functions – it is incumbent
whereas previously only employees were referenced. The
on the organisation to ensure that this is fulfilled and that there
behaviour of personnel is referenced so that personnel need
is adequate provision of necessary training and records to
not only to work safely but conduct themselves in a safe manner.
substantiate this.
Training procedures shall take into account differing levels of:
KEY REQUIREMENTS
- responsibility
OHSAS 18001 requires that - ability
• The organisation shall ensure that any person(s) under its - language skills and literacy
control performing tasks that can impact on OH&S is (are) - risk
competent on the basis of appropriate education, training or
experience, and shall retain associated records. Although COMPETENCE, TRAINING & AWARENESS or Comment/Plan
not entirely a new requirement the wording has been changed
and now includes the phrase any persons under its control. Procedure(s) documented and include:
This means that an organisation has to ensure that not only • Means of identifying training needs
employees but contractors, agency staff etc. are competent to • Provision of training to meet needs
carry out work safely.
• A means of evaluating the effectiveness
• The organisation shall identify training needs associated with of training
its OH&S risks and its OH&S management system. It shall • Awareness training (link OH&S
provide training or take other action to meet these needs, consequences of work activities,
evaluate the effectiveness of the training or action taken, and OH&S Policy. EM preparedness)
retain associated records. The wording of these requirements
All necessary training and skills in place?
can be found in other standards, e.g. ISO 9001:2000 clause
6.2.2. If an organisation has certification to other Standards A means of verifying the training/
then arrangements addressing these requirements will competence of persons under the control
already be in place. Therefore safety training and associated of the organisation other than employees
records will simply need to be included. If this not the case Are there records to identify delivery of
then arrangements will need to be developed. training and to verify “competence”?
22 23
The Route to OHSAS 18001 The Route to OHSAS 18001
4.4.3 COMMUNICATIONS, PARTICIPATION AND CONSULTATION 4.4.3.2 Participation and Consultation: The previous version
of the Standard contained requirements for consultation between
This clause has been revised and now consists of two sub-clauses: management and employees, now referred to in this clause
as “workers”, however, the Standard now sets out these
4.4.3.1 Communication: The organisation needs to ensure
requirements in more detail. Where requirements are new these
that suitable communication methods are available for facilitating
are shown in bold italics.
both internal and external communications. Regarding internal
communications it is essential that personnel at all levels are Key Requirements
included and are able to be involved with OH&S issues. Also
OHSAS 18001 requires:
important is appropriate and effective means of communication
with interested parties particularly authoritative bodies, e.g. the The organisation shall establish, implement and maintain a
HSE. The requirements of clause 4.4.3.1 are not entirely new procedure(s) for the participation of workers by their:
but are an expansion of the previously sketchy one-sentence
• appropriate involvement in hazard identification, risk
requirement. Where requirements are new these are shown in
assessments and determination of controls
bold italics.
• appropriate involvement in incident investigation;
KEY REQUIREMENTS
This requirement now requires organisations to involve, as
OHSAS 18001 requires: appropriate, workers in the process of hazard identification,
risk assessment and determining controls. There will need to
With regard to its OH&S hazards and OH&S management
be evidence of this involvement.
system, the organisation shall establish, implement and
maintain a procedure(s) for • involvement in the development and review of OH&S policies
and objectives;
• internal communication among the various levels and functions
Not a new requirement but there will need to be evidence of
of the organisation.
involvement of workers in developing policy and objectives.
• communication with contractors and other visitors to
• consultation where there are any changes that affect their OH&S;
the workplace
Also not a new requirement.
This requirement will mean that recognisable and verifiable
arrangements need to be in place for contractors and other • representation on OH&S matters.
visitors to the workplace. Not a new requirement.
• receiving, documenting and responding to relevant • Workers shall be informed about their participation arrangements,
communications from external interested parties. including who is their representative(s) on OH&S matters.
This requirement has been strengthened and requires that Not strictly a new requirement but the wording has been
there is a procedure for receiving communication from revised to ensure that personnel are aware of their
external interested parties. This implies that there needs to be participation arrangements.
a documented record of all communication to and from
• consultation with contractors where there are changes that
external organisations, e.g. HSE, emergency services etc.
affect their OH&S.
A new requirement is that arrangements are in place to consult
with contractors with regard to changes that may affect them.
24 25
The Route to OHSAS 18001 The Route to OHSAS 18001
• The organisation shall ensure that, when appropriate, relevant PARTICIPATION and CONSULTATION or Comment/Plan
external interested parties are consulted about pertinent OH&S
Established, implemented and maintained
matters, e.g. emergency services, neighbours etc.
a procedure(s) for the participation of
Not an entirely new requirement but the clause wording has
workers by their
been slightly enhanced.
- appropriate involvement in hazard
Legislation often requires an organisation to have methods in identification, risk assessments and
place to communicate OHS issues between workforce and determination of controls;
management and often states that the workforce is entitled to
- appropriate involvement in
elect representatives to discuss OHS issues. The organisation
incident investigation;
needs to ensure that procedures to control internal and external
communications and interfaces are in place. Particular care needs - involvement in the development and
to be taken when dealing with communications from external review of OH&S policies and objectives;
parties, which might include enforcement authorities, lawyers/ - consultation where there are any
solicitors, insurance companies, etc. In many parts of the world changes that affect their OH&S;
there is an increasing trend towards litigation resulting from - representation on OH&S matters.
injuries received in the workplace, so the need to manage the
Workers are informed about their
communication process is critical. The procedures also need to
participation arrangements, including who
define which information relating to the SMS will be divulged to
is their representative(s) on OH&S matters?
outsiders in addition to the Policy (which from clause 4.2 needs
Documented arrangements in place for
to be available to interested parties).
consultation with contractors where there
are changes that affect their OH&S?
COMMUNICATION or Comment/Plan
The organisation to ensure that, when
Procedure to define processes for internal appropriate, relevant external interested
and external communication? parties are consulted about pertinent
Staff aware of procedure? OH&S issues?
26 27
The Route to OHSAS 18001 The Route to OHSAS 18001
OHSAS 18001 requires that OHS system documentation includes: Documented Policy and Objectives
OH&S policy and objectives. Not a new requirement in that Description of the scope of the SMS
clause 4.2 requires the OH&S policy to be documented and clause Description of the main elements of the
4.3.3 requires documented objectives; however, this is new OH&S management system, their interaction
wording for clause 4.4.4. and reference to related documents, e.g.
A description of the scope of the OH&S management system. system procedures, other systems etc.
This is similar to the requirement in ISO 9001:2000. It may be useful Documents, including records, required by
to include in this description the wording of the technical scope of this OHSAS standard
the SMS, e.g. the product and service provided by the organisation
as well as the geographic locations covered by the SMS. Documents, including records, determined
by the organisation to be necessary to ensure
A description of the main elements of the OH&S the effective planning, operation and control
management system and their interaction, and reference
of processes that relate to the management
to related documents. This requirement is also similar to the
of its OH&S risks
document requirements of ISO 9001:2000 and ISO 14001:2004.
This is often addressed by the use of a process map showing the Documents are subject to document
principal elements of the management system and how they work control disciplines?
together as a system and the link to system documentation.
The same approach can be used for the SMS.
28 29
The Route to OHSAS 18001 The Route to OHSAS 18001
4.4.5 CONTROL OF DOCUMENTS • Ensure that documents remain legible and readily identifiable.
Again although a revised requirement this is a standard
The wording of this clause is now almost word for word identical document control requirement.
to that in other standards, e.g. ISO 9001:2000 clause 4.2.3. The
• Ensure that documents of external origin determined by the
requirements have been strengthened and slightly expanded.
organisation to be necessary for the planning and operation
The intent of the clause has not changed in that overall document
of the OH&S management system are identified and their
control aims to ensure that the latest versions of system
distribution controlled. Although a standard document control
documentation are available to personnel at points of use.
requirement this was not included in the previous version of
Organisations which have a Quality (QMS) or Environmental
the standard. To some extent there is a link here with clause
(EMS) management system will be familiar with the requirements
4.3.2 as many documents of external origin may relate to
of this clause. With very little change to wording a document
regulatory requirements.
control procedure from a QMS or EMS will fit with the
requirements of OHSAS 18001. • Prevent the unintended use of obsolete documents and apply
suitable identification to them if they are retained for any purpose.
KEY REQUIREMENTS
OHSAS 18001 requires that documents are controlled so that DOCUMENT CONTROL or Comment/Plan
they can be located, are approved before issue and periodically
reviewed. The revised requirements are listed below. Where Procedure in place to define mechanism
requirements are new or revised they are shown in bold italics. for the control of documents.
• Removal and disposal of obsolete documents now reference to the management of change the full
unless retained for reference or historical requirement for which is cited in clause 4.3.1.
reasons. A means of identification if retained
• For those operations and activities, the organisation shall
• Arrangements to ensure that documents implement and maintain:
of external origin determined by the
• operational controls, as applicable to the organisation and
organisation to be necessary for the
its activities; the organisation shall integrate those operational
planning and operation of the OH&S
controls into its overall OH&S management system
management system are identified and
their distribution controlled • controls related to purchased goods, equipment and services
Are operational control procedures Many organisations do take in to account the requirements of
communicated to suppliers and the emergency services and neighbours as a matter of course
contractors where needed and in some cases legislation requires this, e.g. COMA.
Management of change considered • The organisation shall also periodically test its procedure(s) to
where appropriate respond to emergency situations, where practicable, involving
relevant interested parties as appropriate. The requirement to
Are Permit to Work systems in use if relevant
test emergency arrangements is not new but the need to
involve interested parties, e.g. the emergency services, as
appropriate is new.
4.4.7 EMERGENCY PREPAREDNESS AND RESPONSE
• The organisation shall periodically review and, where necessary,
The organisation needs to consider what needs to happen if, or revise its emergency preparedness and response procedure(s),
when, things go wrong. The range of emergencies which might in particular, after periodical testing and after the occurrence of
arise can be wide, there needs to be some thought as to what emergency situations (see 4.5.3).
can be controlled by the organisation, and what the potential
consequences of any emergency might be.
EMERGENCY PREPAREDNESS or Comment/Plan
KEY REQUIREMENTS AND RESPONSE
OHSAS 18001 requires: A procedure to identify potential Procedure in place to identify potential
emergency situations and to respond to them thereby preventing emergency situations, develop and document
or mitigating any adverse OHS consequences. The key measures to prevent, control and mitigate
requirements are listed below. Where requirements are new they the effects?
are shown in bold italics.
The planning of emergency responses take
• The organisation shall establish, implement and maintain account of the needs of relevant interested
a procedure(s): parties, e.g. emergency services
and neighbours
• Identify the potential for emergency situations.
All potential emergency situations identified e.g.:
• Respond to such emergency situations.
Fire Toxic gas/fumes
• The organisation shall respond to actual emergency situations Flood Radiation
and prevent or mitigate associated adverse OH&S
The weather Injury
consequences. This is a definite requirement to respond to
emergency situations and for that response to prevent or Power cuts Equipment failure
mitigate OHS consequences. Spillage
34 35
The Route to OHSAS 18001 The Route to OHSAS 18001
Plans are periodically tested where • Both qualitative and quantitative measures, appropriate to the
practicable. Interested parties involved needs of the organisation.
as appropriate
• Monitoring to the extent to which the organisation’s OH&S
There is a schedule for future tests? objectives are met..
Records of tests, emergencies and false • Monitoring the effectiveness of controls (for health as well
alarms are maintained? as safety). The new requirement here is the need to monitor
health as well as safety and supports the commitment to
Procedures are amended in the light of
prevent ill health and injury.
experience from tests, drills and incidents
if necessary • Proactive measures of performance that monitor conformance
with the OH & S programme(s), controls and operational criteria.
Emergency equipment maintained, e.g.
fire extinguishers, sprinkler systems, alarms • Reactive measures of performance that monitor ill health,
emergency lighting, spill kits etc. incidents (including accidents, near-misses etc.) and other
(See clause 4.3.1) historical evidence of deficient OH&S performance. A very
small change in wording here that does not change the overall
Staff with emergency response
requirement, which remains the same as that shown in the
responsibilities are trained and competent
previous Standard.
36 37
The Route to OHSAS 18001 The Route to OHSAS 18001
Is the effectiveness of controls (for health an EMS will have little difficulty with this requirement as they
as well as for safety) monitored? will have developed arrangements to evaluate compliance with
environmental legislation. Those organisations implementing
Proactive measures of performance that
an SMS or revising an existing SMS will now need to develop
monitor conformance with the OH&S
compliance evaluation arrangements.
programme(s), controls and operational
criteria identified Clause 4.5.2 has been split into two sub-clauses; 4.5.2.1 contains
requirements for the evaluation of applicable legal requirements
Procedure(s) include reactive measures of
and clause 4.5.2.2 contains requirements for the evaluation of
performance that monitor ill health, incidents
other requirements to which the organisation subscribes.
(including accidents, near-misses, etc.), and
other historical evidence of deficient KEY REQUIREMENTS
OH&S performance
OHSAS 18001 requires that compliance with applicable legal and
Procedure(s) provide for recording of data other requirements is monitored and records maintained. Where
and results of monitoring and measurement requirements are new they are shown in bold italics.
sufficient to facilitate subsequent corrective
4.5.2.1 Consistent with its commitment to compliance
action and preventive action analysis
(see 4.2c), the organisation shall establish, implement and
Monitoring instruments and equipment maintain a procedure(s) for periodically evaluating compliance
calibrated and maintained to ensure accuracy with applicable legal requirements (see 4.3.2).
of measurement
The organisation shall keep records of the results of the
Methods of calibration are defined and periodic evaluations.
traceable to National Standards
NOTE The frequency of periodic evaluation may vary for
Calibration status is clear differing legal requirements.
Are the records of calibration and 4.5.2.2 The organisation shall evaluate compliance with
maintenance activities retained? Records are other requirements to which it subscribes (see 4.3.2).
kept of calibration certificates and of which The organisation may wish to combine this evaluation with
instrument was used for each test the evaluation of legal compliance referred to in 4.5.2.1
or to establish a separate procedure(s). To reduce system
documentation one procedure can be produced to describe
4.5.2 EVALUATION OF COMPLIANCE the evaluation of both legal and other requirements and both
evaluations may be combined.
This is a completely new requirement which is intended to ensure
The organisation shall keep records of the results of the
the evaluation of compliance with legal and other requirements.
periodic evaluations.
It is true to say that many organisations previously implemented
compliance evaluation arrangements but now this is a specific NOTE The frequency of periodic evaluation may vary for various
requirement. The content of this clause has been extracted from other requirements to which the organisation subscribes.
ISO 14001 where it was introduced as part of the 2004 revision
of that Standard. Those organisations which have implemented
38 39
The Route to OHSAS 18001 The Route to OHSAS 18001
EVALUATION OF COMPLIANCE or Comment/Plan The organisation shall establish, implement and maintain a
procedure(s) to record, investigate and analyse incidents in
Procedure(s) for periodically evaluating
order to -
compliance with applicable legal
requirements in place • determine underlying OH&S deficiencies and other factors that
might be causing or contributing to the occurrence of incidents.
Records maintained of the results of the
periodic evaluations • identify the need for corrective action
Procedure for evaluating compliance with • identify opportunities for preventive action
other requirements to which the organisation
• identify opportunities for continuous improvement
subscribes in place
• communicate the results of such investigations
Does the organisation keep records of the
results of the periodic evaluations? The wording of this requirement has been enhanced to ensure that
incidents are investigated and the results are recorded and analysed.
Clause 4.5.3.1 Incident Investigation: this sub-clause is consistent The results of incident investigations shall be documented and
with the new focus on incidents rather than accidents and sets maintained.
out the requirements for procedures to complete the investigation Clause 4.5.3.2 Non-conformity, Corrective and Preventive Action.
of incidents. The results of investigations should facilitate the This clause is in part a revision of the previous OHSAS 18001
identification and implementation of appropriate corrective and clause and the inclusion of wording from other Standards.
preventive actions which either prevent occurrence or recurrence Consequently the clause is significantly more comprehensive. This
of the incidents and that lessons are learned. Overall the is to ensure that corrective and preventive actions are effectively
requirements listed below always were part of the investigation or identified, implemented and closed, also that the effectiveness of
part of the outcome of investigations. corrective and preventive action is determined.
40 41
The Route to OHSAS 18001 The Route to OHSAS 18001
The organisation shall establish, implement and maintain INCIDENT INVESTIGATION OF or Comment/Plan
a procedure(s) for dealing with actual and potential non- NON-CONFORMITY, CORRECTIVE
conformities and for taking corrective action and preventive AND PREVENTIVE ACTION
action. The procedure(s) shall define requirements for
4.5.3.1 Incident Investigation
• identifying and correcting non-conformity(ies) and
Procedures established, implemented and
taking action(s) to mitigate their OH&S consequences,
maintained to record, investigate and analyse
• investigating non-conformity(ies), determining their incidents in order to determine underlying
cause(s) and taking actions in order to avoid their recurrence, OH&S deficiencies and other factors that
• evaluating the need for action(s) to prevent may be causing or contributing to the
non-conformity(ies) and implementing appropriate occurrence of incidents
actions designed to avoid their occurrence, Procedures include arrangements to
• recording and communicating the results of corrective identify the need for corrective action,
action(s) and preventive action(s) taken, and identify opportunities for preventive
action and identify opportunities for
• reviewing the effectiveness of corrective action(s) and continuous improvement?
preventive action(s) taken.
Results of investigations communicated
Where the corrective action and preventive action identifies new
or changed hazards or the need for new or changed controls, Investigations performed in a timely manner?
the procedure shall require that the proposed actions shall be Any identified need for corrective action or
taken through a risk assessment prior to implementation. opportunities for preventive action dealt with
This requirement was part of the previous OHSAS 18001 in accordance with the relevant parts
requirement but previous wording was to some extent of 4.5.3.2?
impractical. The revised wording provides an element of
Legal and other requirements addressed
choice in the application of this requirement and makes
implementation more sensible. The results of incident investigations
documented and maintained?
Any corrective action or preventive action taken to eliminate
the causes of actual and potential non-conformity(ies) shall Staff trained to undertake
be appropriate to the magnitude of problems and incident investigation
commensurate with the OH&S risk(s) encountered.
4.5.3.2 Non-conformity, Corrective Action
The organisation shall ensure that any necessary changes and Preventive Action
arising from corrective action and preventive action are made
Procedure(s) for dealing with actual and
to the OH&S management system documentation.
potential non-conformity(ies) and for taking
corrective action and preventive
action implemented
42 43
The Route to OHSAS 18001 The Route to OHSAS 18001
Does the procedure require that the proposed • The organisation shall establish and maintain records as
actions shall be taken through a risk necessary to demonstrate conformity to the requirements
assessment prior to implementation where of its OH&S management system and of this OHSAS Standard,
the corrective action and preventive action and the results achieved.
identifies new or changed hazards or the
• The organisation shall establish, implement and maintain a
need for new or changed controls?
procedure(s) for the identification, storage, protection, retrieval,
Changes arising from corrective action and retention and disposal of records.
preventive action made to the OH&S
• Records shall be and remain legible, identifiable and traceable.
management system documentation?
44 45
The Route to OHSAS 18001 The Route to OHSAS 18001
Procedure define arrangements for: Audit programme(s) shall be planned, established, implemented
identification, and maintained by the organisation, based on the results of risk
storage, assessments of the organisation’s activities, and the results of
previous audits.
protection – e.g. computer back-up,
retrieval – records readily retrievable Audit procedure(s) shall be established, implemented and
retention – retention times defined maintained that address
disposal • the responsibilities, competencies, and requirements for
Are records legible, identifiable and traceable? planning and conducting audits, reporting results and retaining
associated records,
The organisation shall ensure that internal audits of the OH&S • Reporting audits
management system are conducted at planned intervals to • Establishing audit criteria, scope,
determine whether the OH&S management system frequency of audits
• Non-conformance reporting and close-out
46 47
The Route to OHSAS 18001 The Route to OHSAS 18001
Schedule covers all areas/procedures and Input to management reviews shall include
SMS functions in a given time? • results of internal audits and evaluations of compliance with
Document control and approval of audit applicable legal requirements and with other requirements to
which the organisation subscribes,
paperwork including schedule?
• the results of participation and consultation (see 4.4.3)
Internal auditors trained
• relevant communication(s) from external interested parties,
Able to identify a SMS and
including complaints,
safety non-conformance
Have an understanding of applicable legal • the OH&S performance of the organisation,
and other requirements • the extent to which objectives have been met,
• status of incident investigations, corrective actions and
Non-conformances actioned in a
preventive actions,
timely manner?
• follow-up actions from previous management reviews,
• changing circumstances, including developments in legal and
other requirements related to OH&S, and
4.6 MANAGEMENT REVIEW
• recommendations for improvement.
The requirement to carry out formal management reviews of Previously these requirements were described in OHSAS
the SMS is common with that of other management system 18002:2000 but have now been defined in the Standard.
standards. Management Review, if carried out fully and effectively, The outputs from management reviews shall be consistent
will help the organisation to develop its SMS so that overall safety with the organisation’s commitment to continuous improvement
performance is improved. Previously this clause was somewhat and shall include any decisions and actions related to possible
sketchy but has been significantly revised to include both required changes to
inputs, effectively the review agenda, and outputs. This is in
• OH&S performance
keeping with the management review requirements of both EMS
and QMS Standards and some inputs have been taken from both • OH&S policy and objectives
these standards. • resources, and
48 49
The Route to OHSAS 18001 The Route to OHSAS 18001
Frequency and format of reviews • Don’t ask for the certification audit until you are sure you
is documented are ready!
NB there is no specific requirement for
The certification process breaks down into five stages:
a meeting
Attendees at meeting listed in procedure? • Pre-audit (not mandatory at this stage
e.g. Management Appointee and but highly recommended as assess an organisation
senior management preparedness for assessment)
Reviews take place at specified frequency? • Review of documented system against the Standard and
Reviews included all the required inputs according to the scope of certification
and outputs • Certification Audit
Records, e.g. meeting minutes are kept?
• Certification
Actions assigned and followed up?
• Ongoing surveillance visits
Outputs from management review available
for consultation and communicated to The pre-audit reviews the key processes of hazard identification and
relevant personnel risk assessment, audits, identification of legislation and also checks
that the system is designed to deliver continuous improvement.
Certification of OHSAS 18001:2007 management systems is
The document review is a detailed review of the documented
supported by UKAS accreditation. However, in all countries,
system to verify that it complies with both OHSAS 18001 and
accredited third-party certifications are supported by the
the needs of the organisation.
International Accreditation Forum Guidelines, which describe
how certification bodies must function and expand a little on The certification audit then verifies that the system is fully
the Standard. Despite the fact that accredited certification is not implemented and functioning. All requirements of the
available in all countries, you can rest assured that SGS applies the Standard are checked on a sampling basis across all of
same level of controls required by accreditation bodies to all of its the organisation’s operations.
OHSAS certification activities.
50 51
The Route to OHSAS 18001 The Route to OHSAS 18001
52 53
The Route to OHSAS 18001 The Route to OHSAS 18001
email: ukenquiries@sgs.com
web: www.uk.sgs.com/ohsas_18001
54 55
The Route to
OHSAS 18001
avoiding the pitfalls
WWW.UK.SGS.COM
NDARD
ION OF THE STA
ERS 007
E 2007 V on the 2
D TO TH mentary
UPDATE lud e s c o m
now inc ndard
NEW
Booklet e 1 8001 sta
g e s to th
ch a n
SGS 5258/0308